Data Breaches 2019

The Biggest Data Breaches and Hacks of 2019: As a new year begins, it’s time to begin reflecting on what has been observed and what has been learnt. It’s estimated that over 10 billion records have been breached in 2019; comprised of thousands of hacks, security failures and breaches, it seems as though the issue of information security is a long way from being fixed.

Far from an exhaustive list, the following are some of the biggest and most disastrous data breaches and hacks of 2019:


In September, the records of around 419 million Facebook users were discovered stored on a database with no password protection in place. The records contained users unique Facebook ID, their phone numbers, and in some cases users’ names, genders and locations.

Though the ‘owner’ of the database is unknown, it’s possible that the user data was obtained legitimately through the Facebook API and then stored without the proper precautions.

Despite the records not containing any explicitly sensitive information, exposed data can be used by cyber-criminals to launch phishing campaigns and even exploit the information via a sim-swap attack.

Facebook stated: “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised”.

First American Corporation

In one of the most sensitive of recent data breaches, the First American Financial Corp. leak exposed an astounding 885 million documents relating to 16 years of mortgages, including bank details, tax records, social security numbers and even driver’s license images.

Shockingly, no authentication was required to view these documents and the company cited a “design deficit” that allowed attackers access to a purported tiny portion of the exposed documents.  

According to the company, it has since only been able to identify 32 customers whose private information was ‘potentially accessed’ without authorisation.

Capital One

In July of this year, 80,000 bank account numbers, over 1,140,000 social security numbers and millions of credit card applications of Capital One customers were stolen.

Potentially costing the company more than $300 million, this breach shows that even the company which would appear to have the most to lose from a hack, can’t always protect themselves perfectly.

What’s unusual about this breach is the fact the hacker responsible made little effort to conceal their action, even boasting about activities on Twitter and Slack.

As a former worker at Amazon Web Services, the hacker was able to gain access to Capital One data by exploiting their technical expertise and knowledge of the internal security of AWS, before being quickly caught.


You may not have heard of Zynga, but you’ll probably recognise their game, Words with Friends. In September, more than 200 million players accounts, including email addresses, login details and names were stolen by a hacker by the name of 'Gnosticplayers'.

As one of the most popular US-based social gaming companies, Zynga has since hired third-party data forensics firms as well as contacting law enforcement about the hack and contacting affected users.  


Details from around 139 million user accounts were taken from a Canva database this May. Of these, 61 million password hashes were reportedly stolen, though it may not be as devastating as it sounds.

All of these passwords were hashed with the very secure bcrypt algorithm, and though this information will likely be sold on the black-market, it’s unlikely that many accounts will be directly compromised.

As with the Zynga breach, the Canva attack was also perpetrated by the hacker Gnosticplayers. Ultimately, the identity of Gnosticplayers is unknown and may even be a hacker collective.

Most strange, is that the hacker alerted a media outlet about the breach only hours after, a pattern which has been repeated within the community.

In November again, another entity going by the name 'A_W_S' stole the information of 21 million Mixcloud users, shortly followed by an announcement of their achievement to several journalists.

If you’d like to learn more about how you can protect your greatest assets with unique and engaging information security awareness training. click the link below.

Security Awareness for your Organisation

Enjoyed our blog? Learn more about how Hut Six can help improve you security awareness with training and simulated phishing. Start a free trial now, or book a meeting with one of our experts.


Google Chrome Password Security

Google Chrome Goes for Gold in Password Security

Google Chrome introduces new password safety features. Cybersecurity blog by Information Security awareness training provider Hut Six.

Pseudonymisation in GPDR

What is Pseudonymisation?

What is pseudonymisation, and why it important to GDPR compliance? Blog from information security awareness training provider Hut Six.

Windows Security Flaw Discovered by NSA

NSA Discloses Severe Windows 10 Security Flaw

An extremely serious Windows 10 Security Flaw has been exposed by the NSA. Blog by cyber security awareness training provider Hut Six.

WiFi Network Security

Top 5 WiFi Safety Tips: The Guide to Staying Secure

How safe is WiFi? Use these WiFi safety tips to help keep you secure online. Blog from cyber security awareness training provider Hut Six.

Travelex Ransomware Attack

Travelex Ransomware Attack Enters Its Third Week

Travelex enters its third week of shutdown at the hands of a ransomware attack. Cyber Security blog by cyber security awareness training provider Hut Six.

Malware and Stalkerware Pandemic

Malware, Stalkerware – Beware: The Growing Market for Privacy Invading Apps

Malware is a persistent threat that can affect every aspect of our digital lives. Identifying, avoiding and removing it are essential to your information security.

Phishing Simulation for Employees

Sending Simulated Phishing Attacks to Employees

How can simulated phishing attacks improve your organisation's security awareness? Blog from information security awareness training provider Hut Six.

The CIA Triangle in Information Security

Information Security Principles: What is the CIA Triad?

The CIA triad consists of three principles upon which professionals typically focus. Blog by Information Security awareness training provider Hut Six.

Trusting HTTPS and SSL Certificates

Suspicious Certificates, Transparency and HTTPS

Will Certificate Transparency Help to Rebuild Confidence in Certificate Authorities? Blog by information security training provider Hut Six Security

UK Government and ICO Cryptojacked

Information Commissioner’s Office Mining Crypto

In 2018 it was discovered thousands of websites had been hijacked by crypto-mining code, known as a "Cryptojacking" attack. Including UK Gov and ICO websites.

Speak to us about your Cyber Awareness