Data Breaches 2019

The Biggest Data Breaches and Hacks of 2019: As a new year begins, it’s time to begin reflecting on what has been observed and what has been learnt. It’s estimated that over 10 billion records have been breached in 2019; comprised of thousands of hacks, security failures and breaches, it seems as though the issue of information security is a long way from being fixed.

Far from an exhaustive list, the following are some of the biggest and most disastrous data breaches and hacks of 2019:

Facebook

In September, the records of around 419 million Facebook users were discovered stored on a database with no password protection in place. The records contained users unique Facebook ID, their phone numbers, and in some cases users’ names, genders and locations.

Though the ‘owner’ of the database is unknown, it’s possible that the user data was obtained legitimately through the Facebook API and then stored without the proper precautions.

Despite the records not containing any explicitly sensitive information, exposed data can be used by cyber-criminals to launch phishing campaigns and even exploit the information via a sim-swap attack.

Facebook stated: “The data set has been taken down and we have seen no evidence that Facebook accounts were compromised”.

First American Corporation

In one of the most sensitive of recent data breaches, the First American Financial Corp. leak exposed an astounding 885 million documents relating to 16 years of mortgages, including bank details, tax records, social security numbers and even driver’s license images.

Shockingly, no authentication was required to view these documents and the company cited a “design deficit” that allowed attackers access to a purported tiny portion of the exposed documents.  

According to the company, it has since only been able to identify 32 customers whose private information was ‘potentially accessed’ without authorisation.

Capital One

In July of this year, 80,000 bank account numbers, over 1,140,000 social security numbers and millions of credit card applications of Capital One customers were stolen.

Potentially costing the company more than $300 million, this breach shows that even the company which would appear to have the most to lose from a hack, can’t always protect themselves perfectly.

What’s unusual about this breach is the fact the hacker responsible made little effort to conceal their action, even boasting about activities on Twitter and Slack.

As a former worker at Amazon Web Services, the hacker was able to gain access to Capital One data by exploiting their technical expertise and knowledge of the internal security of AWS, before being quickly caught.

Zynga

You may not have heard of Zynga, but you’ll probably recognise their game, Words with Friends. In September, more than 200 million players accounts, including email addresses, login details and names were stolen by a hacker by the name of 'Gnosticplayers'.

As one of the most popular US-based social gaming companies, Zynga has since hired third-party data forensics firms as well as contacting law enforcement about the hack and contacting affected users.  

Canva

Details from around 139 million user accounts were taken from a Canva database this May. Of these, 61 million password hashes were reportedly stolen, though it may not be as devastating as it sounds.

All of these passwords were hashed with the very secure bcrypt algorithm, and though this information will likely be sold on the black-market, it’s unlikely that many accounts will be directly compromised.

As with the Zynga breach, the Canva attack was also perpetrated by the hacker Gnosticplayers. Ultimately, the identity of Gnosticplayers is unknown and may even be a hacker collective.

Most strange, is that the hacker alerted a media outlet about the breach only hours after, a pattern which has been repeated within the community.

In November again, another entity going by the name 'A_W_S' stole the information of 21 million Mixcloud users, shortly followed by an announcement of their achievement to several journalists.

If you’d like to learn more about how you can protect your greatest assets with unique and engaging information security awareness training. click the link below.