How safe, exactly, is your personal data on the Internet? The answer: It is not in the slightest bit secure, and this is barely an exaggeration, since much of your data may have already been exposed multiple times without your knowledge. By personal data we mean your passwords, phone numbers, credit card numbers, medical records, Social Security numbers, and more. A major data breach occurs almost every day, with some breaches not being discovered until days, months, or even years after the fact. An alarming data risk report by Varonis revealed that 58 percent of all organizations have over 100,000 folders of data that are accessible to every single employee in the organization. One wrong click by a careless employee can leave your login details, transaction history, and more in the hands of an opportunistic hacker. Forbes estimated that 4.1 billion records had been exposed by data breaches in the first half of 2019 alone. That’s nearly 700 million exposed records every month. Here are the biggest 2019 data breaches — and there are still nearly four months yet to go.
January 16: Fortnite
Fortnite boasts over 200 million users worldwide, but an old, unsecured web page left its players exposed to the risk of having their accounts hacked, audio recorded, and in-game currency used without hackers even needing them to type in their login information. Check Point Research discovered the vulnerability and reported it to Epic Games, who quickly secured the breach point.
Scammers have typically conned players into entering their login credentials and credit card information by luring them with the promise of earning free “V-Bucks,” which is the game’s virtual currency. However, this more undetectable method exploited a vulnerability in a subdomain of Epic Games that allowed an XSS attack to be launched when a user merely clicked a link sent by the attacker.
January 17: Oklahoma Department of Securities
A shocking report by the UpGuard Data Breach Research team revealed that decades’ worth of data in a storage server belonging to the Oklahoma Department of Securities had been exposed for nearly a week before the breach was discovered. A search engine called Shodan registered that the data was publicly accessible on Nov. 30, 2018. Analysts at Upguard discovered on Dec. 7 that the server contained sensitive content and updated the Oklahoma Department of Securities the very next day, prompting them to revoke public access to the sensitive data almost immediately. The extent of the breach remains to be determined as the range of data left unsecured included personal information, internal communication records, and login information.
January 17: Collection #1
A massive data breach known as Collection #1 was revealed by ethical hacker and researcher Troy Hunt earlier this year. He discovered a data set containing over 770 million unique email addresses and over 21 million unique passwords that had been compiled from multiple data breaches.
Troy Hunt found the collection of files on a cloud storage service, MEGA, after he was tipped off by multiple contacts. The massive data set included over 87GB of data and was composed of over 12,000 files. The compromised email addresses and passwords were separately uploaded to Have I Been Pwned (HIBP) and Pwned Passwords, so users can check if their login credentials have been leaked.
January 21: Elasticsearch cloud storage
Over 108 million records of bets made at websites belonging to an online casino group were stored on an Elasticsearch server that hadn’t been secured with a password. Security researcher Justin Paine notified ZDNet about his discovery, revealing that the database contained information about players’ names, email addresses, home addresses, phone numbers, bets, wins, deposits, and withdrawals. However, their credit card details had been partially redacted, which rendered them unusable to hackers. The data was rather sensitive because it left the players vulnerable to extortion schemes by hackers who had data on their wins and losses. Shortly after it was reported, the server went offline, though it is unclear which entity took down the unsecured information.
March 29: Verifications.io
A database containing over 982 million email addresses was leaked by a marketing company in one of the biggest email database breaches to have ever occurred. The marketing company, known as Verifications.io, sent emails to email addresses to verify if they were valid, but it had absolutely no security measures in place to protect the massive database of email addresses it had collected.
The exposed information was discovered by security expert Bob Diachenko, who notified the company’s support team, leading to the database being taken down. However, it is uncertain how many of the nearly billion email addresses had already been leaked to hackers. While the database did not contain any credit card details or passwords, it did contain the names of users, their employer’s name, their date of birth, their gender, and their home address.
April 2: Facebook
Facebook users are constantly at risk of having their data exposed to the public as a result of the large number of third-party apps and programs that have access to their information. Not all these third parties store user data on secured servers, leading to massive data breaches like the one that was revealed in April. According to the UpGuard Cyber Risk team, a digital media company called Cultura Colectiva based in Mexico left over 540 million records of user IDs, account names, likes, and comments exposed on a publicly accessible server.
Another smaller data breach that was more concerning was also discovered around the same time. A Facebook-integrated app called “At the Pool” exposed over 22,000 users’ passwords through a backup in an Amazon S3 bucket that stored the passwords as plain text. Since many users tend to duplicate passwords across apps, malicious entities could have easily gained access to their Facebook accounts through the exposed passwords.
May 25: First American Corp.
First American Financial Corp., a Fortune 500 financial services company, was revealed to have allowed over 885 million records to be publicly accessed by anyone who had ever been emailed a link to a document by the company. Merely by changing a single digit in the document link, users could access other users’ wire transactions dating back to 2003. These documents contained tax records, bank account numbers, Social Security numbers, driver’s license images, and mortgage records. Krebs on Security reported that a developer named Ben Shoval had noticed the breach and notified the company, which shut down the website leaking the data.
May 24: Canva
In May, Canva revealed that a cyberattacker had managed to access over 139 million users’ information, including names, email addresses, countries of residence, and cryptographically protected passwords. The attacker was also able to briefly view credit card details from before September 2016, but these details were insufficient to make transactions. Canva managed to stop the attack midway, but it still urged users to change their passwords just to be on the safe side.
May 29: Flipboard
Flipboard experienced an attack similar to the one on Canva between June 2018, and March, when its databases were accessed by an unauthorized party. The names, cryptographically protected passwords, and email addresses of over 145 million users may have been left exposed in the attack.
July 29: Capital One
Of all the 2019 data breaches, this was the big one, at least in terms of future ramifications. A Seattle-based software engineer named Paige Thompson was arrested after hacking the database of Capital One, one of the largest banks in the United States. According to The New York Times, she managed to steal over 80,000 bank account numbers, more than 140,000 Social Security numbers, over 1 million Canadian social insurance numbers, and millions of credit card applications. The data stolen dated back to as far as 2005, and the bank reported that the breach could potentially cost it more than $300 million.
2019 data breaches: Protect yourself
These 2019 data breaches are proof that all organizations, no matter how small, need to invest in cybersecurity and ensure that all their databases are protected. Larger companies like Facebook that often have third-party apps access their users’ data need to be particularly careful about how these third-party companies are handling the data they receive from users. As a user, a step you can take to ensure that your information is secured is to constantly update your passwords and to avoid reusing the same ones across platforms. If you use a VPN connection to stay anonymous online and protect your activity from prying eyes, ensure that you use a good VPN provider to avoid having your data logged and sold to third parties without your consent.
Featured image: Shutterstock