Cyber breaches and data leaks occurred on an almost daily basis throughout 2019. Many stole the personal details of hundreds, thousands, and in some cases millions of people. Often, consumers became victims through no fault of their own, but companies big and small, young and old, saw their databases breached, with details of customers compromised, stolen, and in some cases sold to the highest bidder.
Medical providers, charities, retailers, online games, social networks and financial businesses were attacked. Others simply left millions of pieces of personal data on servers without a password, open for anyone with an internet connection to rifle through without limitation.
In some cases, these massive troves of personal data — names, addresses, phone numbers, Social Security numbers and even bank details — were listed for sale online, where criminals could use them to cause further damage. Here are GearBrain's picks for what we consider 12 of the most significant data breaches of 2019:
Evite: Inviting friends and hackers into your life
Popular online invitation site Evite got hit with a severe breach, discovered after a massive dump of data that included details from its site appeared on the dark web in April. The hacker, identified by ZDNet as Gnosticplayers, started selling the Evite data for bitcoin. The hacker claimed it included 10 million user records: customers' names, countries, emails, passwords and IP addresses, and also potentially phone numbers, mailing addresses and birthdates.
But then, the hack reportedly grew — and is now thought to have affected more than 100 million accounts. Notably, too, the passwords here were in cleartext — meaning anyone could read them. Evite admitted the site had been hacked, and that the data stemmed from 2013. The company reset their login to force people to create new passwords if their accounts had been impacted. Of course, that's after their details had flown out the door.
Facebook stumbled. Again.
Users' distrust of Facebook just continued to grow in 2019, when phone numbers of more than 200 million users were found — unencrypted — on an open database in May. While Facebook didn't appear to have created the catalog of information, the phone numbers had been matched up with the User IDs of users on the social media site: not a good look.
Then in November, Facebook users accidentally found out that they may have given some Android apps access to their posts, user names, and email addresses.
All of these slips came a year after Facebook was forced to deactivate a feature that let people search for users via their phone number, and of course one year after the Cambridge Analytica scandal, which allowed the analytics firm to access millions of users' data.
First American Financial Corp made it easy to view strangers' mortgage documents
In May this year, the website of First American Financial Corp, a Fortune 500 real estate insurance company, leaked hundreds of millions of documents related to mortgage deals dating back to 2003. These records, which could be viewed by anyone and were not password-protected, included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver's license images.
The leaking server was discovered by a real estate developer and reported by KrebsOnSecurity. Before the leak was fixed, anyone who knew the URL for one valid document on the First American Financial Corp website could view other documents by changing a single digit in the URL.
It was estimated that over 885 million documents were exposed, before the server was finally protected days later.
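The flaw described above is a missing per-document authorization check on numbered records. The sketch below is an added example, not code from the company or from the original article; the record store, owner names and function names are all hypothetical. It sets the weak lookup beside a hardened one and includes an audit helper a defender can run to confirm that a session reads only its own records.

```python
import secrets

# Constructed sample records; owners and contents are invented for illustration.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "closing statement A"},
    1002: {"owner": "bob", "body": "wire receipt B"},
    1003: {"owner": "carol", "body": "tax record C"},
}

class Forbidden(Exception):
    """Raised when the caller is not entitled to the requested document."""

def fetch_unchecked(doc_id):
    """Weak pattern: any caller who supplies a valid number gets the document."""
    return DOCUMENTS[doc_id]["body"]

def fetch_authorized(session_user, doc_id):
    """Hardened pattern: require a login, then check ownership per object."""
    if session_user is None:
        raise Forbidden("login required")
    doc = DOCUMENTS.get(doc_id)
    # Same error for "missing" and "not yours", so replies never confirm valid ids.
    if doc is None or doc["owner"] != session_user:
        raise Forbidden("not found or not permitted")
    return doc["body"]

def readable_ids(session_user, candidate_ids):
    """Audit helper: which ids in a range can this session actually read?"""
    allowed = []
    for doc_id in candidate_ids:
        try:
            fetch_authorized(session_user, doc_id)
            allowed.append(doc_id)
        except Forbidden:
            pass
    return allowed

def new_document_reference():
    """Defence in depth: random references instead of consecutive numbers."""
    return secrets.token_urlsafe(16)
```

Random references only make identifiers hard to guess; the ownership check in `fetch_authorized` is what actually restricts access.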
Radiohead: Revenge is sweet
The best hacker revenge story of the year goes to the band Radiohead. Hackers got hold of 18 hours of old recordings by the English group, demanding a ransom of $150,000 or else they'd release the tracks to the public. Radiohead thought that was such a good idea, they went ahead and did it anyway — selling all 18 discs of the tracks for $24 (£18).
The money, of course, never made it to the hackers, but the band didn't keep it either — giving all proceeds to Extinction Rebellion, a global organization known for its conservation and environmental work.
U.S. Customs and Border Protection did the opposite with its data
Those who drove across certain U.S. border lines may have had their faces and license plates breached through a cyber attack. The federal agency only admitted the problem in June 2019 — and it may have affected just 100,000 people. Still, the federal agency wouldn't give any additional details, such as which border crossings were affected, or even which countries, to help people know if the issue may involve them or not.
U.S. Customs and Border Protection ended up pointing the finger at a subcontractor moving the data from its site to a company network. They also tried to reassure people that passports and other travel data weren't involved.
Capital One hack impacted 100M Americans
In July this year, Capital One bank admitted to a "data security incident" which had occurred in March, and said the incident may have impacted about 100 million people in the US, plus a further six million in Canada.
The stolen data included customer names, addresses, birth dates, credit ratings and more. The hacker was said to have worked alone and broke into Capital One's systems through a "configuration vulnerability" which was discovered by the company on July 17.
Thankfully, credit card numbers and customer login details were not accessed. However, Capital One admitted that Social Security numbers of 140,000 US customers and one million Canadian customers were stolen.
Words With Friends players. Every single one of them
In September, the hugely popular Scrabble-like game Words With Friends was subject to a huge data breach. Speaking to The Hacker News, well-known Pakistan-based hacker Gnosticplayers claimed they had stolen the user details of all 218 million mobile players of Words With Friends. That's every single person who has played the game on a smartphone.
Player names, email addresses, login IDs, hashed passwords and Zynga IDs were stolen. For some players, the stolen data also included their password reset tokens, phone number, and Facebook ID.
Elasticsearch server left 1.2 billion people exposed
You know your data breach is bad when it's measured in the billions. That's exactly the case for Elasticsearch, a firm which offers its self-titled open-source search and analytics engine. In October, an Elasticsearch server with no password protection was discovered, giving anyone access to over 4TB of data.
This data included the personal information of more than 1.2 billion people, including their names, email addresses and phone numbers, plus their public LinkedIn and Facebook profile information. The data appeared to have come from two different data enrichment companies, called People Data Labs and OxyData.Io.
Macy's hit with malware
Macy's found suspicious code injected into the Macys.com web site, which grabbed information from shoppers as they checked out from the online store, and removed it on October 15. But they didn't inform customers until nearly a month later on November 14, 2019.
The hack affected not just names and address information but also details about the way they paid, from account numbers of payment cards to security codes and expiration dates. Customers affected got 12 months of Experian IdentityWorks protection for free, but the move may not have come fast enough to keep the brand from suffering a stock dive on the news.
Disney+ users got hacked immediately
Just hours after Disney launched its highly-anticipated Disney+ streaming service in November, customers began complaining en masse about being locked out of their accounts.
Although many said their accounts had been hacked and blamed a lack of security on Disney's part, the likely answer is that the users fell victim to what's known as credential stuffing. This happens when users sign up with an email address and password combination which they've also used elsewhere, with a service which has itself been hacked.
These pairs of usernames and passwords are sold online to hackers who use automated software to try them with other websites and services, like Disney+. When one works, it is sold for a few dollars.
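From the defending service's side, credential stuffing shows up in login logs as one source trying many different accounts and succeeding on only a few. The detector below is an added example, not part of the original article or any vendor's product; the event format, thresholds and function name are assumptions, and the log lines are constructed.

```python
from collections import defaultdict

# Constructed login events: (source_ip, username, success).
# 198.51.100.0/24 and 203.0.113.0/24 are reserved documentation ranges.
EVENTS = [
    ("198.51.100.7", "dana@example.com", False),
    ("198.51.100.7", "dana@example.com", True),   # one user mistyping a password
] + [("203.0.113.9", f"user{i}@example.com", i == 17) for i in range(40)]

def flag_stuffing_sources(events, min_accounts=20, max_success_ratio=0.1):
    """Flag sources that try many distinct accounts with a low success ratio.

    Returns {ip: [accounts that logged in successfully from that ip]}; those
    accounts are the ones to lock and force through a password reset.
    Thresholds are illustrative assumptions, not recommended values.
    """
    tried = defaultdict(set)       # ip -> distinct usernames attempted
    succeeded = defaultdict(set)   # ip -> usernames with a successful login
    attempts = defaultdict(int)    # ip -> total login attempts
    for ip, user, ok in events:
        attempts[ip] += 1
        tried[ip].add(user)
        if ok:
            succeeded[ip].add(user)

    flagged = {}
    for ip, users in tried.items():
        ratio = len(succeeded[ip]) / attempts[ip]
        if len(users) >= min_accounts and ratio <= max_success_ratio:
            flagged[ip] = sorted(succeeded[ip])
    return flagged
```

A production detector would also group by network block and user agent, since stuffing traffic is usually spread across many source addresses.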
Twitter had its own issues
Twitter fell into the same sticky mess as Facebook in November when it admitted that some of its users also accidentally gave permission to some rogue Android apps to see their recent tweets, user names and email addresses too. That concern sprang six months after Twitter admitted it had shared some data with ad partners that users had thought was private.
That information — from country codes to whether someone had engaged with an ad — was locked down again in August, Twitter admitted online. But the problem traced back to May of 2018, and Twitter is potentially looking at a GDPR fine.
TrueDialog failed to protect millions of text messages
In December, the private details of millions of Americans were left exposed for anyone to see on a massive database of text messages held by TrueDialog.
The decade-old firm works with over 900 cell phone operators, who use the service to contact more than five billion people globally, via services like marketing text messages, emergency alert systems, and education SMS services.
The leaky server, which contained millions of unencrypted messages and was not protected by a password, was discovered by cybersecurity company vpnMentor. Anyone could view the text messages held by the server, then use the private information to conduct phishing campaigns, or sell the data to other parties.
Data exposed by the unprotected server included:
- Full names of recipients, TrueDialog account holders and TrueDialog users
- Content of messages
- Email addresses
- Phone numbers of recipients and users
- Dates and times messages were sent
- Status indicators on messages, like read receipts
- TrueDialog account details