It’s not just individuals who are facing the dangers of data hacks and breaches. This threat is prevalent on all levels – for individuals, businesses, and governments.
These issues are becoming more serious. The occurrences are becoming more frequent, the number of people affected is growing exponentially, and the type of information being leaked is simply dangerous.
Here’s the list of 2019’s most prominent hacks and breaches – from personal records to mismanagement of data to outright horrific technology rollouts.
Singapore H.I.V. Registry Disclosed (14,200 Patients Affected) – January 28, 2019
A story of love, deception, betrayal, and fraud.
The Singaporean Ministry of Health released a statement on January 28, 2019, revealing that 14,200 patient records in the nation’s H.I.V. registry were illegally obtained and disclosed online.
This story begins with Mikhy K Farrera Brochez, an American citizen who claimed to be a child prodigy who entered Princeton University at the age of 13. He had forged all the paperwork around his academic background to boot.
Mikhy could not legally work in Singapore due to the country’s policy banning foreigners with H.I.V. from working.
He then entered a romantic relationship with a local doctor, who supplied his own blood to produce a false negative on H.I.V. tests. The boyfriend and doctor, by the name of Ler Teck Siang, was the Head of the Ministry of Health’s National Public Health Unit from 2012 to 2013.
This scheme worked for Mikhy for several years until 2016, when he was arrested for drug possession. He was caught with ketamine and cannabis.
Mikhy obtained the H.I.V. registry through Ler’s credentials and disclosed it online.
The information included each patient’s name, identification number, contact details (phone number and address), HIV test results and related medical information. The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.
Over 5,400 Singaporeans and 8,800 foreigners diagnosed with H.I.V. were affected.
Apple FaceTime Bug (Caller Heard Audio Before the Call Was Accepted) – January 29, 2019
2019 started off a little bit scary for Apple customers as a FaceTime bug allowed callers – even random ones – to listen in on any iOS user.
The bug was essentially reproduced by adding your own number to the FaceTime call while the call was ringing. The bug affected all iOS devices running iOS 12.1+.
This story unfolded into an even bigger security issue.
Another bug came to light – this time, a more serious one than the last. This new bug not only allowed audio eavesdropping but also turned on your camera. Essentially, anyone who wished to use this bug could access any iOS user’s video and audio.
617 Million Stolen Account Details Up For Sale on the Dark Web – February 11, 2019
A cybercriminal started selling stolen account credentials from 16 websites. The seller confirmed there has been at least one buyer.
Some account details relate to hacks dating back to 2017, whereas others are more recent. The full list of companies and numbers is below:
- Dubsmash (162 million)
- MyFitnessPal (151 million)
- MyHeritage (92 million)
- ShareThis (41 million)
- HauteLook (28 million)
- Animoto (25 million)
- EyeEm (22 million)
- 8fit (20 million)
- Whitepages (18 million)
- Fotolog (16 million)
- 500px (15 million)
- Armor Games (11 million)
- BookMate (8 million)
- CoffeeMeetsBagel (6 million)
- Artsy (1 million)
- DataCamp (700,000)
The seller is offering the account details for between 0.3 BTC and 0.549 BTC per website. In total, at the time of posting, the entire dump was on sale for less than $20,000 worth of BTC.
Companies like CoffeeMeetsBagel received extra flak due to the sensitivity of the data contained in the accounts.
Dalil, a Saudi Caller ID App Leaked Real Life Data of 5+ Million Users – February 26, 2019
A popular Saudi caller ID app, Dalil App, was recently found using an unsecured MongoDB database to store customer data.
The customer data logged:
- Caller Name
- Phone Number
- IP Address (Internal and External)
- Email Address
- SIM ID
- Cell ID (Location)
- GPS Location
The fact that this data included full names, phone numbers, email addresses, and locations is a serious threat to anyone using the app. To rub salt in the wound, Dalil’s team continued to use this unsecured MongoDB database even after receiving a ransom note.
763 Million Email Records Leaked From Verifications.io – March 7, 2019
Bob Diachenko, a veteran Cyber Threat Intelligence Director, discovered an unsecured MongoDB instance belonging to an email marketing company, Verifications.io. The database was 150 GB in size and contained over 808 million records with 763 million unique email addresses.
This database included:
- Email Address
- Phone Number
- User IP
- Date of Birth
Truly scary times we live in. The data was also cross-referenced with Have I Been Pwned and found to be a completely unique set of data, not a collection of old dumps.
The company’s website is no longer active.
Facebook Stored Hundreds of Millions of Passwords in Plaintext – March 21, 2019
Security consultant and investigator Brian Krebs published a story where he revealed that Facebook had been storing millions of user passwords in plaintext for years.
According to an anonymous source, a senior Facebook employee, an internal investigation indicated that between 200 million and 600 million Facebook users’ passwords were stored in plaintext and accessible by more than 20,000 Facebook employees.
Krebs’ source also revealed that over 2,000 Facebook engineers made approximately 9 million queries related to the passwords.
Facebook promptly released a press statement that shed no new light. The statement went on to say, “passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”
Hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users were affected.
Source: Krebs on Security
12.5+ Million Records of Pregnant Women in India Leaked – April 1, 2019
Another discovery by Bob Diachenko. This time, it involved yet another unsecured MongoDB incident containing a total of 12.5 million records that included critically sensitive patient information.
The database records included all the forms that the women had to fill out, along with family history and medical examination records. The database was also left unprotected for an entire month after the leak was first detected and reported by Bob Diachenko.
Georgia Tech Database Leak of 1.3 Million People – April 2, 2019
On April 2, the VP for IT and CIO of Georgia Tech sent out an email blast titled “Cybersecurity Incident” to all those affected. It said that there had been an “unauthorized access to a web application” that contained “personal information for up to 1.3 million individuals.”
The web application exposed personal information of current and former faculty members, staff, students and applicants.
The authorities have been notified but there is no word on how they plan on fixing the issue.
It seems that Georgia Tech isn’t all that good at tech.
Bodybuilding.com Leak of 7 Million Registered Users – April 22, 2019
Bodybuilding.com, the biggest website and community dedicated to bodybuilding, announced that their user database had leaked. They urged their users to change their login credentials immediately and said no social security numbers or credit card information were leaked (since they do not store this information in the first place).
It seems one of the employees fell for a phishing email. The cybercriminals used this opportunity to access the company’s network and databases.
Although they were not sure whether the customer information was accessed, they still took on the responsibility of notifying all their customers.
1.6 Million AMC Network Subscribers Leaked – May 03, 2019
It’s no surprise to see that Bob Diachenko and his team discovered this leak. AMC Networks left over 1.6 million records of subscribers unsecured. This information included full names, email addresses and subscription details. It also included invoices as well as the last four digits of users’ credit cards.
It also contained video analytics data. AMC, in addition, was unresponsive when contacted.
16 Years of Customer Data Leaked by First American Financial Corp – May 24, 2019
The Fortune 500 real estate title insurance company First American Financial Corp was found to have leaked hundreds of millions of documents dating back to 2003.
The documents included bank account numbers, tax records, social security numbers, receipts, driver’s license images and mortgage records.
In total, there were over 885 million files. No authentication was required to access the files.
139 Million Canva Account Credentials Breached – May 24, 2019
Canva, a $2.5 billion online photo editing startup, admitted to a security breach affecting over 139 million users.
The hacker known as GnosticPlayers admitted to the crime. The hacker is notorious for breaches; they have taken over 1 billion records to date.
Canva stated that the passwords were all hashed with bcrypt, a standard password-hashing function widely used today. However, information such as email addresses and real names was included in the data.
150 Million Flipboard User Credentials Breached – May 28, 2019
Flipboard, a news aggregation app with over 150 million users, announced a critical data breach of their internal systems.
The internal systems included Flipboard users’ account credentials but did not affect third-party app integrations (such as social media networks).
The kicker? The vulnerability existed for over nine months – the cybercriminal had full access to Flipboard’s database.
Flipboard did not share how many users were affected by this breach; as a precaution, Flipboard reset the passwords for all accounts.
US Travelers Biometrics and Images Breached (US Customs) – June 11, 2019
The US Customs and Border Protection (CBP) announced that US travelers’ biometrics, photos, and license plate images were recently compromised.
The initial announcement said fewer than 100,000 people were affected, but no specific numbers were shared.
CBP shifted the blame to the unnamed subcontractor who apparently broke safety protocols and was in breach of contract.
The subcontractor moved the sensitive files off the CBP network to their own unsecured network. Then the network was compromised and cybercriminals had full access to travelers’ photos.
CBP also stated that:
- Their own network was not compromised
- None of the images were found on the darknet at the time of the report
- Photographs did not include airline passengers
Ironically, this breach happened at a time when CBP is pushing for the use of facial recognition technology. How can the American public trust the CBP with such technology if they cannot keep the data secure?
AMCA Breach Affects 20+ Million – July 17, 2019
This breach dates back to August 1, 2018. The initial reports showed around 11.9 million patients’ data were breached, including personal and medical records, as well as credit card numbers.
Quest Diagnostics gave assurances that laboratory test results were not among the breached data. In June, LabCorp, another laboratory testing company, confirmed they were affected by the same data breach. This breach affected 7.7 million patients.
The latest confirmation comes from Clinical Pathology Laboratories, which shared that data on 2.2 million patients has been breached in the same AMCA breach.
AMCA filed for bankruptcy.