It’s not just individuals who are facing the dangers of data hacks and breaches. This threat is prevalent on all levels – for individuals, businesses, and governments.
These issues are becoming more serious. The occurrences are becoming more frequent, affected number of people are growing exponentially and the type of information being leaked is simply dangerous.
Here’s the list of 2019’s most prominent hacks and breaches – from personal records to mismanagement of data to outright horrific technology rollouts.
January
Singapore H.I.V. Registry Disclosed (14,200 Patients Affected) – January 28, 2019
A story of love, deception, betrayal, and fraud.
The Singaporean Ministry of Health has released a statement on January 28, 2019, revealing that 14,200 patient records in the nation’s H.I.V. registry were illegally obtained and disclosed online.
This story begins with Mikhy K Farrera Brochez, an American citizen who claimed to be a child prodigy who entered Princeton University at the age of 13. He had forged all the paperwork around his academic background to boot.
Mikhy could not legally work in Singapore due to the country’s policy around banning foreigners with H.I.V. from working.
He then entered a romantic relationship with a local doctor who provided his own blood to provide a false negative for H.I.V. tests. The boyfriend and doctor, by the name of Ler Teck Siang, was the Head of the Ministry of Health’s National Public Health Unit from 2012 to 2013.
This scheme worked for Mikhy for several years until in 2016 when he was arrested for drug possession. He was caught with ketamine and cannabis.
Mikhy obtained the H.I.V. registry through Der’s credentials and disclosed them online.
The information included their name, identification number, contact details (phone number and address), HIV test results and related medical information. The name, identification number, phone number and address of 2,400 individuals identified through contact tracing up to May 2007 were also included.
Over 5,400 Singaporeans and 8,800 foreigners diagnosed with H.I.V. were affected.
Source: Government of Singapore, Ministry of Health.
Apple FaceTime Bug (Caller Heard Audio Before the Call Was Accepted) – January 29, 2019
2019 started off a little bit scary for Apple customers as a FaceTime bug allowed callers – even random ones – to listen in on any iOS user.
The bug essentially was reproduced by adding your own number to the FaceTime call while the call was ringing. The bug affected all iOS devices running iOS 12.1+.
This story unfolded to an even bigger security issue.
Now you can answer for yourself on FaceTime even if they don’t answer🤒#Apple explain this.. pic.twitter.com/gr8llRKZxJ
— Benji Mobb™ (@BmManski) January 28, 2019
Another bug came to light – this time, a more serious one than the last. This new bug not only allowed audio eavesdropping but also turned on your camera. Essentially, anyone who wished to use this bug could access any iOS users’ video and audio.
Source: 9to5mac
February
617 Million Stolen Account Details Up For Sale on the Dark Web – February 11, 2019
A cybercriminal started selling stolen accounts credentials from 16 websites. The seller confirmed there has been at least one buyer.
Some account details relate to hacks dating back in 2017, whereas some account details are more recent. The full list of companies and numbers is listed below:
- Dubsmash (162 million)
- MyFitnessPal (151 million)
- MyHeritage (92 million)
- ShareThis (41 million)
- HauteLook (28 million)
- Animoto (25 million)
- EyeEm (22 million)
- 8fit (20 million)
- Whitepages (18 million)
- Fotolog (16 million)
- 500px (15 million)
- Armor Games (11 million)
- BookMate (8 million)
- CoffeeMeetsBagel (6 million)
- Artsy (1 million)
- DataCamp (700,000)
The seller is selling the account details from 0.3 BTC to 0.549 BTC per website. In total, at the time of posting, the entire dump was on sale for less than $20,000 worth in BTC.
Companies like CoffeeMeetsBagel received extra flack due to the sensitivity of the data contained in the accounts.
Dalil, a Saudi Caller ID App Leaked Real-Life Data of 5+ Million Users – February 26, 2019
A popular Saudi caller ID app, Dalil App, was recently found using an unsecure MongoDB to store customer data.
The customer data logged:
- Caller Name
- Phone Number
- IP Address (Internal and External)
- Email Address
- SIM ID
- IMEI
- Timestamp
- Cell ID (Location)
- GPS Location
The fact that this data included the full names, phone numbers, email addresses, and location is a serious threat to anyone using the app. To throw salt on the injury, Dalil’s team continued to use this unsecured MongoDB even after receiving a ransom note.
March
763 Million Email Records Leaked From Verifications.io – March 7, 2019
Bob Diachenko, a veteran Cyber Threat Intelligence Director discovered an unsecured MongoDB instance from an email marketing company, Verifications.io. The database was 150 GB in size and contained over 808 million records with 763 unique email addresses.
This database included:
- Name
- Email Address
- Phone Number
- Address
- Gender
- User IP
- Date of Birth
Truly scary times we live in. The data was also cross-referenced with HaveIBeenPwnd and found to be a completely unique set of data, not a collection of old dumps.
The company’s website is no longer active.
Facebook Stored Hundreds of Millions of Passwords in Plaintext – March 21, 2019
Security consultant and investigator Brian Krebs published a story where he revealed that Facebook had been storing millions of user passwords in plaintext for years.
According to an anonymous source, a senior Facebook employee, an internal investigation indicated between 200 million to 600 million Facebook users’ passwords were stored in plaintext and accessible by more than 20,000 Facebook employees.
Krebs’ source also revealed that over 2,000 Facebook engineers had approximately 9 million queries related to the passwords.
Facebook promptly released a press release statement shedding no new information. The statement went onto say, “passwords were never visible to anyone outside of Facebook and we have found no evidence to date that anyone internally abused or improperly accessed them.”
Hundreds of millions of Facebook Lite users, tens of millions of other Facebook users, and tens of thousands of Instagram users were affected.
Source: Krebs on Security
April
12.5+ Million Records of Pregnant Women in India Leaked – April 1, 2019
Another discovery by Bob Diachenko. This time, it involved yet another unsecured MongoDB incident containing a total of 12.5 million records that included critically sensitive patient information.
The database records included all forms that the women had to fill along with family history and medical examination records. The database was also left unprotected for an entire month after the leak was first detected and notified by Bob Diachenko.
Georgia Tech Database Leak of 1.3 Million People – April 2, 2019
On April 2, the VP for IT and CIO of Georgia Tech sent out an email blast titled “Cybersecurity Incident” to all those affected. It read that there has been an “unauthorized access to a web application” that contained “personal information for up to 1.3 million individuals.”
The web application exposed the personal information of current and former faculty members, staff, students and applicants.
The authorities have been notified but there is no word on how they plan on fixing the issue.
It seems that Georgia Tech isn’t all that good at tech.
Source: WSBTV
Bodybuilding.com Leak of 7 Million Registered Users – April 22, 2019
Bodybuilding.com, the biggest website and community dedicated to bodybuilding, announced that their user database has leaked. They urged their users to change their login credentials immediately and said no social security numbers or credit card information were leaked (since they do not store this information in the first place).
It seemed one of the employees was caught in a phishing email. The cybercriminals used this opportunity to access the company’s network and databases.
Although they were not sure whether the customer information was accessed, they still took responsibility on to notify all their customers.
May
1.6 Million AMC Network Subscribers Leaked – May 03, 2019
It’s no surprise to see that Bob Diachenko and his team discovered this leak. AMC Networks left over 1.6 million records of subscribers unsecured. This information included full names, email addresses and subscription details. It also included invoices as well as the last four digits of users’ credit cards.
It also contained video analytics data. AMC, in addition, was unresponsive when contacted.
16 Years of Customer Data Leaked by First American Financial Corp – May 24, 2019
The Fortune 500 real estate title insurance company First American Financial Corp was found to have leaked hundreds of millions of documents dating back to 2003.
The documents included bank account numbers, tax records, social security numbers, receipts, drivers license images and mortgage records.
In total, there were over 885 million files. No authentication was required to access the files.
139 Million Canva Account Credentials Breached – May 24, 2019
Canva, a $2.5 billion online photo editing startup admitted to a security breach affecting over 139 million users.
The hacker known as GnosticPlayers admitted to the crime. The hacker is notorious for breaches; they have taken over 1 billion records to date.
Canva stated that the passwords were all encrypted with bcrypt, one of the standard encryptions widely used today. However, information such as email addresses and real names were included in the data.
150 Million Flipboard User Credentials Breached – May 28, 2019
Flipboard, a news aggregation app with over 150 million users announced a critical data breach of their internal systems.
The internal systems included Flipboard users’ account credentials but did not affect third-party app integrations (such as social media networks).
The kicker? The vulnerability existed for over nine months – the cybercriminal had full access to Flipboard’s database.
Flipboard did not share how many users were affected by this breach; as a precaution, Flipboard reset the passwords for all accounts.
June
US Travelers Biometrics and Images Breached (US Customs) – June 11, 2019
The initial announcement shared less than 100,000 people were affected, but no specific numbers were shared.
CBP shifted the blame to the unnamed subcontractor who apparently broke safety protocols and was in breach of contract.
The subcontractor moved the sensitive files off of the CBP network to their own unsecured network. Then the network was compromised and cybercriminals had full access to travelers’ photos.
CBP also stated that:
- Their own network was not compromised
- None of the images were found on the darknet at the time of the report
- Photographs did not include airline passengers
Ironically, this breach happened at a time when CBP is pushing for the use of facial recognition technology. How can the American public trust the CBP with such technology if they cannot keep the data secure?
July
AMCA Breach Affects 20+ Million – July 17, 2019
This breach dates back to August 1, 2018. The initial reports showed around 11.9 million patients’ data were breached, including personal and medical records, as well as credit card numbers.
Quest Diagnostics assured that laboratory test results were not among the breached data. In June, LabCorp, another laboratory testing company, confirmed they were affected by the same data breach. This breach affected 7.7 million patients.
The latest confirmation comes from Clinical Pathology Laboratories who shared that 2.2 million patient data has been breached in the same AMCA breach.
AMCA filed for bankruptcy.
Capital One Hacked Affecting 100+ Million – July 29, 2019
It wasn’t a great Monday for Capital One Financial Corp – the public financial services holding company shared that over 100 million individuals were affected by a hack.
The suspected hacker who has been arrested? A 33-year-old software engineer from Seattle named Paige Adele Thompson. The hacker supposedly did not have access to credit card account numbers but other customer data such as bank account numbers, social security numbers, and phone numbers were acquired between March 12 and July 17.
Thompson is a former Amazon employee and Capital One had been using Amazon’s web services; she presumably knew more about the vulnerabilities than the average techie.
Apparently, the Capital One hack will cost between $100 to $150 million for customer support and legal issues. In total, 140,000 social security numbers and 80,000 linked bank account numbers were compromised.
How did this hacker get caught? She exposed herself – touting and bragging about her “accomplishments” online. She even went as far as to place the tools and code relevant to the hack on her public GitHub repository which also included her full name and resume. She also bragged about using IPredator and TOR.
August
BioStar 2 Leaks 27.8 Million Records Including Biometric Data – August 13, 2019
Biometric data breach isn’t like a password breach. You can always change your account credentials but you can never change your biometrics.
The fact that BioStar 2 not only stored all these sensitive information unhashed, but the data was apparently easily obtainable through simple URL manipulation. On top of that, the company behind BioStar 2 was unresponsive and uncooperative. It took 8 days to close the breach.
Over 27.8 million records were included in the unsecure Elasticsearch interface. The way BioStar 2 stored the biometrics is a little strange as well. They stored actual fingerprints in their database instead of saving a hashed version of it. It’s the equivalent of storing passwords in plaintext in an unprotected database.
Hostinger DB Breach Leaks 14 Million User Credentials – August 25, 2019
Hostinger is one of the largest web hosting services, often topping the best web hosting rankings. On August 23, 2019, the team received alerts that one of their servers has been accessed by an unauthorized third party. The bigger problem was that the server directly allowed access to the client database via an authorization token.
The database contained over 14 million Hostinger user information including user names, emails, passwords (hashed), names and IP addresses. The database did not contain any financial data such as credit card information or the like since all payment goes through a secure third-party payment processor.
One customer report to media outlets included a chat log where a customer support representative confirmed that financial data can be retrieved but the CEO outright denied any financial data was compromised.
The security hole was closed in two days and Hostinger reset all user login credentials.
September
Unprotected Facebook Database Discovery – 419 Million Records Leaked – September 4, 2019
A security researcher by the name of Sanyam Jain discovered an unprotected database containing over 419 million records of personal information.
A total of 133 million records of Facebook users from the US, 50 million from Vietnam and 18 million from the UK were discovered in an unprotected, unsecured database. The dataset included phone numbers, Facebook IDs, names, genders, and countries.
A Facebook representative shared that “no evidence that Facebook accounts were compromised” and that the data is old.
Multiple security researchers and journalists, on the other hand, verified and confirmed that the dataset matched existing accounts.
This leaves 419 million people susceptible to SIM-swapping scams.