Some of 2019’s Most Notable Cyber Breaches…So Far
From Collection #1 to Facebook’s plaintext password gaffe, 2019 has been a rollercoaster year so far.
We have only just entered the second half of the year, and so far, 2019 certainly hasn’t left us short of security disaster stories, with a number of high-profile cyber breaches having been revealed already.
A month rarely seems to pass without a significant cyber attack, data breach or IT slip-up, and this is a pattern that has been present for several years now.
While companies, governments and organisations the world over are continuing to improve their cyber standards – and defences – the rapid pace of change, combined with the ever-improving technological capabilities of bad actors are contributing to the perilous cyber landscape we find ourselves traversing today.
Here are some of the most notable cybersecurity incidents of 2019 (so far…)
2019 started off with an almighty bang in the form of Collection #1, which at that point was the largest data breach ever discovered. An astounding 777,904,991 email addresses and more than 21 million unique passwords were exposed in the breach.
Initially reported by security researcher Troy Hunt, who runs the Have I Been Pwned website, the data was believed to have been a combination of “many different individual data breaches from literally thousands of different sources”.
Hunt said that the data first appeared in a folder on cloud storage and file hosting service, MEGA, before it was posted online. The folder consisted of more than 12,000 files, totalling 87GB and 2,692,818,238 rows.
A US-based cybersecurity firm, Recorded Future, reported at the time that it had identified the hacker responsible for assembling the cybercriminal treasure trove. A hacker going by the name of Corpz was believed to have collected the data over a period of nearly three years. Records from companies that were hacked previously, whose data was subsequently exposed or sold online made up the lions share of the collection.
Find out more here.
In May, news aggregation platform Flipboard revealed it had fallen foul to a huge security breach. Hackers were able to access the platform’s database systems for more than nine months, the company lamented.
The database in question was used by the firm to store users’ account information, which included sensitive information such as usernames, email addresses and encrypted passwords.
While passwords were unreadable and difficult to crack, Flipboard advised users to reset their passwords if they had been set prior to the 14th of March 2012. Passwords created before this date had been scrambled with a weaker SHA-1 algorithm, the company conceded.
This data breach also exposed a significant number of users’ digital account tokens, which are used to connect a Flipboard account to third-party services or social media accounts.
Arguably the most concerning aspect of this breach was the vast period of time during which the database was exposed. In a statement, Flipboard confirmed that the hacks took place between the 2nd of June 2018 and 23rd of March 2019. A second breach also occurred between the 21st and 22nd of April 2019.
Find out more here.
At times it feels as if Facebook enjoys the misery of repeated scandals. Not content with its tedious recovery from the Cambridge Analytica debacle, in March it was revealed that hundreds of millions of user passwords had been exposed.
The social media giant found that upwards of 500 million user passwords had been stored in plaintext within its internal storage systems.
This major blunder, according to Facebook’s VP of Engineering, Security and Privacy, “caught our attention because our login systems are designed to mask passwords using techniques that make them unreadable”.
Plaintext passwords are believed to date back as far as 2012 and were accessible to around 2,000 engineers and developers at the firm.
In a statement, the Facebook emphasised that the passwords were “never visible to anyone outside of Facebook” and that its investigation had found “no evidence to date that anyone internally abused or improperly accessed them”.
To add insult to injury, several weeks later the company announced that the incident also affected “millions” of Instagram users and not the “tens of thousands” that were previously thought to have been impacted.
In an update to its initial blog post on the breach, the company said: “We discovered additional logs of Instagram passwords being stored in a readable format. We now estimate that this issue impacted millions of Instagram users. We will be notifying these users as we did the others.”
Find out more here.
Home Office Blunder Reveals EU Nationals’ Information
In April, the Home Office offered an apology to hundreds of EU nationals living in the UK after an IT blunder saw their details exposed.
The government department had contacted a number of EU nationals applying for settled status to resubmit their information. However, a failure to use the ‘blind CC’ option on the email revealed the details of other applicants.
Following the “administrative error” the Home Office apologised to those affected and even requested that recipients delete the email in question.
“The deletion of the email you received from us on 7 April would be greatly appreciated,” the Home Office wrote in a message of apology.
A spokesperson for the department commented at the time: “In communicating with a small group of applicants, an administrative error was made which meant other applicants’ email addresses could be seen.
“As soon as the error was identified, we apologised personally to the 240 applicants affected and have improved our systems and procedures to stop this occurring again.”
The Home Office said it had improved its procedures for dealing with citizens’ personal information after the blunder.
Find out more here.
Windrush Data Breach
Another blunder in April saw the Home Office expose the personal details of Windrush compensation scheme applicants.
Another “administrative error” by the department allowed applicants to the Windrush compensation scheme see other people’s email addresses. Five batches of emails were involved in this particular incident, with each containing around 100 recipients.
Immigration Minister Caroline Nokes “unreservedly” apologised at the time and acknowledged that an “administrative error” had been the cause of the blunder.
In April of this year, car manufacturer Toyota announced a significant data breach which saw as many as 3.1 million customers and employees affected. The attack was launched on dealerships in Japan and followed a previous cyberattack on Toyota Australia in February.
At the time, reports suggested that up to eight of the company’s subsidiaries and dealerships were targeted in the attack, with hackers gaining access to the firm’s internal computer systems. Employment details, dates of birth and names were all believed to have been exposed in the breach.
In a statement, Toyota said: “Information that may have been leaked this time does not include information on credit cards”.