Security News

Top 10 Biggest Data Breaches in 2018

Martin Hron, 20 December 2018

There have been many, so let’s count down some of the year’s biggest data breaches.

As we look back at the year, it’s impossible not to acknowledge the rampant data breaches that caused such chaos for what seemed to be all 52 weeks of the year. The secret and sensitive data of literally hundreds of millions of people has been torn open and exposed, then aggregated on various dark web lists for sale. Data breaches are a terrifying top trend in the cybercrime world that shows no sign of slowing any time soon.

If your info has been compromised in one of these unfortunate events, we have covered how to survive a data breach, but there are many whose recovery from a breach was a nightmarish climb back to sanity. For the morbidly curious, let’s take a closer look at our top 10 data breaches of 2018.

The interesting thing is, while some data breaches are deliberate attacks, others are simply neglected databases that security auditors find lying around the web like unguarded, unlocked safes. Our list contains some of each. In descending order, counting down some of the biggest data breaches of the year, what follows is the worst of the worst.

#10 — Panera

Number of victims: 37 million
Who was targeted: All PaneraBread.com customer accounts
What data was exposed: Names, email and physical addresses, birthdays, and the last four digits of the customers’ credit card numbers
Timeframe: Disclosed April 2018
What happened: Despite being warned by a cybersecurity expert in August 2017 that their website was leaking data, the Panera IT team failed to act until 8 months later when it announced the leak and took the site down for security maintenance.

#9 — Newegg

Number of victims: 50 million
Who was targeted: Newegg online shoppers
What data was exposed: Credit card info
Timeframe: August 14, 2018 - September 18, 2018
What happened: The online retailer was hacked by the cybergang Magecart, who injected credit card skimming code into the Newegg website. Whenever a customer bought something online, that payment info went straight to Magecart’s command-and-control (C&C) server.
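The Newegg incident is a case of page tampering: an extra script on the checkout page sends form data to a server the site owner never intended. One way a defender catches that is to record a baseline of every script the page legitimately loads (external URLs plus SHA-256 hashes of inline script bodies) and audit the served page against it. The following is an added illustration, not code from the article or from Newegg; the page contents, the `static.shop.example` and `.invalid` hostnames are constructed for the demo, and the `baseline_allowlist`/`audit_page` helpers are hypothetical names.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external <script src> URLs and inline <script> bodies from a page."""

    def __init__(self):
        super().__init__()
        self.external = []      # src attribute values
        self.inline = []        # raw bodies of inline scripts
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self._in_script = False
            self.inline.append("".join(self._buf))


def _sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def baseline_allowlist(known_good_html: str):
    """Build the allowlist from a page you have reviewed and trust."""
    p = ScriptCollector()
    p.feed(known_good_html)
    return set(p.external), {_sha256_hex(body.strip()) for body in p.inline}


def audit_page(html: str, allowed_urls, allowed_inline_hashes):
    """Return a list of (finding, detail) for every script not in the baseline."""
    p = ScriptCollector()
    p.feed(html)
    findings = []
    for src in p.external:
        if src not in allowed_urls:
            findings.append(("unexpected-external-script", src))
    for body in p.inline:
        digest = _sha256_hex(body.strip())
        if digest not in allowed_inline_hashes:
            findings.append(("unexpected-inline-script", digest))
    return findings


# Constructed sample: the checkout page as the site owner published it.
GOOD_PAGE = """<html><head>
<script src="https://static.shop.example/checkout.js"></script>
<script>
  window.shopConfig = {currency: "USD"};
</script>
</head><body><form id="pay"></form></body></html>"""

# Constructed sample: the same page with two scripts the baseline never had.
INJECTED = ('<script src="https://cdn.not-ours.invalid/checkout.js"></script>'
            '<script>/* constructed: an inline script absent from the baseline */</script>')
TAMPERED_PAGE = GOOD_PAGE.replace("</body>", INJECTED + "</body>")


if __name__ == "__main__":
    urls, hashes = baseline_allowlist(GOOD_PAGE)
    print("clean page:", audit_page(GOOD_PAGE, urls, hashes))
    print("tampered page:", audit_page(TAMPERED_PAGE, urls, hashes))
```

Running this kind of check from a scheduled job that fetches the live page gives you a signal the moment an unexpected script appears; pairing it with a Content-Security-Policy that restricts `script-src` and `connect-src` to your own origins limits what an injected script could do even before the alert fires.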

#8 — Elasticsearch

Number of victims: 82 million (57M consumers, 26M businesses)
Who was targeted: Users and online businesses across the internet
What data was exposed: From individual users — names, email and physical addresses, phone numbers, IP addresses, employers, and job titles. From businesses — names, company details, zip codes, carrier routes, latitudes/longitudes, census tracts, phone numbers, web addresses, email addresses, employee count, revenue numbers, NAICS codes, SIC codes, and more.
Timeframe: Discovered November 14, 2018
What happened: This is one of those cases we mentioned above where a regular security audit led to a researcher stumbling upon over 80 million records of sensitive, aggregated data. It is unknown how long the databases were sitting unguarded and who, if anyone, has had the opportunity to copy and steal all the data. Cybersecurity experts believe they have tracked down the source of the unguarded databases to a data management company that has since closed its doors, but it is still officially unknown.

#7 — Facebook

Number of victims: 87 million
Who was targeted: Facebook users
What data was exposed: Profile info, political beliefs, friend networks, private messages
Timeframe: Disclosed September 2018
What happened: This is the notorious Cambridge Analytica scandal where the data-collecting firm illegally harvested users’ info without their permission. The secret operation was politically motivated—namely, to influence the 2016 US presidential campaign. And though the breach occurred a couple years ago, it’s only this year that investigatory conclusions have come out, giving us a clearer picture of what happened.

#6 — MyHeritage

Number of victims: 92 million
Who was targeted: MyHeritage users
What data was exposed: Email addresses and hashed passwords
Timeframe: Alerted June 2018
What happened: Cybersecurity researchers alerted the genealogy site in June 2018 that an outside server had been discovered with sensitive MyHeritage info. The company confirmed the info was legitimate and alerted its users that any account holders who signed up earlier than October 26, 2017 were at risk and should change their passwords.

#5 — Quora

Number of victims: 100 million
Who was targeted: Quora users
What data was exposed: Names, email addresses, hashed passwords, profile data, public and non-public actions
Timeframe: Discovered December 3, 2018
What happened: Many questions still surround the details of this breach, but the question-and-answer site reported to its users that a third party had gained unauthorized access to one of their systems, expounding no further.

#4 — Under Armour

Number of victims: 150 million
Who was targeted: MyFitnessPal users
What data was exposed: User names, email addresses, hashed passwords
Timeframe: Late February 2018
What happened: The company’s food and nutrition app was hacked, opening up the above info to the attackers, but not, thankfully, any payment info, which the company processes through a separate channel.

#3 — Exactis

Number of victims: 340 million (230M consumers, 110M businesses)
Who was targeted: Users and businesses across the internet
What data was exposed: Over 400 categories of detail, such as phone numbers, email and physical addresses, interests, ages, religions, pet ownership, etc.
Timeframe: June 2018
What happened: Data collection firm Exactis somehow had 2 terabytes of data relocated to a public site for all to see. It’s unknown who or how many people accessed the info before it was discovered.

#2 — Starwood

Number of victims: 500 million
Who was targeted: Starwood guests
What data was exposed: Names, email and physical addresses, phone numbers, passport numbers, account info, birth dates, gender, travel info, and accommodation info. Some of the breached info also included hashed credit card info.
Timeframe: Discovered September 10, 2018, but could have stretched as far back as 2014
What happened: Like many of the other official breach statements, the Marriott-owned hotel chain issued a statement that its servers had suffered “unauthorized access,” but recent discoveries from the investigation indicate the breach may have been caused by the Chinese government for political purposes.

#1 — Aadhaar

Number of victims: 1.1 billion
Who was targeted: Indian citizens
What data was exposed: Aadhaar numbers, names, email and physical addresses, phone numbers, and photos
Timeframe: August 2017 - January 2018
What happened: Anonymous sellers over WhatsApp charged Rs 500 and lower for a portal into India’s Unique Identification Authority where the records of virtually every citizen were at the payer’s fingertips.

What to do if your password was stolen in a data breach

If you fear you may be a victim of any of these incidents or others, immediately:

  • Change any and all passwords similar to the password that was breached (and get out of the habit of reusing passwords in the first place). Make your login credentials uncrackable by following today’s best password practices. And never send 2FA codes to anyone.
  • Be wary of suspicious SMS or emails that claim to be from your bank or insurance company — or any company for that matter — as impersonations are especially common in the aftermath of data breaches.
  • Use caution when providing data that may not be necessary for any online account you have set up (like a passport number for booking a hotel room), and always monitor your credit score for changes, which could indicate identity theft.

Looking ahead — How to protect yourself in 2019

We must at all costs avoid falling into the jaded mindset of “another day, another data breach,” because protecting your personal information matters now more than ever before. If you’ve ever provided personal data to any company, either online or offline, I’m sorry to say that you are a potential target of cybercrime.

The stark reality is that any experienced hacker, if he or she works hard enough, will eventually gain access to an unprotected organization. So instead of blindly putting faith in companies’ privacy policies, individuals must educate themselves and not trust anyone to be a good custodian of their private information. Here are a few simple actions you can take to keep yourself in the “Unharmed” category for 2019.

Use a password manager

No excuses. Password manager tools work on your desktop, mobile phone, and tablet. Using them means you can assign every account you have a unique, complex password, but you yourself need only remember one. This ensures that any data breach that includes your credentials won't “bleed over” into other accounts.

Remember, if you ever feel your information has been breached, you can search your own email address on an aggregated stolen password site, like Avast Hack Check, and it will let you know if the password to that account has been leaked. And, yes, it’s always better to know.

Whenever possible, activate 2FA

By activating two-factor authentication, even if attackers have your username and password, they still cannot log in to your account without the second factor. And definitely use 2FA on your email account if you can.

Have a safe new year, everyone!