Today, the vast majority of successful organizations invest a great deal of time, money and resources in their security. With the endless media coverage of the latest data breaches, targeting even the most elite of organizations, it is no surprise.
The constant evolution of threats and vulnerabilities leaves no business completely immune. Today, we highlight the financial and brand impacts caused by some of the most significant breaches to date. The following list is organized by the total number of impacted users, in ascending order.
Between the months of February and March 2014, eBay found itself the unfortunate victim of a data breach of encrypted passwords. Ultimately, the resulting impact led eBay to require its 145 million users to reset their passwords. The threat actors involved had allegedly used a set of staff credentials to gain entry to a proverbial mountain of user data. The information stolen included encrypted passwords and personal information, including names, email addresses, home addresses, phone numbers and dates of birth. Details of the breach were released in May 2014, after a month-long investigation by eBay.
In September 2017, Equifax, one of the three largest consumer credit reporting agencies in the United States of America, publicized that its systems had been breached, compromising the personal data of 148 million Americans. The data compromised included names, addresses, telephone numbers, dates of birth, social security numbers, and driver’s license numbers. In addition, credit card information of nearly 209,000 customers was also exposed in this data breach. To this date, the sensitivity of the information processed by Equifax sets a new precedent for the impact a breach can have on the organization and its customers.
Today, the connectivity of every facet of our lives seems to land on the internet. To keep fit, millions of fitness fanatics the world over log their journey through MyFitnessPal, a diet and exercise application. In February of 2018, MyFitnessPal endured a massive data breach. The exposed details included email addresses, IP addresses, login credentials and more. What made this breach so sinister is that, in 2019, much of this sensitive data landed on the dark web and began circulating, ultimately landing on the information security website “Have I Been Pwned.”
Back in June of 2012, the professional networking platform LinkedIn made the grim announcement that it had suffered a data breach, with the initial indication of 6.5 million users impacted. We did not learn of the true reach of the impacts until 2016, when it was announced that a massive 165 million users’ accounts had been compromised, including over 117 million hashed passwords.
As a result of the data breach, other service providers, including Netflix, forced their own users to change all passwords that resembled their LinkedIn password. To date, it is still not clear exactly why LinkedIn did not pursue further investigation into the original breach in 2012.
In May 2018, the social media giant Twitter advised all users that it had identified a glitch that stored unmasked passwords in an internal log, leaving user passwords accessible on the internal network, a glitch that went undiscovered for months. Though Twitter did not disclose the number of users impacted, it indicated the number was significant, advising all 330 million users to change their passwords as a precaution.
In November 2018, in line with PIPEDA, Marriott International made the grim announcement that threat actors had stolen the collective personal data of 500 million Starwood hotel customers. As discussed in previous Packetlabs blogs, a persistent threat actor will not always act immediately. During the investigation, it was discovered that the hackers had gained access in 2014, remaining active during Marriott’s acquisition of Starwood in 2016.
The information that was exposed included contact information, names, passport details, travel information and other personal data. The New York Times declared the breach the work of Chinese intelligence, seeking to collect data on US citizens. If this holds true, it would be, to date, one of the largest breaches involving personal data by a nation-state threat actor.
Speaking of state actors, Yahoo disclosed it had reason to believe state-sponsored actors were responsible for a cyber-attack the organization endured in 2014. Among the compromised data were full names, email addresses, phone numbers, hashed passwords, birth dates and more. Having ultimately failed to investigate the breach, Yahoo did not publicly announce it until 2016, following an incident in which a stolen database made its way to the dark web.
It is no secret that North Americans love their social media, with most individuals logging in daily to keep up with the latest in social news and media. In April of 2019, the cyber risk team at UpGuard revealed that two third-party Facebook application datasets had been wide open to the public internet. The most significant of the two, Cultura Colectiva, contained records of 540 million, detailing account names, passwords, likes, comments and more!
In August 2013, Yahoo disclosed the details of a data breach it endured at the hands of a group of hackers. The exposed data included security passwords and answers, which greatly increase the risk of identity theft for Yahoo users. In December of 2016, in final negotiations to sell to Verizon, Yahoo forced all of its users to change their passwords and re-enter security questions, encrypting those not already protected. Perhaps unsurprisingly, in October of 2017, Yahoo revised its previous estimate to a massive 3 billion user accounts. To date, this remains one of the most impactful breaches in history.
Data breaches are here to stay and they’re happening now more than ever. Regardless of the size, industry or maturity of your organization, it is recommended that all businesses remain on top of their security. To maximize security, Packetlabs recommends, at minimum, annual penetration testing as well as additional testing when any significant changes are completed. If you would like to learn more about what Packetlabs can do for your organization, contact us today!