Andrei Nichol E. Castro
1. Yahoo
The company first publicly announced the incident – which it said took
place in 2013 – in December 2016. At the time, it was in the process of
being acquired by Verizon and estimated that account information of
more than a billion of its customers had been accessed by a hacking
group. Less than a year later, Yahoo announced that the actual figure of
user accounts exposed was 3 billion. Yahoo stated that the revised
estimate did not represent a new “security issue” and that it was sending
emails to all the “additional affected user accounts.”
Despite the attack, the deal with Verizon was completed, albeit at a
reduced price. Verizon’s CISO Chandra McMahon said at the time:
“Verizon is committed to the highest standards of accountability and
transparency, and we proactively work to ensure the safety and security
of our users and networks in an evolving landscape of online threats. Our
investment in Yahoo is allowing that team to continue to take significant
steps to enhance their security, as well as benefit from Verizon’s
experience and resources.” After investigation, it was discovered that,
while the attackers accessed account information such as security
questions and answers, plaintext passwords, payment card and bank data
were not stolen.
2. Alibaba
Over an eight-month period, a developer working for an affiliate
marketer scraped customer data, including usernames and mobile
numbers, from the Alibaba Chinese shopping website, Taobao, using
crawler software that he created. It appears the developer and his
employer were collecting the information for their own use and did not
sell it on the black market, although both were sentenced to three years
in prison.
3. LinkedIn
Professional networking giant LinkedIn saw data associated with 700
million of its users posted on a dark web forum in June 2021, impacting
more than 90% of its user base. A hacker going by the moniker of “God
User” used data scraping techniques by exploiting the site’s (and others’)
API before dumping a first information data set of around 500 million
customers. They then followed up with a boast that they were selling the
full 700 million customer database. While LinkedIn argued that as no
sensitive, private personal data was exposed, the incident was a violation
of its terms of service rather than a data breach, a scraped data sample
posted by God User contained information including email addresses,
phone numbers, geolocation records, genders and other social media
details, which would give malicious actors plenty of data to craft
convincing, follow-on social engineering attacks in the wake of the leak.
4. Sina Weibo
With over 600 million users, Sina Weibo is one of China’s largest social
media platforms. In March 2020, the company announced that an
attacker obtained part of its database, impacting 538 million Weibo users
and their personal details including real names, site usernames, gender,
location, and phone numbers. The attacker is reported to have then sold
the database on the dark web for $250.
5. Facebook
In April 2019 two datasets from Facebook apps had been exposed to the
public internet. The information related to more than 530 million
Facebook users and included phone numbers, account names, and
Facebook IDs. However, two years later (April 2021) the data was posted
for free, indicating new and real criminal intent surrounding the data. In
fact, given the sheer number of phone numbers impacted and readily
available on the dark web because of the incident, security researcher
Troy Hunt added functionality to his HaveIBeenPwned (HIBP) breached
credential checking site that would allow users to verify if their phone
numbers had been included in the exposed dataset.
6. Marriott International
Hotel Marriott International announced the exposure of guest records
belonging to half a million Starwood guests following an attack on its
systems in September 2018. In a statement published in November the same year,
the hotel giant said: “On September 8, 2018, Marriott received an alert
from an internal security tool regarding an attempt to access the
Starwood guest reservation database. Marriott quickly engaged leading
security experts to help determine what occurred.”
7. Yahoo
9. MySpace
Though it had long stopped being the powerhouse that it once was,
social media site MySpace hit the headlines in 2016 after 360 million
user accounts were leaked onto both LeakedSource.com and put up for
sale on dark web market The Real Deal with an asking price of 6 bitcoin
(around $3,000 at the time).
10. NetEase
12. LinkedIn
Making its second appearance on this list is LinkedIn, this time in reference
to a breach it suffered in 2012 when it announced that 6.5 million
unassociated passwords (unsalted SHA-1 hashes) had been stolen by
attackers and posted onto a Russian hacker forum. However, it wasn’t
until 2016 that the full extent of the incident was revealed. The same
hacker selling MySpace’s data was found to be offering the email
addresses and passwords of around 165 million LinkedIn users for just 5
bitcoins (around $2,000 at the time). LinkedIn confirmed that it had been
made aware of the breach, and said it had reset the passwords of affected
accounts.
13. Dubsmash
In December 2018, New York-based video messaging service Dubsmash
had 162 million email addresses, usernames, PBKDF2 password hashes,
and other personal data such as dates of birth stolen, all of which was
then put up for sale on the Dream Market dark web market the following
December. The information was being sold as part of a collected dump
also including the likes of MyFitnessPal (more on that below), MyHeritage
(92 million), ShareThis, Armor Games, and dating app CoffeeMeetsBagel.
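The two password-storage schemes named above (LinkedIn's 2012 unsalted SHA-1 hashes and Dubsmash's PBKDF2 hashes) differ in how much an exposed database gives away. The following Python script is an added illustration, not code from the original list or from either company: it hashes a constructed set of user records both ways and shows that unsalted SHA-1 produces identical digests for identical passwords (so one lookup recovers every user who chose that password), while a per-user salt plus PBKDF2-HMAC-SHA256 yields distinct, verifiable records. The e-mail addresses, password, and iteration count are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Iterable, Optional

# Constructed sample records (not real breach data): two users who happened
# to pick the same password, which is exactly the case unsalted hashing exposes.
USERS: Dict[str, str] = {
    "alice@example.com": "Summer2012!",
    "bob@example.com": "Summer2012!",
}

# Assumption: an iteration count in line with current PBKDF2-HMAC-SHA256 guidance.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password: str) -> str:
    """2012-era scheme: a single SHA-1 over the bare password, no salt."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> Dict[str, object]:
    """Salted, iterated scheme: store salt, iteration count and digest together."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_pbkdf2(password: str, record: Dict[str, object]) -> bool:
    """Recompute from the stored salt/iterations and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(str(record["salt"])),
        int(record["iterations"]),
    )
    return hmac.compare_digest(digest.hex(), str(record["hash"]))


def count_duplicate_hashes(hashes: Iterable[str]) -> int:
    """Number of distinct digest values shared by more than one user.

    Any value above zero tells a reader of the leaked table which users share
    a password without recovering the password itself.
    """
    return sum(1 for _, n in Counter(hashes).items() if n > 1)


def compare_schemes(users: Dict[str, str] = USERS) -> Dict[str, object]:
    """Hash the same user set both ways and summarise what each table reveals."""
    sha1_table = {u: unsalted_sha1(p) for u, p in users.items()}
    pbkdf2_table = {u: pbkdf2_record(p) for u, p in users.items()}
    return {
        "sha1_duplicates": count_duplicate_hashes(sha1_table.values()),
        "pbkdf2_duplicates": count_duplicate_hashes(
            str(r["hash"]) for r in pbkdf2_table.values()),
        "pbkdf2_verifies": all(
            verify_pbkdf2(users[u], r) for u, r in pbkdf2_table.items()),
        "pbkdf2_rejects_wrong": not any(
            verify_pbkdf2("not-the-password", r) for r in pbkdf2_table.values()),
    }


if __name__ == "__main__":
    for key, value in compare_schemes().items():
        print(f"{key}: {value}")
```

The point for a defender reviewing a breached table is in the first two counters: with unsalted SHA-1 the duplicate count is non-zero and a single precomputed digest matches every user who chose that password, whereas with a random 16-byte salt each PBKDF2 record is unique and must be attacked one user at a time at the cost of the full iteration count per guess.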
14. Adobe
In early October 2013, Adobe reported that hackers had stolen almost three
million encrypted customer credit card records and login data for an
undetermined number of user accounts. Days later, Adobe increased that
estimate to include IDs and encrypted passwords for 38 million “active
users.” Security blogger Brian Krebs then reported that a file posted just
days earlier “appears to include more than 150 million username and
hashed password pairs taken from Adobe.” Weeks of research showed
that the hack had also exposed customer names, passwords, and debit and
credit card information. An agreement in August 2015 called for Adobe to
pay $1.1 million in legal fees and an undisclosed amount to users to settle
claims of violating the Customer Records Act and unfair business
practices. In November 2016, the amount paid to customers was reported
to be $1 million.