Choosing the top 10 data breaches from among all cyber attacks required weighing many parameters. The list here takes these factors into account: the number of people affected, the reputation of the organization, the security status of the organization, and how efficiently it responded to the breach.
1. Aadhaar Breach
The Unique Identification Authority of India (UIDAI) suffered a breach in 2018 that put all the records of Aadhaar card holders at risk (Aadhaar is a card that serves as a unique identifier for a citizen). Almost 1.1 billion people were affected, along with their personal information such as phone number, date of birth, etc. This data was being sold on WhatsApp for 500 INR per record. The concerned authorities, such as UIDAI and TRAI, initially kept denying any such incident but later took the matter into consideration.
There is also a funny incident in which the chairman of TRAI claimed that no data had been compromised. The chairman gave his mobile number in a tweet, challenging people to find his address and other personal information. Soon some security researchers came up with all his information and posted it in the comments. One person even placed an order from his number on an e-commerce platform by social engineering a customer support executive. However, it was not clear whether the data had been obtained from the leaked Aadhaar details or just by utilizing OSINT.
2. Starwood Breach
Starwood is a hotel chain whose brand is owned by Marriott International. The company discovered in 2018 that a data breach in 2014 had led to the theft of data on around 500 million users. This data contained personal information including passport numbers, emails, phone numbers, addresses, and credit card numbers. Attackers had access to the database from 2014 until September 2018. Almost everyone who made a booking during this period was affected by the breach.
3. Exactis Breach
In June 2018, a security researcher named Vinny Troia discovered that the US-based data broker company Exactis had one of its databases exposed to the public. The database consisted of 3 terabytes of data related to around 340 million users. This data contained personally identifiable information such as names, phone numbers and residential addresses. Although this data did not include payment information or government identification information, it held personal data on around 30 variables such as religious affiliation, political orientation, interests, etc. Since the company collects data from many sources and some of the data records belonged to well-known businessmen, Exactis faced many lawsuits over the breach.
4. Under Armour Breach
The nutrition app “MyFitnessPal” was hacked, and personal info including emails and hashed passwords was leaked. 150 million users were affected. The company stated that users’ payment info was still secure because the company uses a separate channel for payment processing. The breach happened in late February and was noticed by the company in March. The company stated that, apart from payment information being safe, no sensitive information had been leaked. It also stated that it does not store government identifiers like SSNs.
5. Quora Breach
Quora is a well-known platform for knowledge and experience sharing. The site informed its users in December 2018 that a third party had gained unauthorized access to sensitive data of around 100 million users. This data contained names, emails, phone numbers and hashed passwords.
6. MyHeritage Breach
MyHeritage is an online genealogy platform that helps people determine their ancestors and find relatives based on their DNA. In 2018 some researchers found sensitive data related to MyHeritage users on a third-party server. The sensitive data contained mostly emails and hashed passwords of around 92 million users. After verification, the company informed the users and requested them to change their passwords.
7. Facebook Breach
In October 2018 Facebook announced a data breach of its systems and logged around 90 million people out of their accounts. The attackers had taken advantage of a bug in the “view as” feature to collect authorization tokens that gave them full visibility of users’ data. It was estimated that the data of around 50 million users might have been leaked. Facebook made this prediction on the basis of the number of users that had used the “view as” feature since its addition to the website. Those who had used the feature at least once and were logged into Facebook were logged out to prevent further problems.
8. Elasticsearch Breach
Elasticsearch is a search engine that is based on Java and uses an open source library named Lucene. The company had three misconfigured IP address clusters that exposed the hosted information to the public. The security researchers used the IoT search engine Shodan to demonstrate how easy it was to discover these misconfigured servers. These exposed about 73 GB of user data, including general personal data as well as sensitive data of the affected users.
9. Newegg Breach
Security solutions firm Volexity found that the electronics store's website contained malicious JavaScript code, injected by attackers at some point, that was sending users’ data to a website owned by the attackers. The attackers had registered a website with a domain name containing the phrase “newegg” to avoid raising suspicion. They had also equipped the website with an SSL certificate to further blend in. The company found the code to be suspicious during its audit of the JS files that were being imported by the website during the checkout process. To confirm it, they ran a Whois check against the domain and checked the issue date of the SSL certificate. The attack was disclosed to the public by the company in September 2018, and the credit card info of around 50 million users was suspected to have been leaked.
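The audit described above (list the scripts the checkout page imports, then check each unfamiliar domain's registration and certificate issue date) can be sketched as follows. This is an added example, not Volexity's or Newegg's code: the HTML, the third-party host names, the dates and the 90-day threshold are constructed assumptions, and a fixed table stands in for the Whois and certificate lookups so it runs offline.

```python
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse

BRAND = "newegg"
FIRST_PARTY = ("newegg.com",)   # assumption: the store's own domains
MAX_AGE_DAYS = 90               # assumption: what counts as "recent"

# Constructed checkout page; the two third-party hosts are made up.
CHECKOUT_HTML = """
<script src="https://www.newegg.com/js/checkout.js"></script>
<script src="https://cdn.example.net/lib/jquery.min.js"></script>
<script src="https://newegg-metrics.example/collect.js"></script>
"""
# Constructed stand-in for Whois and certificate lookups, so this runs offline.
DOMAIN_FACTS = {
    "cdn.example.net": {"registered": date(2010, 1, 1), "cert_issued": date(2018, 6, 1)},
    "newegg-metrics.example": {"registered": date(2018, 8, 1), "cert_issued": date(2018, 8, 1)},
}

class ScriptHosts(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hosts = []  # host of every <script src=...> seen, in page order

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") if tag == "script" else None
        host = urlparse(src).hostname if src else None  # relative src has no host
        if host:
            self.hosts.append(host.lower())

def is_first_party(host):
    # Suffix match on a label boundary, so "newegg.com.evil.example" fails.
    return any(host == d or host.endswith("." + d) for d in FIRST_PARTY)

def audit(html, facts, today):
    """Return {host: [reasons]} for third-party script hosts worth a closer look."""
    parser = ScriptHosts()
    parser.feed(html)
    findings = {}
    for host in parser.hosts:
        if is_first_party(host):
            continue
        reasons = ["brand name in third-party host"] if BRAND in host else []
        reasons += [f"{key} within {MAX_AGE_DAYS} days"
                    for key, when in facts.get(host, {}).items()
                    if (today - when).days <= MAX_AGE_DAYS]
        if reasons:
            findings[host] = reasons
    return findings
```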
10. Panera Bread Breach
Panera Bread is a bakery/café chain in the USA and Canada with over 2000 stores. The company notified the press in April 2018 that it had recently patched a vulnerability that resulted in some customers’ data getting leaked. It also stated that around 40,000 records had been leaked. This came in response to a post on the blog “Krebs on Security”, which claimed that a vulnerable endpoint had been leaking customer data for 8 months and that the bug had been fixed only recently. The blog post also included screenshots of the email conversation between the company and the researcher who first notified it about the leak. The leak was suspected to have compromised a far larger number of records than Panera claimed. The information about it was public on a Pastebin post, so it was hard to predict the exact number, though Brian Krebs, the author, wrote that it is around 37 million.