[BreachExchange] Worst Data Breaches of 2018

Destry Winant destry at riskbasedsecurity.com
Fri Dec 28 08:37:37 EST 2018


https://securitytoday.com/Articles/2018/12/27/Worst-Data-Breaches-of-2018.aspx?Page=1

It seemed like data breaches were everywhere in 2018, affecting
everyone from a Canadian cannabis store to Chili’s restaurants. Yale
even discovered and disclosed a 2008 data breach this year. The amount
and types of data accessed varied, but each incident was another
reminder of the importance of data security.


We’ve rounded up a few of the biggest data breaches from 2018 below.

Marriott

One of the biggest data breaches of the year—and potentially of all
time—was disclosed earlier this month. Marriott International, the
world’s largest hotel chain, announced a breach of its Starwood guest
reservation database and said that as many as 500 million guests could
be affected. Upon investigation, Marriott found that there had been
unauthorized access since 2014 and that an “unauthorized party” had
copied and encrypted some information and “took steps toward removing
it,” but the company did not specify how much data was removed.

Marriott said that for about 327 million of affected guests, accessed
information included some combination of a name, address, phone
number, email, passport number, Starwood Preferred Guest account
information, date of birth, gender, arrival and departure information,
reservation data and communication preferences.

MyFitnessPal

Under Armour said about 150 million users were affected by a data
breach in the company’s MyFitnessPal app that occurred in February.
Under Armour said it notified users via email and in-app messages, and
that it was “working with leading data security firms to assist in its
investigation.”


The company said “an unauthorized party acquired data associated with
MyFitnessPal user accounts,” such as usernames, passwords and email
addresses.

Quora

About 100 million Quora users were affected by unauthorized access to
one of its systems by a “malicious third party,” according to the
site. Quora said it was logging out all users who might have been
affected in order to prevent further damage and was notifying users
whose data had been compromised.

Compromised information may include names, emails, encrypted passwords
and data imported from linked networks.

USPS

A security vulnerability in the U.S. Postal Service’s “Informed
Visibility” mail tracking and reporting service potentially exposed
the data of more than 60 million customers. The Postal Service said it
was not aware of anyone’s records having been accessed, and that the
security hole has since been fixed.

The service’s API let almost anyone with an ordinary USPS account view
other users’ account details, with no check that the records requested
belonged to the caller, and even revealed when critical documents and
checks were scheduled to be delivered to their mailboxes.
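The class of flaw described above, an authenticated endpoint that serves whatever record id the caller asks for, is easier to see beside its fix. The following is an added example written for this page, not USPS code and not a reconstruction of the actual Informed Visibility API: a toy lookup endpoint with the insecure direct object reference (`vulnerable_lookup`) next to a hardened version (`hardened_lookup`) that only returns records bound to the caller's session, plus a `harvest` helper showing what one ordinary account can sweep out of each. All account ids, names, mailpieces and sessions are constructed for the demo.

```python
# Added example, not USPS code: a toy authenticated lookup endpoint with an
# insecure direct object reference (IDOR), and the same endpoint hardened so
# a caller can only read records tied to their own session.
# Every account, mailpiece and session below is constructed for the demo.

from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed sample records standing in for the service's back-end tables.
ACCOUNTS: Dict[int, dict] = {
    1001: {"name": "Alice Example", "email": "alice@example.com", "street": "1 Main St"},
    1002: {"name": "Bob Example",   "email": "bob@example.com",   "street": "2 Elm St"},
    1003: {"name": "Cara Example",  "email": "cara@example.com",  "street": "3 Oak St"},
}
MAILPIECES: Dict[int, List[dict]] = {
    1001: [{"piece": "A-1", "kind": "check",        "scheduled": "2018-11-20"}],
    1002: [{"piece": "B-7", "kind": "tax document", "scheduled": "2018-11-21"}],
    1003: [],
}


@dataclass
class Session:
    """Server-side session. user_id is the identity established at login and
    is the only identity the server should trust for authorization."""
    user_id: int


class Forbidden(Exception):
    pass


def vulnerable_lookup(session: Optional[Session], requested_id: int) -> dict:
    """Checks that the caller is logged in, then serves whatever account id the
    caller put in the request. Authentication without authorization: any
    account holder can read any other account by changing one number."""
    if session is None:
        raise Forbidden("login required")
    if requested_id not in ACCOUNTS:
        raise KeyError(requested_id)
    return {"account": ACCOUNTS[requested_id], "mail": MAILPIECES[requested_id]}


def hardened_lookup(session: Optional[Session], requested_id: int) -> dict:
    """Same endpoint with an object-level authorization check: the id in the
    request must match the id bound to the session. 'Not yours' and 'does
    not exist' raise the same error so the endpoint cannot be used to
    enumerate which ids are valid either."""
    if session is None:
        raise Forbidden("login required")
    if requested_id != session.user_id or requested_id not in ACCOUNTS:
        raise Forbidden("not found")
    return {"account": ACCOUNTS[requested_id], "mail": MAILPIECES[requested_id]}


def harvest(endpoint: Callable[[Optional[Session], int], dict],
            session: Optional[Session], id_range: range) -> List[str]:
    """What an attacker holding one ordinary account gets by sweeping ids
    through the endpoint: the names of every account that came back."""
    names: List[str] = []
    for candidate in id_range:
        try:
            names.append(endpoint(session, candidate)["account"]["name"])
        except (Forbidden, KeyError):
            continue
    return names


if __name__ == "__main__":
    attacker = Session(user_id=1001)  # a legitimately registered account
    print("vulnerable:", harvest(vulnerable_lookup, attacker, range(1000, 1005)))
    print("hardened:  ", harvest(hardened_lookup, attacker, range(1000, 1005)))
```

The point of the hardened version is that the record set is scoped by the session identity before any lookup happens; in a real service the equivalent is adding `WHERE owner_id = :session_user` to the query (or dropping the client-supplied id entirely and deriving it from the session), not bolting a check onto the response.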

Facebook

Among the many unfortunate headlines for Facebook this year was a
massive data breach that exposed the account details and personal
information of almost 50 million users. Facebook said it had fixed
the security vulnerability and alerted authorities to the breach.

The hack was possible because of Facebook’s “View As” feature, which
lets users view their own profile as a stranger would see it in order
to check post privacy settings. The feature issued the viewing user an
access token, the credential that keeps a session logged in without
re-entering a password, and the attackers exploited this to harvest
access tokens for other users’ accounts, which is as good as holding
those users’ logins.


If you reuse the same username and password across many different
websites, attackers can take your login from a breach of a
lower-stakes app and try it against something more important and
private, such as a bank account.


More information about the BreachExchange mailing list