[BreachExchange] The 6 biggest and most embarrassing consumer hacks of all time

Audrey McNeil audrey at riskbasedsecurity.com
Fri Oct 14 15:33:44 EDT 2016


http://www.digitalspy.com/tech/feature/a810763/the-6-biggest-and-most-embarrassing-consumer-hacks-of-all-time/

IT managers, hang your heads in shame. 2016 has been an extraordinary year
in the world of cybersecurity, with several of the most devastating hacks
in history having emerged over recent months.

From Yahoo to Brazzers to the PlayStation Network, we've rounded up a
selection of the biggest and most embarrassing consumer hacks in history.
It's time for a slightly lighter look at mass misery. Oh, and you might
want to change a couple of passwords, too.

1. Yahoo

When? 2014, but details of the hack were disclosed in September 2016.

What Happened? The daddy of all hacks. If you were one of the poor 500
million sods affected by the breach, congratulations - you've gone down in
history. Unfortunately, nobody will actually honour your name or remember
your anguish, but you can take something like… sombre pride, we guess, in
belonging to this most famous class of hack victims. One estimate even put
the number of clients affected in the billions.

Though the scale of the attack was only revealed last month, the action
actually took place in late 2014, with Yahoo blaming the naughtiness on a
mysterious "state-sponsored actor". (They probably mean Russia or China but
who can say?)

Users' names, email addresses, dates of birth and phone numbers were
seized, but the company doesn't believe the baddies made off with any bank
details. Oh, and the stolen passwords were cryptographically hashed
(shortened, basically), which makes Yahoo appear a tiny bit less careless.

Why Was It So Embarrassing? Scale aside, the timing of the story wasn't
great. Yahoo was (and still is) out on its back, but also in the middle of
a multi-billion pound deal with Verizon. Whether the sale actually goes
through or not remains to be seen.

2. MySpace

When? 2008? Nobody's entirely sure, but details of the hack were disclosed
in May 2016.

What Happened? The past came back to haunt millions of one-time MySpace
users. 360 million accounts were breached by a hacker known as Peace, who
put all of the details up for sale on a hacking forum. The data included
the email addresses, usernames and (weakly) hashed passwords attached to
accounts created before June 11, 2013, which was when the site underwent a
major redesign.

MySpace invalidated the passwords of any accounts that were known to be
affected by the hack, but the despicable villains behind Peace proceeded to
use the details they'd stolen to try to break into users' other accounts.

Why Was It So Embarrassing? MySpace may be an easy target for cruel japes
in this modern world of largely similar, but ultimately less flamboyant and
innocent social networks, but it was the dog's whatsits back in the day.
What we can't excuse is the embarrassingly widespread use (73,145 times, to
be precise) of Blink182 as a password. Remember: whiny American bands have
an expiry date, but password security never goes out of fashion.

Also, Oculus CEO Brendan Iribe was reportedly one of those caught out by
the hack. His Twitter account was breached in the aftermath of the attack,
with reports claiming this was because he hadn't changed his password since
MySpace's heyday.

3. LinkedIn

When? 2012, but full details of the hack were disclosed in May 2016.

What Happened? First things first: yes, this is the most exciting thing to
have happened to LinkedIn, regardless of how worried it made millions of
high-powered professionals who are great at showing fellow high-powered
professionals what they're supposed to be good at.

Once more, the hacktastic hellmonsters behind Peace caused the trouble,
managing to force their way into 165 million accounts, cackle at their
made-up Microsoft Excel skills and stick the stolen data up for sale online.

Why Was It So Embarrassing? Worryingly, LinkedIn initially announced that
6.5 million accounts had been affected - just a little way off the actual
figure - with the true extent of the hack revealed four years later. There
was also controversy when it emerged that the company had hashed passwords
before the attack but, like a terrible cook, failed to "salt" them,
enabling the baddies to quickly unscramble more than half of them.
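Why the missing salt mattered (and why a count like MySpace's 73,145 "Blink182" users could be read straight out of a dump) is easier to see in code. This is an added example, not code from the article or from any company named in it; unsalted SHA-1 for the weak scheme, PBKDF2-SHA256 for the salted one, and the account list and wordlist are all constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts (not real breach data); three share a password,
# echoing the article's 73,145 "Blink182" MySpace users.
USERS = [("alice", "blink182"), ("bob", "blink182"), ("carol", "blink182"),
         ("dave", "correct horse battery staple"), ("erin", "hunter2")]
# A tiny constructed wordlist standing in for the attackers' dictionary.
COMMON_PASSWORDS = ["password", "blink182", "123456"]
ROUNDS = 100_000  # PBKDF2 iterations; production deployments use more

def unsalted_sha1(password):
    """Hash of the password alone. SHA-1 is assumed for illustration; the
    article only says LinkedIn's hashes lacked salt and MySpace's were weak."""
    return hashlib.sha1(password.encode()).hexdigest()

def salted_pbkdf2(password, salt=None):
    """Per-account random salt plus a slow KDF; returns (salt, hex digest)."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS).hex()

def verify_pbkdf2(password, salt, expected_hex):
    """Constant-time check of a candidate password against a stored record."""
    return hmac.compare_digest(salted_pbkdf2(password, salt)[1], expected_hex)

def max_accounts_sharing_a_hash(hashes):
    """Audit metric: accounts behind the single most common stored hash.
    Unsalted storage collapses every reuse of a password onto one value, which
    is how a per-password usage count can be read straight out of a dump;
    with per-account salts this should be 1."""
    return Counter(hashes).most_common(1)[0][1] if hashes else 0

def accounts_hit_by_one_lookup(hashes, wordlist):
    """Hash the wordlist once and count stored hashes it matches. Against
    unsalted storage one table covers every account; against salted storage
    each account would need its own run, so this returns 0."""
    table = {unsalted_sha1(w) for w in wordlist}
    return sum(1 for h in hashes if h in table)

def unsalted_store(users):
    return [unsalted_sha1(p) for _, p in users]

def salted_store(users):
    return [salted_pbkdf2(p)[1] for _, p in users]
```

Running the audit over a real hash table works the same way: a large "most common hash" count is a direct signal that the store is unsalted.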

Funnily enough, it seems that there isn't much of a market for stolen
LinkedIn swag. After apparently doing little with the data - apart from
attempting to squirm into online accounts where bank details may be hidden,
of course - for all of that time, Peace eventually put it up for sale for
the very reasonable asking price of five bitcoin (around £1,500). When no
takers came forward, it ended up slashing that in half.

4. PlayStation Network

When? April 2011.

What Happened? The online gaming community got taken for a ride. Hackers
forced their way into Sony's PlayStation Network on April 19, 2011, forcing
the behemoth to take the service offline two days later. It went dark for
over three weeks, eventually coming back online on May 14.

102 million accounts were affected by the attack, which included breaches
of the Qriocity and Sony Online Entertainment services. As well as login
details, names, addresses and numbers, the bank details of over 23,000 SOE
users in Europe were also stolen.

Why Was It So Embarrassing? Where do we start? Most frustrating of all was
arguably the fact that Sony waited until April 26 to reveal that the
personal information of millions had been stolen. That's a week. Even then,
nobody could actually change their PSN details because the entire service
was down.

Reports also emerged claiming that Sony had got rid of security staff ahead
of the hack and should have been better prepared, as it suffered a number of
smaller attacks in the build-up to the main event.

Finally, many believe that Sony actually went looking for trouble through
its legal pursuit of PlayStation 3 jailbreaker George Hotz. Anonymous,
which described the move as "wholly unforgiveable", declared cyberwar on
Sony on April 4, launching attacks on the company over the following days.
However, the hacking group abandoned the tactic on April 7, conceding that
it was only ruining gamers' lives.

We're still not sure who was behind the infamous PlayStation Network hack,
but at the time Sony pointed the finger at Anonymous, which denied any
responsibility.

5. Ashley Madison

When? July 2015.

What Happened? The veil of secrecy was spectacularly lifted off millions of
broken marriage vows. A group of hackers called the Impact Team revealed
that they'd managed to seize the data of 30 million AshleyMadison.com
users. For any of you innocent so-and-sos out there, that's a site
dedicated to helping married people hook up with other married people. Not
especially wholesome, but a handy tool for the unhappily hitched. Or so
they thought.

It later emerged that less than 1% of the female accounts on the site were
used on a regular basis, meaning that over 5.4 million of Ashley Madison's
5.5 million registered female users were potentially fake. The fact that an
extremely high number of them were created from the same IP address pretty
much confirms that a LOT of desperate guys were busy lusting after the same
computer geek.

Impact Team, which threatened to post all of the information online unless
Avid Life Media took down Ashley Madison and a site called Established Men,
also took issue with the company's business practices, claiming that it
retained user information on its servers even after customers paid $19 to
have their details deleted.

Avid Life Media stood firm, and its users' names, email addresses and
numbers were made public the following month.

Why Was It So Embarrassing? Read the rest of this section again.

Then there was the ruling earlier this year which stated that anybody
seeking retribution against Ashley Madison for breaching their privacy
would not be able to do so anonymously.

There was, however, a tragic element to the tale, with several suicides
being linked back to the hack.

6. Brazzers

When? 2013, but details of the hack were disclosed in September 2016.

What Happened? Penetration, exposure and, erm, backdoor access are nothing
new to Brazzers, but the porn site's fans almost certainly never expected
to be on the receiving end of the treatment. 800,000 of its users had their
pants pulled down back in 2013, when a bunch of hackers managed to get
their hands on their email addresses, usernames and passwords, all in plain
text, through a forum associated with the site.

News of the breach only broke last month, and Brazzers confirmed that
vulnerabilities in the vBulletin software used to run the chat forum were
to blame, before taking measures to protect its hardware-wielding users
again.

Why Was It So Embarrassing? Brazzers deals in porn, so reporters had a
field day. Also, as pointed out by security researcher Troy Hunt at the
time, the release of the data on the forum was potentially more damaging to
users than the news that they had a Brazzers account, as the stolen login
credentials provided access to private conversations about their deepest
and dirtiest sexual fantasies (doing it on top of a server with a hacking
collective, eww).