[BreachExchange] The 10 biggest data hacks of the decade

Destry Winant destry at riskbasedsecurity.com
Fri Jan 17 10:31:08 EST 2020


https://www.cnbc.com/2019/12/23/the-10-biggest-data-hacks-of-the-decade.html

Since 2010, data breaches have exposed over 38 billion records,
according to the cybersecurity firm Risk Based Security.

That sounds like a lot, and it is. Consider this: there are roughly
327 million Americans, according to the latest Census estimate. Spread
evenly, that works out to about 116 exposed records per person over
the past decade, although a record is not the same as a unique account
and the same person often shows up in several breaches.

Overall, Risk Based Security tells CNBC Make It that there have been
at least 40,650 data hacks since the beginning of 2010. And while many
were smaller data breaches, there were a few mega hacks that will
likely remain records for years to come.

The Identity Theft Resource Center provided CNBC Make It with a
ranking of the biggest data breaches announced since 2010, based on
the number of accounts compromised. ITRC ranked only breaches that it
could confirm the number of records affected.

Several companies, such as 7-Eleven, WhatsApp and Fortnite, reported
security flaws in the past year that could have exposed millions of
customers’ data, but the extent of the accessed data was not reported.

Here’s a look at the data hacks that will go down in history as the
biggest of the past decade.

10. Under Armour (MyFitnessPal)

Number of records hacked: 143.6 million

Announced: March 2018

Fitness clothing company Under Armour announced in March 2018 that
hackers had accessed the backend database for its popular diet and
fitness app MyFitnessPal. Hackers were able to retrieve usernames,
email addresses and hashed passwords. A hashed password is not
encrypted and cannot be "decrypted": an attacker has to crack it by
hashing guesses and comparing the results against the stolen value.
Under Armour said most of the passwords were protected with bcrypt, a
deliberately slow, salted hash that makes each guess expensive, while
a portion used the much faster SHA-1 function, which is far easier to
crack with a wordlist.
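To make the hashing point concrete, the following Python script (an added example, not part of the CNBC article or of Under Armour's disclosure) plays the attacker's side against a constructed, fictional leak. One table uses unsalted SHA-1: a single pass over the wordlist produces a lookup table that cracks every user at once, and two users with the same password share a digest. The other uses a per-user salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library, standing in for bcrypt, which needs a third-party package), so every (user, guess) pair costs a full derivation and no shared table is possible. All usernames, passwords and the wordlist are made up here.

```python
import hashlib
import secrets
import time

# Constructed wordlist for the demonstration, not a real cracking dictionary.
WORDLIST = ["123456", "password", "fitness2018", "letmein", "qwerty", "summer"]

# Scenario 1: unsalted SHA-1. Hypothetical leaked table: username -> hex digest.
# "carol" has a password that is not in the wordlist and should survive.
LEAKED_SHA1 = {
    "alice": hashlib.sha1(b"fitness2018").hexdigest(),
    "bob": hashlib.sha1(b"123456").hexdigest(),
    "carol": hashlib.sha1(b"Tr0ub4dor&3-long").hexdigest(),
}


def crack_unsalted_sha1(leaked, wordlist):
    """Hash each candidate once, then look every user up in the table.

    With no salt, the cost is len(wordlist) hashes for the whole dump,
    and identical passwords are visible as identical digests.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table.get(digest) for user, digest in leaked.items()}


# Scenario 2: per-user random salt plus a slow KDF. Iteration count kept
# moderate so the example runs quickly; real deployments use far more.
PBKDF2_ITERATIONS = 50_000


def pbkdf2_record(password, salt):
    """Derive the stored verifier for one password under one salt."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), salt, PBKDF2_ITERATIONS
    ).hex()


def make_salted_leak(credentials):
    """Build a hypothetical leaked table: username -> (salt, verifier)."""
    leaked = {}
    for user, password in credentials:
        salt = secrets.token_bytes(16)
        leaked[user] = (salt, pbkdf2_record(password, salt))
    return leaked


LEAKED_PBKDF2 = make_salted_leak([("alice", "fitness2018"), ("bob", "123456")])


def crack_salted_pbkdf2(leaked, wordlist):
    """Attack the salted table. No lookup table can be shared across users,
    so each user needs its own pass and each guess is a full derivation.

    Returns (found, guesses): found maps user -> cracked password or None,
    guesses counts the derivations the attacker had to perform.
    """
    found = {}
    guesses = 0
    for user, (salt, verifier) in leaked.items():
        found[user] = None
        for candidate in wordlist:
            guesses += 1
            if pbkdf2_record(candidate, salt) == verifier:
                found[user] = candidate
                break
    return found, guesses


if __name__ == "__main__":
    t0 = time.perf_counter()
    print("unsalted SHA-1:", crack_unsalted_sha1(LEAKED_SHA1, WORDLIST))
    t1 = time.perf_counter()
    found, guesses = crack_salted_pbkdf2(LEAKED_PBKDF2, WORDLIST)
    t2 = time.perf_counter()
    print("salted PBKDF2:", found, "after", guesses, "derivations")
    print(f"SHA-1 pass: {t1 - t0:.4f}s, PBKDF2 pass: {t2 - t1:.4f}s")
```

The timing line is where the difference shows: the SHA-1 pass finishes in microseconds regardless of how many users are in the dump, while the salted PBKDF2 pass scales with users times guesses and each guess costs tens of milliseconds. Neither scheme protects "carol"-style passwords any differently from the defender's point of view; the slow hash only buys time, which is why breached sites still force resets.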


9. Equifax

Number of records hacked: 147 million
Announced: September 2017

The Equifax data breach was one of the largest in history. The company
announced the data breach in September 2017, eventually reporting that
147 million consumers were affected, roughly 45% of the U.S.
population. Hackers were able to get access to people’s names, Social
Security numbers, dates of birth, credit card numbers and even
driver’s license numbers.

During the investigation into the breach, Equifax admitted it had been
warned in March 2017 that a critical flaw in the Apache Struts web
framework (CVE-2017-5638), used by its consumer dispute portal, needed
patching, but the fix was never applied and attackers began exploiting
the unpatched system in May.

In July 2019, Equifax agreed to pay up to $700 million to settle federal and
state investigations into how it handled the massive data breach. A
spokesperson from Equifax said at the time of the settlement that data
from the 2017 breach had yet to be discovered for sale on the dark
web.

8. Dubsmash

Number of records hacked: 161.5 million
Announced: February 2019

In February, video messaging app Dubsmash announced that hackers
nabbed nearly 162 million users’ account holder names, email addresses
and hashed passwords.

The breach actually occurred in December 2018, but cyber thieves
posted that the data was for sale on the dark web in February. It was
part of a data dump that included over 600 million accounts from 16
hacked websites.

7. Republican National Committee (Deep Root Analytics)

Number of records hacked: 198 million
Announced: June 2017

Security researchers found voter information for 198 million
Americans on a publicly accessible server in June 2017. It turned out
that the Republican National Committee had hired conservative
marketing firm Deep Root Analytics, which failed to keep voter
information secure.

Deep Root’s cloud storage, an Amazon S3 bucket whose permissions
allowed anyone on the internet to download its contents, was publicly
accessible for about 12 days and contained personal information on
voters, including home addresses, birthdays, phone numbers and
opinions on political issues.


6. Zynga

Number of records hacked: 218 million
Announced: September 2019

Mobile game producer Zynga announced on Sept. 12, 2019 that a hacker had
accessed account log-in information for customers who play the
popular “Draw Something” and “Words with Friends” games.

In addition to the log-in credentials, the hacker accessed usernames,
email addresses, log-in IDs, some Facebook IDs, some phone numbers and
Zynga account IDs of about 218 million customers who installed iOS and
Android versions of the games before Sept. 2, 2019.

5. Exactis

Number of records hacked: 340 million
Announced: June 2018

Most Americans had not heard of the marketing and data aggregation
firm Exactis before June 2018, but the company had quietly built a
database consisting of personal information on hundreds of millions of
Americans and businesses.

But that database sat on an unsecured Elasticsearch server reachable
from the public internet with no authentication, a flaw security
researcher Vinny Troia discovered in early June 2018. Exactis exposed
about two terabytes worth of data that included email addresses, home
addresses, phone numbers and other personal information such as
hobbies and information on any children in the household.

4. Marriott (Starwood)

Number of records hacked: 383 million
Announced: November 2018

The names, addresses, contact information and passport numbers of over
300 million people who stayed at a Starwood hotel property were
accessed in a major data hack, Marriott hotels reported in November
2018. Marriott acquired the Starwood hotel chain in 2016.

Marriott initially said the Starwood guest reservation database held
records on up to 500 million guests; it later revised the figure to
about 383 million records, a count that includes duplicates. The
intruders had been inside the Starwood network since 2014, two years
before the acquisition, and were not detected until September 2018.


3. Veeam

Number of records hacked: 445 million
Announced: September 2018

It’s not good when a data management firm makes news for mishandling
customer data. But that’s exactly what happened to Switzerland-based
Veeam. The exposed system was an unauthenticated MongoDB instance
found by researcher Bob Diachenko; the company said in a statement
that one of its “marketing databases was mistakenly left visible to
unauthorized third parties.”

Due to “human error,” about 445 million records containing names,
emails and IP addresses in the database were visible for about 10
days. But Veeam said many of those records were duplicates and only
about 4.5 million unique email addresses ended up exposed.

2. River City Media

Number of records hacked: 1.37 billion
Announced: March 2017

An email marketing company, River City Media, made headlines in 2017
for leaking about 1.37 billion records. The company’s rsync backups
were configured without a password, which placed the entire database
online for anyone who connected, including details like IP addresses,
names and even physical addresses.

Chris Vickery, a MacKeeper security researcher, said at the time of
the data breach discovery that River City Media was able to gather the
information through a spam operation that involved sending emails
promising “credit checks, education opportunities and sweepstakes.”

1. Yahoo!

Number of records hacked: up to 3 billion
Announced: September and December 2016

Currently, the title for the largest data breach in history goes to
Yahoo. The company — which Verizon announced plans to acquire in July
2016 — disclosed it was the victim of multiple major hacks over the
years that exposed the names, email addresses, telephone numbers and
dates of birth of over a billion people who used Yahoo.

Yahoo told the public in September 2016 it had experienced a breach in
2014 that affected at least 500 million accounts. It followed that
announcement up with another in December of that same year that
detailed a 2013 attack on its network that exposed at least one
billion user accounts.

After the sale of Yahoo closed in 2017, Verizon noted that the 2013
attack affected all three billion of Yahoo’s users. Yahoo eventually
agreed to pay $117.5 million to settle a class-action lawsuit in April
2019 over how it handled communications around the hacks.

