There’s no doubt that 2016 has been a massive year for security breaches. We’ve seen data breaches affecting large retailers, social media platforms and even political campaigns. In this article I’m going to give you the list of what I believe to be
The Top 10 Most Damaging Security Breaches of 2016
(In no particular order ..)
1. Snapchat
It apparently doesn't matter whether you're an old-school business or one of the hottest tech companies around: Snapchat has shown that no organisation is immune to phishing. Earlier this year Snapchat revealed that payroll data about a number of its employees had been disclosed.
A scammer emailed an employee posing as the company's CEO, Evan Spiegel, and asked for employee payroll information. Neither Snapchat's email security nor the employee recognised it as a scam, and the data was "disclosed externally," as the company put it. This is a textbook business email compromise (BEC): no malware and no exploit, just a message that appears to come from the boss and makes a plausible, urgent request.
Snapchat followed up to say that it took action within four hours of the incident and confirmed that it was an isolated case. The company said it had reported the incident to the FBI and was providing identity theft protection services to the affected employees.
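The Snapchat incident turns on a single spoofed "from the CEO" email. The following is an added example, not Snapchat's code, showing the kind of checks a mail gateway or a triage script can run on an inbound message to flag executive impersonation: a display name that matches an executive but an address that does not, a lookalike sender domain, a Reply-To that diverts replies elsewhere, and a request for payroll data. The corporate domain `example.com`, the executive roster, and both sample messages are constructed for illustration.

```python
"""Flag CEO-impersonation (BEC) emails like the one that hit Snapchat.

Added example, not Snapchat's code. INTERNAL_DOMAIN, EXECUTIVES and the two
sample messages below are constructed for illustration only.
"""
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"                     # assumed corporate domain
EXECUTIVES = {"evan spiegel": "evan@example.com"}   # assumed display name -> real address
PAYROLL_KEYWORDS = ("payroll", "w-2", "w2 ")

# Constructed sample: spoofed display name, lookalike domain, diverted replies.
PHISHING_EMAIL = b"""\
From: Evan Spiegel <ceo@example-corp.net>
Reply-To: ceo.office@example-corp.net
To: payroll@example.com
Subject: Urgent request

Hi, I need the W-2 and payroll information for all employees sent to me today.
Thanks, Evan
"""

# Constructed sample: the real executive, internal domain, no payroll request.
LEGIT_EMAIL = b"""\
From: Evan Spiegel <evan@example.com>
To: payroll@example.com
Subject: All-hands

Please join the all-hands at 3pm in the big room.
"""


def bec_indicators(raw: bytes) -> list:
    """Return the list of reasons this message looks like executive impersonation.

    An empty list means nothing fired. Each check is cheap and runs on headers
    plus the plain-text body only; a real gateway would also verify SPF/DKIM.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    reasons = []

    from_name, from_addr = parseaddr(str(msg.get("From", "")))
    from_addr = from_addr.lower()
    from_domain = from_addr.rpartition("@")[2]

    # 1. Display name belongs to an executive, but the address is not theirs.
    real_addr = EXECUTIVES.get(from_name.strip().lower())
    if real_addr is not None and from_addr != real_addr:
        reasons.append(f"display name '{from_name}' used with non-executive address {from_addr}")

    # 2. Lookalike domain: not our domain, but contains our brand label.
    brand = INTERNAL_DOMAIN.split(".")[0]
    if from_domain != INTERNAL_DOMAIN and brand in from_domain:
        reasons.append(f"lookalike sender domain {from_domain}")

    # 3. Reply-To diverts the conversation away from the apparent sender.
    _, reply_to = parseaddr(str(msg.get("Reply-To", "")))
    if reply_to and reply_to.lower() != from_addr:
        reasons.append(f"Reply-To {reply_to} differs from From {from_addr}")

    # 4. The request itself is for payroll / tax data.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    if any(k in text for k in PAYROLL_KEYWORDS):
        reasons.append("requests payroll data")

    return reasons


if __name__ == "__main__":
    for label, raw in (("phishing", PHISHING_EMAIL), ("legit", LEGIT_EMAIL)):
        print(label, bec_indicators(raw))
```

Any non-empty result is worth holding for human review; the payroll keyword check alone is too noisy to block on, but combined with a display-name mismatch it is exactly the pattern Snapchat's employee fell for.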
2. Wendy's
On 27 January 2016 it was reported that the fast-food chain Wendy's was investigating a security breach involving payment card data at some of its restaurants. While Wendy's initially said that the incident had affected around 300 stores, it later emerged that more than 1,000 locations had been hit.
In a statement Wendy's said that the point-of-sale systems at over 1,000 locations had been infected with malware, resulting in the theft of customer payment card data. The affected systems were administered remotely by a third-party vendor, and it was the theft of that vendor's remote-access credentials that led to the compromise.
This is what's known as a supply chain attack. If attackers can't get into a particular organisation directly, they will frequently go after suppliers or other trusted partners that already hold remote access into its network, and ride that access in. The lesson for anyone outsourcing POS support is to treat vendor remote access as a privileged account: require multi-factor authentication, restrict it to the systems the vendor actually needs, and log what it does.
3. LinkedIn
The intrusion itself didn't happen in 2016, but news of its true scale did. When LinkedIn was breached in 2012, it initially believed that only around 6.5 million accounts were affected; the password hashes for those accounts had been posted to a Russian crime forum.
In 2016 it became apparent that the attackers had taken far more than those 6.5 million records. The true number was closer to 117 million accounts, and the email addresses and password hashes were again being offered for sale on a 'dark web' marketplace. The hashes were unsalted SHA-1, which is why so many of them were cracked within days of the original 2012 leak.
Cory Scott, LinkedIn's Chief Information Security Officer, said: "We became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012".
He said that as a precaution the company was invalidating the passwords of all accounts it believed to be affected and contacting those members to reset them.
4. Lifeboat
Lifeboat, a division of Hydreon Corporation, runs multiplayer servers for Minecraft: Pocket Edition, the smartphone version of the immensely popular game Minecraft.
According to security researcher Troy Hunt, who maintains the Have I Been Pwned? database of compromised credentials, Lifeboat's systems were breached in January 2016, exposing the accounts of the game's more than seven million users.
In a subsequent interview with Motherboard, Hunt criticised Lifeboat for failing to notify its customers of the incident. Worse, the passwords exposed in the breach had been hashed with MD5, a fast and long-obsolete algorithm that lets an attacker test billions of guesses per second on commodity hardware, leaving them highly susceptible to cracking.
A spokesperson for Lifeboat said in a statement: "We did not learn of the security breach until late February. At that time we prompted you to choose a new password in-game," the statement read. "The password that you chose is encrypted using much stronger algorithms, and we've taken steps to better guard the data."
5. Verizon Enterprise
Customer data stolen from Verizon Enterprise Solutions surfaced on an underground forum earlier this year. The database contained the contact information of around 1.5 million Verizon enterprise customers. The whole set was priced at $100,000, though the seller also offered to break it into chunks of 100,000 records for $10,000 apiece.
Contacted about the posting, Verizon Enterprise told Brian Krebs of KrebsOnSecurity that it had recently identified a security flaw in its enterprise client portal that allowed attackers to steal customer contact information, and that it was in the process of alerting affected customers.
“Verizon recently discovered and remediated a security vulnerability on our enterprise client portal,” the company said in an emailed statement. “Our investigation to date found an attacker obtained basic contact information on a number of our enterprise customers. No customer proprietary network information (CPNI) or other data was accessed or accessible.”
6. Brazzers
Moving on to a slightly more embarrassing breach, we have the pornography site Brazzers. Almost 800,000 Brazzers accounts were exposed (heh) earlier this year after a hack of the Brazzers Forum, which was running an out-of-date version of the vBulletin forum software.
Motherboard reported that "The data contains 790,724 unique email addresses, and also includes usernames and plain-text passwords. (The set has 928,072 entries in all, but many are duplicates.)"
Matt Stevens, public relations manager from Brazzers, told Motherboard in an email, “This matches an incident which occurred in 2012 with our ‘Brazzersforum,’ which was managed by a third party. The incident occurred because of a vulnerability in the said third party software, the ‘vBulletin’ software, and not Brazzers itself.”
“That being said, users’ accounts were shared between Brazzers and the ‘Brazzersforum’ which was created for user convenience. That resulted in a small portion of our user accounts being exposed and we took corrective measures in the days following this incident to protect our users,” Stevens added.
7. Dropbox
Yet another breach dating back to 2012. It seems 2012 was the year of the data breach; it has just taken until 2016 to learn its true scale. After years in which the extent of the incident was unclear, Dropbox finally confirmed this year that it had been the victim of a 2012 hack affecting 68 million accounts. The entry point, Dropbox said, was an employee's password that had been reused from the LinkedIn breach above.
It had little option but to own up, as a dump of the credentials had been posted online. The dump contained email addresses and hashed passwords. A hash is the output of a one-way function: the plaintext cannot be decoded from it, only guessed and checked, so the strength of the protection depends entirely on how expensive each guess is.
Unfortunately, not all of the passwords were protected equally. Roughly half had been hashed with bcrypt, a deliberately slow algorithm designed for passwords; the rest used SHA-1, a fast general-purpose hash, which leaves a large number of them vulnerable to offline cracking. A per-user salt stops an attacker from precomputing a table or attacking every user at once, but only a slow, salted algorithm makes brute-forcing each individual password expensive.
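The Lifeboat (MD5), LinkedIn (unsalted SHA-1) and Dropbox (SHA-1 versus bcrypt) entries all come down to the same point about one-way hashes and salts. The following is an added example, not code from any of those companies, that makes it concrete: a handful of constructed user records hashed with unsalted SHA-1 are cracked with one precomputed lookup table, while the same passwords stored with a random per-user salt and a slow key-derivation function force the attacker to redo every guess for every user. PBKDF2 from the Python standard library stands in for bcrypt, which needs a third-party package; the wordlist, user records and iteration count are all assumptions for the demonstration.

```python
"""Unsalted fast hashes vs salted slow hashes, side by side.

Added example, not Dropbox's, LinkedIn's or Lifeboat's code. WORDLIST,
UNSALTED_DB and PBKDF2_ITERATIONS are constructed/assumed for illustration.
"""
import hashlib
import hmac
import os

# A tiny "most common passwords" list an attacker would try first (constructed).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dropbox2012", "iloveyou"]

# Constructed victim table in the style of the LinkedIn dump: unsalted SHA-1.
UNSALTED_DB = {
    "alice@example.com": hashlib.sha1(b"letmein").hexdigest(),
    "bob@example.com":   hashlib.sha1(b"letmein").hexdigest(),  # same password => same hash
    "carol@example.com": hashlib.sha1(b"correct horse battery").hexdigest(),
}

PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune so one hash takes ~100 ms


def crack_unsalted(db, wordlist, algo="sha1"):
    """Precompute one hash per candidate, then look every user up in O(1).

    Returns (found, hash_calls). Cost is len(wordlist) hashes no matter how many
    users leaked, and every user who chose the same password falls at once.
    """
    table = {hashlib.new(algo, w.encode()).hexdigest(): w for w in wordlist}
    found = {user: table[h] for user, h in db.items() if h in table}
    return found, len(wordlist)


def hash_password(password, salt=None):
    """Return (salt, derived_key) using a fresh 16-byte random salt per user.

    Two users with the same password now get different hashes, so no shared
    lookup table helps, and PBKDF2 makes each individual guess slow.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, dk


def verify_password(password, salt, expected):
    """Constant-time comparison so verification does not leak timing information."""
    _, dk = hash_password(password, salt)
    return hmac.compare_digest(dk, expected)


def build_salted_db(passwords):
    """Constructed helper: store {user: (salt, hash)} for a dict of plaintexts."""
    return {user: hash_password(pw) for user, pw in passwords.items()}


def crack_salted(db, wordlist):
    """Against per-user salts there is nothing to precompute: every guess has to be
    re-derived for every user. Returns (found, hash_calls)."""
    found, calls = {}, 0
    for user, (salt, dk) in db.items():
        for w in wordlist:
            calls += 1
            if verify_password(w, salt, dk):
                found[user] = w
                break
    return found, calls


if __name__ == "__main__":
    found, calls = crack_unsalted(UNSALTED_DB, WORDLIST)
    print("unsalted SHA-1:", found, "after", calls, "hash calls")
    salted = build_salted_db({"alice@example.com": "letmein", "bob@example.com": "letmein"})
    found, calls = crack_salted(salted, WORDLIST)
    print("salted PBKDF2: ", found, "after", calls, "slow hash calls")
```

Note what the salt does and does not buy: "letmein" still falls in both cases because it is in the wordlist, but the unsalted table cracks all matching users with six fast hashes, whereas the salted store needs a separate run of slow PBKDF2 calls per user. Salting stops the shared table; the slow algorithm is what makes each guess expensive.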
“This is not a new security incident, and there is no indication that Dropbox user accounts have been improperly accessed,” said Patrick Heim, Dropbox’s head of trust and security, in a statement.
To its credit, Dropbox acted quickly on news of the leak and forced a password reset for every user who had signed up before mid-2012 and not changed their password since.
Well done Dropbox!
8. Mossack Fonseca
This incident quickly became known as the 'Panama Papers' breach, and it was a highly targeted attack. Mossack Fonseca, a little-known Panamanian law firm, suffered one of the most consequential security breaches of 2016.
The leak sent a wave of controversy around the world as details emerged, and within days at least one head of government had stepped down. Information exposing the offshore tax arrangements of the world's rich and famous was everywhere.
The attacker exfiltrated a huge quantity of data: around 2.6 terabytes, comprising some 11.5 million documents and emails. There is so much of it that journalists and other investigators are still poring through it today.
The root cause? An out-of-date Revolution Slider plugin on the firm's WordPress website, and a web server that sat on the same internal network as the firm's email server. Once the web server was compromised, the attacker was able to reach the mail server and, from there, the rest of the network.
For a company holding such sensitive information, the firm appears to have taken remarkably few steps to secure its infrastructure; reportedly there wasn't even a basic firewall separating its public-facing web server from its internal servers.
It really makes you wonder how many other organisations are doing just as badly at protecting their sensitive data. They should have read How to Secure Your WordPress Site Against Hackers: patching the plugin alone would have closed the initial entry point, and putting the web server on its own network segment would have stopped it becoming a beachhead.
Moving on ..
9. Clinton Campaign
It seems politicians aren't immune to cyber security problems either. Although the story first broke in 2015, Hillary Clinton's decision to do a Mossack Fonseca and run her own private email server hung over her 2016 campaign. While running your own mail server is not unusual for a business, doing it from home is a terrible idea.
As somebody who comes from a technical background myself, I wouldn't even want to host my own email server at home! It'd be a nightmare to keep patched, configured and up to date. Locking it down would be a part-time job, so I have no idea what Hillary was thinking.
Just when her record on cyber security couldn't get any worse, it emerged more recently that the emails of her campaign chairman John Podesta had also been hacked. The source? A spear-phishing email dressed up as a Google security alert, which tricked him into entering his Gmail password on an attacker-controlled page.
His Twitter account was also hijacked after the emails were published. The lesson hasn't changed: one phished or re-used password can unravel an entire organisation, and people still don't realise the havoc it can cause. While I'm politically neutral, I do have to wonder whether Hillary Clinton is ready to lead US cyber security strategy from the White House.
10. Yahoo!
I've saved the best for last: that Yahoo! breach. It's a big one. In September Yahoo! announced that data on at least 500 million user accounts had been stolen in 2014. Not only is this terrible for Yahoo!, but it has since emerged that the company also co-operated with a US government email surveillance programme.
That's right: according to Reuters, Yahoo! built a tool that scanned all of its customers' incoming email for a specific string at the request of US intelligence. As if that weren't bad enough, Verizon was midway through a deal to acquire Yahoo!'s core business for $4.8 billion.
Surprise surprise: Verizon said it had no knowledge of the breach when the deal was negotiated, despite indications that it had been known about internally at Yahoo!. The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords (the vast majority with bcrypt) and, in some cases, encrypted or unencrypted security questions and answers. Those security answers are the real long-term damage, since people reuse them across sites and can't simply reset their mother's maiden name.
It's a terrible situation for Yahoo!. Anyone still using the service should change their password, replace any security questions they have reused elsewhere, and consider forwarding their mail to another provider such as Google's Gmail or Microsoft's Outlook.
Recent reports suggest that, at a minimum, Verizon is looking to secure a significant discount on the original price, with some sources claiming that Verizon may try to walk away from the deal entirely.
So that’s it – The 10 Most Damaging Security Breaches of 2016!
What do YOU think about these breaches?
I’d love to hear YOUR comments!