Privacy - July 8, 2019

The biggest data breaches of 2019

admin July 8, 2019

0 627 20 min read

As the famous idiom goes: “Nothing is certain but death and taxes.” Now, in our digital age, we can add one more certainty: data breaches.

This year we’ve already seen quite a long list of data breaches from all around the world. While most of the focus usually falls on financial data breaches, many hackers are now going after softer targets, such as healthcare and social services. In fact, 2019 has already seen multiple data breaches related to the healthcare field.

In fact, 2019 has already seen multiple data breaches related to the healthcare field.

The number one danger of data breaches is identity theft. With just a few details, like your date of birth, social security number, etc., scammers can use your information to take out loans, get credit cards, or use it for more sophisticated phishing attempts.

Beyond that, they can also access the account that was hacked, collecting private messages, videos and images. In general, what hackers can do with your data is often limited to how creative they are. In order to keep yourself safe, you not only have to practice your own safety, but you need to be aware if your data is out there right now, in some hacker’s hands or being traded on hacker forums.

Our list below is updated from the newest to the oldest data breaches for 2019.

May 31 – Flipboard’s major breach

Affected users: possibly 1 billion+
Industry or type: news aggregation app and site
Cause of breach: hack

The most popular news aggregation site and app, Flipboard, has just revealed a major data breach. It is currently unknown how many users have been affected, but seeing as Flipboard has more than 1 billion download from Google Play alone (and that it’s pre-installed on many phones), it is most likely major.

The data stolen in the data breach includes:

names
usernames
email addresses
protected passwords (salted and hashed with bcrypt)

Users (not logged in on their phones) have since had their passwords reset and will have to change them. Smartphone users will have to log out by themselves.

May 28 – UK’s Investment Week breach

Affected users: 330,000+
Industry or type: online publication
Cause of breach: unsecured server

One of UK’s largest business online publications, Investment Week, has leaked the data of 330,000+ users. Independent security researchers first contacted them on April 29, but after only a muted response, posted a Reddit thread on May 28.

They then contacted VPNpro for an exclusive on what the leak contained, and why Investment Week’s parent company, Incisive Media, gave a subpar response.

The leaked data includes:

phone numbers
names and email addresses
subscription information
city and country
company information

Read our exclusive story on Investment Week’s breach here.

May 24 – Canva data breach

Affected users: 139 million
Industry or type: online graphic design service
Cause of breach: hack

The popular graphic design online tool, Canva, reported that user data was compromised in a cyber attack. Canva, which now also owns popular image sharing sites Pexels and Pixabay, reports that the following information was accessed:

usernames
email addresses
demographic information
protected passwords (salted and hashed with bcrypt)
part credit card and payment data

Users have been urged to change their passwords.

May 20 – Instagram data scraping

Affected users: 49 million+
Industry or type: social media
Cause of breach: unsecured database

Millions of Instagram influencers had their personal data scraped and stored on an unsecured database by a Mumbai-based marketing firm. Many high-profile influencers were included in the database, including celebrities, food bloggers, and other popular personalities.

The personal data includes the following:

bio
profile information
personal phone number
personal email addresses

Facebook, which owns Instagram, disputes that users’ personal contact information could have been scraped.

May 15 – WhatsApp hack affects 1.5 billion users

Affected users: 1.5 billion
Industry or type: messaging app
Cause of breach: hack

In a sophisticated breach, WhatsApp, the popular messaging app owned by Facebook, reported a huge vulnerability in its systems. This breach could allow hackers to completely access users’ phones by simply calling the victim on WhatsApp.

The victim wouldn’t even need to answer it: the malicious could would be implanted by simply making a call. A WhatsApp spokesperson hinted that the malicious code could be from a private company Israeli cyber called NSO group.

However, they have denied the allegations. It is unsure how many users have been affected so far.

May 1 – Failed Citycomp blackmail turned data breach

Affected users: unknown (more than 516 GB of data)
Industry or type: IT services
Cause of breach: hack

After failing to blackmail the German IT company Citycomp, which provides crucial IT services to many enterprise companies, a hacking group published a large set of data of some of its customers, including very well known enterprises.

Citycomp has more than 70,000 services and storage systems for its customers, including cash register systems and printers. The cyberattack happened in early April, and was able to fight off the attack with the help of the German police. However, some of their customers’ data was stolen nonetheless.

The financial and private information of some popular client were stolen, including:

Ericsson
MAN
Toshiba
UniCredit
British Telecom
VAG
Leica
Hugo Boss
Porsche
many other

April 29 – Unknown Microsoft Cloud server breach

Affected users: 80 million
Industry or type: online service
Cause of breach: unsecured database

Security researchers discovered an unsecured database that is hosted on a Microsoft cloud server. At the moment, the owner of this data is not known.

Nonetheless, the database contains the data of more than 80 million US households. This information includes:

names
addresses
age
dates of birth
geographic location

Other demographic information was also included. Hackers can use this information (in combination with other data stolen in various breaches) to steal money, do social hacking, or engage in other malicious activities.

April 25 – Atlanta Hawks ecommerce hack

Affected users: unknown
Industry or type: online store
Cause of breach: malicious code

The Atlanta Hawks’ online shop was compromised by hackers, who implemented credit card skimming code on the football team’s ecommerce site. The hackers were able to steal data from any purchases made on or after April 20, 2019. The code was identified by security researches a few days later.

The data that was stolen includes:

customer name
customer address
credit card details

April 22 – Bodybuilding.com data breach

Affected users: 30 million
Industry or type: online store and forum
Cause of breach: phishing scam

The internet’s biggest online forum and ecommerce shop for bodybuilders and fitness enthusiasts, Bodybuilding.com, fell victim to a phishing attack that possibly ended up with more than 30 million of its monthly users’ data exposed.

The company wasn’t sure whether any of its customers’ or users’ data was stolen, but decided to notify its users anyways. The hack came from a successful phishing email received in July 2018. The hackers first gained access in February 2019 and Bodybuilding.com finished its investigation on April 12.

The data that could have been stolen includes:

name and email address
billing and shipping addresses
phone number
order history
biographical data
Bodybuilding.com communications

April 15 – Microsoft Email Services breach

Affected users: unknown
Industry or type: online service
Cause of breach: hack

According to a Microsoft email, a “limited” number of people using Microsoft’s web email services – including those with @msn.com or @hotmail.com – had their accounts hacked. The breach, which occurred between January 1 and March 28, has since been solved. But in that time, hackers were able to view users’:

email address
folder names
email subject lines
email contacts

The hackers were luckily unable to read any of the users’ email addresses, however. Nonetheless, the company is recommending that affected users should change their passwords.

April 4 – Facebook’s massive breach (again)

Affected users: 540 million
Industry or type: social media
Cause of breach: unsecured server (via third-party developers)

Deja vu in the modern era: Facebook (yes, them again) revealed that the records of 540 million of its users had been publicly exposed on Amazon’s cloud computing service. The breach was discovered by the UpGuard Cyber Risk team, who reported that multiple third-party Facebook apps had posted the records in plain sight.

The leaked data includes:

user IDs
friends data
photos
location data
check ins, etc.

April 4 – Georgia Tech data breach

Affected users: 1.3 million
Industry or type: university
Cause of breach: vulnerable web application

The world-renowned George Institute of Technology (commonly referred to as “Georgia Tech”) revealed in early April that 1.3 million students and employees had their information exposed in a data breach.

The fault has been placed on a vulnerability in a web application. A hacker was able to access the database connected to the web app. The stolen information includes:

first and last names
Social Security numbers
addresses
dates of birth

April 3 – Toyota’s multiple breaches

Affected users: 3.1 million
Industry or type: automotive
Cause of breach: hack

Within the span of 5 weeks, the popular Japanese car company Toyota suffered two major data breaches. Toyota reports that hackers were able to breach its IT systems and thereby access information that belongs to some of its sales subsidiaries. The previous hack affected 1.3 million Toyota car buyers.

It isn’t clear what kind of information was stolen, although Toyota promises that no financial information was exposed.

March 31 – Earl Enterprise credit card leak

Affected users: 2.15 million
Industry or type: restaurant
Cause of breach: malware on POS systems

Earl Enterprise, the parent company for popular restaurants including Planet Hollywood, Mixology and Buca di Beppo revealed that more than 2 million of their customers’ credit card numbers had been stolen. Security researches KrebsOnSecurity discovered that those numbers were being sold online. It is believed that malware was installed on the restaurants’ point-of-sale systems.

The stolen data includes:

credit card numbers
debit card numbers
expiration dates
some cardholder names

March 21 – Facebook password leak

Affected users: 100 million+
Industry or type: social media
Cause of breach: unencrypted passwords

On March 21, Facebook admitted that the passwords of hundreds of millions of its users had been stored in plain text on the company’s internal servers. While they claimed that their systems were supposed to encrypt passwords, more than 2,000 Facebook engineers and developers had easy access to hundreds of millions of users’ passwords.

The company said that it hadn’t found any evidence that this was abused by its employees. However, given the struggling social media giant’s years-long problems with transparency and truth, it’s best to assume that if yours is one of those exposed passwords, you should probably change it just to be safe.

March 14 – Gearbest (Chinese shopping giant)

Affected users: 1.5 million+
Industry or type: online shopping
Cause of breach: unsecured server

The Chinese online shopping giant, Gearbest, has apparently been storing user data on an unsecured server. Cybersecurity researcher Noam Rotem found an Elasticsearch server (the same as ones from above) that was leaking millions of users’ data each week.

Some of the leaked information includes:

purchased products
shipping address
customer information (name, email, phone number)
payment information
order numbers
account passwords
national IDs and passport information

Since being contacted about the unsecured server, however, Gearbest hasn’t responded or secured their server yet. This means that the true number of affected users is likely much more than 1.5 million.