2016 was a very interesting year for infosec and cyber security, with cyber criminals showing their force, particularly when it came to data breaches and unauthorised access to computer systems. I take a look back at some of the biggest data breaches of 2016.
Yahoo – 1 Billion +
Not just one, but two security breaches last year. In September, Yahoo blamed a ‘state-sponsored actor’ for the hack of details from over 500 million accounts in 2014. Account information stolen included names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers. Fast forward to December, and Yahoo announced that at least 1 billion user accounts had data stolen in a separate attack.
It wasn’t a good year for Yahoo. Back in October, Reuters reported that the company had scanned all of its user accounts for a US intelligence agency. It’s also rumored that Verizon will ask for a $1 billion discount on its $4.83 billion acquisition of Yahoo.
FriendFinder Networks – 412,214,295 Accounts Exposed
Over 20 years’ worth of data from six databases was hacked in October. Announced in November, the breach included usernames, email addresses and passwords, 125 million of which were stored in plain text; practically all of the hashed passwords were also cracked.
The notification of the breach came from LeakedSource, not FriendFinder Networks.
Feeble Weebly – 43,430,316 User Details Leaked
San Francisco-based drag-n-drop website platform Weebly had over 43 million user details exposed through LeakedSource. The mega breach contained usernames, email addresses, passwords and IP addresses. The company stressed that it does not store credit card information, and it issued password resets.
DailyMotion – 85.2 Million Leaked
In a breach carried out by an unknown hacker, 85.2 million unique email addresses and usernames were extracted from DailyMotion’s systems. The hacker managed to access 18.3 million accounts with passwords, but the passwords were hashed with bcrypt, making them difficult to crack.
The leak took place on October 20th, with DailyMotion commenting on the issue on December 6th, a day after it came to light in the media.
Three Mobile – 6 Million Customers Affected
Three admitted that hackers had gained access to its customer upgrade information using an employee login. The data accessed included names, phone numbers, addresses and dates of birth.
Three had felt particularly picked on throughout October and November, as it announced that it had noticed an increasing level of attempted handset fraud, whether at retail stores or through attempts to unlawfully intercept upgrade devices.
Australian Red Cross Blood Service – 550,000 Donors Leaked
The personal details of over half a million blood donors in Australia were accessed by an ‘unauthorized person’, according to chief executive Shelly Park in October.
She admitted the file was accessed due to human error. The file in question was a backup of a web form that is used to access a donation between 2010 and 2016, and it included name, address and other personal details from a short questionnaire.
Turkish Citizenship Database – 49,611,709 Turkish Citizens’ Details Online
Personal information of nearly 50 million Turkish citizens was posted online in a downloadable 6.6GB file. The data included National Identifier numbers, full names and parents’ names, gender, city and date of birth, full address and ID registration: almost everything criminals need to commit identity fraud.
A statement on the data leak page said “Who would have imagined that backwards ideologies, cronyism and rising religious extremism in Turkey would lead to a crumbling and vulnerable technical infrastructure?”. The leak also included the details of Turkish President Tayyip Erdogan, along with those of his predecessor and the current prime minister.
What’s Next?
We’re left wondering if our data will be safe this year and if we’ll see something break the 1 billion bar set by Yahoo.
When it comes to passwords, you should use a password manager such as LastPass, Keeper or 1Password to create unique and secure passwords for each website you use. It’s also very good practice to enable two-factor authentication if available.
Sources:
- World’s Biggest Data Breaches Visualization from Information is Beautiful. The clever tool puts together hacks as bubbles representing the number of records lost.
- Find websites that support two-factor authentication and shout at those that don’t
- These were the biggest hacks, leaks and data breaches of 2016 – ZDNet