We’re happy to announce that SelfKey will be partnering with Polkadot.
All Data Breaches in 2019 & 2020 – An Alarming Timeline
Your data is valuable and should belong to you. Nevertheless our online records are exposed on an almost daily basis, with potentially devastating consequences. This blog post aims to provide an up-to-date list of data breaches and hacks.
Your personal information is not safe online. Data breaches happen on an almost daily basis, exposing our email addresses, passwords, credit card numbers, social security numbers and other highly sensitive data.
Unfortunately, most people do not understand the gravity of the problem until it personally affects them through identity theft or other malicious activity. Unsurprisingly however, the rate of identity related crime is exploding, and a recent study claims that there is a new victim of identity theft every 2 seconds in the United States alone.
On top of that, Experian has published statistics showing that 31% of data breach victims later have their identity stolen. Keeping in mind that the number of records exposed through data breaches is so high, this is alarming news.
One important reason for the malaise is that data breaches have seemingly become an inevitable part of modern life. We have to register for online accounts in order to participate in a modern society, and have to swallow the fact that the centralized databases containing our information will sooner or later suffer a breach.
That is why SelfKey is working on an end-to-end self-sovereign identity management system which will do a much better job of protecting you from data breaches.
You can learn more about our solution here, but for now, let’s take a closer look at the damage.
State of the breach June 2020: AT LEAST 16 billion records, including credit card numbers, home addresses, phone numbers and other highly sensitive information, have been exposed through data breaches since 2019. The first quarter of 2020 has been one of the worst in data breach history, with over 8 billion records exposed.
Check out Have I Been Pwned to see if your accounts have been compromised by a data breach.
Over 1 Million – OneClass, June 29, 2020
Online learning platforms have become increasingly popular targets for data breaches over the past few months as the education world has gone digital. Unfortunately, OneClass is no exception and left the data of over a million North American students (many of them minors) exposed on an unsecured Elasticsearch server. The data exposed included students’ full names, email addresses, schools/universities, phone numbers, account details and school enrollment details.
Over 2 Billion – BlueKai, June 19, 2020
US tech giant Oracle owns BlueKai, a company very few have heard of outside of marketing circles but it possesses one of the largest banks of web tracking data outside of the federal government. The company uses website cookies, and other tracking technology, to follow your activities on the web then sells that data to companies and marketing firms.
For an unknown period of time, all of that web tracking data was left exposed on a server without a password. Billions of records were unsecured for anyone to find. The data exposed included names, home addresses, email addresses and other identifiable data including web browsing activity. The details are still fuzzy. Oracle says that they have taken care of the problem but haven’t offered up any information as to how this happened and who was affected.
At Least 8 Million – Postbank, June 14, 2020
The Postbank in South Africa has had to replace over 12 million bank cards after an unencrypted master key was stolen by employees. The master key granted anyone complete access to the bank’s systems and the ability to change information on any of the bank’s 12 million cards. The breach specifically affected between 8 and 10 million beneficiaries who receive social grants every month. It’s still unclear if any funds were stolen, and exactly what data was exposed.
5 Billion – Keepnet Labs, June 9, 2020
Keepnet Labs is a UK security company that initially experienced a breach back in March 2020 when a database was exposed containing data that had been previously been exposed in other data breaches. After being notified, Keepnet Labs quickly took the data down but refused to acknowledge the breach. They even went as far as to pursue legal action against at least one tech reporter who had written about the breach.
The breach was finally acknowledged this month when Keepnet Labs issued a statement saying that they were not directly responsible, but rather a third party provider was. Although no new data was exposed, it’s ironic that a security company would experience a data breach.
329,000 – Chartered Professional Accountants of Canada, June 4, 2020
Chartered Professional Accountants of Canada (CPA) experienced a cyberattack early in the month that allowed unauthorized third parties to gain access to the personal information of over 329,000 members and stakeholders. The stolen information was mostly related to the distribution of the CPA Canada magazine and included personal data such as names, addresses, email addresses, and employer information.
Passwords and credit card numbers were also exposed, but CPA Canada says they were all protected by encryption. Anyone affected by the breach has been notified by the company, and CPA Canada notified the relevant authorities.
47.5 Million – Truecaller, May 27, 2020
The personal data of 47.5 million Indians was found for sale on the dark web for $1,000, and is claimed to have originated from the popular caller ID and spam blocking app Truecaller. Personal information such as phone numbers, service providers, names, genders, and more was made available.
However, Truecaller denies there was a breach at all. Truecaller suffered a previous data breach in May 2019, and the company suggests that it is the same data set that is for sale. If Truecaller has suffered a breach this month, then it’s a case of gross negligence, or it could just be criminals trying to make a quick buck.
26.3 Million – LiveJournal, May 27, 2020
For years rumors have circled that blogging platform LiveJournal suffered from a data breach, and many users have reportedly received extortion letters tied to their LiveJournal accounts. The breach was finally confirmed this month by multiple hackers who are selling the user data on the dark web. It’s unclear what year the breach actually took place, but the details weren’t revealed until this month when Have I Been Pwnd? received a copy of the leaked user database.
The data that was breached included usernames, emails, and plaintext passwords of over 26 million users. LiveJournal and it’s parent company, DreamWidth, have yet to acknowledge the breach despite users complaining of having their data stolen for years.
8.3 Billion – AIS, May 25, 2020
Thailand’s largest cellphone network pulled a database containing billions of Thai internet users offline after discovering records were being leaked for over two weeks. The passwordless database was discovered by security researcher Justin Paine who quickly notified AIS about the massive breach.
AIS has come out saying that no personal information was made available, but unfortunately, that’s just not true. The leaked data included DNS queries, which have the potential to let authorities and hackers know who was visiting which websites and from where. This is particularly problematic as Thailand has incredibly strict censorship laws, and if the authorities get ahold of the leaked data, it could lead to arrests.
25 Million – Mathway, May 25, 2020
A popular website for helping students and children learn mathematics suffered from a data breach, resulting in more than 25 million records being exposed. The breach was only discovered when the records were being sold on the dark web earlier in May. So far, it is believed that only emails and hashed passwords were exposed.
Over 1 Million – EHTERAZ, May 22, 2020
While many governments have talked about using an app to track the spread of COVID-19, only a handful of countries have actually created one. In Qatar, the app used by the government to track COVID-19, EHTERAZ, is compulsory. Unfortunately, due to inadequate security measures, the app suffered a data breach exposing the sensitive personal information of over one million residents.
Information such as names, birth dates, national ID numbers, location, and health status were all made available. It is unknown how long this data was exposed for, but luckily the Qatari government was quick to act.
2.3 Million – Indonesia, May 22, 2020
The private data of over two million voters in Indonesia was found for sale on the dark web, along with a threat to release a further 200 million records. It’s unclear exactly where the data came from, and how it got stolen, but some of the records date back as far as 2013. Information such as home addresses, names, and national ID numbers were breached. The investigation is still ongoing.
9 Million – EasyJet – May 19, 2020
European budget airline EasyJet suffered a major breach that began in January 2020 but didn’t notify customers until April and May 2020. Emails and travel information were amongst the information that was breached, and over 2,000 customers had their credit and debit card details accessed.
EasyJet has declined to say how the attack happened, and who committed it. Thanks to the GDPR, EasyJet could face a major fine if they are discovered to have inadequate security measures in place.
9 Million – CDEC Express, May 14, 2020
Russian delivery company, CDEC Express, suffered a major breach when it was discovered that the records of 9 million customers were for sale on the dark web. CDEC Express has denied that they were the ones who were breached, stating that personal data is collected many companies and that they were not the source. Information such as the delivery of goods, buyer information, and tax ID numbers were all breached.
3.7 Million – MobiFriends, May 11, 2020
Millions of users of a popular online dating app, MobiFriends, were hacked early in May. The breached data includes dates of birth, gender, website activity, mobile numbers, usernames, email addresses and MD5 hashed passwords. The breach is believed to have originally taken place in January 2019, but the information has recently been available for sale (and now for free) on the dark web.
21,909,707 – Unacademy, May 3, 2020
One of India’s largest online learning platforms, Unacademy, suffered from a massive breach after a hacker gained access to a database and began selling account information of more than 20 million users. Names, emails, passwords, and account activity were among the data that was stolen. Hackers have claimed to have stolen more data than just user information, but what that may be (and if it’s true) remain to be seen.
91 Million – Tokopedia, May 3, 2020
Indonesia’s largest e-commerce platform, Tokopedia, began investigations after security researchers discovered a treasure trove of customer data for sale on the dark web. However, the initial breach turned out to be far worse than anticipated. The initial number of 15 million records ballooned up to 91 million after the investigation was launched.
While Tokopedia has stated several times that passwords were not included in the data that was leaked, plenty of other personal information was. Names, emails and birthdays were all available for sale, and there were at least two buyers of the information.
Unknown – ExecuPharm, April 27, 2020
Major US pharmaceutical firm ExecuPharm suffered a major data breach in March but didn’t notify the public until a month later. Malicious actors gained access to ExecuPharm’s servers and held them for ransom. Additionally, the hackers also sent out phishing emails to ExecuPharm’s employees.
It’s unclear exactly how many people were affected, but a large amount of sensitive data was leaked including social security numbers, taxpayer IDs, driver’s license numbers, passport numbers, bank account details, credit card numbers, and more. The hackers later went on to publish the stolen data on the dark web.
160,000 – Nintendo, April 24, 2020
Video game giant Nintendo experienced a breach that affected 160,000 users. The issues began in early April when hackers gained access to login IDs and passwords to Nintendo accounts. Malicious actors gained access to nicknames, emails, birth dates, and country of residence. Even worse, some accounts experienced fraudulent purchases.
28,000 – GoDaddy, April 23, 2020
GoDaddy is one of the world’s largest domain registrars and a web hosting company that provides services to roughly 19 million customers around the world. While only 28,000 customers were affected, any breach for a company of this size is a big deal. The data breach itself took place in October 2019 but wasn’t discovered until April 2020.
An unauthorized individual gained access to login credentials for SSH on hosting accounts, and as a result, the breach only affected hosting accounts. So far, it doesn’t appear like any personal information was leaked. That being said, the investigation is still ongoing.
5.2 Million – Marriott, March 31, 2020
This isn’t the first time hotel giant Marriott has suffered a data breach. Back in 2018, 383 million records were leaked. This time, hackers obtained login details of two employees and broke into the system in January 2020. Marriott has said that they have no reason to believe that any payment information was breached, just personal data of their customers (such as names, addresses, and contact information).
29,969 – Norwegian Cruise Line, March 20, 2020
March was already a bad months for cruise lines, and things got a lot worse for Norwegian Cruise Line when one of it’s databases was breached. The leaked information was only regarding travel agents, no guests were affected. Despite being notified of the breach earlier in the month, the company was slow to react and has since attempted to downplay the extent of the breach.
Unknown – Rogers, March 18, 2020
Canadian telecommunications giant Rogers experienced a data breach when one of their external providers inadvertently made information available online that provided access to a customer database. It’s unclear how many customers were affected, but the company has over 10 million wireless subscribers. Rogers stated that although personal information like names, addresses, and contact information was leaked, no payment information or passwords were compromised.
Unknown – Princess Cruises, March 13, 2020
It’s been a rather unfortunate month for Princess Cruises. First they had to suspend operations thanks to COVID-19, then they announced that they had experienced a data breach. The breach actually took place from April to July 2019 and discovered the breach in May 2019. It’s unclear why the cruise line waited so long to notify customers.
An authorized party managed to gain access to employee email accounts and accessed personal information of employees, crew members, and guests. It’s unclear exactly how many people were affected, and Princess Cruises has been pretty quiet about the whole thing.
6.9 Million – The Dutch Government, March 11, 2020
In a rather bizarre turn of events, the Dutch government admitted to losing two external hard drives that contained the personal data of more than 6.9 million organ donors. The hard drives contained records from 1998 to 2010 and had been placed in a vault in 2016. When officials went to access them this year, they were mysteriously gone. So far, there is no evidence that anyone has attempted to use the data.
At Least 81.6 Million – Antheus Tecnologia, March 11, 2020
Brazilian biometric solutions company Antheus Tecnologia suffered from a significant data leak and other security flaws, which lead to an Elasticsearch server containing biometric data to be exposed. An estimated 76,000 fingerprints were on the server. Other records included employee company emails and telephone numbers.
201,162,598 Million – Unknown, March 5, 2020
The Comparitech security research team alongside security expert Bob Diachenko discovered an unprotected Google cloud server containing the personal data of 200 million US residents. The server was originally found in January, and the team worked to identify the owner of the server but couldn’t uncover who they were.
The server was finally taken offline in March, although the data was exposed for at least one month. Most of the data exposed contained personal, demographic, and property information. The majority of the information was incredibly detailed, including things like net worth, property value, mortgage details, and tax assessment info.
900,000 – Virgin Media, March 5, 2020
A Virgin Media database containing the personal information of 900,000 people was left unsecured online for ten months. The data breach is not the result of criminal activity, just negligence on the part of Virgin Media. The database was for marketing purposes and contained information such as names, phone numbers, emails, and home addresses.
The database was accessed by an unknown person while it was available on at least once. Virgin Media reported to incident to the ICO and has launched a full investigation.
330,000 – Slickwraps, February 21, 2020
On the 25th of February The Verge reported that Slickwraps, a company that makes vinyl skins for phones, tablets and laptops, suffered a significant data breach affecting the personal information of over 330,000 customers. Worryingly, the hackers sent out an email blast to all affected users, mentioning their name, home address and an indictment of Slickwraps security measures.
— Toneman (@Toneman) February 21, 2020
Unknown – Defence Information Systems Agency, February 11, 2020
The US defence agency that handles secure communications for the White House suffered a data breach between May and July of 2019, but the breach wasn’t discovered until February 2020. The Defence Information Systems Agency (DISA) is responsible for direct telecommunications and IT support for President Donald Trump, Vice President Mike Pence, their staff, the U.S. Secret Service, the chairman of the Joint Chiefs of Staff and other senior members.
The extent of the breach, including how many were affected and what data was compromised, is unclear as DISA has been extremely tight-lipped. The agency employs over 8,000 military and civilian employees according to their website.
Unknown – The United Nations, January 29, 2020
Hackers compromised dozens of UN servers in the summer of 2019, yet the world body kept it a secret, even from it’s own employees. While the size of the breach is unclear, staff records, health insurance, and commercial contract data were compromised. As the UN is under diplomatic immunity, they are not required to divulge what data was taken or notify those affected. The UN was allegedly notified about several security issues years ago.
At least 10,000 – LabCorp, January 28, 2020
Clinical laboratory LabCorp suffered an earlier breach in July 2019 when 7.7 million records were stolen. Unfortunately, the security upgrades they must have made were not enough to prevent another breach at the end of January 2020. At least 10,000 patient records were exposed including names, addresses, and in some cases, social security numbers.
250 Million – Microsoft, January 22, 2020
Microsoft didn’t have a great start to 2020. 250 million customer service and support records, going all the way back to 2005, were breached. Microsoft has said that only email addresses and IP addresses were exposed, but security researchers believe that it goes beyond that.
According to Microsoft, the records were not publicly available as they were stored on an internal data base and were only exposed for just under a month. The tech giant conducted an internal investigation and claims that there was no sign of malicious use.
2.4 Million – Wyze, December 30, 2019
The smart camera provider Wyze suffered two breaches at the end of December when databases were left exposed for over two weeks. So far, it appears that only email addresses were leaked. Smart cameras are starting to become a popular target for hacks.
Unknown – Wawa, December 19, 2019
Wawa is a convenience store chain on the east coast of the US, and suffered a massive data breach involving payment information starting in March 2019. The breach wasn’t discovered until December, and it is believed that thousands have been affected. Card numbers and customers names are amongst some of the data that was stolen.
267 Million – Facebook, December 19, 2019
Security expert Bob Diachenko discovered that a database containing personal information of more than 267 million Facebook users had been left exposed. The exposed data included names, phone numbers, and Facebook IDs. Hackers in Vietnam are believed to be responsible.
15 million – LifeLabs, December 17, 2019
In what is believed to be the largest breach in Canadian history, medical testing company LifeLabs suffered a hack in October that left 15 million records of patient data exposed. The breach wasn’t announced until December, and the company is now facing a billion dollar class action lawsuit.
The SelfKey Identity Wallet is a free identity solution for Windows, Linux and Mac. Get yours today!
Unknown – OnePlus, November 23, 2019
Indiatoday.in has reported that the popular Chinese smartphone manufacturer, OnePlus, has suffered a significant data breach. According to the OnePlus security team, an unauthorized party managed to access customer information by exploiting a vulnerability in the OnePlus website. This information includes phone numbers, email addresses, first and last names, as well as shipping addresses. As of now payment information does not seem to have been compromised and it is not yet clear how many people have been affected.
1 Million – T-Mobile, November 22, 2019
T-Mobile, the multi-national wireless network operator, suffered a major data breach, reportedly affecting over 1 million customers. The exposed data includes phone numbers, billing addresses, T-Mobile account numbers, names, and details about rates and plans.
The news comes at a particularly bad time, as customers suffer a heightened risk of identity fraud during the holidays, while T-Mobile’s attempted merger with Sprint may now face more intense scrutiny.
1.2 Billion – Unknown, 22 November 22, 2019
An unprotected server containing 1.2 billion records of personal data was found by security researchers. Renowned security experts Vinny Troia and Bob Diachenko found the Elasticsearch server and soon concluded that the data had been sourced by a data enrichment company. This would explain the breath-taking size of the breach, which exposed 622 million unique email address, as well as social media profiles, phone numbers, employers and even job titles.
3 Million – UniCredit, October 28, 2019
3 Million customers of the Italian Bank UniCredit have had their sensitive information exposed by a major data breach. The compromised information includes the names, telephone numbers, email addresses and even cities where clients were registered. ZDNet reports that, although UniCredit operates internationally, all exposed records related to Italian customers.
Yet unknown – 7-Eleven, October 25, 2019
The 7-Eleven fuel app was taken offline on Thursday after customers reported that they could access the personal information of other app users. The information reportedly included the amount of money in their account, names, email addresses, phone numbers and their date of birth. According to the Guardian, the app has been downloaded over 2 million times.
Yet unknown – Web.com, October 16, 2019
On the 16th of October the domain name registration service Web.com announced a serious data breach. According to the disclosure notice an unauthorized third-party gained access to a limited number of their computer systems in late August. According to the statement no credit card data was compromised as a result of the incident.
XX Million – Malindo Air, September 18, 2019
Malindo Air, the low-cost Indonesian Airline, has confirmed a significant data breach affecting millions of passengers. The information, including names, home addresses, phone numbers and even passport numbers, has already been leaked on public forums meaning that those affected, likely already face a much higher risk of identity theft and fraud.
20 Million – Novaestrat, September 16, 2019
A massive data breach has reportedly affected almost the entire population of Ecuador. Security company vpnMentor was the first to identify the breach, when their research team found a Miami-based Elasticsearch server run by the Ecuadorian company Noaestrat.
The breach is particularly damaging, due to the extensive quantity of information stored about each individual. This includes birth dates, names, contact information, national identification numbers, tax payer identification numbers, driving records and bank account balances. The information was seemingly compiled by several Ecuadorian government registries, automotive associations and the Ecuadorian national bank. Among the affected are reportedly six million children.
50,000 – Get, September 9, 2019
According to the Guardian, the personal details of around 50,000 university students have been exposed. An app designed to facilitate payments for university clubs and societies, called Get, apparently allowed unauthorized users to get access to other users’ data, including names, email addresses, date of birth and phone numbers.
14 Million – Hostinger, August 25, 2019
Techcrunch reported that the popular web hosting service Hostinger suffered a major data breach affecting millions of users. According to the report, a hacker gained access to the company’s systems including an API database. That database contained customer usernames, email addresses and passwords.
Hostinger has said that the API database stored roughly 14 million customers’ records.
1 Million – Suprema, August 14, 2019
One of the leading biometrics companies, Suprema, left the fingerprints, facial recognition information, unencrypted usernames and passwords of over 1 million people on an unencrypted database. The Guardian broke the story, reporting that Suprema’s data is used by the UK Metropolitan police and 5,700 other organizations.
23 Million – CafePress, August 5, 2019
The personal information of over 23 million CafePress customers has been exposed according to multiple reports. The custom T-shirt and merchandise company has yet to issue a statement but the exposed data has been circulating in hacker forums for weeks. The data breach involved the names, usernames, email addresses, passwords, and physical addresses.
50 Million – Poshmark, August 1, 2019
The US-based fashion platform Poshmark suffered a significant data breach according to a blog post on their site. An unauthorized third party managed to access the email addresses, names, user names, and even clothing size preferences of Poshmark users.
It is still unclear how many people are affected but Poshmark is said to have around 50 million users.
100 Million – Capital One, July 29, 2019
The New York Times is reporting that a former Software Engineer hacked the database of Capital One and obtained the personal information of more than 100 million people. Federal prosecutors have named it one of the largest data breaches in history with potentially devastating consequences.
In addition to millions of stolen credit card applications – Capital One is the third largest issuer of credit cards in the US – the breach also compromised one million Canadian social insurance numbers.
300,000 – QuickBit, July 22, 2019
On the 22nd of July, Coindesk reported that the Swedish cryptocurrency exchange QuickBit suffered an extensive data breach. According to the report, the digital asset platform unknowingly leaked the data of 300,000 customers via an unprotected MongoDB database.
The exposed data included full names, addresses, email addresses, user gender, and dates of birth.
5 Million – Bulgaria’s National Revenue Agency, July 17, 2019
Bulgaria suffered a devastating data breach and the largest in its history according to The Next Web. Hackers managed to breach the National Revenue Agency and access highly sensitive information of 5 Million citizens. Bulgaria’s population stands at 7 Million, meaning that almost everyone is affected.
The compromised data includes personal identifiable numbers, addresses, and even income data. The hackers sent a download link to local media and stated: “The state of your cyber-security is a parody.” An investigation into the extent and ramifications of the data breach are under way.
14,600 – Los Angeles County Department of Health Services, July 10, 2019
CBS Los Angeles reported that malicious actors managed to use a phishing attack to access highly sensitive personal information of 14,600 patients. 2019 has been a horrific year for customer privacy in the medical industry, with breaches occurring on an almost weekly basis.
According to reports, the Los Angeles County Department of Health is in the process of notifying patients. The phishing attack happened in March 2019, and the hackers seemingly had access to employee accounts for several hours. Among the exposed information is: names, addresses, phone numbers and patient information.
78,000 – Maryland Dept. of Labor, July 6, 2019
According to Yahoo News, 78,000 people may have had their personal information exposed, due to a data breach affecting Maryland’s Department of Labor. The data reportedly occurred earlier this year and no evidence of malicious activity was found. Nevertheless, the Department is offering all affected customers two years free credit monitoring.
Mars Mission Data – NASA, June 24, 2019
On the 24th of June it was reported that NASA had experienced a significant security incident. According to this report, an unauthorized individual managed to access NASA’s Jet Propulsion Laboratory, making off with highly sensitive information. The hacker supposedly went undetected for 10 months and had access to many critical projects – including details about NASA’s Curiosity Rover.
11 Million – Emuparadise, June 10, 2019
ZDNet has reported that 11 million user accounts of the popular gaming emulator Emuparadise were exposed after a recent data breach. The user passwords were stored as salted MD5 hashes, a form of encryption deemed unsafe since 2012, and were easily cracked. The full extent of the breach is still unknown, although ZDNet claims that passwords, email addresses, IP addresses and usernames are involved.
7.7 Million – Labcorp, June 4, 2019
Just a day after Quest Diagnostics announced its breach, another company dealing with highly sensitive medical records announced a major security incident. According to USA Today, Labcorp was also using the collections firm American Medical Collection Agency (AMCA), which experienced a supposed breach earlier this month. Specifics are hard to come by, but names, addresses, dates of birth, and balance information are likely among the compromised data.
11.9 Million – Quest Diagnostics, June 3, 2019
Quest Diagnostics, a clinical laboratory company, announced that an “unauthorized user” gained access to the medical records and social security numbers of up to 12 million customers. Information is still sparse, but it appears that AMCA, a billing vendor used by Quest, was exploited for the attack. All parties are working closely together to understand the full scope of the data breach.
Unknown – Checkers Restaurants, May 30, 2019
ZDNet reported that hackers breached the security systems of Checkers Restaurants and installed malware which infiltrated the restaurant chain’s point of sale software. As a result, the hackers managed to steal customers’ payment card number, cardholder name, expiration date and card verification code.
Hundreds of locations have been affected although the total number of impacted customers is still unknown.
Unknown – Flipboard, May 29, 2019
The popular news aggregation app Flipboard announced that it had detected unauthorized access to some of its databases between June 2, 2018 and March 23, 2019. It’s still unclear how many of the 145 million monthly users are affected, but names, email addresses and cryptographically protected passwords are among the exposed data.
139 Million – Canva, May 28, 2019
Marketingland reported that the leading graphic design tool Canva had experienced a cyber attack which affected up to 139 million users. According to the report, the attack targeted usernames, email addresses and passwords, although luckily credit card details were not compromised. Canva is particularly popular among entrepreneurs and online marketers from all over the world.
885 million – First American, May 25, 2019
Renowned cyber security experts Krebs on Security reported that Fortune 500 giant First American Financial Corp exposed customers’ bank account numbers, statements, mortgage as well as tax records through its faulty website. 885 million highly sensitive records were leaked to anyone who knew where to look, with the records going back to 2003.
49 Million – Chtrbox, May 20, 2019
An unsecured database seemingly belonging to Chtrbox, a Mumbai-based social media marketing firm, was discovered online. TechCrunch reports that the database contained more than 49 million records comprising bio info, email address, phone number, and profile picture of millions of Instagram users.
1.5 Million – Freedom Mobile, May 9, 2019
The VPN Mentor research team discovered a data breach which exposed the personal information of 1.5 million Freedom Mobile users. Worryingly, the data included credit card numbers and CVV numbers, meaning that significant financial damage will likely be incurred as a result.
1.6 Million – AMC Networks, May 1, 2019
Renowned security expert Bob Diachenko discovered a publicly available MongoDB instance exposing the data of 1.6 million AMC network subscribers. The subscriber information contained names, emails, subscription plan details and more personally identifiable information. This is another alarming example of failure to meet the very lowest security standards.
Unknown – Atlanta Hawks, April 23, 2019
Struggling Basketball teams are just as vulnerable to data breaches as governments, businesses and Universities. On April 23, CNet reported that the Atlanta Hawks eCommerce store had been infected with malware designed to steal the payment information of customers. Expert Willem De Groot identified the notorious hacking group Magecart as the culprit and the Atlanta Hawks are still investigating the full extent of the hack.
9 Million – Bodybuilding.com, April 22, 2019
One of the biggest service providers in the fitness industry, bodybuilding.com, suffered a serious hacking attack potentially impacting its 9 million users. According to Forbes, a sophisticated phishing attack had allowed hackers to gain access to the highly sensitive data including billing addresses, names, email addresses and birth dates.
Unknown – Microsoft Email Services, April 15, 2019
Popular email services msn.com, hotmail.com and outlook.com were affected by a significant data breach according to TechCrunch. The vulnerability seemingly existed between January 1st and March 28 2019, and allowed hackers to access email accounts.
540 Million – Facebook, April 2, 2019
Mark Zuckerberg was in the news for all the wrong reasons in April 2019. The (so far) newest addition to the litany of blunders involved exposing the personal records of over 540 million Facebook users. According to TechCrunch, cybersecurity experts found the data on an unsecured, publicly accessible database.
1.3 Million – Georgia Tech, April 2, 2019
Universities are just as likely to get hacked as a business or government organization. On April 2nd, a host of highly sensitive personal information managed by Georgia Tech was accessed by a hacker. The information of 1.3 million faculty members, students and employees was affected according to patch.com. Social Security Numbers, birth days, names and addresses were breached.
980 Million – Verifications.io, March 29, 2019
Towards the end of March 2019, cybersecurity expert Bob Diachenko found an unsecured database containing 982 million email addresses along with names, genders, employers and home addresses. The server was unsecured and available to anyone who knew were to look. Upon notification verifications.io, the company seemingly behind the database, shut down its website and ostensibly ceased to operate.
2 Million – Earl Enterprises, March 29, 2019
The credit card information of more than 2 million customers of Earl Enterprises was stolen and later sold according to krebsonsecurity.com. Criminals managed to install sophisticated malware on the company’s point of sale software, allowing them to syphon off the highly sensitive payment information.
1.8 Million – Federal Emergency Management Agency, March 22, 2019
Data breaches are particularly harmful when they affect vulnerable people. In March 2019, the Washington Post reported that 1.8 million disaster survivors had their banking information plus their home addresses accidentally shared with contractors. These people had primarily sought shelter after wildfires and hurricanes.
2 Million – Oregon Department of Human Services, March 21, 2019
Government organizations are just as likely to suffer data breaches as hospitals, businesses and two person startups. On March 21st, the Oregon Department of Human Services announced that poorly trained employees had fallen for a phishing attack, comprising highly sensitive personal information of roughly 1.6 million people. This includes emails, addresses, names and much more.
600 Million – Facebook, March 21, 2019
Facebook has a long history of privacy abuses and data scandals. At the end of March 2019, the social media giant admitted that it had failed to secure the passwords of 600 million users since around 2012. Thousands of Facebook employees had access to the millions of unsecured records, which were stored in a plain text file.
1.5 Million – Gearbest, March 14, 2019
In March, the VPN Monitor research team reported that Gearbest, a highly successful Chinese eCommerce company, had a completely unsecured database. The VPN Monitor team managed to access a database containing 1.5 million records. Alarmingly, the information contained payment information, billing address, order history and much more highly sensitive information.
2.4 Million – Dow Jones, March 1, 2019
One of the most significant data breaches ever occurred on March 1st, when more than 2 million identity records including government officials and politicians was leaked online. According to reports from Zdnet, the information was stored, alarmingly, on a publicly accessible database.
1 Million – UW Medicine, February 20, 2019
February 20th was a particularly bad day for the personal data of medical patients as both Advent and UW Medicine reported significant data breaches. In the case of the UW Medicine data breach, nearly 1 million people were affected by a simple bug: A problem with the platforms server indexed highly sensitive data on search engine’s, meaning that patient’s financial history, passwords, social security and more were available with a simple Google search.
42,000 – Advent Health, February 20, 2019
Data breaches affecting medical records are particularly hazardous. In February, the Advent Health Medical Group notified its members of a 16-month long data breach exposing medical histories, social security numbers and a host of highly sensitive information. According to reports, 42,000 individuals were affected.
14.8 Million – 500px, February 15, 2019
The popular photo sharing site 500px was hacked, exposing the data of 14.8 million users. Information such as names, usernames, emails, locations, gender, and birth dates were revealed. The website notified its users and forced a password reset, although the hack happened in July 2018 and they weren’t aware of it until February 2019.
6 Million – Coffee Meets Bagel, February 14, 2019
In a case of ironically poor timing, the dating app Coffee Meets Bagel announced a data breach just in time for Valentine’s Day. While only names and emails of users were exposed, the breach impacted approximated 6 million people.
Unknown – Dunkin’ Donuts, February 12, 2019
Dunkin’ Donuts announced a data breach for the second time in three months, affecting DD Perks rewards members. Hackers used credential stuffing attacks to gain access to customer accounts, then sold them on the Dark Web for profit. The first of these attacks happened at the end of November, and although the company didn’t say how many customers had been affected, there are currently 10 million DD Perks members.
24,000 – EyeSouth Partners, February 6, 2019
An unauthorized third party gained access to an employee email account of Georgia-based EyeSouth Partners. Over 24,000 patients had their data compromised, such as names, health insurance information, and account balance information.
Unknown – Huddle House, February 4, 2019
The US-based casual dining and fast food restaurant chain, Huddle House had their point of sale system compromised, giving hackers the ability to install malware to steal the payment information of customers between August 2017 and February 2019. How much damage was done is still unclear as Huddle House is continuing their investigation.
20,000 – Catawba Valley Medical Center, February 4, 2019
Phishing scams seems to be a popular and effective cyberattack in the medical industry, as three employee email accounts at Catawba Valley Medical Center were hacked by one in the summer months of 2018. An estimated 20,000 patients of the North Carolina-based medical facility had their names, birth dates, social security numbers, and personal health information exposed in the attack.
Unknown – Houzz, January 31, 2019
To finish off January, the popular home improvement website Houzz announced a data breach affecting users of their platform. While Houzz did not disclose how many people were affected by the breach, the site has approximately 40 million users. The company stated that public profile information such as names, locations, usernames, and hashed passwords were taken by an unauthorized third party.
23,000 – Critical Care, Pulmonary & Sleep Associates, January 31, 2019
Employees of the Critical Care, Pulmonary & Sleep Associates (CCPSA) fell for a phishing attack that led to approximately 23,000 patients having their data breached. The Colorado-based healthcare facility realized that the hacker had access to names, dates of birth, addresses, medical information, social security numbers, and driver’s licenses for three months
100,000 – Alaska Department of Health & Social Services, January 23, 2019
Alaska’s Division of Public Assistance was the target of a cyberattack that exposed data of at least 100,000 people. It is still unknown who the attacker was, but they were able to access the names, birth dates, addresses, social security numbers, health information, and income of people who had applied for government programs.
24 Million – Ascension, January 23, 2019
The data analytics company Ascension, based in Fort-Worth, Texas, left more than 24 million mortgage and banking documents unprotected in an online database for at least two weeks. According to a report from TechCrunch, the documents included people’s names, addresses, dates of birth, social security numbers, and financial information.
108 Million – Various Online Betting Sites, January 23, 2019
Four different online betting sites stored data on Elasticsearch cloud storage without securing it. Approximately 108 million records were breached including names, addresses, emails, phone numbers, usernames, birth dates, IP addresses, account balances, games played, and win and loss information. If you’ve placed bets via kahunacasino.com, azur-casino.com, easybet.com, or viproomcasino.net, your information was likely exposed.
12,000 – Graeters Ice Cream, January 22, 2019
The Cincinnati-based purveyor of sweets, Graeter’s Ice Cream notified approximately 12,000 online customers that their data had been compromised. Malicious code was discovered on the company’s checkout page which captured customer data such as customer credit card details, names, addresses, phone numbers, and fax numbers.
20,000 – BlackRock Inc., January 22, 2019
The world’s largest asset manager, BlackRock, accidentally leaked the information of as many as 20,000 financial advisors. The company had posted confidential spreadsheets which contained information related to the advisors who work with BlackRock’s iShares unit. The names, emails, and assets managed by advisors were amongst the information that was exposed.
773 Million – Collection #1, January 17, 2019
On the same day, security researcher Troy Hunt discovered a massive database of leaked data on a cloud storage site called MEGA. The database contained over 773 million emails and 22 million passwords, amalgamated from thousands of different data breaches dating back to 2008. The information was also shared on a popular hacking forum, so it is unknown who exactly accessed the data. Needless to say, it doesn’t look good. If you are worried that your credentials have been compromised, you can check on Have I Been Pwned?
Unknown – Oklahoma Department of Securities, January 17, 2019
The Oklahoma Department of Securities (ODS) left millions of government files exposed and unprotected on an open server belonging to the agency. Amongst the exposed files were records pertinent to FBI investigations. The oldest records that were exposed dated back to 1986, and range from personal data to login credentials and internal communications records. The ODS is currently investigating how many records were exposed, who may have accessed them and the potential damage this data breach may have caused.
Unknown – Fortnite, January 16, 2019
The popular online video game Fortnite was found to have exposed players to being hacked. A security firm called Check Point discovered the vulnerabilities in the game and alerted Fortnite to the threat. The vulnerabilities could have allowed malicious actors to take over the account of any player, view their personal information, purchase V-bucks (the in-game currency), and listen in to game chatter. While it is unknown just how many users were affected, Fortnite has 200 million users worldwide of which 80 million are active each month.
31,000 – Managed Health Services of Indiana, January 11, 2019
A phishing attack on the Managed Health Services of Indiana (MHS) exposed the health information of more than 31,000 patients in 2018 and was not discovered until January. The compromised data included names, insurance ID numbers, dates of birth, addresses, and medical conditions. While the MHS says there has been no evidence that the data has been misused, patients were obviously upset.
Unknown – OXO, January 10, 2019
The New York-based manufacturer, OXO discovered that they had been hacked in two separate incidents over the past two years. Both hacks exposed customer information entered on their website. OXO found unauthorized code on their website which collected customer names, addresses, and credit card information. The company has declined to announce the number of customers who were affected by the breach.
Unknown – BenefitMall, January 7, 2019
BenefitMall, a US provider of HR, payroll, and employer services, announced a data breach that occurred after an email phishing attack compromised employee login credentials. The exact extent of this breach is unknown as the company has not released the exact number of records that were affected by the attack. That being said, the stolen information could include customer information such as names, social security numbers, addresses, bank account numbers, dates of birth, and information about their insurance premiums.
Unknown – DiscountMugs.com, January 4, 2019
A major online retailer of custom mugs and apparel, DiscountMugs.com was hacked over a four-month period during the latter half of 2018. Although the company did not disclose how many customers were affected by the breach, it is believed to be upwards of several thousand. A malicious card skimming code had been placed in the company’s payment section of their website and hackers were able to steal full card payment details, names, emails, phone numbers, and addresses.
7.6 Million – BlankMediaGames, January 3, 2019
In almost no time at all, the next great data breach occurred the day after Blur announced their breach. This time, the information of 7.6 million gamers had been stolen during a hack of the game Town of Salem by BlankMediaGames (BMG). According to BMGs announcement, the server had been compromised and emails, usernames, IP addresses, in-game purchases, and in-game activity had been exposed.
2.4 Million – Blur, January 2, 2019
It didn’t take long for the first major breach announcement of 2019. Blur announced a breach after an unsecured server exposed a file containing 2.4 million user names, email addresses, password hints, IP addresses, and encrypted passwords. The password management company urged their users to change their Blur login credentials and enable two-factor authentication.