Last year, cyber criminals didn’t just hack data, they also collected account databases from breaches and leaks that had occurred years ago, only to sell them for profit.
Some breaches shocked the world as they affected millions of people across the globe.
“With so many breaches and leaks in 2019, it is possible that your email address or other details ended up in the wrong hands. You can check whether your email was in one of the databases by going to ‘Have I Been Pwned’,” says Daniel Markuson, a digital privacy expert at NordVPN, an American advanced Virtual Private Network (VPN) service provider.
“You can also check whether your password has leaked and might be used in a credential stuffing attack by visiting ‘NordPass’ and checking if your password is secure,” he told Digital Business.
A report released this week by NordVPN, whose VPN services are used by over 12 million internet users worldwide, details some of the worst data breaches of the past year. These are:
Collections #1-5 - 3 billion breaches: Collections #1-5 were probably the biggest leaks of 2019. They contained usernames and passwords collected over many years of breaches. Collection #1 was a collection of data leak files and combination lists held on a huge disk drive, containing 87GB of data files. Hasso Plattner Institute reported that it discovered that 611 million of the credentials in Collections #2–5 had not been included in the Collection #1 database.
“These batches appeared on hacking forums and were noticed by security researcher Troy Hunt, who identified the link between them all and informed the public,” says the report.
The first batch was released in January and contained data for 770 million people. Then, a few weeks later, Collections #2-5 appeared on the internet. They contained 25 billion unique records and roughly 2.2 billion unique usernames and passwords, making this one of the most significant leaks to date.
Collection by Gnosticplayers - Over 1 billion: This is a collection of breaches affecting more than 1 billion internet users. A hacker called Gnosticplayers collected databases from 45 companies and put them up for sale on the dark web.
“These batches contained data such as users’ full names, email addresses, passwords, location data, and social media account information,” the report reveals.
The companies whose data was released include Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), Animoto (25 million), 500px (15 million), CoffeeMeetsBagel (6 million) and more.
Facebook - 419 million: A security researcher at the GDI Foundation found an unprotected server with a database containing about 419 million phone numbers belonging to Facebook users. “The database was available to anyone, and it also included Facebook IDs, which makes finding users’ names and personal details even easier,” the report says.
The owner of the server wasn’t found, but the database was taken down shortly after it was discovered.
Zynga - 218 million: If you have ever played online games such as ‘Words with Friends’ or ‘Draw Something’, you should be worried because their creator, Zynga, was breached in 2019.
The hack affected a whopping 218 million users. Bad actors accessed log-in credentials, usernames, email addresses, some Facebook IDs, some phone numbers and Zynga account IDs.
Dubsmash- 161.5 million: In February, video messaging app Dubsmash announced that hackers gathered nearly 162 million users’ account holder names, email addresses and hashed passwords. Hashed passwords are encrypted, so they must be decrypted before use.
Capital One - 106 million: In July, American bank Capital One announced that they suffered a massive data breach affecting 100 million Americans and 6 million Canadians.
The hacker, the report explains, accessed credit card applications made between 2005 and 2019. They contained personal data including names, home addresses, email addresses and dates of birth.
“What makes this one of the worst breaches of 2019 is that some bank numbers and social security numbers also ended up in the hands of the hacker.”
Houzz - 49 million: Houzz, an American home design website, started the year announcing a breach in which hackers got unauthorised access to its customers' publicly available information, as well as usernames and encrypted passwords.
The company noticed the breach at the end of 2018 and was pretty vague about it in their public statements. However, Interstate Technology and Regulatory Council (ITRC) reported that the hack affected almost 49 million Houzz customers.
Suprema - 27.8 million: Another company, Suprema, was shocked when a security loophole left 27.8 million people’s biometric data exposed.
Suprema is a security company responsible for the web-based Biostar 2 biometrics lock system in South Korea. The system is used by almost 6,000 organisations in 83 countries, including governments and banks.
Biostar uses fingerprints and facial recognition to allow employees into restricted buildings and areas.
Security researchers from American cyber security firm VPNmentor found that the Biostar database was left unprotected and largely unencrypted. Worst of all, they got access to tonnes of sensitive information.
American Medical Collection Agency - 18.6 million: The American Medical Collection Agency data breach affected 18.6 million people who worked for two lab testing companies.
First, Quest Diagnostics was notified that someone had unauthorised access to AMCA’s databases for eight months. The hack affected almost 12 million of their customers.
Hackers got access to very personal information such as credit card numbers, bank account information, medical information, and social security numbers.
Then there was LabCorp, another company whose customers were affected by this breach. Almost 8 million customers’ personal and financial data was compromised.
Nadav Zafrir, chief executive of Israeli think tank and cybersecurity company Team 8, said these threats must be dealt with from the criminal’s perspective. You must be better at hacking than them.
“The network has to be mapped from the attackers’ mindset. You need to insert a decoy in the machine’s networks which will lead cyber attackers to a false code,” he said during the recent CyberTech Global conference in Tel Aviv.
He said the world must rethink the concept of cyber security as attackers get more advanced, and therefore, online security must be seen as a business enabler.
“Since these attackers are using AI and machine learning, you must go ahead of them and use deep learning to secure your networks. This way, we can accurately predict their attacks,” said Mr Guy Caspi, CEO of Deep Instinct.
But the cyberspace war is becoming complex, as hackers quickly learn the defense mechanisms used by most cyber security companies. They change their attack patterns, timing and hacking codes to snare cyber professionals using false positives and false negatives.
“We clean the environment by pushing hackers out but they come back with different tools. But now we have a system where all attacks, visible and invisible are detected and detonated in real time,” said Lior Div, chief executive of Cybereason.