In 2018 an estimated 500 million personal records were stolen as a result of cyber security breaches. That total is alarming, but it seems like a drop in the ocean in comparison with 2019.
According to the RiskBased Data Breach QuickView Report 2019 Q3, at the end of September alone, 5,183 breaches had taken place, exposing 7.9 billion records. In comparison with the 2018 Q3 report, the total number of breaches was up 33.3%. The total number of records exposed had more than doubled: up by 112%.
To underline the extent of the problem, Security magazine has compiled a list of the worst 12 data breaches of 2019.
1. Social Media Profiles Data Leak – 4 billion records
In October, cybersecurity experts Bob Diachenko and Vinny Troia found a trove of data exposed and easily accessible to the public on an unsecured server. It contained 4 terabytes of personally identifiable information (PII): equivalent to about 4 billion records. A count of unique people across all data sets exceeded 1.2 billion people, making this one of the largest ever data leaks from a single source organisation. The leaked data contained names, email addresses, phone numbers, LinkedIn and Facebook profile information.
The discovered ElasticSearch server containing all of the information was unprotected and accessible via a web browser. No password or authentication of any kind was needed to access or download all the data. This data leak stands out even more because it contains data sets that appear to originate from two different data enrichment companies.
2. Orvibo Leaked Database – 2 billion records
In July, cybersecurity researchers discovered an open database linked to Orvibo Smart Home products, exposing more than 2 billion records. According to the researchers, Orvibo, which runs an IoT platform, claims to have around a million users, including private individuals who connected their homes, as well as hotels and other businesses with Orvibo smart home devices.
The data breach affected users around the world. The type of data exposed included email addresses, passwords, account reset codes, precise geolocation, IP addresses, user names and IDs, and much more.
3. TrueDialog Data Breach – over 1 billion records
Based in Austin, Texas, TrueDialog creates SMS solutions for large and small businesses. It currently works with over 990 cell phone operators and reaches more than five billion subscribers, worldwide.
Breached in late November, the TrueDialog database, hosted by Microsoft Azure and run on the Oracle Marketing Cloud in the US, included 604 GB of data. This included nearly 1 billion entries of highly sensitive data. The sensitive data contained in millions of SMS messages included: full names of recipients, TrueDialog account holders and TrueDialog users, content of messages, email addresses, phone numbers of recipients and users and much more.
4. First American Data Breach – 885 million records
In July, a data leak at First American Financial Corp., the largest real estate title insurance company in the U.S., exposed transaction records of 885 million individuals. First American leaked hundreds of millions of documents related to mortgage deals going back to 2003.
Records included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver's license images. The records were available without authentication to anyone with a Web browser.
5. Verifications.io Data Breach – 808 million records
In April, Diachenko and Troia reported finding a publicly accessible MongoDB database that contained 150 gigabytes of detailed marketing data. Owned by the email validation firm Verifications.io, the database was taken offline on the same day that Diachenko reached out to the company. The database contained four separate collections of data, totalling 808,539,939 records.
6. “Collection #1” Data Breach – 773 million records
In January, cybersecurity expert Troy Hunt announced he had found a set of email addresses and passwords totalling 2,692,818,238 rows, made up of many different individual data breaches from thousands of different sources. In total, there were 1,160,253,228 unique combinations of email addresses and passwords. Unique email addresses totalled 772,904,991. Unique passwords totalled 21,222,975.
Multiple people reached out to Hunt and directed him to the collection of files on the cloud service MEGA, which contained over 12,000 separate files and more than 87GB of data. In addition, he was pointed to a popular hacking forum where the data was being advertised. In the files, Hunt found his own personal data, such as email addresses and a password he used many years ago.
7. Dream Market Breach – 620 million records
In February, The Register reported that some 617 million online account details stolen from 16 hacked websites were on sale on the dark web. Accounts such as Dubsmash and MyFitnessPal held as many as 162 million and 151 million sets of details, respectively.
According to the report, sample account records consisted mainly of account holder names, email addresses and passwords. These passwords were hashed, or one-way encrypted, and had to be cracked before they could be used. Other information revealed depended on the site and included location, personal details, and social media authentication tokens.
8. Third-Party Facebook App Data Exposure – 540 million records
In April, UpGuard security researchers revealed that two third-party developed Facebook app datasets were exposed to the public internet. One database originated from Cultura Colectiva, a Mexico-based media company, and weighed in at 146 gigabytes with more than 540 million records detailing comments, likes, reactions, account names, Facebook IDs and more.
The other third-party app, “At the Pool,” was exposed to the public internet via an Amazon S3 bucket, say the researchers. This database backup contained columns for user information such as username IDs, friends, likes, music, movies, books, photos, events, groups, check-ins, interests, passwords and more.
9. Indian Citizens MongoDB Database – 275 million records
In May 2019, Diachenko once again revealed that he had discovered a MongoDB database exposing 275,265,298 records of Indian citizens that contained highly sensitive PII. The database was left unprotected for more than two weeks.
Diachenko said the publicly accessible MongoDB database hosted on Amazon AWS included information such as name, gender, date of birth, email, phone numbers, education details, professional information (employer, employment history, skills, and functional areas) and current salaries.
10. Chinese Job Seekers MongoDB Data Breach – 202 million records
In January, Diachenko found an 854 gigabyte MongoDB database that contained 202,730,434 records about job candidates from China. The data contained candidates' skills and work experience, as well as such PII as phone numbers, email addresses, marital status, political leanings and even height, weight and other personal data.
BJ.58.com, a Chinese classifieds company, told Diachenko the data originated from a third-party firm that collects data from many professional sites. The database was secured about a week after Diachenko discovered the breach.
11. Canva Data Breach – 139 million records
In May, Security Magazine reported that Canva, a graphic-design tool website, suffered a data breach affecting 139 million users. Data exposed included customer usernames, real names, email addresses, passwords and city and country information. In addition, of the total 139 million users, 78 million users had a Gmail address associated with their Canva account.
12. ElasticSearch Server Breach – 108 million records
In January, ZDNet reported that an online casino group leaked information on more than 108 million bets, including details about customers’ personal information, deposits and withdrawals. The data leaked from an ElasticSearch server that was left exposed online without a password. ElasticSearch is a portable, high-grade search engine that companies install to improve their web apps’ data indexing and search capabilities.
Details of these and other breaches are available at Security, where this article originally appeared.