11 of the worst data breaches in 2021 so far
It’s no secret that Covid-19 has accelerated the growth in cyber-attacks and data breaches witnessed across the globe. As the world worked, shopped and socialised from home, greater reliance on technology widened the attack surface for attackers, who capitalised on the growing amount of PII (personally identifiable information) available across the internet.
According to the FBI’s 2020 Internet Crime Report, the Internet Crime Complaint Center received nearly 800,000 cybercrime complaints in 2020, with reported losses exceeding $4.1 billion.
As well as an increased number of attacks and data leaks, threats have also developed in sophistication and speed, thanks to the application of advanced technologies like machine learning, artificial intelligence and 5G. These technologies are only going from strength to strength, meaning 2021 has seen a whopping 3.9 billion breached records so far.
Of all the cyber-attacks seen over the last six months, data breaches have accounted for more than 86% of all breached records. In this post we take a look back at 11 of the worst data breaches seen globally so far this year.
LinkedIn – 700 million records leaked
In June, LinkedIn found itself facing a government probe after data on 700 million of its users was scraped and posted online.
A user on the database-sharing marketplace RaidForums put the data up for sale before it was reported by news site Privacy Sharks, which contacted LinkedIn after verifying a sample of one million records.
In a statement, LinkedIn reported that “this was not a LinkedIn data breach and our investigation has determined that no private LinkedIn member data was exposed.”
But it’s not the first time this has happened. Data from 500 million LinkedIn users was leaked back in April, though the social media giant maintained that all the data was publicly available and the result of scraper bots.
Mimecast – Security certificate compromised
Back at the start of the year, a sophisticated cybercriminal compromised a Mimecast certificate used to authenticate the cloud-based email management service’s Sync and Recover, Continuity Monitor and Internal Email Protect (IEP) products to Microsoft 365 Exchange web services.
According to the company, it was alerted to the compromise by Microsoft. Approximately 10% of its customers used the compromised connection, and they have since been asked to install a newly issued certificate.
Pixlr – 83 million records exposed
Also in January, a database containing 1.9 million user records belonging to Pixlr, a free online photo-editing application, was leaked by a hacker.
The database was stolen at the same time as the attack on fellow stock photo site 123RF, which exposed over 83 million user records. The leaked records include email addresses, usernames, hashed passwords, users’ countries and newsletter subscription information.
Reverb – five million marketplace details leaked
April saw a database containing the personal details of over 5.6 million users of Reverb, the popular online marketplace for musical instruments, discovered after it was leaked onto the dark web.
The database contained full names, email addresses, postal addresses, phone numbers, order count, PayPal account email addresses and IP addresses. Reverb customers began receiving data breach notifications stating that customer information was exposed, after the data was discovered by a researcher and the finding published on Twitter.
Facebook, Instagram and LinkedIn (again) – 214 million accounts leaked
Yes, another social media data breach. This time a Chinese social media management company, Socialarks, suffered a data leak through an unsecured database that exposed account details and PII of at least 214 million social media users from Facebook, Instagram and LinkedIn. The 400GB data leak of personal data included several high-profile celebrities and social media influencers.
The exposed information for each platform varies but includes users’ names, phone numbers, email addresses, profile links, usernames, profile pictures, profile description, follower and engagement logistics, location, Messenger ID, website link, job profile, LinkedIn profile link, connected social media account login names and company name.
Volkswagen & Audi – 3.3 million records exposed
In June, a third-party marketing services supplier disclosed the PII of 3.3 million customers of Volkswagen and its Audi subsidiary in the US and Canada.
Most of the exposed data included names, mailing addresses, email addresses, phone numbers and information about vehicles that customers had purchased, leased or inquired about, including vehicle identification numbers, makes, models, years, colors and trim packages. More sensitive data was leaked for 90,000 individuals in the US, including driver’s license numbers and a small number of birth dates, social security or social insurance numbers, account or loan numbers and tax identification numbers.
Android – More than 100 million users exposed
May was the month Android suffered at the hands of adversaries. Security researchers discovered that personal data of more than 100 million users of the mobile operating system had been exposed due to various misconfigurations of cloud services.
The data was found in unprotected real-time databases used by 23 apps, with download counts ranging from 10,000 to 10 million. The discovery revealed that some Android developers fail to follow basic security practices to restrict access to the app’s database.
Microsoft – More than 30,000 organizations breached
On March 2nd, Microsoft reported it was the victim of a state-sponsored cyber-attack from the Chinese hacking group called Hafnium. The attack affected more than 30,000 organizations across the US, including local governments and government agencies.
In the eighth instance of a state-led cyber-attack against civil organizations and businesses Microsoft has reported in the last year, the internet giant explained that the group “primarily targets entities in the United States for the purpose of exfiltrating information from a number of industry sectors.”
Accellion – 17 organizations’ data leaked
January saw file transfer and collaboration software provider Accellion release four patches to address vulnerabilities used by threat actors to attack its customers through its File Transfer Appliance service. However, before 17 customers could install the patch, ransomware group Clop and financial crime group FIN11 exploited the vulnerabilities to access customer data. Affected customers included the US Department of Health and Human Services and the University of California.
This came after Accellion discovered a zero-day vulnerability affecting the same service in the month prior, and released a patch to fix it.
Automatic Funds Transfer Systems (AFTS) – 38 million records breached
Between 3rd and 4th February, third-party payment processor AFTS experienced a ransomware attack that led to a breach of millions of individuals’ data. The breach is estimated to have affected up to 38 million vehicle owners in California alone, while multiple local government bodies in North America released notices explaining how the breach may affect their residents.
The cyber-attack was carried out by a cyber-gang known as Cuba Ransomware, responsible for numerous attacks on financial, logistics, and technology organizations across North America and Europe over recent years.
MeetMindful – Over two million users’ data leaked
Back in January, MeetMindful’s online dating service was hacked and a 1.2GB file containing PII from 2.28 million users was posted on a well-known hacking site. An investigation by the company reported that the breach only affected users who had created or updated their account prior to March 2020.
The leaked details included names, email addresses, location details, dating preferences, marital status, birth dates, IP addresses, Bcrypt-hashed account passwords, Facebook user IDs and Facebook authentication tokens.
How to protect your business from data breaches
As is often the case, data breaches are a matter of when, not if. Making sure your customer data is secure is imperative to staying one step ahead of attackers.
To prevent social media data breaches, businesses need to ensure they protect user information and secure company data. Efficient training and technology can also help reduce the likelihood of a data breach along with increasing employee awareness and regularly updating policies.