My Heritage (92 million users)
A company that can test people’s DNA to find their ancestors and build their family trees leaked the email addresses and hashed passwords of over 92 million users. The attack was noticed in June when the company’s security researcher found their users’ data sitting in a private server that doesn’t belong to the company.
My Heritage stated that the most sensitive user data, such as their DNA info and family trees, is stored on separate systems that weren’t compromised.
Quora (100 million users)
The question-and-answer website Quora was recently hacked, putting 100 million users at risk. Quora representatives said they’d noticed that ‘a malicious third party’ had accessed sensitive information on Quora’s database. These cybercriminals gained access to nearly everything, from users’ names and IP addresses to their Q&A history, access tokens, and private messages.
Quora claimed that none of their partners’ financial information or any anonymous Q&A’s had been affected. The attack is under investigation and no further comments have been made by the company.
Firebase (100 million users)
Firebase, a Google-owned development platform, leaked the sensitive information of over 100 million users. The platform might not be well known to everyone, but it’s widely used by mobile developers.
Appthority researchers scanned 2.7 million iOS and Android apps that connect to and store their data on Firebase. They found that over 3,000 of those apps were connected to a misconfigured database that could be accessed by anyone.
These apps with ‘leaky backends’ had been downloaded from the Google Play Store over 620 million times and could have exposed highly sensitive data, including user IDs, plaintext passwords, users’ locations, bank details, bitcoin transactions, social media accounts, and even health records.
Google was notified of the ‘leaky’ apps and their backends.
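An added example, not part of the original article or of Appthority's research: a Python check that flags Firebase Realtime Database security rules granting read or write access to anyone. It assumes the misconfiguration described above is an open rules file; `is_open`, `find_open_paths`, `audit` and both sample rule sets are constructed for illustration.

```python
import json

def is_open(value):
    """True when a rule grants access unconditionally (JSON true or "true")."""
    return value is True or (isinstance(value, str) and value.strip() == "true")

def find_open_paths(rules, path="/"):
    """Walk a rules tree and return sorted (path, operation) pairs open to anyone.

    Access granted at a parent cascades to every child, so an open node near
    the root exposes everything below it.
    """
    findings = [(path, op[1:]) for op in (".read", ".write") if is_open(rules.get(op))]
    for key, child in rules.items():
        if isinstance(child, dict):  # nested location; rule expressions are scalars
            findings.extend(find_open_paths(child, f"{path}{key}/"))
    return sorted(findings)

def audit(document):
    """Audit a parsed rules file (the JSON object with a top-level "rules" key)."""
    return find_open_paths(document["rules"])

# Constructed sample: the world-readable, world-writable configuration.
WEAK_RULES = json.loads("""
{"rules": {".read": true, ".write": true}}
""")

# Constructed sample: per-user data locked to its owner, one deliberately public node.
HARDENED_RULES = json.loads("""
{"rules": {
  "users": {"$uid": {".read": "auth != null && auth.uid === $uid",
                     ".write": "auth != null && auth.uid === $uid"}},
  "public_catalog": {".read": true}
}}
""")

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, audit(doc))
```

The hardened sample still reports `/public_catalog/` as readable by anyone, so each remaining finding is a prompt to confirm that the data at that path is meant to be public.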
My Fitness Pal (150 million users)
At the beginning of the year, My Fitness Pal, a food and nutrition app owned by Under Armour, leaked the data of 150 million users. Once the company noticed the breach, they notified their users in almost record time (compared to other companies) – 4 days.
The company confirmed that hackers got hold of usernames, email addresses and hashed passwords. My Fitness Pal stated that other information, such as credit card numbers, wasn’t compromised because it was stored separately from generic user information.
It’s unknown how hackers broke into the systems, but Under Armour is working with data security firms to investigate the attack and take precautionary measures to avoid similar break-ins in the future.
Twitter (330 million users)
Twitter rarely makes the headlines when it comes to data breaches, but this year was different. A security bug exposed 330 million users’ passwords, all in plain text.
Twitter stated that there was an issue with their password hashing system. It failed to hash passwords and was saving them in plain text. Their investigators claimed that no one had actually accessed the data, but if any of the affected accounts had been hacked, their passwords would have been visible to the attacker. Their information could then be used to access other accounts.
Twitter has advised a number of users to change their passwords as a precautionary measure. The bug has now been fixed.
Marriott (500 million users)
The biggest data breach of the year (if not ever) exposed the data of half a billion users. Marriott said that hackers broke into its booking system and accessed customer data for the last four years. This major data breach affected the following Starwood properties: St. Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points, and W Hotels. Marriott’s hotel databases are separate and haven’t been compromised.
Cybercriminals stole Starwood’s customers’ names, addresses, phone numbers, card numbers, passport numbers and even the information of where and who they were traveling with.
Because this information wasn’t used for any known financial gain or identity theft, there are rumors that this could’ve been a state-sponsored attack. A former British intelligence officer said that the aim of this attack could’ve been to get valuable information on spies, diplomats and military officials who’ve stayed in Marriott hotels over the years. It’s strange that the attack remained unnoticed for such a long time and that none of the information was monetized.
Cybersecurity and privacy in 2019
The scope of these attacks shows that even the biggest corporations are vulnerable and prone to errors. This means that it’s becoming more difficult to trust them, as we never know when our data is going to end up in the wrong hands.
Unfortunately, we have little to no control over when the next company will be hacked, but we can take a few precautionary steps to protect ourselves against data breaches:
- Use strong and unique passwords.
- Think twice before posting anything on social media. This information can be used against you.
- If you shop online, use a credit card. You will have less liability for fraudulent charges if your financial information leaks.
- Provide companies only with necessary information. The less information they have, the less they can leak.
- Look out for fraud. If notified that your data was leaked or was affected by data breaches, change your passwords and take the steps advised by the company that compromised your data.