On September 7, 2017, credit-monitoring giant Equifax revealed that unauthorized access to its credit-report databases had led to the breach of sensitive personal information of more than 143 million people. By March of 2018, that number had grown to an estimated 148 million affected.
In the post-Equifax age, cybersecurity breaches continue to mount and cause trouble for both institutions and consumers. Although the Equifax debacle is generally considered the worst corporate data breach in U.S. history, there are other hacks that have exposed more total records and/or undercut the public’s trust in similar fashion. Here, we look at other serious security breaches and how they may or may not have impacted you.
Just several weeks after the Equifax breach was reported, Facebook experienced another security issue affecting almost 50 million user accounts. This came on the heels of several other internal breaches earlier in the year.
This time around, hackers exploited a vulnerability in Facebook’s code that impacted the “View As” feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens—essentially the digital keys that keep people logged in to the application without the need for password re-entry, which they could then use to take over people’s accounts and infiltrate other apps.
The company responded by taking measures to fix the vulnerability and reset the access tokens of not only those thought to be affected by the breach but another 40 million accounts that were subjected to a View As look-up in the year preceding the attack.
2. Under Armour
Under Armour’s food and nutrition app, MyFitnessPal, was reportedly hacked in February 2018. The breach compromised the usernames, email addresses, and passwords of the app’s roughly 150 million users. On the brighter side, the company disclosed the intrusion in under a week and was credited with doing a relatively good job of setting up its data protections so that the hackers couldn’t access valuable user information like location, credit card numbers, or birth dates.
Although not an unprecedented cybersecurity breach, the Under Armour situation was another frustrating reminder of the unreliable state of security on corporate networks.
3. Russian Grid Hacking
It wasn’t until 2018 that the U.S. government began publicly acknowledging the Russian state’s involvement in 2017 grid hacking schemes. It’s alleged that Russian hackers infiltrated and probed U.S. power companies and may have even gained direct access to an American utility’s control systems.
4. U.S. Universities
In March 2018, the Department of Justice indicted nine Iranian hackers over an alleged spree of attacks on more than 300 universities in the United States and abroad. The suspects were charged with infiltrating 144 U.S. universities, 176 universities in 21 other countries, 47 private companies, and other targets like the United Nations, the U.S. Federal Energy Regulatory Commission, and the states of Hawaii and Indiana.
According to the DOJ, the Iranian hackers stole data estimated to be worth $3 billion in intellectual property. The attacks used carefully crafted spearphishing emails to trick professors and other university affiliates into clicking on malicious links and entering their network login credentials. Of the 100,000 accounts hackers targeted, they were able to gain credentials for about 8,000, with 3,768 of those at U.S. institutions. revelation.
At the end of May 2018, officials warned of another Russian hacking campaign―this time impacting more than 500,000 routers worldwide. The attack spread a type of malware known as VPNFilter, which can be used to coordinate the infected devices to create a massive botnet. It can also directly spy on and manipulate web activity on the compromised routers by introducing spam campaigns, stealing data, and crafting targeted, localized attacks.
Soon after its discovery, Symantec put out a recommendation that users reboot their routers immediately to partially get rid of the threat, along with other measures to reduce vulnerability..
Data breaches have a quiet cousin known as data exposure. A data exposure happens when data is stored and secured improperly such that it is exposed on the open internet and easily accessible to anyone who comes across it. This often occurs when cloud users misconfigure a database so it requires little or no authentication to access.
This was the case in 2018 with the marketing and data aggregation firm Exactis, which left about 340 million records exposed on a publicly accessible server. The leak didn’t include social security numbers or credit card information, but it did comprise very personal information about hundreds of millions of U.S. adults. Exactis has since protected the data, but it is now facing a class action lawsuit over the incident.