The Malwarebytes Labs blog called 2018 the year of the data breach. What a year it was. The list of companies that were hacked by cybercriminals reads like a who’s who list of the world’s biggest tech companies, retailers, and hospitality providers—and that’s only the data breaches that we know about. In many instances, an organization or company won’t even know they’ve been breached until years later.
According to the Ponemon Institute’s 2018 Cost of a Data Breach study, a data breach goes undiscovered for an average of 197 days. It takes another 69 days to remediate the data breach. By the time the security failure is discovered and fixed, the damage is already done. The criminals responsible will have enjoyed unfettered access to databases full of valuable data—your valuable data. Not to mention the data of hundreds of millions of people like you who had the bad luck of doing business with a company that got hacked.
Data breach definition
Unlike most of the other topics we’ve covered under Cybersecurity Basics, a data breach isn’t a threat or attack in its own right. Rather, a data breach comes as a result of a cyberattack that allows cybercriminals to gain unauthorized access to a computer system or network and steal the private, sensitive, or confidential personal and financial data of the customers or users contained within. Common cyberattacks used in data breaches include the following:
With most data breaches, cybercriminals want to steal names, email addresses, usernames, passwords, and credit card numbers. Though cybercriminals will steal any data that can be sold, used to breach other accounts, steal your identity, or make fraudulent purchases with.
In some instances, hackers want to steal your data just to prove that they can. This was the case in the 2015 VTech data breach, in which the data on 5 million adults and 200,000 children was compromised. The hacker responsible claimed they had no plans for the data and did not share it with anyone. Honor among thieves, right?
“A data breach comes as a result of a cyberattack that allows cybercriminals to gain unauthorized access to a computer system or network and steal the private, sensitive, or confidential personal and financial data of the customers or users contained within.”
How do data breaches happen?
An exploit is a type of attack that takes advantage of software bugs or vulnerabilities, which cybercriminals use to gain unauthorized access to a system and its data. These vulnerabilities lie hidden within the code of the system and it’s a race between the criminals and the cybersecurity researchers to see who can find them first.
The criminals, on one hand, want to abuse the exploits while the researchers, conversely, want to report the exploits to the software manufacturers so the bugs can be patched. Commonly exploited software includes the operating system itself, Internet browsers, Adobe applications, and Microsoft Office applications. Cybercriminal groups sometimes package multiple exploits into automated exploit kits that make it easier for criminals with little to no technical knowledge to take advantage of exploits.
A SQL injection (SQLI) is a type of attack that exploits weaknesses in the SQL database management software of unsecure websites in order to get the website to spit out information from the database that it’s really not supposed to. Here’s how it works. A cybercriminal enters malicious code into the search field of a retail site, for example, where customers normally enter searches for things like “top rated wireless headphones” or “best-selling sneakers.”
Instead of returning with a list of headphones or sneakers, the website will give the hacker a list of customers and their credit card numbers. SQLI is one of the least sophisticated attacks to carry out, requiring minimal technical knowledge. Malwarebytes Labs ranked SQLI as number three in the The Top 5 Dumbest Cyber Threats that Work Anyway. Attackers can even use automated programs to carry out the attack for them. All they have to do is input the URL of the target site then sit back and relax while the software does the rest.
Spyware is a type of malware that infects your computer or network and steals information about you, your Internet usage, and any other valuable data it can get its hands on. You might install spyware as part of some seemingly benign download (aka bundleware). Alternatively, spyware can make its way onto your computer as a secondary infection via a Trojan like Emotet.
As reported on the Malwarebytes Labs blog, Emotet, TrickBot, and other banking Trojans have found new life as delivery tools for spyware and other types of malware. Once your system is infected, the spyware sends all your personal data back to the command and control (C&C) servers run by the cybercriminals.
Phishing attacks work by getting us to share sensitive information like our usernames and passwords, often against normal logic and reasoning, by using social engineering to manipulate our emotions, such as greed and fear. A typical phishing attack will start with an email spoofed, or faked, to look like it’s coming from a company you do business with or a trusted coworker. This email will contain aggressive or demanding language and require some sort of action, like verify payments or purchases you never made.
Clicking the supplied link will direct you to a malicious login page designed to capture your username and password. If you don’t have multi-factor authentication (MFA) enabled, the cybercriminals will have everything they need to hack into your account. While emails are the most common form of phishing attack, SMS text messages and social media messaging systems are also popular with scammers.
Broken or misconfigured access controls can make private parts of a given website public when they’re not supposed to be. For example, a website administrator at an online clothing retailer will make certain back-end folders within the website private, i.e. the folders containing sensitive data about customers and their payment information. However, the web admin might forget to make the related sub-folders private as well.
While these sub-folders might not be readily apparent to the average user, a cybercriminal using a few well-crafted Google searches could find those misconfigured folders and steal the data contained in them. Much like a burglar climbing right into a house through an open window, it doesn’t take a lot of skill to pull off this kind of cyberattack.
Data breach news
- Open Subtitles breach: The dangers of password reuse
- Neiman Marcus data breach affects millions
- The Clubhouse database breach is likely a non-breach. Here’s why.
- “Have I been pwnd?”– What is it and what to do when you *are* pwned
- Ubiquiti breach, and other IoT security problems
- Vastaamo psychotherapy data breach sees the most vulnerable victims extorted
- How to get your Equifax money and stay safe doing it
- What to do when you discover a data breach
- Collection 1 data breach: what you need to know
- Tomorrowland festival goers affected by data breach
- Major data breaches at Adidas, Ticketmaster pummel web users
- Two major Canadian banks blackmailed after alleged data breach
Is my stolen data encrypted?
After a data breach, affected companies will try and assuage the fear and outrage of their customers by saying something to the effect of “Yes, the criminals got your passwords, but your passwords are encrypted.” This isn’t very comforting and here’s why. Many companies use the most basic form of password encryption possible: unsalted SHA1 hashing.
Hash and salt? Sounds like a delicious way to start the day. As it applies to password encryption, not so great. A password encrypted via SHA1 will always encrypt or hash to the same string of characters, which makes them easy to guess. For example, “password” will always hash as
This shouldn’t be a problem, because those are the two worst passwords possible, and no one should ever use them. But people do. SplashData’s annual list of most common passwords shows that people aren’t as creative with their passwords as they should be. Topping the list for five years running: “123456” and “password.” High fives all around, everyone.
With this in mind, cybercriminals can check a list of stolen, hashed passwords against a list of known hashed passwords. With the decrypted passwords and the matching usernames or email addresses, cybercriminals have everything they need to hack into your account.
What do criminals do with my data?
Stolen data typically ends up on the Dark Web. As the name implies, the Dark Web is the part of the Internet most people never see. The Dark Web is not indexed by search engines and you need a special kind of browser called Tor Browser to see it. So what’s with the cloak and dagger?
For the most part, criminals use the Dark Web to traffic various illegal goods. These Dark Web marketplaces look and feel a lot like your typical online shopping site, but the familiarity of the user experience belies the illicit nature of what’s on offer. Cybercriminals are buying and selling illegal drugs, guns, pornography, and your personal data. Marketplaces that specialize in large batches of personal information gathered from various data breaches are known, in criminal parlance, as dump shops.
The largest known assemblage of stolen data found online, all 87GBs of it, was discovered in January of 2019 by cybersecurity researcher Troy Hunt, creator of Have I Been Pwned (HIBP), a site that lets you check if your email has been compromised in a data breach. The data, known as Collection 1, included 773 million emails and 21 million passwords from a hodgepodge of known data breaches. Some 140 million emails and 10 million passwords, however, were new to HIBP, having not been included in any previously disclosed data breach.
Cybersecurity author and investigative reporter Brian Krebs found, in speaking with the cybercriminal responsible for Collection 1, that all of the data contained within the data dump is two to three years old—at least.
Is there any value in stale data from an old breach (beyond the .000002 cents per password Collection 1 was selling for)? Yes, quite a bit.
Cybercriminals can use your old login to trick you into thinking your account has been hacked. This con can work as part of a phishing attack or, as we reported in 2018, a sextortion scam. Sextortion scammers are now sending out emails claiming to have hacked the victim’s webcam and recorded them while watching porn. To add some legitimacy to the threat, the scammers include login credentials from an old data breach in the emails. Pro tip: if the scammers actually had video of you, they’d show it to you.
If you reuse passwords across sites, you’re exposing yourself to danger. Cybercriminals can also use your stolen login from one site to hack into your account on another site in a kind of cyberattack known as credential stuffing. Criminals will use a list of emails, usernames and passwords obtained from a data breach to send automated login requests to other popular sites in an unending cycle of hacking and stealing and hacking some more.
Which are the biggest data breaches?
It’s the top ten countdown no one wants to be on. Here’s our list of the 10 biggest data breaches of all time. You may be able to guess many of the companies featured on this list, but there might be a few surprises as well.
10. LinkedIn | 117 million
Cybercriminals absconded with email addresses and encrypted passwords for 117 million LinkedIn users in this 2012 data breach. The passwords were encrypted, right? No big deal. Unfortunately, LinkedIn used that darn SHA1 encryption we talked about earlier. And if you have any doubts that your stolen passwords are being decrypted, Malwarebytes Labs reported on hacked LinkedIn accounts being used in an InMail phishing campaign.
These InMail messages contained malicious URLs that linked to a website spoofed to look like a Google Docs login page by which cybercriminals harvested Google usernames and passwords. Still better than that temp-to-perm ditch-digging job recruiters keep sending you.
9. eBay | 145 million
In early 2014, cybercriminals clicked “Steal It Now” when they broke into the network of the popular online auction site and pinched the passwords, email addresses, birth dates, and physical addresses for 145 million users. One positive takeaway, financial information from sister site PayPal was stored separately from user information in a practice known as network segmentation (more on that later). This had the effect of limiting the attack and prevented criminals from getting to the really sensitive payment info.
8. Equifax | 145.5 million
The credit reporting company Equifax took a hard hit to their own “credit” score, at least in the eyes of American consumers, when the company announced they had experienced a data breach back in 2017. All of this could have been avoided if Equifax just kept their software up-to-date. Instead, hackers were able to take advantage of a well-known software bug and hack into the underlying software supporting the Equifax website.
What makes the Equifax data breach so awful is not the size, though considerable; rather, it’s the value of the information stolen. The perpetrators made off with the names, birthdates, Social Security numbers, addresses, and drivers license numbers for 145.5 million Americans. Add to that approximately 200,000 credit card numbers and you get one of the worst data breaches in terms of sensitivity of the compromised data.
7. Under Armour | 150 million
Sports apparel company Under Armour’s slogan is “Protect This House.” Apparently, they didn’t take their own advice when their diet and exercise app MyFitnessPal was hacked in February of 2018. In the attack, cybercriminals managed to steal the usernames, emails and encrypted passwords for 150 million users. Under Armour did well to announce the data breach within a week of its discovery. On the flip side, the company used weak SHA1 encryption on some of the stolen passwords, meaning criminals could crack the passwords and reuse them on other popular websites.
6. Exactis | 340 million
The Exactis data breach is a little different in the sense that there’s no proof cybercriminals stole any data. However, the cybersecurity researcher who discovered the “data breach” believes that criminals did. Speaking with Wired, Vinny Troia said, “I’d be surprised if someone else didn't already have this.” Exactis, a Florida-based marketing firm, had records for 340 million Americans (that’s every single US citizen) stored on an unsecure server.
Any cybercriminal could have found the data using a special search engine called Shodan that lets users find Internet-connected devices. While the breach did not include data like credit card and Social Security numbers it did include detailed lifestyle information, like religion and hobbies, that could be used in phishing attacks.
5. Myspace | 360 million
Remember Myspace? The social networking site that came before Facebook? If you had a Myspace account and you reuse passwords from site-to-site, you may be at risk. Cybercriminals stole data on 360 million pre-2013 Myspace users. This may not seem like a big deal, but the stolen passwords used that weak SHA1 encryption we keep talking about. As mentioned previously, criminals can try and reuse your old passwords on other popular sites in a credential stuffing attack.
4. AdultFriendFinder | 412 million
You’d think a site like AdultFriendFinder, billed as the “World’s Largest Sex and Swinger Community,” would know to use protection. Instead cybercriminals penetrated the site’s defenses and stole usernames, encrypted passwords, emails, date of last visit, and membership status for 412 million accounts. A previous data breach at AdultFriendFinder, affecting 4 million users, included sexual preference and whether or not the user was looking for an extramarital affair. Yikes.
3. Yahoo | 500 million
Yahoo? More like oh no! Yahoo makes its first appearance on our countdown with the 2014 attack on the former Internet tech giant. At its height during the dot-com boom years, Yahoo was one of the most visited sites on the web. This huge attack surface caught the attention of various bad actors.
In the attack, cybercriminals made off with the personal information for as many as 500 million Yahoo users. In 2017, the US Department of Justice filed charges against four Russian nationals in connection with the Yahoo attack, two of whom were Russian government officials. To date, only one of the Russians has seen the inside of a jail cell.
2. Marriott International | 500 million
Just like housekeeping, hackers ignored the “Do Not Disturb Sign” and caught the world’s largest hotel company Marriott International in a compromising situation. The 2014 Starwood-Marriott attack wasn’t discovered until September of 2018. During the intervening years cybercriminals had unrestricted access to the personal information of 500 million Starwood-Marriott customers—anyone who ever booked a reservation at a Starwood property—including names, mailing addresses, phone numbers, email addresses, passport numbers, and dates of birth.
1. Yahoo—again | 3 billion
Yahoo has the embarrassing distinction of being the only company to make our list of biggest data breaches twice. To add insult to injury, Yahoo also takes the top spot. In August of 2013, cybercriminals stole data on every Yahoo user in the world—all three billion of them. The sheer size of the data breach is difficult to fathom.
Over one-third of the world’s population was affected. When the attack was first revealed in 2016, Yahoo claimed only one billion of its users were affected by the data breach, later changing the figure to “all Yahoo user accounts” less than a year later. The timing couldn’t have been worse. At the time Yahoo revealed the updated data breach numbers, the company was in negotiations to be acquired by Verizon. News of the data breach allowed Verizon to scoop up Yahoo at a fire sale price. Yahoo was acquired by Verizon in 2017.
Data breach laws
It seems like we’re reading about another data breach with every news cycle. Are data breaches increasing in frequency or is something else going on? One possible reason for the increase in data breaches (at least the appearance of an increase) is growing regulation around how we communicate data breaches.
Since the start of the millennium, governments all over the world have put laws into place that require companies and organizations to make some sort of disclosure after experiencing a data breach. Whereas in years past compromised parties could sit on the knowledge of a data breach for as long as they wanted to.
In the United States there is no national law overseeing data breach disclosures. However, as of 2018, all 50 US states have data breach laws on the books. Those laws vary from one state to the next, but there are some commonalities. Namely, any organization at the center of a data breach must take the following steps:
- Let the people affected by the data breach know what happened as soon as possible.
- Let the government know as soon as possible, usually that means notifying the state’s attorney general.
- Pay some sort of fine.
As an example, California was the first state to regulate data breach disclosures in 2003. Persons or businesses at the center of a data breach must notify those affected “without reasonable delay” and “immediately following discovery.” Victims can sue for up to $750 while the state’s attorney general can impose fines of up to $7,500 for each victim.
Similar laws have been enacted in the European Union and throughout the Asia Pacific region. Facebook is the first large tech company to allegedly run afoul of the EU’s General Data Protection Regulation (GDPR) after it announced a software bug gave app developers unauthorized access to user photos for 6.8 million users. Facebook didn’t report the breach for two months—about 57 days too late, as far as the GDPR is concerned. As a result, the company may have to pay up to $1.6 billion in fines.
What should I do when my data is stolen?
Even if you’ve never used any of the sites and services listed on our list of biggest data breaches, there are hundreds of smaller data breaches that we didn’t mention. Before we get into our steps for responding to a data breach, you may want to visit Have I Been Pwned and see for yourself. All you have to do is enter your email address in the “pwned?” search box and watch in horror as the site tells you all the data breaches you’ve been pwned in.
It’s also worth noting that your data may be part of a breach that the public at large doesn’t know about yet. Often times a data breach won’t be discovered until years later.
One way or another, there’s a good chance your data was compromised and there’s a very good chance your data will be compromised again.
Now that you know your data is floating around somewhere on the Dark Web, we’ve created this step-by-step list of what to do when your data is stolen.
- Reset your password for the compromised account and any other accounts sharing the same password. Really though, you shouldn’t reuse passwords across sites. Granted, remembering a unique alphanumeric password for all of your online accounts and services is impossible—unless you’re good with mnemonics or, better yet, you have a hard drive implanted in your head like Johnny Mnemonic. For everyone else, consider using a password manager like 1Password. Password managers have the added benefit of alerting you when you land on a spoofed website. While that login page for Google or Facebook might look real, your password manager won’t recognize the URL and won’t fill in your username and password for you.
- Monitor your credit accounts. Look for any suspicious activity. Remember you get a free credit report, one from each of the three major credit bureaus, every year at annualcreditreport.com. This is the only US Federal Trade Commission authorized site for obtaining free credit reports.
- Consider a credit freeze. A credit freeze makes it harder to open up a line of credit under your name by restricting access to your credit report. You can lift or stop the freeze at any time. The only hassle is that you must contact each credit bureau individually to enact or remove a freeze.
- Watch your inbox carefully. Opportunistic cybercriminals know that millions of victims of any given data breach are expecting some kind of communication regarding hacked accounts. These scammers will take the opportunity to send out phishing emails spoofed to look like they’re coming from those hacked accounts in an attempt to get you to give up personal information. Read our tips on how to spot a phishing email.
- Consider credit monitoring services. Should you sign up? Often times, after a data breach, affected companies and organizations will offer victims free identity theft monitoring services. It’s worth noting that services like LifeLock et al. will notify you if someone opens up a line of credit in your name, but they can’t protect your data from being stolen in the first place. Bottom line—if the service is free, go ahead and sign up. Otherwise, think twice.
- Use multi-factor authentication (MFA). Two-factor authentication is the simplest form of MFA, meaning you need your password and one other form of authentication to prove that you are who you say you are and not a cybercriminal attempting to hack your account. For example, a website might ask you to enter your login credentials and enter a separate authentication code sent via text to your phone.
You can also download and share these tips via our handy data breach checklist.
How do I prevent data breaches?
The fines, clean-up costs, legal fees, lawsuits, and even ransomware payouts associated with a data beach add up to a lot of money. The 2018 Ponemon Cost of Data Breach study found the average cost of a data breach to be right around $3.9 million, an increase of 6.4 percent over the previous year. While the cost for each stolen record came in at $148, an increase of 4.8 percent over the previous year. According to the same study, your chances of experiencing a data breach are as high as one in four.
Doesn’t it make sense to be proactive about data security and avoid a breach in the first place? If you answered yes, and we hope you did, here are some best practices to help keep your business and your data secure.
Practice data segmentation. On a flat data network, cybercriminals are free to move around your network and steal every byte of valuable data. By putting data segmentation into place, you slow criminals down, buying extra time during an attack, and limiting compromised data. Data segmentation also helps with our next tip.
Enforce the principle of least privilege (PolP). PolP means each user account only has enough access to do its job and nothing more. If one user account is compromised, cybercriminals won’t have access to your entire network.
Invest in a good cybersecurity program. If you have the misfortune of clicking a malicious link or opening a bad attachment, a good cybersecurity program will be able to detect the threat, stop the download, and prevent malware from getting onto your network. Malwarebytes, for example, has protection products for business users just like you.
For all the latest news on data breaches, be sure to visit the Malwarebytes Labs blog.