Data breaches are part of the furniture of our digital lives. Barely a day goes by without another company leaking your data. And while these events are becoming more commonplace, something else changed in 2018 too.
The implementation of the EU’s General Data Protection Regulation (GDPR) means that businesses now commit to disclose any breaches within 72 hours. It can be hard to keep up with all the latest hacks, so we’ve rounded up some of the year’s most notable breaches.
1. Under Armour
Users Affected: 150 million
Data Exposed: Usernames, email addresses, and hashed passwords
For many people around the world, the diet and exercise tracking app MyFitnessPal (MFP) is a daily companion on their fitness journey. So it came as little surprise when the sportswear company Under Armour acquired MFP as a part of their digital offering. In March 2018, Under Armour (UA) released a statement that MyFitnessPal had been compromised, with the usernames, email addresses, and hashed passwords of the app’s 150 million users exposed.
The company acted quickly. Within four days of learning about the breach, MyFitnessPal sent an email update to all users and put together an FAQ website. They recommended that all users immediately change their passwords and said that they would continue to, somewhat vaguely, “make enhancements to [their] systems to detect and prevent unauthorized access to user information.”
On the surface, it appears as though Under Armour was doing right by its users. However, while some passwords were hashed using bcrypt—a deliberately slow, salted process that transforms your password into an unreadable string of characters—others weren’t so lucky. Although they didn’t reveal the numbers, a portion of MFP’s substantial user base was only protected with SHA-1, a fast general-purpose hash widely regarded as one of the weakest choices for password storage.
Although the leak happened early in the year, as of September 2018, there had been no further updates on the cause of the breach, or how UA hopes to prevent future attacks. The company has also not detailed whether they will continue to use SHA-1 hashing.
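The bcrypt versus SHA-1 distinction above is the whole story of this breach, so here is an added example (not Under Armour's or MyFitnessPal's code) showing the two schemes side by side and the upgrade-on-login path a site in UA's position would use to retire legacy SHA-1 records. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in as the slow, salted hash; the record format and the `sha1-legacy`/`pbkdf2` tags are assumptions made for this example.

```python
"""Legacy unsalted SHA-1 records vs. salted, slow hashing, with upgrade-on-login.

Added example; PBKDF2-HMAC-SHA256 stands in for bcrypt, and the record
layout ({"alg", "salt", "hash", "rounds"}) is an assumption of this example.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 200_000  # work factor: raise it over time as hardware gets faster


def legacy_sha1(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 over the password.
    Every user with the same password gets the same digest, so a leaked
    table reveals shared passwords and can be matched against precomputed
    digests without any per-user work."""
    return hashlib.sha1(password.encode()).hexdigest()


def make_record(password: str) -> dict:
    """Store a new password with a per-user random salt and a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"alg": "pbkdf2", "rounds": PBKDF2_ROUNDS, "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, password: str) -> bool:
    """Check a password against either record format, comparing in constant time."""
    if record["alg"] == "sha1-legacy":
        return hmac.compare_digest(record["hash"], legacy_sha1(password))
    if record["alg"] == "pbkdf2":
        digest = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(record["salt"]), record["rounds"]
        )
        return hmac.compare_digest(record["hash"], digest.hex())
    raise ValueError(f"unknown algorithm {record['alg']!r}")


def verify_and_upgrade(record: dict, password: str) -> tuple:
    """Login path: verify, and if the stored record is still legacy SHA-1,
    re-hash the now-known-correct password with the strong scheme.
    Returns (ok, record_to_store)."""
    ok = verify(record, password)
    if ok and record["alg"] == "sha1-legacy":
        return True, make_record(password)
    return ok, record


def legacy_count(records) -> int:
    """Inventory metric: how many accounts are still on the weak scheme."""
    return sum(1 for r in records if r["alg"] == "sha1-legacy")


# Constructed sample user table: two legacy accounts sharing a password, one modern.
USERS = {
    "alice": {"alg": "sha1-legacy", "hash": legacy_sha1("correct horse")},
    "bob": {"alg": "sha1-legacy", "hash": legacy_sha1("correct horse")},
    "carol": make_record("battery staple"),
}

if __name__ == "__main__":
    # Unsalted SHA-1 makes shared passwords visible without cracking anything.
    print("alice and bob share a hash:", USERS["alice"]["hash"] == USERS["bob"]["hash"])
    print("legacy accounts before login:", legacy_count(USERS.values()))
    ok, USERS["alice"] = verify_and_upgrade(USERS["alice"], "correct horse")
    print("alice login:", ok, "now on", USERS["alice"]["alg"])
    print("legacy accounts after login:", legacy_count(USERS.values()))
```

The `legacy_count` metric is the number a company should be able to quote after a breach like this one: how many accounts are still on the weak scheme, and how fast that number is falling as users log in. Accounts that never log in again keep their SHA-1 digest, which is why a forced reset for the remaining legacy records is the usual final step.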
2. British Airways
Users Affected: Unknown
Data Exposed: Customers’ personal and financial data
As the summer drew to a close in early September, the UK’s largest airline, British Airways (BA), said they were urgently investigating the theft of customer information. On their incident information website, the company said the theft affected “customers who made bookings or changes to their bookings […] between 22:58 BST August 21, 2018 and 21:45 BST September 5, 2018.” The stolen data included names, email addresses, billing addresses, and bank card details.
If you were among the unfortunate victims of the attack, BA has promised that you won’t be out of pocket as a direct result of the theft. However, it’s worth noting that they haven’t said what they consider a “direct result.” In the days following the disclosure, The Register reported that an external payment script might have been to blame for the attack. The security firm RiskIQ said the attack was likely pulled off by a group known as Magecart, who were responsible for a very similar attack on Ticketmaster earlier in 2018.
Just over a year before the attack, BA was also at the center of a massive computer power failure. The failure brought the company’s IT systems to a screeching halt, grounding all planes and affecting thousands of passengers. Despite making headlines around the world, BA has said little about the cause of the unprecedented outage.
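The Register's report above points at an external payment script, and Magecart-style attacks work precisely by altering a script the page already trusts. Subresource Integrity (SRI) is the standard browser defence for that: the page pins the script's hash, and a browser refuses to run a copy whose hash no longer matches. Here is an added example (not British Airways', RiskIQ's or The Register's code) that generates the `integrity` value and mirrors the browser's check; the script bodies and the `payments.example` URL are constructed for the example.

```python
"""Pinning an external script with Subresource Integrity (SRI).

Added example. A browser loading
  <script src="..." integrity="sha384-..." crossorigin="anonymous">
hashes the fetched body and blocks it if the hash does not match, so a
modified script served from the same URL fails to load instead of running.
The script bodies below are constructed samples.
"""
import base64
import hashlib
import hmac

# Constructed sample: the script as it was when the integrity value was generated.
ORIGINAL_SCRIPT = b"function checkout(card) { return post('/pay', card); }\n"
# Constructed sample: the same URL now serving an altered body.
MODIFIED_SCRIPT = ORIGINAL_SCRIPT + b"/* extra code appended later */\n"

_STRENGTH = {"sha256": 0, "sha384": 1, "sha512": 2}


def sri_hash(body: bytes, alg: str = "sha384") -> str:
    """Return the integrity attribute value for a resource body."""
    if alg not in _STRENGTH:
        raise ValueError("SRI allows sha256, sha384 or sha512")
    digest = hashlib.new(alg, body).digest()
    return f"{alg}-{base64.b64encode(digest).decode()}"


def sri_matches(body: bytes, integrity: str) -> bool:
    """Mirror the browser's rule: among the space-separated hashes, only those
    using the strongest listed algorithm count, and the body passes if any
    one of them matches."""
    tokens = [t for t in integrity.split() if t.split("-", 1)[0] in _STRENGTH]
    if not tokens:
        return False  # no recognised algorithm: nothing to trust
    strongest = max(t.split("-", 1)[0] for t in tokens)  # names sort by strength here
    strongest = max(tokens, key=lambda t: _STRENGTH[t.split("-", 1)[0]]).split("-", 1)[0]
    expected = sri_hash(body, strongest)
    return any(
        hmac.compare_digest(expected, t) for t in tokens if t.startswith(strongest + "-")
    )


def script_tag(url: str, integrity: str) -> str:
    """Render the tag a page would ship; crossorigin is required for SRI on
    cross-origin scripts so the browser can read the response body."""
    return f'<script src="{url}" integrity="{integrity}" crossorigin="anonymous"></script>'


if __name__ == "__main__":
    pin = sri_hash(ORIGINAL_SCRIPT)
    print(script_tag("https://payments.example/checkout.js", pin))
    print("original passes:", sri_matches(ORIGINAL_SCRIPT, pin))
    print("modified passes:", sri_matches(MODIFIED_SCRIPT, pin))
```

The trade-off is that a pinned script cannot change without the page updating its hash, so a payment provider that pushes a new version breaks checkout until the pin is refreshed; providers that version their script URLs make this manageable. SRI also does nothing for scripts the page itself does not pin, which is why it is usually paired with a Content Security Policy that limits where scripts may load from and where form data may be sent.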
3. Typeform
Users Affected: Unknown
Data Exposed: Survey data including personally identifiable information
If you’ve filled out an online survey in the past few years, you probably used the data collection website Typeform. Their surveys are popular with businesses as they are easy to set up and user-friendly. Typeform’s customers are businesses, not end users. So when the company discovered a breach in June 2018, they alerted their customers.
Typeform’s incident response site lacks detail and focuses on how businesses should tell customers about the disclosure. All we do know of Typeform’s breach is that it was the result of unauthorized access to a partial backup dated May 3rd, 2018, though it’s not clear how far back that data stretches. As Typeform elected not to provide a detailed breakdown, the total number affected is also unclear.
However, the list of organizations caught up in the breach is quite extensive. British retailers Fortnum & Mason and John Lewis were among those affected, along with the Australian bakery chain Bakers Delight. Other known victims include Airtasker, Rencore, PostShift, Revolut, Middlesex University Students’ Union, Monzo, the Tasmanian Electoral Commission, Travelodge, and the UK’s Liberal Democrats.
4. Exactis
Users Affected: 340 million
Data Exposed: Everything imaginable, minus Social Security and credit card numbers
In our modern economy, we trade our data in return for free products and online services. However, there is a growing movement against this kind of data collection, whose supporters refer disparagingly to the practice as Surveillance Capitalism. This sentiment has become even more popular in the wake of 2017’s Equifax hack and Facebook’s Cambridge Analytica scandal. You were probably surprised that Equifax had been collecting detailed information about you behind your back. Sadly, then, you won’t be too shocked to learn they weren’t the only ones.
In June, security researcher Vinny Troia used the computer search engine Shodan to uncover a database containing 340 million records. The database was left unsecured on a publicly available server by the marketing firm Exactis. While the 145.5 million records of the Equifax hack received widespread coverage, the Exactis database eclipsed that at 340 million records. However, unlike the aggregated Equifax data, the Exactis database was found by a security researcher. There is currently no evidence that it was accessed maliciously.
Exactis is a data broker, trading in our personal information—which is how they came to be in possession of data on nearly 214 million individuals and 110 million businesses. According to WIRED, the records included “more than 400 variables on a vast range of specific characteristics: whether the person smokes, their religion, whether they have dogs or cats, and interests as varied as scuba diving and plus-size apparel.”
There is a silver lining here, though. Despite the phenomenal amount of identifiable data, Exactis, unlike Equifax, held no financial information. However, if it turns out a malicious party did access the database, there are plenty of opportunities for social engineering.
5. Timehop
Users Affected: 21 million
Data Exposed: Names, email addresses, dates of birth, gender, country codes, and phone numbers
Our collective nostalgia for years gone by has become big business. No company has been able to capitalize on this love of the past more than Timehop. The Timehop app connects to your social networks and resurfaces your old posts to remind you of what you were doing on this day in the past. In July 2018, Timehop announced that it had interrupted a network intrusion on Independence Day.
Despite stopping the attack in just over two hours, the intruder was able to take a lot of data. Unfortunately, this included names, email addresses, dates of birth, gender, and in some cases, phone numbers of the app’s 21 million users. They were, however, able to prevent the attacker from gaining access to social media posts and private messages.
The attacker did manage to get to stored OAuth2 keys, which grant access to a user’s connected social networks. Before disclosing the breach, Timehop worked with the social networks to deactivate these keys, forcing users to re-authenticate connected accounts.
Unlike many of its contemporaries, Timehop’s incident website was clearly presented. The attack was explained both in technical and straightforward terms. They even provided an easily digestible table of the combinations of accessed data and how many people were affected. Of course, this will come as little comfort to the nostalgic app’s 21 million victims.
Protect Yourself From the Next Data Breach
Services we once thought of as secure are rapidly becoming unraveled, thanks in part to their poor security practices. You may even start to wonder if anywhere on the internet is safe, especially given how many times data harvesting has exposed your personal info. If you are worried that something is amiss, you should check if your online accounts have been hacked.
The responsibility to protect you falls at the feet of the affected companies. However, there are ways to improve your cyber hygiene that’ll strengthen your defenses. Passwords are one of our biggest headaches, but there is good news. You may not have to wait too much longer before we start to see exciting password alternatives hit the mainstream.
Image Credit: stevanovicigor/DepositPhotos