Hackers kept many of the world’s largest corporations on their toes this year. We’re going back through our weekly “Who Got Hacked” features and realizing something very disturbing: the worst cyber attacks in 2019 could have been avoided if everyone in those victim organizations had been on the same page.
The series of errors which led to the largest cyber attacks of 2019 is basically the same no matter what the victim org’s size. This means if you read the list below thinking, “these are mega-companies; the risk of a data hack at my organization is much smaller” … you’re in dire need of a reality check!
Here are some of the worst cyber attacks of 2019 in no particular order:
Almost every Ecuadorian citizen
One of the largest data breaches in 2019 happened in Ecuador, where the personal information of about 20 million people was exposed, including that of the country’s president and of Julian Assange, the WikiLeaks founder who was granted asylum by the nation.
It’s reported by security firm and breach discoverer vpnMentor that the exposed data came from the Ecuadorian national bank, Ecuadorian government registers, and an automobile organization.
Everything from dates of birth to personal identification numbers and even driving records was involved in the incident.
First American Corporation (~885,000,000 files)
This hack of the American real estate title insurer First American Corporation’s website leaked over three quarters of a billion mortgage deal documents, including bank account numbers, tax records, Social Security numbers, wire transaction receipts, and driver’s license images, says KrebsOnSecurity.
Krebs says it was tipped off by a real estate developer who “said anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.”
The 885,000,000 files, which date as far back as 16 years, were available to view without authentication requirements.
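The flaw described above is a missing authentication and per-object authorization check on a guessable document ID. The following is an added example, not First American's code or part of the original article; the store, IDs, owner names and function names are all constructed for illustration. It puts the "ID is the only credential" lookup beside a hardened one and adds a small regression check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str   # account entitled to read this record (hypothetical model)
    body: str

# Constructed sample store with sequential numeric IDs, mirroring the
# "modify a single digit in the link" pattern described in the text.
STORE = {d.doc_id: d for d in (
    Document(1000001, "alice", "closing statement A"),
    Document(1000002, "bob", "wire receipt B"),
    Document(1000003, "carol", "tax record C"),
)}

def fetch_vulnerable(doc_id, session_user=None):
    """Before: knowing (or guessing) the ID is enough to read the document."""
    doc = STORE.get(doc_id)
    return (200, doc.body) if doc else (404, "")

def fetch_hardened(doc_id, session_user=None):
    """After: require a session, then authorize against the object's owner."""
    if session_user is None:
        return (401, "")
    doc = STORE.get(doc_id)
    # Same 404 for "missing" and "not yours", so responses never confirm
    # which IDs are valid to a caller who is not entitled to them.
    if doc is None or doc.owner != session_user:
        return (404, "")
    return (200, doc.body)

def readable_ids(fetch, session_user, ids):
    """Access-control regression check: which IDs can this caller read?"""
    return [i for i in ids if fetch(i, session_user)[0] == 200]

if __name__ == "__main__":
    ids = list(STORE)
    print("vulnerable, no session:", readable_ids(fetch_vulnerable, None, ids))
    print("hardened, no session:  ", readable_ids(fetch_hardened, None, ids))
    print("hardened, as bob:      ", readable_ids(fetch_hardened, "bob", ids))
```

Running `readable_ids` for an anonymous caller and for each test account in CI catches the regression where an endpoint starts returning records the caller does not own.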
Oklahoma Department of Securities (potentially millions of breached files)
The Oklahoma Department of Securities recently dealt with a breach of millions of files, some of which were involved with FBI investigations.
UpGuard’s data breach research describes a storage server with records dating as far back as 1986, and says it is unclear how long the records were publicly accessible, but an IP address search engine first registered it in November of 2018.
“The data was exposed via an unsecured rsync service at an IP address registered to the Oklahoma Office of Management and Enterprise Services, allowing any user from any IP address to download all the files stored on the server,” the UpGuard report says.
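An rsync daemon serves "any user from any IP address" when a module has neither `auth users` nor a host restriction. The following is an added example, not part of the UpGuard report or the original article: a small auditor for `rsyncd.conf` that flags such modules. The sample configuration, module names and paths are constructed, and treating the presence of `hosts deny` as a restriction is a simplification.

```python
import configparser

# Constructed sample rsyncd.conf (not taken from the incident).
SAMPLE = """\
uid = nobody
read only = yes

[archive]
path = /srv/archive
comment = open module, no restrictions

[backups]
path = /srv/backups
auth users = backupsvc
secrets file = /etc/rsyncd.secrets
hosts allow = 10.0.0.0/8
"""

def audit_rsyncd(text):
    """Return {module: [findings]} for modules any client can read."""
    # Parameters placed before the first [module] are global defaults that
    # modules inherit; mapping them to configparser's default section
    # reproduces that inheritance.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   default_section="__global__")
    cp.read_string("[__global__]\n" + text)
    report = {}
    for module in cp.sections():
        opts = cp[module]
        findings = []
        if not opts.get("auth users", "").strip():
            findings.append("no 'auth users': anonymous clients accepted")
        if not (opts.get("hosts allow", "").strip()
                or opts.get("hosts deny", "").strip()):
            findings.append("no 'hosts allow'/'hosts deny': any source IP")
        if findings:
            report[module] = findings
    return report

if __name__ == "__main__":
    for module, findings in audit_rsyncd(SAMPLE).items():
        for finding in findings:
            print(f"[{module}] {finding}")
```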
Trend Micro (about 70,000 people affected)
ZDNet reported an attack on “fewer than one percent” of security firm Trend Micro’s customer base was the alleged work of a former employee. Names, email addresses, support ticket numbers, and some telephone numbers were taken in the breach and used to conduct scams, ZDNet says.
The firm was made aware in August that customers were receiving phony calls from people claiming to be with Trend Micro.
“It is believed the information was sold on to a third-party, but the identity of the threat actor — or group responsible — is not yet known,” ZDNet’s report says.
Flipboard (150,000,000 people affected)
Content aggregation app Flipboard announced earlier this year that unauthorized access to databases containing Flipboard user information happened between June 2, 2018 and March 23, 2019, and between April 21, 2019 and April 22, 2019.
Those databases contain names, usernames, email addresses, and cryptographically-protected passwords, the company says. It is not yet known how many accounts were affected, but Flipboard reportedly serves 150,000,000 app users, and said in its announcement that not all of them were involved.
While the fact that the hacked passwords were “cryptographically-protected” typically means more difficulty for the hacker, Flipboard did also report that passwords created or changed before March of 2012 were protected with a weaker algorithm, says a Forbes article about the data breach.
What’s more, the digital tokens used to connect Flipboard with social media accounts “may have” also been stored in the databases.
Facebook (over 540,000,000 people affected)
This is the news that prompted some tech publications to encourage all Facebook users to change their passwords. In April 2019, UpGuard reported on two third-party Facebook apps holding large datasets which left their data exposed to the public — one of the biggest data breaches in social media history.
The breach from media company Cultura Colectiva’s app contains over 540 million records, including Facebook IDs, likes, reactions, and more.
Another Facebook app backup titled “At the Pool” also contained user IDs, as well as columns for fb_likes, fb_music, fb_movies, fb_books, fb_photos, fb_events, fb_groups, fb+checkins, fb_interests, and much more, according to UpGuard. This affected at least 22,000 users.
“The data sets vary in when they were last updated, the data points present, and the number of unique individuals in each. What ties them together is that they both contain data about Facebook users, describing their interests, relationships, and interactions, that were available to third party developers. As Facebook faces scrutiny over its data stewardship practices, they have made efforts to reduce third party access.” — UpGuard report
Fortnite (potentially 200,000,000 accounts affected)
One of the most prominent games in pop culture lately, Fortnite sees roughly 200 million users worldwide vie to be the last player standing.
But Check Point Research found vulnerabilities which “could have allowed a threat actor to take over the account of any game player, view their personal account information, purchase V-bucks, Fortnite’s virtual in-game currency and eavesdrop on and record players’ in-game chatter,” according to the report.
It isn’t uncommon for cyber criminals to create fake landing pages surrounding these popular online games that advertise ways to earn in-game currency while phishing for credentials.
Check Point Research didn’t need to create a fake website to recreate the breach, though. They didn’t even need a user to hand over any login information whatsoever.
The researchers found a weakness in Fortnite’s sub-domains that allows an XSS attack if the user does nothing more than click on a link sent by the attacker.