March 27, 2019
The Biggest Data Breaches of 2018
Currently, there are over 4 billion internet users in the world. Most of these people create accounts on various platforms hoping for a smooth and enjoyable experience chatting, sharing photos, making deals, playing games, shopping, and more. Often these accounts accumulate important personal information—names, email addresses, payment card details, and so on.
Unfortunately, many web users will eventually face the theft of their personal records. In fact, more than 3.3 billion records were compromised in the first half of 2018 alone. It's hard to imagine, but the average computer with an internet connection faces a hacking attack every 39 seconds. You can only take about 12 breaths in this amount of time.
At times, users fall victim to such attacks because they carelessly used a simple password or clicked a suspicious link. But even the most cautious users may have their personal data stolen. It happens when hackers attack companies that hold account data of millions of users. Sometimes human error leads to data misuse and a company accidentally exposes its database.
Last year saw some truly enormous data breaches and leaks. Let’s have a look at the largest incidents of 2018.
Marriott breach—a colossal amount of hotel data was stolen
383–500 million accounts compromised
Marriott became the largest hotel chain in the world in 2014, when it bought Starwood Hotels and Resorts. Yet, back at that time, hackers already had access to the Starwood database. They were able to steal passport data, phone numbers, email addresses, and some credit card details from the guests.
This hotel data breach was discovered in 2018, and initially the company announced that about 500 million guests were affected. Later, at the beginning of 2019, the figure was revised: “only” 383 million records were compromised in the Marriott data security breach, which is still a major setback to the company’s cybersecurity.
Exactis incident—marketing firm leaked personal information database
340 million accounts compromised
Exactis is a marketing and data aggregation company, which wasn’t very well-known until June 2018, when it accidentally leaked a database with 340 million records. This number is comparable to the entire population of the United States—about 326 million in 2018.
Security researcher Vinny Troia found this database on a publicly accessible server. The data collection included phone numbers, home addresses, emails, and even the interests and gender of a person's children. It has not been established whether fraudsters took advantage of the Exactis data breach, but given how capable contemporary search software is, it is quite easy to spot such a database and exploit it quickly.
Dubsmash data breach—bad news for wannabe singers
161 million accounts compromised
Dubsmash is a video messaging application that allows users to lip-sync to popular pieces of music and record themselves. Since its launch in 2014, Dubsmash has become quite trendy; contacts of over 161 million users were stored in its database.
In December 2018, this huge collection of personal records was hacked and put up for sale on a dark web marketplace. The database contained user IDs, encrypted passwords, usernames, email addresses, languages, countries and, in some cases, real names. The price set for the database was equal to $1,976 in bitcoin.
Under Armour mishap—accounts for fitness app exposed
150 million accounts compromised
If you are looking for excuses to avoid a healthy lifestyle, here is one: fitness geeks aren’t immune to cybersecurity threats. In 2018, Under Armour, the owner of the MyFitnessPal app, announced that someone managed to hack data for about 150 million users. Compromised details included email addresses, passwords, and usernames.
Later it emerged that, for some reason, one segment of the passwords was encrypted in a stronger way than the rest. Hence, some users were less protected against identity theft.
Quora security breach—Q&A website hacked
100 million accounts compromised
In the tenth year of its existence, Quora, a popular question-and-answer platform, fell victim to a hacker attack. Five days after discovering the data breach, Adam D’Angelo, Quora’s CEO, announced it to the public. He stated that a third party gained unauthorized access to one of the company’s systems.
User data stolen in this cybersecurity breach included names, emails, encrypted passwords, data from linked networks as well as public and private engagement actions (except for anonymous questions and answers). Luckily, by its nature, Quora did not collect payment card information or data on private preferences. But those who’d reused their Quora password on other websites risked having other online accounts hacked, too.
MyHeritage data leak—a DNA-testing service database exposed
92 million accounts compromised
MyHeritage offers its customers the possibility to test their DNA and track their ancestry. In June 2018, a MyHeritage database was found on an external server by a security researcher. MyHeritage published an announcement on the day it was notified, but the database appeared to have been stolen much earlier, in October 2017.
The exposed database included emails and encrypted passwords of more than 92 million users. Luckily, other sensitive personal records, such as family trees and DNA data, were kept separately and weren’t affected. Credit card information was not stored on MyHeritage at all. There was no evidence of the use of any leaked data, but, as in other cases, those who’d reused MyHeritage passwords elsewhere were unsafe.
Facebook–Cambridge Analytica scandal—personal data misused in political campaigns
87 million accounts compromised
One of the most discussed data scandals of 2018 was not the biggest in terms of affected accounts, yet it involved Facebook and Donald Trump’s presidential campaign, so it received a lot of media attention. The story about Facebook security problems traces back to 2014, but it was confirmed only in 2018 by an ex-employee of Cambridge Analytica, a political consulting company.
In 2014, about 270,000 Facebook users installed a personality-quiz app that collected data about them and their Facebook friends to the benefit of Cambridge Analytica. As a result, the company obtained a database with millions of records, enabling it to create profiles of voters by their political beliefs. Eventually, Cambridge Analytica used the profiles to target online ads within the Brexit campaign, Ted Cruz’s presidential stump, and the Trump campaign. In 2018, Facebook confirmed that the personal data of up to 87 million people had been inappropriately shared with Cambridge Analytica.
Google+ security flaws—vulnerabilities leading to social platform closure
52.5 million accounts compromised
At the end of 2018, Google revealed a critical security vulnerability in its social network, Google+. Information on more than 52.5 million users, including their names, email addresses, occupation, age, and more, was exposed to developers of various apps. It happened due to a bug in the Google+ API, a piece of software that allows different applications to communicate with each other.
It was not the first cybersecurity flaw discovered in Google+. A similar bug was detected earlier in 2018, but back then the number of affected accounts was estimated at about 500,000. Google+ as a platform was unpopular overall, and after such unfortunate revelations, Google decided to shut it down for good.
As we can see, even big and reputable companies lose control over their users’ data. Right now, some intruders may be hacking other databases with millions of records. Maybe they even contain your accounts…
Thus, be sure to use different passwords on different platforms and make your passwords strong and uncommon. Consider getting a password manager if you have a hard time remembering multiple secret words. Stay protected!