More than one billion people were affected by the loss of personal data through 13 data breaches at 11 different companies in the past year, according to personal virtual private network service provider NordVPN.
The biggest breach of the year exposed the data of half a billion customers of the Marriott hotel group’s Starwood properties, including the St Regis, Westin, Sheraton, Aloft, Le Meridien, Four Points and W Hotel brands.
Marriott said hackers had broken into its booking system and accessed customer data over the past four years. Stolen data included customers’ names, addresses, phone numbers, card numbers, passport numbers and even information about where and who they were traveling with.
“Because this information wasn’t used for any known financial gains or identity thefts, there are rumours that it could have been a state-sponsored attack,” said Daniel Markuson, digital privacy expert at NordVPN.
“As a former British intelligence officer said, the aim of this attack could have been to get valuable information on spies, diplomats and military officials who have stayed in Marriott hotels over the years. It is strange that the attack remained unnoticed for such a long time and that none of the information was monetised.”
The second largest breach was at Twitter, affecting 330 million users when a software bug exposed passwords in plain text. Twitter said a bug in its password hashing process caused passwords to be written to an internal log in plain text before they were hashed.
“Twitter’s investigators claimed that no one had actually accessed the data, but if any of the affected accounts had been hacked, their passwords would have been visible to the attacker,” said Markuson. “Their information could then be used to access other accounts.”
Twitter advised a number of users to change their passwords as a precaution and said the bug had been fixed.
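The Twitter incident is the classic shape of a credential leak that has nothing to do with the strength of the hash: the raw password is copied somewhere (a log line, a debug dump) before the hashing step runs. The following is an added example, not Twitter's code or anything from the article. It shows the leaky pattern beside a hardened one that redacts sensitive fields before logging and stores only a salted scrypt digest; the field names, the in-memory log sink and the user store are assumptions that keep the example runnable offline.

```python
"""Keep raw credentials out of logs and storage (added example, not Twitter's code)."""
import hashlib
import hmac
import os

# Assumed field names treated as secrets; adjust to the real request schema.
SENSITIVE_FIELDS = {"password", "new_password", "token"}

# Constructed sample request: what a login/registration handler receives.
SAMPLE_REQUEST = {"username": "alice", "password": "correct horse battery staple"}


def log_request_leaky(request, sink):
    """Vulnerable pattern: the whole request is serialised into the log
    before the password is hashed, so the sink now holds the plaintext."""
    sink.append(f"login attempt: {request}")


def redact(request):
    """Return a copy of the request with every sensitive field masked."""
    return {k: ("[REDACTED]" if k in SENSITIVE_FIELDS else v)
            for k, v in request.items()}


def log_request_safe(request, sink):
    """Hardened pattern: only the redacted view ever reaches the log."""
    sink.append(f"login attempt: {redact(request)}")


def hash_password(password, salt=None):
    """Salted scrypt from the standard library; returns 'salthex$digesthex'.
    n=2**14, r=8, p=1 needs about 16 MiB, within hashlib's default maxmem."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=2 ** 14, r=8, p=1, dklen=32)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the digest with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, stored)


def register_safe(request, sink, store):
    """Log a redacted view, then persist only the salted hash."""
    log_request_safe(request, sink)
    store[request["username"]] = hash_password(request["password"])
    return store[request["username"]]


def plaintext_in_sink(sink, secret):
    """True if any log line contains the raw secret (the Twitter failure mode)."""
    return any(secret in line for line in sink)


if __name__ == "__main__":
    leaky_log, safe_log, users = [], [], {}
    log_request_leaky(SAMPLE_REQUEST, leaky_log)
    register_safe(SAMPLE_REQUEST, safe_log, users)
    print("leaky log exposes password:", plaintext_in_sink(leaky_log, SAMPLE_REQUEST["password"]))
    print("safe log exposes password: ", plaintext_in_sink(safe_log, SAMPLE_REQUEST["password"]))
    print("stored record:", users["alice"])
    print("verify:", verify_password(SAMPLE_REQUEST["password"], users["alice"]))
```

The redaction is deliberately applied to the request object rather than to the formatted string, so that any log formatter, error handler or debug dump downstream of it sees the masked copy.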
Next up is My Fitness Pal, a food and nutrition app owned by Under Armour, which leaked the data of 150 million users.
“Once the company noticed the breach, it notified its users in almost record time compared with other companies, just four days,” said Markuson.
Under Armour said hackers accessed usernames, email addresses and hashed passwords, but other information, such as credit card numbers, was not compromised because it was stored separately from generic user information.
It is still unknown how hackers broke into the systems, but Under Armour said it was working with data security firms to investigate the attack and take precautionary measures to avoid further break-ins.
Firebase, a Google-owned development platform, leaked the sensitive information of over 100 million users during the year. “The platform might not be well known to everyone, but it is widely used by mobile developers,” said Markuson.
Appthority researchers scanned 2.7 million iOS and Android apps that connect to, and store, their data on Firebase. They found that more than 3,000 of those apps were connected to a misconfigured database that could be accessed by anyone.
“These apps with ‘leaky back-ends’ had been downloaded on the Google Play Store over 620 million times and could have exposed highly sensitive data, including user IDs, plaintext passwords, users’ locations, bank details, bitcoin transactions, social media accounts and even health records,” said Markuson.
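The "leaky back-end" Appthority describes is a Firebase Realtime Database whose security rules grant read or write access unconditionally, so the data is served to any client without a login. The following is an added example, not code from the article, from Appthority or from Google: a small linter that walks a rules document and flags every `.read`/`.write` rule set to a literal `true`. The two rule documents are constructed samples in the Realtime Database rules syntax; the `users/$uid` path layout is an assumption.

```python
"""Flag unconditional .read/.write rules in a Firebase Realtime Database
rules document (added example; the samples below are constructed)."""
import json

# Constructed sample: the "anyone can read and write" rule set. Because
# rules cascade downwards, a grant at the root opens the whole database.
OPEN_RULES = """
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
"""

# Constructed sample: no access without a session, and each authenticated
# user may only touch their own subtree (assumed users/$uid layout).
SCOPED_RULES = """
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    }
  }
}
"""


def is_unconditional(expr):
    """A rule grants access to everyone when it is the literal true, either
    as a JSON boolean or as the string expression "true"."""
    if expr is True:
        return True
    return isinstance(expr, str) and expr.strip() == "true"


def find_open_rules(rules_json):
    """Return (path, rule) pairs for every .read/.write that needs no
    condition, walking the rules tree recursively. Keys beginning with a
    dot are rule types; everything else is a path segment ($wildcards
    included)."""
    doc = json.loads(rules_json)
    findings = []

    def walk(node, path):
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if is_unconditional(value):
                    findings.append((path or "/", key))
            elif not key.startswith("."):
                walk(value, f"{path}/{key}")

    walk(doc.get("rules", {}), "")
    return findings


if __name__ == "__main__":
    for name, doc in (("open", OPEN_RULES), ("scoped", SCOPED_RULES)):
        print(name, find_open_rules(doc) or "no unconditional rules")
```

For a project you own, the same condition can be confirmed from outside: the Realtime Database REST API serves the root at `https://<project-id>.firebaseio.com/.json` (placeholder host), and an unauthenticated GET returns the data when the root is world-readable and `{"error": "Permission denied"}` when it is not.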
The question-and-answer website Quora was also hacked, putting 100 million users at risk. Quora representatives said they had noticed that a “malicious third party” had accessed sensitive information on the database. Compromised data ranged from users’ names and IP addresses to their Q&A history, access tokens and private messages.
“Quora claimed that none of its partners’ financial information or any anonymous Q&As had been affected,” said Markuson. “The attack is under investigation, and no further comments have been made by the company.”
My Heritage, a company that can test people’s DNA to find their ancestors and build their family trees, leaked the email addresses and hashed passwords of more than 92 million users.
The attack was noticed in June, when a security researcher found users’ data sitting on a private server that does not belong to the company.
My Heritage said the most sensitive user data, such as DNA information and family trees, is stored on separate systems that were not compromised.
Facebook breaches
One of the biggest brands hit by data breaches in 2018 was Facebook, with 147 million accounts exposed in three breaches.
The first came to light in March, when it emerged that political consulting firm Cambridge Analytica was given permission to use more than 50 million Facebook profiles for “research purposes”, but instead collected user information to create psychographic profiles to influence the US presidential campaign in 2016.
“This data mining and data analysis company was employed by Donald Trump and helped him shape and predict the votes,” said Markuson.
Then, in September, Facebook hit the headlines again when the security of almost 90 million users was compromised. A bug in Facebook’s “View As” feature was discovered that could be used to steal users’ access tokens, which keep the user logged into a website or an app during a browsing session.
“Access tokens do not save the user’s password, so Facebook logged out everyone potentially affected to restore the security,” said Markuson. “However, hackers still managed to steal usernames, genders, and information about their home towns.
“Facebook claims that, so far, it has not noticed any suspicious behaviour on compromised accounts. However, this doesn’t mean this data won’t be used at a later date.”
In December, user confidence in Facebook was shaken even further when another bug was announced. “It appears that hundreds of third-party apps had unauthorised access to seven million users’ photos,” said Markuson. “Worst of all, these included pictures people might have started uploading but never posted.
“It is unknown whether anyone had seen these photos or used them in any malicious way. However, this shows how much data Facebook collects and how little control they have over their cyber security.”
Hefty fines for Uber
Although Uber admitted in November 2017 that it had covered up a data breach in 2016 that affected 57 million customers and drivers, Markuson said the company is worth a mention because of the resultant fines in 2018.
“Lack of communication with its users and failing to follow the procedures of the ‘bug bounty reward scheme’ resulted in Uber receiving a hefty fine of $148m in the US and £385,000 in the UK,” he said.
Also in 2018, event ticketing website Ticket Fly was bre