Recent data from Risk Based Security revealed that the number of records exposed has increased to a staggering 36 billion in 2020. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record.”
There were a number of notable data breaches that took place this year. But the compromise of the Twitter accounts held by several high profile celebrities probably garnered the most headlines, says Chris Hallenbeck, Chief Information Security Officer (CISO) for the Americas at Tanium.
“While the victim’s and subject matter made it easy click-bait, it offers a valuable lesson for organizations of all sizes – employee education matters. Three teenagers managed to gain access to the accounts of public figures by simply convincing employees at the social media company that they were colleagues who needed access to the customer service portal. While this sounds simple, social engineering is more common – and more successful – than most people realize.”
This alarming rise of social engineering and its increasing sophistication teaches us that employee education and creating a culture of cybersecurity is just as important as any other form of IT hygiene, Hallenbeck says.
Companies need to encourage employees to embrace the idea that they are gatekeepers for corporate information and that they play a tremendous role in keeping it safe, he argues. “Crucial systems and the accounts that access them should be protected with multi-factor authentication. Zero Trust initiatives will play a much bigger role for protecting key systems and data,” Hallenbeck explains. “Longer term, the frequency and sophistication of these attacks is a good reminder that prevention is only half the battle. You need to have visibility and detection capabilities across all of your operations, and especially in the case of ransomware, a way to rapidly shut down or quarantine infected devices. When it comes to ransomware, being able to push "the big red button" quickly can make all the difference.”
Security magazine brings you a list of 2020’s top 10 data breaches and a few honorable mentions. Stay tuned for Hallenbeck’s predictions for the cybersecurity landscape in 2021 at the end.
10. Microsoft – 250 million records
On January 22, Microsoft disclosed a data breach that took place December 2019. In a blog post, the company said a change made to the database’s network security group on December 5, 2019 contained misconfigured security rules that enabled exposure of the data.
According to ZDNet, the servers contained 250 million entries, with information such as email addresses, IP addresses, and support case details.
Engineers remediated the configuration on December 31, 2019 to restrict the database and prevent unauthorized access. The misconfiguration was specific to an internal database used for support case analytics, Microsoft says, and did not represent an exposure to its commercial cloud services.
Microsoft’s investigation found no “malicious use and most customers did not have personally identifiable information (PII) exposed. Bob Diachenko, security researcher, alerted Microsoft to the exposed database.
9. Wattpad – 268 million records
In June 2020, the user-generated stories website Wattpad suffered a huge data breach that exposed almost 268.745.495 million records.
The data was initially sold in private sales of over $100,000, and then published on a public hacking forum where it was broadly shared for free, according to BleepingComputer.
The incident exposed extensive personal information including names and usernames, email and IP addresses, genders, general geographic location, birth dates and passwords stored as bcrypt hashes.
8. Broadvoice – 350 million records
Security researcher Bob Diachenko discovered an exposed cluster of databases belonging to the Voice over IP (VoIP) telecommunications vendor Broadvoice that contained the records of more than 350 million customers.
Diachenko uncovered the database information on October 1 and found it included caller names, phone numbers, and locations, among other data. One database included transcriptions of hundreds of thousands of voicemails, many involving sensitive information such as details about medical prescriptions and financial loans. More than 2 million voicemail records were included in that subset of data, 200,000 of which had been transcribed.
Most of these records contained caller name (full name, business name, or a generic name such as “wireless caller”), caller phone number, a name or identifier for the voice mailbox (for example, a first name or general label, such as “clinical staff” or “appointments”), and internal identifiers.
7. Estée Lauder – 440 million records
On January 30, security researcher Jeremiah Fowler discovered a database online that contained what he says was "a massive amount of records." The database belonged to cosmetics giant Estée Lauder and contained a total of 440,336,852 records.
In a statement, the company noted that the database was from an “education platform,” which did not contain consumer data. No evidence was found of unauthorized use of the data.
Fowler told Forbes that the entire database was accessible to anyone with an internet connection, so anyone could have potentially had access or stolen the data while it was unprotected. The records contained user emails in plain text, references to reports and other internal documents, IP Addresses, ports, pathways, and storage information.
6. Sina Weibo – 538 million records
In March, news broke that the personal details of more than 538 million users of Chinese social network Weibo were available for sale online. A hacker then claimed to have breached Weibo in mid-2019 and obtained a database that allegedly contained the details of 538 million users and was selling the data for $250 on the dark web.
The database was allegedly not particularly valuable in terms of “hacking potential” since it contained no passwords of payment information. However, the records contained PII, such as real names, site usernames, gender, location as well as phone numbers for 172 million users. The exposed information could lead to scam, fraud, and other types of impersonation attempts.
5. Whisper – 900 million records
An unprotected database, containing 900 million Whisper posts, and all the metadata related to those posts, was found online earlier in March.
A “secret-sharing” app, Whisper, who called itself the “safest place on the Internet,” exposed PII, including, intimate confessions, ages, locations and other details, and allowed anyone to access all of the information tied to anonymous “whispers” posted to the app.
The exposed records did not include real names but did include a user’s stated age, ethnicity, gender, hometown, nickname and any membership in groups, many of which are devoted to sexual confessions and discussion of sexual orientation and desires.
According to The Washington Post, the database was discovered by independent researchers and consultants Matthew Porter and Dan Ehrlich, who said they were able to access almost 900 million user records from the app’s release in 2012 to the present day.
4. BlueKai – billions of records
In June 2020, security researcher Anurag Sen found an unsecured BlueKai database accessible on the open Internet. The database held billions of records containing names, home addresses, email addresses, and web browsing activity like purchases and newsletter unsubscribes.
A startup, BlueKai was bought for over $400 million in 2019 by Oracle. TechCrunch reported the app had amassed one of the largest banks of web tracking data outside of the federal government, using website cookies and other tracking technology to follow users around the web.
According to Cyware, BlueKai tracks 1.2% of all web traffic and tracks some of the world’s biggest websites: Amazon, ESPN, Forbes, Glassdoor, Healthline, MSN.com, Levi’s, Rotten Tomatoes, and The New York Times. Given the volume of data on this unsecured server, this was one of the largest cybersecurity breaches of 2020.
3. Keepnet Labs – 5 billion records
In March 2020, Bob Diachenko reported coming across a leaky Elasticsearch database which appeared to be managed by a U.K.-based security company, according to SSL certificate and reverse DNS records.
Diachenko noted that “the irony of the discovery is that it was a ‘data breach database’, an enormously huge collection of previously reported security incidents spanning 2021-2019 era.”
Though company data and customer records were not exposed, the incident involved previously reported data breaches collections. Diachenko discovered the data had been indexed by BinaryEdge, and the Elasticsearch cluster had two collections: leaks_v1 with 5,099,635,374 records and leaks_v2 with more than 15 million records, updating in real-time. Diachenko noted the data was “very well structured” and included:
- hashtype (the way a password was presented: MD5/hash/plaintext etc)
- leak date (year)
- password (hashed, encrypted or plaintext, depending on the leak)
- email domain
- source of the leak (Diachenko was able to confirm a few of the most prominent ones: Adobe, Last.fm, Twitter, LinkedIn, Tumblr, VK and others).
In June, Keepnet Labs released a public statement, admitting to the data leak. According to the statement, in March 2020, they started to work with a new service provider, who “was performing scheduled maintenance and was migrating the ElasticSearch database…During this operation, regrettably, the engineer responsible later reported that he had to disable the firewall for approximately 10 minutes to speed up the process. During this window, the Internet indexing service, BinaryEdge indexed this data.”
Keepnet reached out to Diachenko, as well as other media outlets, to have stories amended so a “reader is not misled over this incident, however unintentional that may have been.” For the full statement, including actions Keepnet Labs has taken, click here.
2. Advanced Info Service (AIS) – 8.3 billion records
Security researcher and head of Trust & Safety at Cloudflare Justin Paine discovered an open ElasticSearch database when browsing BinaryEdge and Shodan on May 7. According to Paine’s summary of the incident, the database appeared to be controlled by a subsidiary of a major Thailand-based mobile network operator named Advanced Info Service (AIS). AIS is a large GSM mobile phone operator with 39.87 million customers.
The database contained a combination of DNS query logs and NetFlow logs for what appeared to be AWN customers. Based on data available in BinaryEdge, Paine says the database was first observed as exposed and publicly accessible on May 1, 2020. Over the course of the three weeks the database had been exposed, the volume of the data grew significantly, adding approximately 200 million new rows of data every 24 hours.
As of May 21, there were 8,336, 189, 132 records stored in the database. AIS confirmed the data leak, acknowledging their “procedures fell short,” and thanking Paine for his diligence in addressing the issue and contacting AIS, as well as the Thailand National CERT team.
The company also verified that the data leaked related to Internet usage patterns and did not contain PII that could be used to identify any customer.
For more information, please visit https://rainbowtabl.es/2020/05/25/thai-database-leaks-internet-records/
1. CAM4 – 10.88 billion records
Anurag Sen, at Safety Detectives, discovered a significant data leak belonging to adult live-streaming website CAM4.com. The website is owned by Irish company Granity Entertainment.
The database, according to the research team, exceeded 7 terabytes with production logs dating from March 16, 2020 and increasing daily, containing 10.88 billion records with PII, including:
- First and last names
- Email addresses
- Country of origin
- Sign-up dates
- Gender preference and sexual orientation
- Device information
- Miscellaneous user details such as spoken language
- Payments logs including credit card type, amount paid and applicable currency
- User conversations
- Transcripts of email correspondence
- Inter-user conversations
- Chat transcripts between users and CAM4
- Token information
- Password hashes
- IP addresses
- Fraud detection logs
- Spam detection logs
The logs revealed user password information and the email count exceeded several million. This data, according to SafetyDetectives, could be weaponized to compromise other individuals and groups; and full names, emails, and password hashes could also be used to identity users’ real identity and commit various types of deception and fraud.
Honorable mentions include:
- Facebook’s data breach – 267 million records
- Instagram, TikTok, and YouTube breach – 235 million records
- Cit0Day – 226 million records
- Unprotected Google Cloud Server breach – 201 million records
- MGM – 142 million records
- Barnes & Noble – unknown
Predictions for 2021
With 2021 just days away, what will the cybersecurity landscape look like? Any cybersecurity professional will tell you that cybersecurity is a moving target, says Hallenbeck. “Organizations must continually reassess and redeploy their cybersecurity strategies, but many had to lower their guards in 2020. The realities of a global pandemic, resourcing and finances meant sidelining new security projects or accepting less visibility across the IT estate,” he adds.
Recent Tanium research conducted during the first two months of the pandemic revealed 93% of business leaders said their IT teams delayed security projects and 43% have since delayed or stopped patching altogether. Eighty-five percent said they experienced more cyberattacks in the first two months of the pandemic than before it. “I predict this trend will continue well into 2021, and that when these employees, and their endpoints, do return to the office, then there will be even greater fallout,” he notes.
Hallenbeck also predicts a huge uptick and shift in ransomware and explains that over the course of time, ransomware tactics have dramatically changed direction. “Cybercriminals went from a spray and pray effort – hit everyone they could – to a targeted and sophisticated plan of attack. Criminals started going after a particular company, doing recon and gaining access to their systems via targeted spear phishing. Then AV started getting pretty good at the detection aspect. So criminals shifted gears again. Now, they’re skipping malware altogether – they steal credentials, gain access and extort the company for a ransom. This evolution robs defenders of a key piece of the detection puzzle.”
To stay ahead of ransom attacks, Hallenbeck says, “Organizations will need the ability to see, manage and control each and every endpoint in 2021.”
Now, we ask again, will 2020 be the worst year on record? Reach out to firstname.lastname@example.org with your thoughts!
*Check out 2019's Top 12 Data Breaches here.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.