2021 will be a record-breaking year for data breaches. According to Identity Theft Resource Center (ITRC) research, the number of data breaches through September 30, 2021 had already exceeded the total for all of 2020 by 17%, with 1,291 data breaches in 2021 compared to 1,108 breaches in 2020.
In particular, manufacturing & utilities sector's data security was deeply impacted, with 48 compromises and a total of 48,294,629 victims. The healthcare sector followed, with 78 compromises and more than 7 million victims. Other sectors with more than 1 million victims included financial services (1.6 million victims), government (1.4 million victims) and professional services (1.5 million victims).
Even more worrisome, data breach notices at both the organization and government level have become less transparent. If the trend were to continue, the ITRC says, it could lead to a significant impact on individuals and organizations.
This year, Security magazine brings you a list of 2021’s top 10 data breaches and exposures, and a few other noteworthy mentions.
10. Android Users Data Leak — 100+ million
In May, security researchers discovered the personal data of more than 100 million Android users exposed due to several misconfigurations of cloud services. The data sat unprotected in real-time databases used by 23 apps whose download counts ranged from 10,000 to 10 million, and the exposure also included internal developer resources.
Check Point researchers discovered anyone could access sensitive and personal information, including names, email addresses, dates of birth, chat messages, location, gender, passwords, photos, payment information, phone numbers and push notifications.
In addition, of the 23 apps that Check Point researchers analyzed, a dozen had more than 10 million installations on Google Play. Most of them had the real-time database unprotected, exposing sensitive user information. While the misconfigured databases are not a surprise, the findings show the lack of basic security practices in many applications. The misconfigurations also put users’ personal data at risk.
9. Thailand Visitors — 106+ million
In August, Comparitech cybersecurity researcher Bob Diachenko stumbled across his own data online after discovering an unsecured database, which contained the personal information of millions of Thailand visitors.
The unprotected Elasticsearch database dated back ten years and contained the personal information of more than 106 million international travelers, including:
- Date of arrival
- Full name
- Passport number
- Residency status
- Visa type
- Arrival card number
Diachenko alerted Thai authorities, who acknowledged the incident and secured the data the following day.
8. Raychat — 150 million
Iranian business and social messaging application Raychat suffered a large data breach. Millions of its user records were exposed to the internet and then destroyed by a cyberattack involving a bot.
According to a Gizmodo report, the company stored its user data on a misconfigured MongoDB database, a NoSQL database used by companies that handle large volumes of user data. When misconfigured, the database can leave millions of documents vulnerable. Diachenko, who discovered the breach, said he found the vulnerability using publicly accessible open-source search tools. In a Twitter DM to Gizmodo, Diachenko said that several NoSQL databases like Mongo are targets “for bot attacks operated by malicious actors who scan the internet for open and unprotected dbs [databases] and wipe their contents, with only a ransom note left.” Diachenko says a README ransom note demanded 0.019 bitcoin (about $700).
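The Thailand and Raychat entries above share one root cause: an Elasticsearch or MongoDB instance bound to a public interface with authentication switched off. The following added example, which is not from the article or from any company it names, audits a mongod.conf or elasticsearch.yml for exactly that pattern and shows the weak form of each config beside its corrected form. The sample configs, the bind-address set and the finding strings are constructed for the demonstration; the defaults it assumes (mongod binds to 127.0.0.1 with authorization disabled, Elasticsearch 7.x binds to loopback with security disabled) reflect those products' documented behaviour.

```python
"""Added example: audit a mongod.conf or elasticsearch.yml for a datastore that listens
on a public interface with authentication off. The sample configs are constructed."""

# Bind addresses that put the service on every interface or on a routable one.
PUBLIC_BINDS = {"0.0.0.0", "::", "_site_", "_global_"}


def flatten_yaml(text):
    """Parse the small YAML subset these two config files use (nested 'key: value'
    blocks, dotted keys, '#' comments) into a flat dict of dotted keys.
    Assumption: no lists, anchors, quoted '#' characters or multi-line values."""
    flat = {}
    stack = []  # (indent, key) for the block each nested key belongs to
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip("'\"")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        path = ".".join([k for _, k in stack] + [key])
        if value:
            flat[path] = value
        else:
            stack.append((indent, key))  # a block header such as 'net:'
    return flat


def _public(bind_setting):
    """True if any comma-separated bind address exposes the service beyond loopback."""
    return any(h.strip() in PUBLIC_BINDS for h in bind_setting.split(","))


def audit(flat):
    """Return findings for a flattened config; an empty list means the exposure
    pattern was not found. Defaults assumed: mongod binds to 127.0.0.1 with
    authorization disabled; Elasticsearch 7.x binds to loopback with
    xpack.security.enabled false (8.x turns it on by default)."""
    findings = []
    if any(k.startswith("net.") for k in flat):  # looks like a mongod.conf
        exposed = flat.get("net.bindIpAll") == "true" or _public(flat.get("net.bindIp", "127.0.0.1"))
        if exposed and flat.get("security.authorization", "disabled") != "enabled":
            findings.append("mongod: public bind address with security.authorization disabled")
    if any(k.startswith("network.") for k in flat):  # looks like an elasticsearch.yml
        if _public(flat.get("network.host", "_local_")) and \
                flat.get("xpack.security.enabled", "false") != "true":
            findings.append("elasticsearch: public network.host with xpack.security.enabled false")
    return findings


# Constructed samples: the weak form beside its corrected form.
WEAK_MONGOD = """\
net:
  port: 27017
  bindIp: 0.0.0.0          # every interface, the public one included
# security.authorization never set, so the default (disabled) applies
"""

HARDENED_MONGOD = """\
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5   # loopback plus the private app-tier address
security:
  authorization: enabled       # every client must authenticate
"""

WEAK_ES = """\
cluster.name: records
network.host: 0.0.0.0
xpack.security.enabled: false
"""

HARDENED_ES = """\
cluster.name: records
network.host: 10.0.0.6
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in [("weak mongod", WEAK_MONGOD), ("hardened mongod", HARDENED_MONGOD),
                      ("weak elasticsearch", WEAK_ES), ("hardened elasticsearch", HARDENED_ES)]:
        print(name, "->", audit(flatten_yaml(cfg)) or "no findings")
```

The parser deliberately handles only the flat and two-level key shapes these files actually use, so it runs without PyYAML; point `flatten_yaml` at the real file contents to check a deployment, and treat any finding as a blocker until the bind address is narrowed or authentication is turned on, whichever the deployment needs.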
7. Stripchat — 200 million
Diachenko discovered an Elasticsearch database containing 200 million records belonging to Stripchat — an adult cam site. The database included 65 million user records that contained email addresses, IP addresses, the number of tips they gave to models, a timestamp of when the account was created and the last payment activity.
Diachenko also found another database containing about 421,000 records for the platform's models, including usernames, gender, studio IDs, tip menus and prices, live status, and the model's “strip score.”
Stripchat’s Max Bennet told Threatpost by email, “Information on 134 million transactions occurring were exposed; however, no information was leaked regarding the payment details. Finally, information on at least 719,000 chat messages (was exposed). No content of the private messages was revealed, though.”
Diachenko said the exposure could pose risks for both Stripchat viewers and models.
6. Socialarks — 214+ million
Safety Detectives researchers, led by Anurag Sen, discovered a server belonging to Socialarks — a cross-border social media management company — that contained scraped profiles of more than 214 million social media users, obtained from Facebook, Instagram and LinkedIn. The database held more than 408GB of data and more than 318 million records.
Safety Detectives discovered:
- 11,651,162 Instagram user profiles
- 66,117,839 LinkedIn user profiles
- 81,551,567 Facebook user profiles
- A further 55,300,000 Facebook profiles were summarily deleted within a few hours after our team first discovered the server and its vulnerability.
Given the size of the data leak, Safety Detectives said it was challenging for the team to unravel the full extent of the potential damage caused. But, from the data examined, researchers could determine people's full names, country of residence, place of work, position, subscriber data and contact information and direct links to profiles.
5. Brazilian Database — 223 million
In January, the largest personal data breach in Brazilian history was discovered. The data sets were discovered by PSafe and then reported by Tecnoblog. The databases included names, unique tax identifiers, facial images, addresses, phone numbers, email addresses, credit scores, salaries and more. The data also contained the personal data of several million deceased individuals. In addition, 104 million vehicle records were available.
The information, Open Democracy says, is typically used by credit scoring bureaus, which led researchers to suspect the leak may have originated from Serasa Experian, the leading Brazilian credit-scoring bureau.
The data was offered for free on a Darknet forum.
4. Bykea — 400 million
Led by researcher Sen, the Safety Detectives team discovered an Elastic server vulnerability during routine IP-address checks on specific ports. The exposed server contained API logs for Bykea, a transportation, logistics and cash-on-delivery payments company headquartered in Karachi, Pakistan.
Researchers discovered Bykea publicly exposed all its production server information without password protection or encryption and allowed access to more than 200GB of data containing more than 400 million records. The data contained people's full names, locations, and other personal information that hackers could potentially harness to cause financial and reputational damage.
Bykea’s CEO, Muneeb Maayr, described the cyberattack as “nothing out of the ordinary given that Bykea is a mobility-based tech firm,” Safety Detectives reports. It remains unclear whether this latest breach is related to a hack the company suffered earlier, during which attackers reportedly deleted the company’s entire customer database.
3. Facebook — 533 million
Security researcher Alon Gal discovered a leaked database belonging to Facebook, containing 533 million accounts.
The data includes the personal information of Facebook users from 106 countries, including more than 32 million records on users in the U.S., 11 million on users in the U.K. and 6 million on users in India. Insider reviewed a sample of the leaked data and verified several records by matching known Facebook users’ phone numbers with the IDs listed in the data set. Insider also confirmed records by testing email addresses from the data set in Facebook's password-reset feature, which can be used to partially reveal a user's phone number.
According to Gal, “A database of that size containing the private information such as phone numbers of a lot of Facebook's users would certainly lead to bad actors taking advantage of the data to perform social-engineering attacks [or] hacking attempts.”
2. LinkedIn — 700 million
The personal data of 700 million LinkedIn users, nearly 93% of the company’s members, was on sale online. The data appeared to be recent, with samples from 2020 and 2021. Though the data did not include login credentials or financial information, it did include personal information that could be used to assume someone’s identity, including:
- Full names
- Phone numbers
- Physical addresses
- Email addresses
- Geolocation records
- LinkedIn usernames and profile URLs
- Personal and professional experiences and backgrounds
- Other social media accounts and usernames
In a statement to Fortune, a LinkedIn spokesperson disputed this, saying, “We’ve investigated, and there is no evidence that this is new data or that the data is from 2020 and 2021. LinkedIn’s current investigation indicates phone number, gender, inferred salary, and physical address in this data set did not come from LinkedIn.”
The threat actor said they had used the same method to obtain the data that was used in an April infiltration, which also saw data from 500 million users being sold online. The company issued a statement, saying the data was not the result of an attack but a threat actor pulling data that was publicly available on a large scale.
“Our teams have investigated a set of alleged LinkedIn data that has been posted for sale,” the company said. “We want to be clear that this is not a data breach and no private LinkedIn member data was exposed. Our initial investigation has found that this data was scraped from LinkedIn and other various websites and includes the same data reported earlier this year in our April 2021 scraping update. When anyone tries to take member data and use it for purposes LinkedIn and our members haven’t agreed to, we work to stop them and hold them accountable.”
1. Cognyte — 5 billion
Diachenko discovered a massive database of more than 5 billion records, collected from previous data incidents, exposed on the web without a password or any other authentication required to access it, according to Comparitech.
The database belonged to Cognyte, a cybersecurity analytics firm that collected the data as part of its cyber intelligence service, which is used to alert customers to third-party data exposures. Diachenko alerted Cognyte, which secured the database three days later.
“Thanks to the information provided by the security researcher, Volodymyr ‘Bob’ Diachenko, Cognyte was able to rapidly respond to and block a potential exposure. We appreciate such a responsible and constructive approach, which helps raise awareness and induces companies and organizations to implement security safeguards and better protect their data,” Cognyte said in a statement to Comparitech.
Stored on an Elasticsearch cluster, the database was exposed for four days and contained 5,085,132,102 records. Not all of the data breaches from which the data was sourced included passwords, but Comparitech says it could not determine the exact percentage of records that contained a password.
All or some contained the following information:
- Email address
- Data source
Some of the previous data breaches from which the data was sourced include Zoosk, Tumblr, Antipublic, MySpace, Canva, Verification.io, iMesh, Edmodo, VK, Exploit, Master Breach Comp, Rambler, Onebip, Scentbird, Appen.com, Toondoo, Wishbone, Wattpad, Mathway, Promo.com, MGM, and Estante (a Brazilian book shop).
Though the data had already been exposed in earlier breaches, the aggregated database could still have posed risks to end users if threat actors had accessed it.
Other noteworthy data breaches include:
- Colonial Pipeline
*Editor’s note: All care is taken to provide up-to-date information with the aim to publish accurate and relevant information.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine.