What The Hack 2018?

As the current year comes to an end, many of us take this time to look back and reflect on how we can be a better version of ourselves for the upcoming new year. Let’s reflect on the data breaches that occurred in 2018, to encourage the companies we trust with our data to try and do better in 2019.  

The past year brought us an unusual number of high profile breaches, with alarming amounts of data being exposed. Here are our 12 Hacks of Christmas:

1) The largest, in terms of records breached, was Aadhaar. For those of you who may not have heard of Aadhaar before, it’s the Unique Identification Authority of India (UIDAI). The UIDAI is mandated to assign a 12-digit unique identification (UID) number (termed "Aadhaar") to all the residents of India. According to a report by the Tribune News Services, there was a software patch that could be bought for as little as 500 Rupees and reportedly allowed unauthorized persons to generate Aadhaar numbers. An additional payment of 300 Rupees got you access to software through which anyone could print an ID card for any Aadhaar number. The data breach is believed to have compromised the personal information of nearly all 1.1 billion citizens registered in India.

2) More recently, there was a data breach of the Starwood guest reservation database, newly owned by Marriott International. This breach exposed the personal information of up to 500 million people. Hackers were able to access guests’ names, addresses, phone numbers, email addresses, passport numbers, dates of birth, genders, Starwood loyalty program account information, and reservation information. In some cases, they were also able to steal payment card numbers and expiration dates. According to Marriott, the payment card numbers were encrypted, but they are not sure yet if the hackers were also able to access the information needed to decrypt them. 

3) Exactis is a marketing and data aggregation firm based in Florida that left a database containing two terabytes of information exposed on a publicly accessible server, including the personal details of hundreds of millions of Americans and businesses. This led to an estimated 340 million records being breached. The data exposed included email addresses, physical addresses, phone numbers, and highly sensitive details such as the names and genders of consumers’ children.

4) MyFitnessPal, now owned by Under Armour, was compromised, leading to 150 million records being exposed. The data exposed included customers' usernames, email addresses, and hashed passwords. Some welcome news was that their users’ payment information was not compromised, as Under Armour stores that database separately. 

5) MyHeritage, an online genealogy platform, left 92 million of their users' emails exposed after a security researcher informed the company’s CISO of a file found on an external server. According to MyHeritage, they store family tree and DNA data on servers separate from those that store email addresses and they use third-party service providers to process payments, so other than email addresses, the rest of their customers’ data was not exposed. 

6) The main hack most of us heard about was the whole Facebook / Cambridge Analytica exposé. Upwards of 87 million records were breached. Later, Inti De Ceukelaire (a security researcher) revealed another app, Nametests.com, had publicly exposed information of more than 120 million Facebook users as well.

7) One of the latest breaches happened to Informed Delivery, a service created by the US Postal Service (USPS), which allows customers to view their mail before it arrives at their home mailboxes. In addition to emailing the images,  the USPS offers an API to allow users to connect their mail to specialized services like CRMs. However, it was discovered that the service accepted wildcards for many searches, allowing any user to see other users on the site. According to reports, hackers who accessed the data got to see where important documents and checks were being mailed, so they could go and steal them once they were delivered. The USPS has advised people sign up for the Informed Delivery service with your own email address before someone else signs up as you. Estimates say that 60 million records were exposed.

8) Panera Bread exposed 37 million of its customers’ records in early April. What was more concerning was that in August 2017, security researcher Dylan Houlihan attempted to disclose the vulnerability to Panera Bread, letting them know they had a weakness that resulted in Panerabread.com leaking customers’ records in plaintext. That data could then be scraped and indexed using automated tools. Houlihan claims that his disclosure was dismissed for almost eight months, until Houlian reached out to Brian Krebs (an investigative information security journalist) who reported the story. This finally forced Panera Bread to deal with the issue by taking their website temporarily offline so they could fix the vulnerability. 

9) Ticketfly was asked to cough up a ransom for a vulnerability that was discovered by a hacker. When the company refused, the hacker vandalized, took down, and disrupted their site for a week. The hacker was also able to replace Ticketfly’s homepage and make off with 27 million records of customer and employee data, including names, physical addresses, email addresses, and phone numbers. 

10) The Sacramento Bee newspaper was attacked by an anonymous hacker early in the year. The hacker gained access to 19.5 million records, after seizing two of their databases, and trying to get the paper to pay a ransom for their release. One of the databases contained data from California voter registration provided by California’s Secretary of State, and the other database stored the Sacramento Bee’s subscriber contact information. Sacramento Bee refused to pay the ransom and deleted the databases to prevent additional attacks. However, the attack still left 53,000 of their subscribers’ information and 19.4 million California voters’ data vulnerable.

11) It’s suspected that the fitness app, PumpUp, exposed 6 million of its users’ records after a backend server was found to be exposed to the Internet with no password to protect it. This vulnerability leaked sensitive customer data, such as user-entered health information, photos, and private messages sent between users. The exposed data also contained Facebook access tokens and, in some cases, unencrypted credit card data including card numbers, expiration dates and CVV numbers. ZDNet reported the story and reached out to PumpUp, after security researcher Oliver Hough discovered the vulnerability and reached out to ZDNet to disclosed the issue. PumpUp did not respond to ZDNet, but they did end up securing the server. It’s unclear for exactly how long the server had been sitting exposed.

12) Saks Fifth Avenue and Lord & Taylor became the source of 5 million credit and debit card records which were for sale on the JokerStash hacking syndicate. The discovery was made by security firm Gemini Advisory. After the discovery was disclosed, both Saks Fifth Avenue and Lord & Taylor took immediate steps to fix the issue. A class action lawsuit was filed against them by the customers whose data had been exposed and put up for sale. 

Hacking Image

In most of these situations, it was a journalist, outside researcher or a white hat hacker that found and disclosed the vulnerabilities. Often, it was too late to be dealt with. One of our Tinfoil Engineers wrote about this issue with disclosing vulnerabilities in a previous blog post. We still believe there are more good folks out there than bad folks, so we look forward to bringing joy and hope to the world of cybersecurity in 2019 and beyond!


Neda Blocho

With a background in running the world's top accelerator program out of Stanford University and a tour as a seed stage investor in Silicon Valley, Neda has seen first hand the great need for solving issues around cyber security! Neda makes sure the world knows how much better and safer their DevOps lives can be by partnering with Tinfoil.