
The 20 Biggest Data Breaches of 2018

The digital information that we save and share online—our private, personal data—is sought after not only by hackers and cybercriminals, but even by foreign governments. Why? Because data is the new oil. Our information has value, and we need to collectively start treating it that way. We need to stop reusing passwords, stop saving personal and payment information online wherever possible, and most importantly, we need to fight for our data. Big companies we trust are getting breached more often and on a larger scale than ever before. In 2018, newsworthy data breaches seemed to occur every other week. We not only had more mega-breaches last year—including several with over 100 million people affected—but also more breaches of mega-companies like Marriott, Facebook, Google, Twitter, and Under Armour. Let’s count down 2018’s biggest data breaches, hacks, leaks, bugs, and abuses to see what we can learn about improving security practices in 2019.
Data Breaches 2018: The 20 Biggest of the Year


Let’s count down 2018’s 20 biggest breaches:

20. British Airways: 380 thousand

How: A known hacking group injected malicious code into a poorly secured page on British Airways’ website to covertly capture personal and payment data.
What was included:
  • Names
  • Addresses
  • Email addresses
  • Sensitive payment card details
When: August 21, 2018 – September 5, 2018
First discovered: September 6, 2018
Disclosed to the public: September 7, 2018

19. Orbitz: 880 thousand

How: An attacker accessed a legacy company system (not Orbitz.com), which compromised customer data.
What was included:
  • Names
  • Addresses
  • Phone numbers
  • Email addresses
  • Other personal information
  • Payment card information
When: January 1, 2016 – June 22, 2016; October 1, 2017 – December 22, 2017
First discovered: March 1, 2018
Disclosed to the public: March 20, 2018

18. T-Mobile: 2 million

How: An “international group” of hackers accessed company servers through an API that “didn’t contain any financial data or other very sensitive data.” The attack was caught the same day.
What was included:
  • Names
  • Email addresses
  • Account numbers
  • Billing information
  • Encrypted passwords
When: August 20, 2018
First discovered: August 20, 2018
Disclosed to the public: August 23, 2018

17. Saks and Lord & Taylor: 5 million

How: Hacking group JokerStash infected the retailers’ point-of-sale systems with malware, likely installed through phishing emails, and stole credit card numbers. The hackers announced that they planned to sell the credit card numbers on the dark web.
What was included:
  • Payment card numbers
When: May 2017 – March 2018
First discovered: Not provided
Disclosed to the public: April 1, 2018

16. Cathay Pacific: 9.4 million

How: Cathay Pacific discovered “unauthorized access to some of its information system[s].” They provided no further explanation.
What was included:
  • Names
  • Nationalities
  • Dates of birth
  • Addresses
  • Email addresses
  • Phone numbers
  • Frequent flier numbers
  • Some passport numbers
  • Some credit card numbers
When: Unknown
First discovered: Early March 2018
Disclosed to the public: October 24, 2018

15. Sacramento Bee: 19.5 million

How: A hacker seized two databases: a voter registration database the Bee had obtained from the state for reporting purposes, and a database of Bee subscribers’ personal information.
What was included:
  • Names
  • Addresses
  • Email addresses
  • Phone numbers
  • Party affiliations
  • Dates of birth
  • Places of birth
When: January 2017
First discovered: A week before it was disclosed to the public
Disclosed to the public: February 7, 2018

14. Timehop: 21 million

How: An attacker gained access to Timehop’s cloud computing environment because it wasn’t protected with two-factor authentication. Timehop has since added two-factor authentication to secure access.
What was included:
  • Names
  • Email addresses
  • Dates of birth
  • Phone numbers
  • Other personal information
When: July 4, 2018
First discovered: July 4, 2018
Disclosed to the public: July 8, 2018

13. Ticketfly: 27 million

How: A hacker gained access to the Ticketfly platform through a “malicious cyber attack.” They provided no further explanation.
What was included:
  • Names
  • Addresses
  • Email addresses
  • Phone numbers
When: Late May 2018
First discovered: May 30, 2018
Disclosed to the public: June 7, 2018

12. Facebook: 29 million

How: Hackers exploited a flaw in Facebook’s “view as” feature that allowed them to “steal Facebook access tokens which they could then use to take over people’s accounts.”
What was included:
  • Names
  • Phone numbers
  • Email addresses
  • Some other personal information collected by Facebook
When: July 2017 – September 25, 2018
First discovered: September 25, 2018
Disclosed to the public: September 28, 2018

11. Panera Bread: 37 million

How: A database leak exposed customer records in plaintext. Panera was notified on August 2, 2017, but ignored repeated requests from security researchers to fix the leak; the database was only secured eight months later.
What was included:
  • Names
  • Addresses
  • Email addresses
  • Dates of birth
  • Last four digits of customer credit card numbers
When: August 2, 2017 – April 2, 2018
First discovered: August 2017
Disclosed to the public: April 2, 2018

10. Chegg: 40 million

How: An “unauthorized party” gained access to a database of user data. The company reset passwords for all 40 million customers. Interestingly, Chegg publicly disclosed the breach to the SEC, not to the affected customers.
What was included:
  • Names
  • Shipping addresses
  • Email addresses
  • Usernames
  • Passwords
When: April 29, 2018 – September 19, 2018
First discovered: September 19, 2018
Disclosed to the public: September 25, 2018

9. Google+: 52.5 million

How: An initial breach affecting 500 thousand Google+ users was first reported on October 8, 2018. That breach was disclosed by Google several months after it was discovered, in part because of fears that disclosing the breach would draw regulatory scrutiny and cause reputational damage, according to the Wall Street Journal. Then in December, Google revealed a second data breach that exposed the personal information of 52.5 million Google+ accounts for six days to third-party Google+ apps.
What was included:
  • Names
  • Email addresses
  • Dates of birth
  • Some other personal information collected by Google+
When: 2015 – March 2018; November 7, 2018 – November 13, 2018
First discovered: March 2018; Not provided
Disclosed to the public: October 8, 2018; December 10, 2018

8. Facebook (via Cambridge Analytica): 87 million

How: Cambridge Analytica exploited a loophole in Facebook’s API that allowed third-party developers to collect data not only from users of their apps but from all the people in those users’ friend networks on Facebook. It’s important to note that this isn’t really a breach, but more a misuse of user data.
What was included:
  • Facebook user profile data
  • Facebook user preferences and interests
When: 2013 – 2015
First discovered: Not provided
Disclosed to the public: March 17, 2018

7. MyHeritage: 92 million

How: A security researcher found a file containing email addresses and hashed passwords on a private server outside of MyHeritage. MyHeritage added two-factor authentication options for users to protect against account takeover.
What was included:
  • Email addresses
  • Encrypted passwords
When: October 26, 2017 (included all accounts created up to and including that day)
First discovered: June 4, 2018
Disclosed to the public: June 4, 2018

6. Quora: 100 million

How: A “malicious third party” accessed Quora’s systems and compromised user data. They provided no further explanation.
What was included:
  • Names
  • Email addresses
  • Encrypted passwords
  • Data imported from linked networks when authorized by users
When: Unknown
First discovered: November 30, 2018
Disclosed to the public: December 3, 2018

5. Under Armour (MyFitnessPal): 150 million

How: An “unauthorized party” acquired data associated with MyFitnessPal user accounts. No further explanation was provided.
What was included:
  • Usernames
  • Email addresses
  • Encrypted passwords
When: February 2018
First discovered: March 25, 2018
Disclosed to the public: March 29, 2018

4. Twitter: 330 million

How: Twitter discovered a bug that stored passwords unmasked in an internal file. Though this isn’t really a breach, it’s inexcusable for any company—especially one as well-equipped as Twitter—to store user passwords in plaintext. Twitter asked all of its users to reset their passwords as a result.
What was included:
  • Plaintext passwords
When: Unknown
First discovered: Not provided
Disclosed to the public: May 3, 2018

3. Exactis: 340 million

How: Security researcher Vinny Troia notified Exactis that a comprehensive collection of its data had leaked. Exactis secured the database after Troia’s notification but never publicly addressed the leak. Morgan & Morgan, a national law firm headquartered in New York, filed a class action lawsuit against Exactis.
What was included:
  • Names
  • Addresses
  • Email addresses
  • Phone numbers
  • Other personal information including habits and hobbies, and the number, ages, and genders of the person’s children
When: Unknown
First discovered: Early June 2018
Disclosed to the public: June 27, 2018

2. Marriott: 500 million

How: Marriott received an alert from an internal security tool about an attempt to access the Starwood guest reservation database. During the investigation, Marriott learned that there had been unauthorized access to the Starwood network since 2014, and that an unauthorized party had copied and encrypted information and had taken steps to remove it.
What was included:
  • Names
  • Addresses
  • Phone numbers
  • Email addresses
  • Passport numbers
  • Dates of birth
  • Other personal information
When: 2014 – September 10, 2018
First discovered: September 8, 2018
Disclosed to the public: November 30, 2018

1. Aadhaar: 1.1 billion

How: The Indian government, which manages the ID database “Aadhaar,” ignored repeated attempts by security researchers to get a database leak fixed; the leak was caused by an unsecured API endpoint connected to a state-owned utility company. Only after the vulnerability was publicly disclosed did the government secure the database.
What was included:
  • Names
  • Unique 12-digit identity numbers
  • Information about services they are connected to, such as bank details and other private information
When: Unknown
First discovered: Not provided
Disclosed to the public: March 23, 2018

Takeaways:

  1. Any company can be breached. Securing user data is highly complex and requires a tremendous investment. And even with sizable security investments, behemoths like Facebook and Google are still failing. Which leads us to takeaway number two…
  2. Assume that your user data is exposed. This isn’t to scare you or make you think that identity theft is imminent—this is just a reality check. There have been too many hacks, breaches, leaks, data abuses, and misuses across too many services to honestly believe that your data isn’t available somewhere it shouldn’t be. It’s why we’re so adamant about eliminating password reuse. Yet, despite the data in question being our own, we currently have very limited control over it, which leads us to our final takeaway…
  3. New and improved legislation around data privacy is critical. To truly own our personal data, we first must demand legislation that punishes those who store it unnecessarily, insecurely, or without our explicit consent. The E.U.’s recent GDPR legislation is a good blueprint. It requires companies that collect data on E.U. residents to explain what they plan to use it for, to get explicit consent from each consumer in order to use their data, and to delete any data associated with an individual if requested. If it’s the government’s imperative to protect its citizens, then keeping our private data out of the hands of hackers, criminals, and foreign governments is a good place to start.
