Discover the ranking of the worst data breaches that occurred throughout 2019. Disastrous incidents that remind us that data protection remains a real issue …
As time goes by, one would expect data leakage to become scarce and be better controlled. After all, companies now know this danger and know what steps to take to avoid it …
However, in reality, things are going from bad to worse. The more and more coveted, and therefore represent a precious booty for criminals of all stripes. In fact, in addition to being ever more numerous, hackers redouble their efforts to steal personal information.
The increase in data leaks is also proportional to the massive increase in the volume of data generated by humanity. Thus, according to the RiskBased Data Breach QuickView Report 2019 Q3, the number of data leaks in the third quarter of 2019 was up 33.3% compared to the same period in 2018. The number of records exposed, on the other hand, increased by 112%.
In 2018, the total number of stolen records was 500 million. As 2019 draws to a close, the question is: know if this number will be higher this year. Disclosure: it’s highly likely, if we review the worst data leaks of 2019 …
108 million records leaked
In January 2019, the website ZDnet announced the leakage of more than 108 million records from of the online casino group Mountberg Limited. The records in question were bets made by customers of the group’s casinos, and collected personal information about them as well as the amount of their deposits and withdrawals.
These data were exposed on an ElasticSearch server that was not password protected. They were discovered by security researcher Justin Paine. It is not known, however, whether criminals have got hold of this information …
130 million records leaked
In May 2019, the Canva online graphics tool was the victim of a massive data breach impacting 139 million users. Some of the leaked information includes usernames, real names, email addresses, passwords and geographic information from users.
Of the 139 million victims, 78 million had a linked Gmail account to their Canva account. The hacker behind the leak then released data for 932 million users from 44 companies on the Dark Web.
Chinese job seekers
Leak of 202 million records
In January 2019, cybersecurity researcher Bob Diachenko from Hacken discovered 854 Gb MongoDB database exposed on the web. This database gathered 202,730,434 records on Chinese job seekers.
Among the data are: candidates’ skills and professional experience. Personal information about them has also been disclosed, such as their phone numbers, email addresses, marital status, political orientation, body measurements and even their salary ambitions …
According to the Chinese company BJ.58.com, this data was aggregated by a third party company collecting information from many websites professionals. A week after Diachenko discovered the breach, the database was finally secure.
275 million records leaked
In May 2019, shortly after Chinese job seekers’ data leaked, Bok Diachenko again announced a disaster discovery. This time, the exposed MongoDB database contained 275,265,298 Indian citizen registrations containing very confidential personal information.
Among the leaked data are the names, genres, dates of birth, email addresses, telephone numbers and professional information of the victims. The database remained unprotected for more than two weeks. It was hosted on AWS.
Third-party Facebook applications
540 million records leaked
In April 2019, security researchers at UpGuard discovered that data sets from two Facebook applications developed by third parties were exposed on the web. The first database came from the Mexican company Cultura Colectiva. It weighed 146 gigabytes and contained more than 540 million records such as victims’ comments, likes, reactions, account names and Facebook identifiers.
The second application, “At the Pool”, has been exposed on the web through an Amazon S3 bucket. Again it contains information such as usernames, friend lists, interests or Facebook identifiers of users …
Data from 16 sites for sale on the Dream Market
620 million records leaked
In February 2019, The Register announced that 617 million accounts had been stolen from 16 hacked websites and listed on the Dream Market of the Dark Web.
These websites are 8fit, Whitepages, EyeEm, Artsy, DataCamp, Fotolog, 500px, Armor Games, BookMate, CoffeeMeetsBagel, Dubsmash, MyFitnessPal, MyHeritage, ShareThis, HauteLook, and Animoto.
By taking these stolen accounts, buyers were able to get their hands on user names, email addresses and passwords. However, passwords were hashed and therefore had to be decrypted before they could be used.
Collection # 1
773 million records leaked
In January 2019, Troy Hunt discovered a dataset including a total of 2,692,818,238 entries. The information exposed was mainly email addresses and passwords from more than a thousand data breaches. The number of unique email addresses reached 772,904,991.
The 87GB of data was grouped in Collection # 1 hosted on the MEGA Cloud service, and advertisements were posted on a popular forum with hackers…
808 million records leaked
The MongoDB database containing 150 Gb of marketing data exposed on the big day was discovered by Bob Diachenko and Vinny Troia in April 2019. It belonged to the email validation company Verifications.io.
Immediately warned by Diachenko, the firm deactivated its database. The latter contained four separate data collections for a total of 808,539,939 records.
885 million records leaked
In July 2019, the First American Financial Corp, first real estate insurance company in the United States, was affected by a data breach. The transaction records of 885 million individuals were exposed.
The oldest data dates back to 2003. Some of the information on the run includes bank account numbers, social security numbers, driver’s license photos, and transaction receipts. Anyone could access it via a web browser without needing to identify themselves …
Over a billion records leaked
It was in December 2019 that the third biggest data breach of the year occurred. Researchers Noam Rotem and Ran Locar of vpnMentor have discovered an exposed data base belonging to the American communications company TrueDialog.
This Austin, Texas-based company develops SMS solutions for small and large businesses. It works with more than 990 telecom operators and has more than 5 billion subscribers worldwide.
Unfortunately, his image is very likely to be tarnished following this incident. The leaked database, hosted on Microsoft Azure and running on the Oracle Marketing Cloud, contained 604 GB of data. In total, over a billion records of highly sensitive data were exposed.
Millions of text messages, full recipient and user names, email addresses, phone numbers, account details and of course the content of the messages were in free access…
Leak of 2 billion records
Just like for TrueDialog, the linked database Orvibo connected home products was discovered by Rotem and Locar of vpnMentor. Over two billion records have been exposed.
of the users around the world have been affected, since researchers have discovered user logs from France, the United Kingdom, the United States, Mexico, China, Japan, Thailand, Australia and Brazil.
Leaked data includes email addresses, passwords, precise geolocation coordinates, IP addresses, usernames, and more. the list of IoT devices used by victims.
Contacted by email on June 16, 2019, Orvibo did not immediately react. Even when researchers tried to alert him via Tweet, the reaction was long overdue. In total, we had to wait two weeks so that this database is finally secure.
Leak of 4 billion records
It’s simply the biggest data breach of 2019, and one of the biggest Data Leaks from a single source throughout the history of computing.
In October 2019, researchers Diachenko and Troia discovered a database that is easily accessible via the web since it is stored on an unsecured ElasticSearch server. This database contained 4 terabytes of personal data for a total of 4 billion records.
The leaked data includes the names, email addresses, phone numbers, as well as the Facebook and LinkedIn profiles of the victims. This gargantuan dataset actually came from two companies specializing in data enrichment…
In addition to having poorly protected the server, the data aggregator therefore obtained and used personal information of victims without their consent. This is what makes this data breach particularly scandalous …