Though this isn’t really a breach, it’s inexcusable for any company, especially one as well-equipped as Twitter, to store user passwords in plaintext.
How did it happen: Twitter discovered a bug that stored passwords unmasked in an internal file.
When was it disclosed to the public: Ma4.
How: An “unauthorized party” acquired data associated with MyFitnessPal user accounts.
Data imported from linked networks when authorized by users
Disclosed to the public: Decem5.
How: A “malicious third party” accessed Quora’s systems and compromised user data.
When: Octo(included all accounts created up to and including that day)
Disclosed to the public: J6.
MyHeritage added two-factor authentication options for users to protect against account takeover.
How: A security researcher found a file containing email addresses and hashed passwords on a private server outside of MyHeritage.
Facebook user preferences and interests
Disclosed to the public: Ma7.
It’s important to note that this isn’t really a breach, but more a misuse of user data.
How: Cambridge Analytica exploited a loophole in Facebook’s API that allowed third-party developers to collect data not only from users of their apps but from all the people in those users’ friends network on Facebook.
Facebook (via Cambridge Analytica): 87 million
When: 2015 – March 2018 Novem– November 13, 2018
First discovered: March 2018 Not provided
Disclosed to the public: OctoDecem8.
Some other personal information collected by Google+.
Then in December, Google revealed a second data breach that exposed the personal information of 52.5 million Google+ accounts for six days to third-party Google+ apps.
That breach was disclosed by Google several months after it was discovered, in part because of fears that disclosing the breach would draw regulatory scrutiny and cause reputational damage, according to the Wall Street Journal.
How: An initial breach affecting 500 thousand Google+ users was first reported on October 8, 2018.
Interestingly, Chegg publicly disclosed the breach to the SEC, not to the affected customers.
Disclosed to the public: Septem9.
The company reset passwords for all 40 million customers.
How: An “unauthorized party” gained access to a database of user data.
Last four digits of customer credit card numbers
Disclosed to the public: Ap10.
Eight months later, they secured the leak.
Panera was notified on August 2, 2017, but ignored repeated requests by security researchers to fix the database leak.
How: A database leak led to the plaintext exposure of customer records.
Some other personal information collected by Facebook
Disclosed to the public: Septem11.
How: Hackers exploited a flaw in Facebook’s “view as” feature that allowed hackers to “steal Facebook access tokens which they could then use to take over people’s accounts.”
How: A hacker gained access to the Ticketfly platform through a “malicious cyber attack.” They provided no further explanation.
Disclosed to the public: J12.
Timehop has since added two-factor authentication to secure access.
Disclosed to the public: J13.
How: An attacker gained access to Timehop’s cloud computing environment, because it wasn’t protected with two-factor authentication.
How: A hacker seized a voter registration database the Bee had obtained from the state for reporting purposes and another of personal information of Bee subscribers.
First discovered: A week before it was disclosed to the public
Disclosed to the public: Febru14.
How: Cathay Pacific discovered “unauthorized access to some of its information system.” They provided no further explanation.
Disclosed to the public: Octo15.
The hackers announced that they planned to sell the credit card numbers on the dark web.
Disclosed to the public: April 1st, 2018 16.
How: Hacking group JokerStash was able to infect the retailers’ point-of-sale systems with malware that was likely installed through phishing emails and steal credit card numbers.
How: An “international group” of hackers accessed company servers through an API that “didn’t contain any financial data or other very sensitive data.” The attack was caught the same day.
Disclosed to the public: Aug17.
When: Janu– JOcto– December 22, 2017
Disclosed to the public: Ma18.
How: An attacker accessed a legacy company system (not ), which compromised customer data.
When: August 21, 2018 – September 5, 2018
Disclosed to the public: Septem19.
How: A known hacking group injected malicious code onto a poorly secured webpage on British Airways’ website in order to covertly capture personal and payment data. Let’s count down 2018’s 20 biggest breaches: 20.