Biggest breaches of 2016 - the year your personal data was probably compromisedThursday, December 29, 2016
A selection of data breaches from 2016 soon tallies up to nearly the entire online population, numerically speaking – mainly thanks to Yahoo. Are you one of the 0.6per cent that are still secure?
It’s been a turbulent 12 months by anyone’s measure, from two sets of divisive election results, the celebrity ‘curse of 2016’ which kept striking right till the end, through to record-breaking DDoS attacks and staggeringly huge data breaches. These data breaches, numerically, have impacted on nearly every person online in just this short period alone – so how do the figures stack up?
Top of the list has to be the troubled digital enterprise Yahoo, fresh from the damaging admission in September that 500 million user accounts had been compromised between 2014 and discovery earlier this year. This alone made international headlines, and stood as the biggest data breach in history at that point.
Ilia Kolochenko, CEO High-Tech Bridge commented at the time: “It's pretty worrying to see that even such companies as Yahoo cannot detect breaches when they occur, and start acting only once customer data is for sale in the public domain. Yahoo users can expect a huge rise in password reuse and spear-phishing attacks as a result of this breach, which they have now had no opportunity to prepare for.”
However, the 2016 fun wasn’t over for Yahoo yet, with Yahoo’s chief information security officer Bob Lord being forced to issue a statement in December:
“Based on further analysis of this data by the forensic experts, we believe an unauthorized third party, in August 2013, stole data associated with more than one billion user accounts. We have not been able to identify the intrusion associated with this theft.”
Sadly, for data fans it’s not clear how much duplication there was between these two breaches, but as Brian Krebs said in a blogpost: “For years I have been urging friends and family to migrate off of Yahoo email, mainly because the company appeared to fall far behind its peers in blocking spam and other email-based attacks. But also because of pseudo-security features (like secret questions) that tend to end up weakening the security of accounts. I stand by that recommendation.”
Yahoo received considerable infosecurity industry criticism back in 2013 over the lacklustre implementation of a bug bounty programme, which offered external researchers very little in the way of reward for reporting vulnerabilities, in an incident which became known as t-shirt gate.
Interestingly, the XSS vulnerabilities uncovered at that time by High-Tech Bridge allowed any @yahoo.com email account to be compromised simply by a logged-in Yahoo user clicking on a specially crafted link. Yahoo also disclosed that it has been investigating a more malicious method of account compromise, which involved the creation of forged cookies that could allow an intruder to access users’ accounts without a password. “We believe an unauthorized third party accessed our proprietary code to learn how to forge cookies. We have connected some of this activity to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016”, said Bob Lord.
While Yahoo may be the most recent and by far the biggest breach, there are plenty of other candidates not far behind in terms of scale, and many of them were only spotted long after the event, when user data was offered for sale on the dark web. For a fascinating animated visualisation, check out this breach list.
In May 2016, 167 million LinkedIn accounts were found for sale, but only 117 million of those accounts including email addresses and hashed passwords. These had been stolen in 2012, and forced the social network to reset user passwords. In the same month, a researcher found the login details for 65 million Tumblr users for sale on a dark web forum, and in a separate incident the login details for 360 million MySpace users were discovered on an online hacking forum - although MySpace was slightly coy about confirming the full extent of the breach.
In August, 68 million Dropbox login credentials were discovered, thought to have been stolen in 2012. They included two sets of login usernames and hashed passwords, a 29-year-old Russian citizen was subsequently arrested in the Czech Republic and indicted for both the breach of LinkedIn and Dropbox in 2012.
Of course, until Yahoo, these 660 million records seemed quite a large number, but it’s not always scale that counts the most, as the UK’s National Lottery operator, Camelot managed to prove. Although ‘only’ 26,500 players' accounts were accessed in November according to the company, the details compromised ‘might’ include name, contact details, date of birth, transaction history, account preferences, last four digits of their card number and expiry date of card - which is quite a full tranche of data. So much so that the Information Commissioner’s Office (ICO) formally commented on the breach: “We are aware of this incident and we have launched an investigation. The Data Protection Act requires organisations to do all they can to keep personal data secure – that includes protecting it from cyber attacks. Where we find this has not happened, we can take action. Organisations should be reminded that cyber-security is a matter for the boardroom, not just the IT department.”
UK network operator Three suffered a similarly detailed breach in November also, when the company’s upgrades database was attacked, potentially placing two thirds of the company's nine million customers could at risk. Data included names, phone numbers, addresses and dates of birth, but not financial information. Only the month before (October) TalkTalk was hit with a record fine of £400,000 by the ICO for an attack in 2015 that exposed personal details of more than 150,000 customers and cost the company more than £40 million to rectify. The information commissioner, Elizabeth Denham, said the telecoms provider had failed to apply “the most basic cyber security measures”, leaving its database vulnerable to a SQL injection attack after failing to apply a fix for a software bug that had been available for more than three years.
The question of prevention was picked up by an Internet Society report late in the year, which reckoned that 93 per cent of data breaches are preventable, and found that external attack was the most prevalent security issue, albeit covering off issues ranging from zero-day exploits through to attacks via known vulnerabilities that have not been patched.
In this short selection of 2016 breach ‘highlights’ we’re talking about 2.76 billion personal data records being compromised, or 39.43 per cent of the entire global population (approx. 7 billion). Given that only an estimated 40 per cent of that population have internet access, that’s a fairly damning indictment - less than 0.6 of the online population (numerically speaking) have not had data compromised in 2016. The real issue for individuals is the trickle down effect of compromised credentials, as demonstrated by the issues Groupon users began experiencing in late 2016, where Groupon itself has not been compromised, but log-in and password information has been accessed via third party websites.
As Ilia Kolochenko, CEO of web security firm, High-Tech Bridge commented on that news:
“Chained attacks, using compromised passwords and personal data from previous breaches, will continue growing in the future. Many people use the same password or secret question on all their accounts, and once a single account is hacked, others can be easily compromised in a domino effect.”
“Moreover, even if users have different passwords, they frequently use similar ones, making them easily guessable or brute-forcible. This is a real El Dorado for cybercriminals, who can leverage outcomes of one major breach to get profit during months or even years.”
“Large companies normally should have advanced anti-fraud systems, such as detection of unusual user activity or suspicious behaviour. Nowadays machine learning technologies can do this pretty well. For low-score alerts users should receive a notification and a possibility to instantly block the transaction. For high or repetitive low score alerts, accounts must be temporarily suspended until user identity is verified. This is not an easy task though, as you can erroneously block a legitimate user from making a purchase, and some companies prefer to allow criminal activities rather than investing in advanced anti-fraud systems with low level of false-positives, putting their users at great risk. If fraud prevention systems are not properly implemented, consumers may have a valid reason to sue negligent retailers and claim reimbursement for their financial losses.”
“For end-users, I suggest using strong and unique passwords for every service, enabling two-factor authentication where available, and using a dedicated pre-paid credit card for online shopping. These measures can significantly reduce the risk of falling victim to cybercriminals.”
So, will 2017 offer any solutions to the problem? Don’t hold your breath for too long!