Unsecured servers, weak passwords, and social engineering attacks are the most prevalent causes of data breaches, which were at the forefront in 2021. The odds are this trend won’t change anytime soon.
While data breaches have become routine in the cybersecurity world, each one still causes plenty of frustration for the targeted companies and the affected customers alike.
Well, Ghosties, here’s a roundup of some of the biggest data breaches that occurred in 2021. In case you missed any and use the services of the companies listed below, it’s never too late to change your password. Or at least you’ll know which companies don’t do a good job of protecting and securing user data.
SocialArks’s Faulty Database
SocialArks may not be a popular brand name, especially since it’s a Chinese-owned company. Still, given that it’s a marketing and brand-building firm that manages data across all popular social media platforms, it was just a question of time before it became the target of an extensive attack.
Flaws in SocialArks’ Elasticsearch database and server exposed personal and public details of more than 214 million social media users across platforms including Facebook, Instagram, and LinkedIn – among them several celebrities and influencers.
Security research firm Safety Detectives found the faulty database and server during a routine check. The server lacked any security key, encryption, or passwords, making it incredibly easy for cyber-attackers to scrape data from social media platforms.
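The gap described above (a server with no authentication and no encryption) is something a defender can check for in configuration before deployment. The following is an added example, not from the original article, SocialArks, or Safety Detectives: a small Python audit of a flat elasticsearch.yml. The setting names are real Elasticsearch settings; the sample configurations are constructed, and a missing setting is assumed to mean disabled.

```python
# Added example: flag the gaps described above in a flat elasticsearch.yml.
# Assumption: a missing setting counts as disabled (true for
# xpack.security.enabled before Elasticsearch 8.0; conservative afterwards).
MUST_BE_TRUE = {
    "xpack.security.enabled": "no authentication: anyone reaching the port can read every index",
    "xpack.security.http.ssl.enabled": "REST API traffic is not encrypted",
    "xpack.security.transport.ssl.enabled": "node-to-node traffic is not encrypted",
}
ALL_INTERFACES = {"0.0.0.0", "::", "_global_"}

def parse_flat_yaml(text):
    """Parse 'key: value' lines; nesting and lists are out of scope here."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        if ":" not in line:
            continue
        key, value = line.split(":", 1)
        settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return a list of human-readable findings; empty means no gap found."""
    s = parse_flat_yaml(text)
    enabled = lambda k: s.get(k, "false").lower() == "true"
    findings = [f"{k}: {why}" for k, why in MUST_BE_TRUE.items() if not enabled(k)]
    if s.get("network.host") in ALL_INTERFACES and not enabled("xpack.security.enabled"):
        findings.append("network.host: listening on all interfaces without authentication")
    return findings

# Constructed sample configurations (not taken from any real server).
EXPOSED = """
cluster.name: social-data
network.host: 0.0.0.0
http.port: 9200
"""
HARDENED = """
cluster.name: social-data
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
xpack.security.transport.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, cfg in (("EXPOSED", EXPOSED), ("HARDENED", HARDENED)):
        print(name, audit(cfg) or "no findings")
```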
Leaked SocialArks data covered social media users’:
- phone numbers
- email addresses
- the total number of followers
- most used hashtags
Facebook’s Older ‘Patched’ Vulnerability
Realizing a vulnerability when it’s too late would certainly fit the scenario of last year’s Facebook data breach. That’s because a database of 533 million Facebook records leaked on the dark web in April 2021 was actually the result of attackers who originally exfiltrated data in 2019.
Leaked Facebook data included personal information like:
- full names
- email addresses
- phone numbers
- other biographical details (including those of Facebook CEO Mark Zuckerberg)
Researchers’ analysis showed that a vulnerability in the contact importer feature led to this breach; the feature helps users find friends on the social media app through their phone’s contact list. Facebook reported that its staff patched this vulnerability in 2019. Yet the company said the incident isn’t exactly a breach, since attackers scraped publicly available data from its services, so it wasn’t caused by malicious code that tampered with the company’s security defenses.
The LinkedIn API Exploit
This LinkedIn data breach exposed the personal data of over 700 million users, around 92% of LinkedIn users. Cybercriminals scraped user data and put it up for sale on the dark web.
Compromised personal data included:
- full names
- phone numbers
- email addresses
- geolocation records
- LinkedIn username and profile URLs
- personal and professional experience
- social media accounts
The breach resulted from cyber-attackers exploiting LinkedIn’s API (application programming interface). APIs are a critical part of almost every business, as they transfer information between systems within a company or to external companies. For instance, when you log in to LinkedIn or any other website or platform, an API handles your login credentials to verify they’re correct.
LinkedIn has denied the data breach, claiming it was just a violation of their terms of service through forbidden data scraping. Representatives of LinkedIn stated:
…have determined that it is actually an aggregation of data from several websites and companies. It includes publicly viewable member profile data that appears to have been scraped from LinkedIn. This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.
The Refined Attack on T-Mobile
T-Mobile reported a data breach that was the result of a sophisticated cyber-attack. The breach affected:
- 7.8 million customers, who had their names, dates of birth, social security numbers, driver’s licenses, phone numbers, as well as IMEI and IMSI information stolen
- 40 million former or prospective customers, who had their names, dates of birth, social security numbers and driver’s licenses leaked
The attacker behind the security incident revealed his identity and publicly detailed how he conducted the attack from his home in Turkey. John Binns had been looking for security gaps in T-Mobile’s defenses through its internet addresses and accessed a data center where he could explore more than 100 of the company’s servers. From that moment, it was only a matter of a few days until he grabbed the personal data of millions.
Representatives of T-Mobile declared that apart from personal data, no financial information was exposed. Still, according to security experts, that personal data can create an enticing playground for cybercriminals. T-Mobile customers’ names and phone numbers are somewhat easy to find, but a database that combines them with details like phone carrier and home address makes it easier for cybercrooks to create successful phishing attacks. Similarly, they could use the same information for identity theft schemes.
Twitch’s Massive Data Exposure
The video game streaming service owned by Amazon faced a massive data breach that exposed almost all of Twitch’s code base and around 5 billion private business records. Cybercriminals published 125GB of sensitive data online, plus streamers’ financial records, that is, how much money Twitch streamers earn from playing online video games. Many streamers confirmed that the leaked data is accurate, while researchers showed that the exposed financial records go back over two years, so the vulnerability may have existed before 2021.
Twitch claimed a human error while working on a server led to a vulnerability, allowing unauthorized access by third parties. The company soon stated it had remediated the vulnerability. Still, the streaming service went through similar incidents in 2014 and 2017, making security experts and casual users question Twitch’s security practices.
What’s interesting about the Twitch breach is that the bad actors behind it didn’t have monetary gain as their main motive. The cybercriminals’ objective seems to have been a sort of punishment of Twitch for supporting a toxic community of users.
The sensitive data that was posted on the anonymous forum 4chan includes:
- Twitch’s entire source code
- Payout reports for creators (including high-profile creators)
- Code related to SDKs (software development kits) and internal AWS (Amazon Web Services) used by Twitch
- The identity of an unreleased Steam competitor from Amazon Game Studios – “Vapor”
- Twitch’s internal ‘red teaming tools’ (used by internal security teams for simulating cyber-attacks)
A Social Engineering Attack on Robinhood Systems
Online stock trading platform Robinhood announced it was the target of an attack that compromised more than 5 million customer email addresses and 2 million customer names. Additionally, a small number of customers had ‘more extensive account details revealed.’ Yet, the trading company mentioned these details don’t include sensitive data like Social Security numbers, bank account or debit card numbers.
In Robinhood’s case, a vishing (social engineering over the phone) attack occurred: a customer service employee was tricked into giving an unauthorized third party access to the company’s information. The attacker succeeded in getting into the company’s customer support systems and capturing Robinhood users’ personal data. The attacker also accessed an internal tool and changed users’ accounts.
After Robinhood safeguarded its systems, the attacker ‘demanded an extortion payment.’ The company refused to pay and instead collaborated with law enforcement and an external cyber-security firm to investigate and deal with the breach.
Countering Data Breaches
The aftermath of a data breach is risky business. Cybercriminals can use your exposed personal information for a wide array of fraud schemes, like phishing attacks, backdoor attacks, browser hijacking, identity theft and other types of scams you might not even imagine. Even marketers can take advantage of this data to bombard you with targeted but unwanted advertising.
You can’t prevent some data breaches, but you can at least hold on to the few safe habits that only you can enforce to protect your data.
Remember to:
- Create complex and strong passwords
- Use a password manager
- Always use a VPN on open public Wi-Fi networks
- Improve the security of IoT devices
- Pay attention to tell-tale signs of phishing scams
- Use MFA (multi-factor authentication) or 2FA (two-factor authentication) whenever possible, or at least for your most important and sensitive accounts
*Plus: You can rely on a password monitoring security product like CyberGhost ID Guard. With its Leak Monitor feature, you can add your email addresses and get alerts whenever your passwords get exposed in a data breach.
Has your data been exposed in any of the listed data breaches?
Let me know in the comments below.