The target: India’s national ID database, Aadhaar.
The take: Names, unique identity numbers, bank details and other private information for more than 1.1 billion enrolled Indian residents.
The attack vector: One utility company's channel into the Aadhaar database had no access control, relied on a hard-coded access token, and enforced no rate limiting, so an attacker could cycle through every possible Aadhaar number and retrieve a record each time a valid number was hit.
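The three missing controls above (authentication, a per-client credential, a rate limit) are what turn a lookup endpoint into an enumeration oracle. The following is an added example, not code from the article or from any Aadhaar/UIDAI system: a toy lookup service in its open form beside a hardened form, with an attacker loop run against each. The identifiers, records, client name, token and limits are constructed for illustration.

```python
"""Identifier lookup API with and without the controls missing in the Aadhaar case.

Added example, not code from the article or from any Aadhaar/UIDAI system.
The identifiers, records, client name, token and limits are all constructed
for illustration; the point is the pattern, not the real API.
"""
import hmac
import time
from collections import deque
from typing import Optional

# Constructed sample records keyed by a 12-digit identifier (made-up numbers).
RECORDS = {
    "123412341234": {"name": "A. Example", "bank": "XXXX0001"},
    "123412341240": {"name": "B. Example", "bank": "XXXX0002"},
}

# Constructed per-client credential. In the breach one token was hard-coded in
# the client, so anyone holding the app also held the credential.
CLIENT_TOKENS = {"utility-app": "demo-token-not-real"}


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `window` seconds for each client."""

    def __init__(self, limit: int, window: float, clock=time.monotonic):
        self.limit = limit
        self.window = window
        self.clock = clock          # injectable so the demo is deterministic
        self._hits: dict[str, deque] = {}

    def allow(self, client: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(client, deque())
        while q and now - q[0] >= self.window:
            q.popleft()             # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def vulnerable_lookup(uid: str) -> Optional[dict]:
    """No authentication and no rate limit: the whole keyspace is walkable."""
    return RECORDS.get(uid)


def hardened_lookup(uid: str, client: str, token: str,
                    limiter: SlidingWindowLimiter) -> tuple[int, Optional[dict]]:
    """Same lookup behind a per-client credential and a rate limit.

    Returns an HTTP-style status and the record (only on 200).
    """
    expected = CLIENT_TOKENS.get(client)
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if expected is None or not hmac.compare_digest(expected, token):
        return 401, None
    if not limiter.allow(client):
        return 429, None
    if not (len(uid) == 12 and uid.isdigit()):
        return 400, None
    record = RECORDS.get(uid)
    return (200, record) if record is not None else (404, None)


def enumerate_vulnerable(start: int, count: int) -> list[str]:
    """Attacker loop against the open endpoint: every valid number is a hit."""
    return [f"{n:012d}" for n in range(start, start + count)
            if vulnerable_lookup(f"{n:012d}") is not None]


def enumerate_hardened(start: int, count: int, client: str, token: str,
                       limiter: SlidingWindowLimiter) -> dict:
    """Same loop against the hardened endpoint; tallies statuses and hits."""
    statuses: dict[int, int] = {}
    hits: list[str] = []
    for n in range(start, start + count):
        status, record = hardened_lookup(f"{n:012d}", client, token, limiter)
        statuses[status] = statuses.get(status, 0) + 1
        if record is not None:
            hits.append(f"{n:012d}")
    return {"statuses": statuses, "hits": hits}


if __name__ == "__main__":
    # Frozen clock: all 20 requests land inside one 60-second window.
    limiter = SlidingWindowLimiter(limit=5, window=60.0, clock=lambda: 0.0)
    print("open endpoint:", enumerate_vulnerable(123412341230, 20))
    print("hardened, valid token:",
          enumerate_hardened(123412341230, 20, "utility-app",
                             "demo-token-not-real", limiter))
    print("hardened, wrong token:",
          enumerate_hardened(123412341230, 20, "utility-app", "wrong", limiter))
```

Against the open endpoint the loop finds both constructed records; against the hardened one, a caller with the right token gets five answers and then nothing but 429s until the window expires, and a caller without it gets only 401s. Note that a rate limit keyed on a shared, hard-coded token is still one budget for every copy of the app, which is why the credential has to be per client for the limit to mean anything.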
The target: Firebase, a Backend-as-a-Service offering from Google marketed to mobile app developers.
The take: Over 100 million records from thousands of mobile apps, including plaintext user ID and password combinations, GPS location records, financial records, health records and session tokens.
The attack vector: Security researchers found thousands of Firebase databases deployed with security rules that neither required authentication nor restricted reads, allowing unauthorized third parties to view and exfiltrate application data with nothing more than the database URL.
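What "does not require authentication" looks like in practice is a Realtime Database rule set that grants `.read` or `.write` with a literal `true` or an expression that never tests `auth`. The following is an added example, not code from the article, from the researchers it cites or from Google: a small auditor that walks a rule set and reports every grant reachable without authentication, run over a constructed weak rule set and a constructed hardened one. The rule semantics it relies on (grants cascade to every descendant; `true` means anyone) are Firebase's documented behaviour; the rule sets themselves are made up.

```python
"""Flag Firebase Realtime Database rules that grant access without authentication.

Added example, not code from the article, from the researchers it cites or
from Google. The two rule sets are constructed for illustration. The model
being checked is Firebase's documented behaviour: a `.read` or `.write`
granted at a node cascades to every descendant, and a rule value of `true`
(or an expression that never tests `auth`) grants access to unauthenticated
callers.
"""
import json

# Constructed: the shape of the exposed databases, everything readable and
# writable by anyone who knows the database URL.
WEAK_RULES = json.loads("""
{
  "rules": {
    ".read": true,
    ".write": true
  }
}
""")

# Constructed: each user confined to their own subtree, with one deliberately
# public node kept for a read-only client config.
HARDENED_RULES = json.loads("""
{
  "rules": {
    "users": {
      "$uid": {
        ".read": "auth != null && auth.uid == $uid",
        ".write": "auth != null && auth.uid == $uid"
      }
    },
    "public_config": {
      ".read": true,
      ".write": "auth != null && auth.token.admin == true"
    }
  }
}
""")

OPS = (".read", ".write")
NON_ACCESS_KEYS = (".validate", ".indexOn")


def find_unauthenticated_grants(rules: dict) -> list[tuple[str, str, object]]:
    """Return (path, op, value) for each .read/.write reachable without auth.

    `true`, or a string expression that does not mention `auth`, is treated
    as an unauthenticated grant. Because rules cascade, a grant at "/" means
    the whole database is exposed, not just the root node.
    """
    findings: list[tuple[str, str, object]] = []

    def walk(node: dict, path: str) -> None:
        for key, value in node.items():
            if key in OPS:
                open_grant = value is True or (
                    isinstance(value, str)
                    and "auth" not in value
                    and value.strip() != "false")
                if open_grant:
                    findings.append((path or "/", key, value))
            elif key in NON_ACCESS_KEYS:
                continue            # validation and index hints grant nothing
            elif isinstance(value, dict):
                walk(value, f"{path}/{key}")

    walk(rules.get("rules", {}), "")
    return findings


def is_world_readable(rules: dict) -> bool:
    """True when an unauthenticated .read sits at the root (entire DB exposed)."""
    return any(path == "/" and op == ".read"
               for path, op, _ in find_unauthenticated_grants(rules))


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "world-readable:", is_world_readable(rules))
        for path, op, value in find_unauthenticated_grants(rules):
            print(f"  {op} at {path} -> {value!r}")
```

The weak rule set produces two findings at `/`, which is the whole-database exposure the researchers described; the hardened set produces one, the intentionally public `public_config` node, which is exactly the kind of grant an auditor should see listed and sign off on rather than have silently pass. The equivalent check against a live database is an unauthenticated GET of `https://<project>.firebaseio.com/.json`: a correctly locked-down database answers `{"error": "Permission denied"}`, an exposed one returns its contents.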
The target: Investment Management firm BlackRock.
The take: Three separate spreadsheets, containing names, e-mail addresses, and assets invested in iShares ETFs for about 20,000 financial advisers.
The attack vector: The spreadsheets were accidentally left publicly accessible on the firm's website for more than a month, prompting concern that, if harvested, the data would be a goldmine for phishing campaigns and targeted attacks.
The target: The SEC's EDGAR filing system.
The take: Nonpublic "test filings" containing earnings results and other material data were obtained and used to make profitable securities trades before the information was made public. Seven individuals and two organizations were recently charged by the SEC in connection with the hack and are reported to have profited by about $4.1M from the scheme.
The attack vector: An undisclosed software vulnerability reportedly allowed attackers to bypass the system's authentication controls.
The target: The German Government.
The take: The personal data of hundreds of German politicians was exposed. The leaked data includes contact e-mail addresses, private chats, mobile numbers, photographs and credit card details, all of which were published on Twitter.
The attack vector: The prime suspect in the case indicated that he had acted alone, and it is believed he could not have obtained the personal data had his targets not used weak passwords on their personal accounts.
The target: The reservation database of Starwood, the hotel chain recently acquired by Marriott, which was compromised from 2014 until September 2018.
The take: For about 170 million customers only names, addresses and e-mail addresses were stolen; a further 327 million lost some combination of name, home address, e-mail address, date of birth, gender and passport number. Marriott has confirmed that more than 5 million unencrypted passport numbers were accessed by the attackers.
The attack vector: It is suspected that the merging of information systems after the Starwood acquisition introduced the weaknesses that were exploited, by what are believed to be state actors. Marriott hotels are often the preferred hotel of US government and military officials.