The target: Verification.io, who offer ‘e-mail validation’ services to advertisers.
The take: Over two billion records were exposed, consisting of e-mail addresses, often with associated names, social media accounts, phone numbers, dates of birth, ZIP codes – as well as credit score information, mortgage amounts, interest rates, and other data. Also exposed were names, revenues, and other business-specific data for a number of companies.
The attack vector: A database server was discovered by security researchers to be exposed to the public web, completely unencrypted and without any form of password protection or access control in place.
The target: Social media giant Facebook.
The take: Passwords for between 200 and 600 million user accounts.
The attack vector: Passwords were stored in plaintext on internal systems dating back to 2012 and were accessible to more than 20,000 Facebook employees. Access logs show that at least 2,000 engineers or developers made approximately 9 million internal queries for datasets that contained plain text user passwords.
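The storage practice described above is the one defect every one of those 9 million internal queries depended on: a row that contains the password itself. The following is an added example, not code from the page or from Facebook, showing the plaintext anti-pattern beside a salted, memory-hard hash built with hashlib.scrypt from the Python standard library. The cost parameters and the sample password are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example (not code from the page or from Facebook): the plaintext
# anti-pattern beside a salted scrypt hash. Cost parameters are assumptions;
# raise N on hardware that can afford it.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
KEY_LEN = 32


def store_plaintext(password: str) -> str:
    """Anti-pattern: the stored record is the password itself, so anyone who can
    query the table, or read a log it leaks into, holds every credential."""
    return password


def store_hashed(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a salted scrypt hash and encode the parameters with it so a
    verifier can recompute it later. Only this string is written to storage."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), digest.hex()])


def verify_hashed(password: str, stored: str) -> bool:
    """Recompute from the stored parameters and compare in constant time."""
    scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        raise ValueError("unknown hash scheme: " + scheme)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=KEY_LEN)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def record_reveals_password(record: str, password: str) -> bool:
    """What an internal query shows: with plaintext storage the password is in
    the row; with hashing the row gives nothing to log or reuse."""
    return password in record


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("plaintext row:", store_plaintext(pw))
    row = store_hashed(pw)
    print("hashed row:   ", row)
    print("verify:", verify_hashed(pw, row), "wrong guess:", verify_hashed("guess", row))
```

Because the parameters travel with the hash, the cost can be raised later and old rows re-hashed at next login without a schema change; the constant-time comparison avoids leaking how many leading bytes of a guess matched.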
The target: Cathay Pacific Airlines, a Hong Kong airline.
The take: Personal information including names, dates of birth, addresses, and some passport numbers and e-mail addresses for 9.4 million clients.
The attack vector: It’s believed that vulnerabilities were discovered and exploited due to poor planning and a failure to adapt security practices and postures during a transition from legacy IT systems to cloud-based infrastructure.
The target: Sonic Restaurants, an American fast-food chain.
The take: An estimated five million credit and debit payment card accounts were compromised as a result of the attack.
The attack vector: The success of the attack was attributed to the age of Sonic’s Point-of-Sale systems, which were no longer receiving security updates and which were inherently vulnerable to manipulation and data exfiltration.
The target: Target, an American retailer.
The take: Payment card information, and/or names, phone numbers and e-mail addresses for up to 70 million customers.
The attack vector: Attackers accessed Target’s network via credentials stolen from a third-party HVAC vendor, installed malware and exfiltrated the data in what was one of the first major data breaches to make headlines.
The target: British Airways, the largest airline in the United Kingdom.
The take: Payment card information for more than 380,000 customers.
The attack vector: By injecting altered scripts into third-party webpages called during the payment and check-out process, malicious actors performed a digital ‘card skimming’ attack, stealing payment card information from BA’s clients between August and September 2018.
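A script served by a third party runs with the full authority of the page that includes it, which is why an altered copy on that host could read card fields on the checkout page. Subresource Integrity (SRI) pins the bytes the page is willing to execute. The following is an added example, not code from the page or from British Airways, that computes integrity values and emulates the browser's check; the script body and the URL are constructed.

```python
import base64
import hashlib

# Added example (not code from the page or from British Airways): Subresource
# Integrity for scripts loaded from third-party hosts. A browser given an
# integrity attribute hashes the fetched bytes and refuses to run the script if
# the hash differs, so a modified copy on the third-party host fails closed.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return the integrity value ('<alg>-<base64 digest>') for the given bytes."""
    if algorithm not in STRENGTH:
        raise ValueError("SRI allows only sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return algorithm + "-" + base64.b64encode(digest).decode("ascii")


def sri_matches(content: bytes, integrity: str) -> bool:
    """Emulate the browser's check. The attribute may list several hashes; the
    strongest algorithm present is selected and the bytes must match one of its
    hashes. Unlike a browser, which skips the check when no token is
    recognised, this checker treats unparsable metadata as a failure."""
    parsed = []
    for token in integrity.split():
        token = token.split("?", 1)[0]          # drop option suffixes
        alg, _, _ = token.partition("-")
        if alg in STRENGTH:
            parsed.append((alg, token))
    if not parsed:
        return False
    strongest = max(parsed, key=lambda item: STRENGTH[item[0]])[0]
    return any(sri_hash(content, alg) == token
               for alg, token in parsed if alg == strongest)


def script_tag(src: str, content: bytes) -> str:
    """Build the tag to embed: integrity pins the bytes, crossorigin lets the
    browser verify a cross-origin response."""
    return ('<script src="%s" integrity="%s" crossorigin="anonymous"></script>'
            % (src, sri_hash(content)))


if __name__ == "__main__":
    body = b"document.getElementById('pay').disabled = false;"  # constructed script
    print(script_tag("https://cdn.example/checkout.js", body))  # hypothetical URL
    print("unmodified:", sri_matches(body, sri_hash(body)))
    print("altered:   ", sri_matches(body + b"\n// appended", sri_hash(body)))
```

SRI only helps for resources whose content is fixed at build time; a third-party script that changes on every deploy needs to be vendored or pinned to a versioned URL before it can be hashed, and a Content-Security-Policy that limits script sources closes the gap for anything SRI cannot cover.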
The target: India’s national ID database, Aadhaar.
The take: Names, unique identity numbers, bank details and other private information for more than 1.1 billion registered Indian citizens.
The attack vector: One utility’s channel to access the Aadhaar database was without any access control in place, used a hardcoded access token, and enforced zero rate-limiting – meaning that an attacker could cycle through all possible Aadhaar numbers and obtain information every time a valid number was hit.
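The channel described above lacked two controls that are cheap to add at the gateway: a per-caller rate limit, and detection of a caller walking the identifier space rather than serving individual customers. The following is an added example, not code from the page or from the Aadhaar programme, that implements both and replays three constructed callers through them; the thresholds and the 12-digit numbers are made up.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

# Added example (not code from the page or from UIDAI): a lookup gateway with a
# per-caller token-bucket rate limit and enumeration detection. Thresholds and
# the sample lookups are constructed; the identifiers are made up.


class TokenBucket:
    """`capacity` requests may burst; tokens refill at `rate` per second."""

    def __init__(self, capacity: int, rate: float) -> None:
        self.capacity, self.rate = capacity, rate
        self.tokens = float(capacity)
        self.last = 0.0

    def allow(self, now: float) -> bool:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def looks_sequential(ids: List[int], min_fraction: float = 0.8) -> bool:
    """True when most gaps between the sorted identifiers are exactly 1, the
    signature of a caller stepping through the number space."""
    ids = sorted(ids)
    if len(ids) < 2:
        return False
    adjacent = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return adjacent / (len(ids) - 1) >= min_fraction


class LookupGateway:
    def __init__(self, capacity: int = 5, rate: float = 1.0,
                 window: float = 60.0, distinct_threshold: int = 20) -> None:
        self.buckets: Dict[str, TokenBucket] = defaultdict(lambda: TokenBucket(capacity, rate))
        self.history: Dict[str, Deque[Tuple[float, int]]] = defaultdict(deque)
        self.window, self.threshold = window, distinct_threshold
        self.alerts: List[Tuple[str, float, int]] = []

    def lookup(self, caller: str, ident: int, now: float) -> str:
        """Return 'rate_limited', 'flagged' or 'ok' for one lookup by `caller`."""
        if not self.buckets[caller].allow(now):
            return "rate_limited"
        hist = self.history[caller]
        hist.append((now, ident))
        while hist and hist[0][0] < now - self.window:   # keep only the sliding window
            hist.popleft()
        distinct = {i for _, i in hist}
        if len(distinct) >= self.threshold and looks_sequential(list(distinct)):
            self.alerts.append((caller, now, len(distinct)))
            return "flagged"
        return "ok"


def run_sample() -> Dict[str, List[str]]:
    """Replay three constructed callers and return each one's outcomes."""
    gw = LookupGateway()
    results: Dict[str, List[str]] = defaultdict(list)
    # A counter serving walk-in customers: a few unrelated numbers, spaced out.
    for t, ident in enumerate([900000001234, 900000087651, 900000043210]):
        results["counter"].append(gw.lookup("counter", ident, float(t * 10)))
    # Ten requests in the same second exhaust the bucket after five.
    for ident in range(900000100000, 900000100010):
        results["burst"].append(gw.lookup("burst", ident, 0.0))
    # A caller stepping through consecutive numbers at the permitted rate.
    for k in range(25):
        results["walker"].append(gw.lookup("walker", 900000200000 + k, float(k)))
    return results


if __name__ == "__main__":
    for caller, outcome in run_sample().items():
        print(caller, outcome)
```

The rate limit alone does not stop the third caller, who stays within it; the distinct-identifier count over a window is what catches the pattern, which is why the two controls are paired and why the alert is raised at the gateway rather than left to the downstream system. A hardcoded access token should be replaced by per-integration credentials that can be rotated and revoked individually.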
The target: Firebase, a Backend-as-a-Service offering from Google that is marketed towards mobile app developers.
The take: Over 100 million records from thousands of mobile apps, including plaintext user id & password combinations, GPS location records, financial records, health records and session tokens.
The attack vector: Security researchers discovered that the default configuration for Firebase databases does not secure data or require authentication, allowing unauthorized third parties to view and exfiltrate application data.
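Whether the exposure comes from a default or from a rule a developer loosened during testing, the check is the same: find every path in the rules document where read or write is granted to anyone. The following is an added example, not code from the page or from Google, of a small linter for Firebase Realtime Database rules. Both rule documents are constructed samples; the hardened one uses the per-user pattern in which a rule string is evaluated against the requesting user's auth object.

```python
import json
from typing import List, Tuple

# Added example (not code from the page or from Google/Firebase): a linter for
# Realtime Database security rules that reports every path where read or write
# is granted unconditionally. Both rule documents below are constructed.
OPEN_RULES = json.dumps({"rules": {".read": True, ".write": True}})

HARDENED_RULES = json.dumps({"rules": {
    "users": {"$uid": {".read": "auth != null && auth.uid == $uid",
                       ".write": "auth != null && auth.uid == $uid"}},
    "public_config": {".read": True, ".write": False},
}})


def _unconditional(value) -> bool:
    """A permission is open when it is the literal true or the string 'true'."""
    return value is True or (isinstance(value, str) and value.strip() == "true")


def find_open_paths(rules_json: str) -> List[Tuple[str, str]]:
    """Walk the rules tree and return (path, permission) pairs granted to anyone.
    Read and write permissions cascade downward in the Realtime Database, so an
    open grant near the root exposes everything beneath it."""
    findings: List[Tuple[str, str]] = []

    def walk(node, path: str) -> None:
        if not isinstance(node, dict):
            return
        for key, value in node.items():
            if key in (".read", ".write"):
                if _unconditional(value):
                    findings.append((path or "/", key))
            elif key != ".validate":          # .validate does not grant access
                walk(value, path + "/" + key)

    walk(json.loads(rules_json).get("rules", {}), "")
    return findings


def audit(rules_json: str, allowed_public: Tuple[str, ...] = ()) -> List[Tuple[str, str]]:
    """Findings minus paths deliberately published read-only; any open write,
    and any open read outside the allow-list, is reported."""
    return [(path, perm) for path, perm in find_open_paths(rules_json)
            if perm == ".write" or path not in allowed_public]


if __name__ == "__main__":
    print("open rules:    ", audit(OPEN_RULES))
    print("hardened rules:", audit(HARDENED_RULES, allowed_public=("/public_config",)))
```

Run this against the rules file in the repository as a pre-deploy check, with the allow-list kept deliberately short; a single open read at the root is exactly the condition the researchers described, and it is one line to find.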
The target: Investment Management firm BlackRock.
The take: Three separate spreadsheets, containing names, e-mail addresses, and assets invested in iShares ETFs for about 20,000 financial advisers.
The attack vector: The spreadsheets were accidentally made publicly available on the firm’s website for more than a month, prompting concerns that if harvested, the data could be a goldmine for phishing campaigns and targeted attacks.
The target: The SEC's EDGAR filing system.
The take: Nonpublic 'test filings' containing earnings results and other material data were obtained and used to make profitable securities trades before the information was publicized. Seven individuals and two organizations were recently charged by the SEC in connection with the hack and are reported to have profited to the tune of $4.1M from the scheme.
The attack vector: An undisclosed software vulnerability reportedly allowed attackers to bypass the system's authentication controls.