The target: Instagram, a Facebook-owned picture-sharing social network.
The take: 49 million user records, including name, number of followers, location, phone number and e-mail addresses.
The attack vector: An AWS database belonging to social media marketing firm Chtrbox was discovered to be publicly exposed and accessible to anyone with an internet connection.
The target: Saks Fifth Avenue and Lord & Taylor, high-end department stores.
The take: 5 million credit and debit card account numbers.
The attack vector: Attackers appear to have gained complete access to the breached department stores’ networks, and installed card-scraping malware on point-of-sale terminals at all 51 Lord & Taylor and 83 Saks Fifth Avenue locations. The compromise appears to have begun in May of 2017 and was discovered and remediated one year later.
The target: Uber, a ridesharing service.
The take: The personal data of 57 million customers and drivers, including names, e-mail addresses and phone numbers, as well as driver’s license numbers for hundreds of thousands of American drivers.
The attack vector: Attackers gained access to an AWS-hosted server with credentials an Uber engineer left publicly exposed in a GitHub repository.
Uber later came under fire for failing to report the breach at the time that it occurred, and attempting to pay the hackers a $100,000 ransom to delete the stolen data. The handling of the incident resulted in the dismissal of Uber’s Chief Security Officer.
The target: Home Depot, an American home improvement retailer.
The take: 53 million e-mail addresses and 56 million credit and debit accounts.
The attack vector: Beginning in April 2014 and lasting several months, attackers used compromised credentials belonging to a third-party vendor to initially breach Home Depot’s network. Once inside, they exploited unpatched Windows vulnerabilities and installed malware on self-checkout registers to skim customer information.
The target: Microsoft’s personal e-mail service, Outlook.com.
The take: E-mail accounts under the Outlook.com, Hotmail.com, and MSN.com domains were compromised. While Microsoft has offered that ‘only 6%’ of accounts were compromised, it would not confirm the number of accounts that percentage represents. Microsoft initially denied that the attackers had access to customers’ inboxes beyond contacts, folder names, and subject lines, but it was later confirmed that email contents could have been viewed.
The attack vector: Attackers were able to access Microsoft’s infrastructure by compromising the credentials of a customer support representative.
The target: Orbitz, a subsidiary of online travel agency Expedia Inc.
The take: Payment card information and personal data such as billing addresses, phone numbers, and emails.
The attack vector: About 880,000 payment cards had been hit by a security breach. The attacker may have accessed personal information that was submitted for certain purchases made during an entire year.
The target: Timehop, an application which aggregates old posts and photos from users’ social media feeds.
The take: Personal information including some combinations of name, e-mail address and phone number, to a total of 21 million records.
The attack vector: An account with administrative access to Timehop’s cloud computing environment was not protected with two-factor authentication. The attacker accessed the account and created a separate administrator credential for their own use in December of 2017. The attacker maintained access and performed reconnaissance for eight months until they proceeded to exfiltrate user data in July of 2018.
The target: Delta Air Lines, a major American airline.
The take: Hackers may have accessed names, addresses, credit card numbers, CVV numbers and expiration dates for “several hundred thousand” customers during approximately two months.
The attack vector: [24]7.ai, Delta's online chat services provider, suffered a malware attack and failed to notify its client of the breach until a few months following the intrusion.
The target: Verification.io, which offers ‘e-mail validation’ services to advertisers.
The take: Over two billion records were exposed, consisting of e-mail addresses, often with associated names, social media accounts, phone numbers, dates of birth, ZIP codes – as well as credit score information, mortgage amounts, interest rates, and other data. Also exposed were names, revenues, and other business-specific data for a number of companies.
The attack vector: A database server was discovered by security researchers to be exposed to the public web, completely unencrypted and without any form of password protection or access control in place.
The target: Social media giant Facebook.
The take: Passwords for between 200 and 600 million user accounts.
The attack vector: Passwords were stored in plaintext on internal systems dating back to 2012 and were accessible to more than 20,000 Facebook employees. Access logs show that at least 2,000 engineers or developers made approximately 9 million internal queries for datasets that contained plain text user passwords.
Copyright © 2021 Entreprise Castle Hall Alternatives, Inc. All Rights Reserved.