Last year, hackers didn’t just hack — they also collected billion-account databases from breaches and leaks that had occurred years ago, only to sell them for profit. Let’s review the worst ones that affected the most people in the past year.
The American Medical Collection Agency (AMCA) breach affected not one but two lab testing companies. First, Quest Diagnostics was notified that someone had unauthorized access to AMCA’s databases for eight months. At that time, AMCA was Quest Diagnostic’s vendor, so the hack affected almost 12 million of their customers. Hackers got access to very personal information such as credit card numbers, bank account information, medical information, and Social Security numbers.
Then there was LabCorp, another company whose customers were affected by this breach. Almost 8 million customers’ personal and financial data was compromised. LabCorp and Quest Diagnostics immediately terminated their contracts with AMCA. A few weeks after the breach was announced publicly, AMCA filed for bankruptcy.
This security loophole left 27.8 million people’s biometric data exposed. Suprema is a security company responsible for the web-based Biostar 2 biometrics lock system. The system is used by almost 6,000 organizations in 83 countries, including governments and banks. Biostar uses fingerprints and facial recognition to allow employees into restricted buildings and areas.
Security researchers from VPNmentor found that the Biostar database was left unprotected and largely unencrypted. They got access to tons of sensitive information, including admin panels, fingerprints, facial recognition data, facial photos, unencrypted usernames and passwords, facility access, security level and clearance logs, and staff personal data. Suprema was notified of the vulnerability, but they didn’t take it too seriously, responding by saying:
“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets” – Andy Ahn, Head of Marketing, Suprema.
Houzz, a home design website, started the year announcing a breach in which hackers got unauthorized access to its customers' publicly available information, as well as usernames and encrypted passwords. The company noticed the breach at the end of 2018 and was pretty vague about it in their public statements. However, ITRC reported that the hack affected almost 49 million Houzz customers.
In July, Capital One announced that they suffered a massive data breach affecting 100 million Americans and 6 million Canadians. The hacker accessed credit card applications made between 2005 and 2019. They contained personal data including names, home addresses, email addresses, dates of birth, etc. What makes this one of the worst breaches of 2019 is that some bank numbers and social security numbers also ended up in the hands of the hacker. To be precise, this affected 140K U.S. credit card customers and approximately 80K secured credit card customers who had their bank account information linked to Capital One.
If you’ve ever played online games such as “Words with Friends” or “Draw Something,” you should be worried because their creator, Zynga, was breached in 2019. The hack affected a whopping 218 million users. Bad actors accessed log-in credentials, usernames, email addresses, some Facebook IDs, some phone numbers, and Zynga account IDs. Anyone who installed Zynga’s iOS or Android mobile apps before September 2, 2019, could have been affected.
Facebook and its poor security standards have been hitting the headlines for the last couple of years, so it’s no surprise that Facebook had to appear on this list. A security researcher at the GDI Foundation found an unprotected server with a database containing approximately 419 million phone numbers belonging to Facebook users. The database was available to anyone, and it also included Facebook IDs, which makes finding user’s names and personal details even easier.
The owner of the server wasn’t found, but the database was taken down shortly after it was discovered. Facebook said that it appears that the data could’ve been scraped before they removed the feature allowing users to search for other users via phone number.
This isn’t a breach per se as much as it is a collection of breaches affecting more than 1 billion internet users. A hacker who calls himself Gnosticplayers collected databases from 45 companies and put them up for sale on the dark web. He released them in 6 batches over the first six months of 2019. He said that his goal was to earn money and also show the world how little security some companies have.
These batches contained data such as users’ full names, email addresses, passwords, location data, and social media account information. The companies whose data was released includes Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), Animoto (25 million), 500px (15 million), CoffeeMeetsBagel (6 million), and more. Some of the companies agreed to pay a ransom so that their databases wouldn’t be sold to anyone else.
Collections #1-5 were probably the biggest leaks of 2019. They contained usernames and passwords collected over many years of breaches. These batches appeared on hacking forums and were noticed by security researcher Troy Hunt, who identified the link between them all and informed the public. You can read more about this breach in our blog post.
The first batch was released in January and contained the data of 770 million people. Then, a few weeks later, Collections #2-5 appeared on the internet. They contained 25 billion unique records and roughly 2.2 billion unique usernames and passwords, making this one of the most significant leaks to date.
With so many breaches and leaks in 2019, it’s possible that your email address or other details ended up in the wrong hands. You can check whether your email was in one of the databases by going to Have I been pwned. You can also check whether your password has leaked and might be used in a credential stuffing attack by visiting Nordpass and checking if your password is secure.
If you found your details on any of these pages or you’ve noticed any suspicious activity, follow our guide and take immediate action to stay secure.
Last year, we at NordVPN were also reminded that no company is 100% safe. Unfortunately, one of our servers we were renting from a third party was breached. However, thanks to our zero-knowledge policy, the bad actor couldn’t and didn’t find any user activity logs. Neither did they discover our users’ identities or usernames. You can read the full story here.
What did we do in the aftermath? We improved our security standards even more:
You can read more about our pledge to NordVPN customers here.
For more news on cybersecurity subscribe to our monthly blog newsletter below!