With database leaks and mass hacking scandals on the rise, let’s learn about the biggest data breaches of 2020.
What is a data breach?
A data breach takes place when a company or institution leaks private information, as a result of hacking attacks or basic human errors. Cybercriminals are often involved in the incidents; they may initiate a breach, or just extract user data after the fact.
The stolen details could include passwords, payment information, and even social security numbers. Hackers can then use these to take over accounts and credit cards, access banking systems, launch phishing attacks, or sell the data on to other criminals.
However, not all data breaches are the work of cybercriminals. Sometimes they can happen due to human error or a deliberate inside job. But the end result is similar – your data gets out in the open and can quickly land in the wrong hands.
Top 10 biggest data breaches of 2020
2020’s digital landscape was truly unprecedented. Due to the Covid pandemic, people spent more time than ever online. The public became reliant on online services, stored massive amounts of data digitally, and worked remotely. And the hackers had a field day.
The global online shift may be one of the factors driving the scope and magnitude of the year’s breaches. 2020 saw leaks involving giant corporations and affecting billions of users. The average cost of a data breach rose to $3.86M.
There are lessons to be learned from these painful events, however, so we’re going to take you back through the biggest data breaches of 2020. We ranked them according to the data volume they affected. Some of the breaches happened earlier, but surfaced only in 2020.
1. CAM4 (10.88 billion)
An adult webcam platform CAM4 accidentally misconfigured its production server and left its data unprotected, without any password security. As a result, seven terabytes of data — containing a staggering 10.88 billion records — were exposed. Millions of users were put at risk as the records covered highly sensitive data, including full names, email addresses, credit card info, sexual orientation details, messaging and email correspondence, passwords, and payment logs. Though there is currently no evidence that cybercriminals have used the data, there is still a risk of future exploits. CAM4 fixed the server issue and has claimed that no one improperly accessed the data.
2. Advanced Info Service (8.3 billion)
Advanced Info Service, Thailand’s mobile operator, experienced their own CAM4-situation back in May. One of its databases was left open, exposing four terabytes of data (8.3 billion records). While the affected data did not include any personal details, anyone who accessed it could have seen the websites its users visited and the apps they used. The company immediately fixed the database issue after the discovery of the breach.
3. Keepnet Labs (5 billion)
Keepnet Labs, a UK cybersecurity company, confirmed that one of its contractors temporarily exposed a database of 5 billion emails and passwords from previous data breaches. The contractor disabled the firewall for 10 minutes while migrating the database, leaving a vulnerable window for cybercriminals to snatch the data.
Keepnet stored the breach data to notify its customers in case someone compromised their business domain. This is standard practice for many cybersecurity companies.
4. Whisper (900 million)
Whisper is a secret-sharing app, but back in March 2020, it wasn’t doing a great job of keeping its users’ secrets. 900 million user records became publicly accessible via an unprotected database. Not only could anyone see its users’ intimate confessions and personal correspondence, but they could also access all the metadata tied to those messages, including location info. Armed with this data, hackers could identify individual senders.
The company stated that the leak was due to improper querying of their database.
5. Sina Weibo (538 million)
In March 2020, a hacker tried to sell the data of 538 million Weibo users on the dark web. A person claimed to have infiltrated Weibo in 2019 and snatched the information from the company’s database. The data included personal details, such as names, usernames, gender, location, and phone numbers. As the passwords were not included, you could buy the data relatively cheaply, at only 250$. The company didn’t provide a clear explanation on how the hackers managed to steal their data.
6. Estée Lauder (440 million)
Jeremiah Fowler, a security researcher, discovered an unprotected database belonging to the cosmetics giant Estée Lauder, including more than 440 million records. The company claimed that it didn’t contain any customer data. However, the researcher stated that the database was a content management system with references to internal documents, sales data, email addresses, and IP addresses. The company closed the database once it found out about the issue.
7. Broadvoice (350 million)
In October 2020, the communications company Broadvoice experienced a leak exposing 350 million records of personal voice transcripts, names, and phone numbers. The organization accidentally left the database cluster unprotected and accessible to everyone, without any need for authentication.
8. Wattpad (268 million)
Back in July 2020, security researchers discovered a leaked database with more than 268 million unique emails and passwords. It also included users’ IDs, names, IP addresses, and locations. The breached SQL database belonged to Wattpad, a platform for publishing user-generated stories. The hack exposed the platform’s users to the risks of various cyberattacks such as spear-phishing and extortion.
9. Microsoft (250 million)
The software giant suffered a significant data leak due to their misconfigured server security rules. As a result, 250 million customer records were exposed. They included email and IP addresses as well as support case details. The company swiftly fixed the configuration faults.
10. Unknown (201 million)
In January, researchers discovered a database containing more than 200 million units of personal data, hosted on a Google Cloud server. To this day its owner is unknown. The database contained highly sensitive information on US residents, including names, addresses, credit ratings, income details, and property values. Google took down the exposed server. We still don’t know if anyone made use of the information exposed.
How not to become the victim of a data breach
While complete protection from data breaches is a hard promise for companies to keep, there are still steps that individuals can take to minimize the risks. Here are a few tips for improving your own security and limiting the threats posed by data leaks:
- Use strong passwords so that hackers won’t be able to crack them with brute-forcing methods. Also, don’t reuse the same details for different accounts. If you find it difficult to memorize them, our NordPass tool will help you;
- Encrypt your sensitive data. Then, even if a hacker steals the encrypted information, they will only be able to access scrambled code, and not the data itself. NordLocker provides safe and easy file encryption;
- Always check whether a website uses a secure HTTPS protocol before trusting it with your personal data;
- Keep an eye on your credit card statements and purchase histories. Immediately inform the bank or police if you find anything suspicious;
- Constantly update your software. Developers usually patch vulnerabilities once they find them, so always have the most recent updates installed.
We’ve compiled a list of cybersecurity predictions for 2021. Let’s hope that 2021 will be a less fruitful year for hackers.
Want to read more like this?
Get the latest news and tips from NordVPN.