The biggest and worst data breaches

9. The cloud service leak (2.3 billion files)

At the end of May, researchers from the Photon Research Team at Digital Shadows discovered that 2.3 billion files were accessible online due to configuration errors. The data was public across data-sharing and cloud services, online storage services, and companies’ servers. These files included medical scans, credit card details, payroll files, intellectual property patents, and at least 11 million photographs, many of which were considered private images. They went public on a Japanese photo-sharing platform called Theta360. Fortunately, the company reacted quickly and sealed the leak over the next 24 hours.

8. American Medical Collection Agency (11.9 million + 7.7 million)

The American Medical Collection Agency (AMCA) breach affected not one but two lab testing companies. First, Quest Diagnostics was notified that someone had unauthorized access to AMCA’s databases for eight months. At that time, AMCA was Quest Diagnostic’s vendor, so the hack affected almost 12 million of their customers. Hackers got access to very personal information such as credit card numbers, bank account information, medical information, and Social Security numbers.

Then there was LabCorp, another company whose customers were affected by this breach. Almost 8 million customers’ personal and financial data was compromised. LabCorp and Quest Diagnostics immediately terminated their contracts with AMCA. A few weeks after the breach was announced publicly, AMCA filed for bankruptcy.

7. Suprema (27.8 million)

This security loophole left 27.8 million people’s biometric data exposed. Suprema is a security company responsible for the web-based Biostar 2 biometrics lock system. The system is used by almost 6,000 organizations in 83 countries, including governments and banks. Biostar uses fingerprints and facial recognition to allow employees into restricted buildings and areas.

Security researchers from VPNmentor found that the Biostar database was left unprotected and largely unencrypted. They got access to tons of sensitive information, including admin panels, fingerprints, facial recognition data, facial photos, unencrypted usernames and passwords, facility access, security level and clearance logs, and staff personal data. Suprema was notified of the vulnerability, but they didn’t take it too seriously, responding by saying:

“If there has been any definite threat on our products and/or services, we will take immediate actions and make appropriate announcements to protect our customers’ valuable businesses and assets” – Andy Ahn, Head of Marketing, Suprema.

6. Houzz (48.9 million)

Houzz, a home design website, started the year announcing a breach in which hackers got unauthorized access to its customers’ publicly available information, as well as usernames and encrypted passwords. The company noticed the breach at the end of 2018 and was pretty vague about it in their public statements. However, ITRC reported that the hack affected almost 49 million Houzz customers.

5. Capital One (106 million)

In July, Capital One announced that they suffered a massive data breach affecting 100 million Americans and 6 million Canadians. The hacker accessed credit card applications made between 2005 and 2019. They contained personal data including names, home addresses, email addresses, dates of birth, etc. What makes this one of the worst breaches of 2019 is that some bank numbers and social security numbers also ended up in the hands of the hacker. To be precise, this affected 140K U.S. credit card customers and approximately 80K secured credit card customers who had their bank account information linked to Capital One.

4. Zynga (218 million)

If you’ve ever played online games such as “Words with Friends” or “Draw Something,” you should be worried because their creator, Zynga, was breached in 2019. The hack affected a whopping 218 million users. Bad actors accessed log-in credentials, usernames, email addresses, some Facebook IDs, some phone numbers, and Zynga account IDs. Anyone who installed Zynga’s iOS or Android mobile apps before September 2, 2019, could have been affected.

3. Facebook (419 million, possibly billions)

Facebook and its poor security standards have been hitting the headlines for the last couple of years, so it’s no surprise that Facebook had to appear on this list. A security researcher at the GDI Foundation found an unprotected server with a database containing approximately 419 million phone numbers belonging to Facebook users. The database was available to anyone, and it also included Facebook IDs, which makes finding user’s names and personal details even easier.

The owner of the server wasn’t found, but the database was taken down shortly after it was discovered. Facebook said that it appears that the data could’ve been scraped before they removed the feature allowing users to search for other users via phone number.

Other Facebook-linked breaches from 2019 included:

• In April, a cybersecurity firm called UpGuard found and reported that two third-party Facebook app developers – Mexico-based Cultura Colectiva and an app called At The Pool – stored a total of about 540 million Facebook user data entries on unsecured Amazon Web Services (AWS) servers. This included “comments, likes, reactions, account names, FB IDs, and more” from millions of Facebook users.
• In May, Facebook-owned WhatsApp was breached. Hackers found and exploited a security flaw that left its users vulnerable to spyware. The exact number of victims is unknown, but the app has 1.5 billion users, all of which could have been affected. An Israeli government surveillance agency called the NSO Group designed the spyware. It could turn on a device’s microphone and camera, gain access to emails and messages, and collect location data.
• In the second half of May, the contact details of nearly 50 million Instagram users became accessible on a massive unsecured online database. The breached data contains the personal information, such as emails and phone numbers, of high-profile influencers, celebrities, and brand accounts. The database itself was on an Amazon server and was not password-protected. It was traced to a Mumbai-based marketing company called Chtrbox.

2. Collection by Gnosticplayers (1 billion+)

This isn’t a breach per se as much as it is a collection of breaches affecting more than 1 billion internet users. A hacker who calls himself Gnosticplayers collected databases from 45 companies and put them up for sale on the dark web. He released them in 6 batches over the first six months of 2019. He said that his goal was to earn money and also show the world how little security some companies have.

These batches contained data such as users’ full names, email addresses, passwords, location data, and social media account information. The companies whose data was released includes Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), Animoto (25 million), 500px (15 million), CoffeeMeetsBagel (6 million), and more. Some of the companies agreed to pay a ransom so that their databases wouldn’t be sold to anyone else.

1. Collections #1-5 (3 billion)

Collections #1-5 were probably the biggest leaks of 2019. They contained usernames and passwords collected over many years of breaches. These batches appeared on hacking forums and were noticed by security researcher Troy Hunt, who identified the link between them all and informed the public. You can read more about this breach in our blog post.

The first batch was released in January and contained the data of 770 million people. Then, a few weeks later, Collections #2-5 appeared on the internet. They contained 25 billion unique records and roughly 2.2 billion unique usernames and passwords, making this one of the most significant leaks to date.

What should I do next?

With so many breaches and leaks in 2019, it’s possible that your email address or other details ended up in the wrong hands. You can check whether your email was in one of the databases by going to Have I been pwned (this article explains the “pwned” meaning in detail). You can also check whether your password has leaked and might be used in a credential stuffing attack by visiting Nordpass and checking if your password is secure.

If you found your details on any of these pages or you’ve noticed any suspicious activity, follow our guide and take immediate action to stay secure.

What about NordVPN?

Last year, we at NordVPN were also reminded that no company is 100% safe. Unfortunately, one of our servers we were renting from a third party was breached. However, thanks to our zero-knowledge policy, the bad actor couldn’t and didn’t find any user activity logs. Neither did they discover our users’ identities or usernames. You can read the full story here.

What did we do in the aftermath? We improved our security standards even more by preparing a NordVPN security plan. Here are some of the highlights from it:

1. We partnered with VerSprite, a top cybersecurity consulting firm that will help us to ensure the security of our customers.
2. We introduced a bug bounty program.
3. We’re launching a full-scale third-party independent security audit.
4. We’re moving towards exclusive ownership of our data centers.
5. We’re preparing to upgrade our entire infrastructure to RAM servers.