Software Integrity Blog


Biggest 2019 data breaches: Some of the worst of the worst

How do you evaluate the impact of a data breach? Here are six of the biggest data breaches in 2019 in terms of millions, even billions, of people affected.


“Another day, another data breach” is, unfortunately, not just a cliché. It is a reality. But all data breaches are not equal. While they are all bad, some are much worse than others.

And 2019 has had its share of “much worse” data breaches. So, while we’re not trying to spoil “the most wonderful time of the year,” it is clear we need reminders that we have a long way to go to make the online world a safe place.

Yes, it is criminal hackers, scammers, and fraudsters who are directly to blame for data breaches. But the troubling reality is that most data breaches from 2019, including all those summarized below, could have been prevented with basic security hygiene. It’s a bit like a car getting stolen or vandalized. Those who committed the crime are directly responsible, but if the owner left the doors unlocked and windows open in a sketchy neighborhood, it’s appropriate to ask, “What were you thinking?”

Here are a half dozen of the worst data breaches in 2019 (so far) in terms of the number of people affected.

The data breach affected up to 2 billion people

Date reported: March 7, 2019

Impact: 800 million to 2 billion records worldwide

Security failure: No authentication required

An email validation service apparently left a massive database of records in the open, according to Security Discovery researcher Bob Diachenko. He reported in a March 7 blog post that on Feb. 25 he had found the trove in a “non-password protected” 150 GB MongoDB database containing more than 808 million records. When he tracked it back to the company and reported it, the site was taken offline.

Diachenko also connected with Troy Hunt, the ethical hacker who runs the Have I Been Pwned website. After analyzing the database, they determined that while the compromised information didn’t include credit card details or passwords, it did include names, physical addresses, phone numbers, email addresses, dates of birth, genders, employers, geographic locations, IP addresses, and job titles.

A day later, however, UK-based DynaRisk told SC Media that the data breach was nearly three times larger, at more than 2 billion records. DynaRisk also reported that the data breach included more information: credit scores, interest rates, personal mortgage amounts, and emails linked to social media profiles on Facebook, Instagram, and LinkedIn.

The First American breach exposed 885 million files

First American Financial

Date reported: May 25, 2019

Impact: About 885 million files related to mortgage deals

Security failure: Lack of authentication control

First American Financial Corp., a Fortune 500 financial services company, exposed about 885 million records of mortgage transactions dating back to 2003. The vulnerability was first reported by security blogger Brian Krebs in May, who wrote that he had been tipped off by a real estate developer.

Krebs confirmed what the tipster had told him: Anyone who had ever been emailed a link to a document by the company could access the records, simply by changing a single digit in the document link.

The digitized records included bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and driver’s license images.

First American shut down the compromised website after Krebs notified the firm.

In a response to Krebs, First American called the vulnerability a “design defect.” Krebs wrote that he had no evidence that the data had been mass harvested. However, he said, it “would be a virtual gold mine for phishers and scammers involved in so-called Business Email Compromise (BEC) scams, which often impersonate real estate agents, closing agencies, title and escrow firms in a bid to trick property owners into wiring funds to fraudsters.”
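The pattern Krebs describes, a document link whose guessable id is the only thing the server checks, is what an insecure direct object reference looks like in code. Below is an added illustration, not First American's code: a constructed lookup with no access check beside a hardened version that ties each link to an unguessable token and still verifies that the signed-in requester owns the file (the sample documents and owners are made up).

```python
"""Document-link authorization, as a constructed illustration of the First
American pattern: a lookup keyed only on a guessable id (vulnerable) beside a
version that checks the authenticated requester and uses unguessable links."""
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample store: document id -> (owner, contents). The ids are
# sequential, so one valid link reveals the shape of every other link.
DOCUMENTS: Dict[str, Tuple[str, str]] = {
    "1000": ("alice@example.com", "closing statement for 12 Elm St"),
    "1001": ("bob@example.com", "wire transfer receipt"),
}

def fetch_document_vulnerable(doc_id: str, requester: str) -> Optional[str]:
    """Vulnerable: the id in the link is all that is checked, so any recipient
    of one link can read a neighbour's file by changing a digit. `requester`
    is accepted but never consulted."""
    record = DOCUMENTS.get(doc_id)
    return record[1] if record else None

# Hardened: links carry a random, per-document token instead of a sequential
# id, and the server still verifies that the signed-in user owns the file.
LINK_TOKENS: Dict[str, str] = {}  # token -> doc_id

def issue_link(doc_id: str) -> str:
    """Mint an unguessable link token for a document (256 bits of entropy)."""
    if doc_id not in DOCUMENTS:
        raise KeyError(doc_id)
    token = secrets.token_urlsafe(32)
    LINK_TOKENS[token] = doc_id
    return token

def fetch_document_hardened(token: str, requester: str) -> Optional[str]:
    """Return the file only if the token is valid AND the requester is the
    owner; a forged token and a leaked token used by the wrong account fail
    the same way, so an attacker learns nothing from the difference."""
    doc_id = LINK_TOKENS.get(token)
    if doc_id is None:
        return None
    owner, body = DOCUMENTS[doc_id]
    if requester != owner:
        return None
    return body
```

The ownership check is the essential fix; the random token only removes the enumeration shortcut and is no substitute for it.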

Collection #1 contained 773 million email addresses and more than 22 million passwords

“Collection #1”

Date reported: Jan. 17, 2019

Impact: Nearly 773 million unique email addresses and more than 22 million unique passwords

Security failure: Multiple and varied

This massive and unique collection, presented by Troy Hunt on his Have I Been Pwned website, was sitting in a cloud storage service called MEGA.

Hunt, a Microsoft Regional Director, wrote about it on his blog after “multiple people reached out” and directed him to MEGA. Hunt said by the time of his writing, the data had been removed from MEGA.

He said the collection included more than 12,000 separate files and more than 87 GB of data.

“One of my contacts pointed me to a popular hacking forum where the data was being socialized,” where the root folder identified it as “Collection #1.”

He said he hadn’t verified the origin of all the data breaches listed. But, he said, “my own personal data is in there and it’s accurate; right email address and a password I used many years ago.”

Hackers are most likely using the data for credential stuffing, a brute force attack cited by Synopsys CSO Deirdre Hanford in a recent interview at the end of National Cybersecurity Awareness Month.
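Credential stuffing leaves a recognisable trace in authentication logs: a single source trying many different accounts in a short span, most of them failing, which is unlike a user fumbling their own password. The detector below is an added example, not from the original post; the log format and the log lines are constructed for the illustration.

```python
"""Credential-stuffing indicator over constructed auth log lines: one source
IP walking many different accounts, most attempts failing. Not a real log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-01-17T10:00:01Z login_failed ip=203.0.113.5 user=a@example.com
2019-01-17T10:00:02Z login_failed ip=203.0.113.5 user=b@example.com
2019-01-17T10:00:02Z login_failed ip=203.0.113.5 user=c@example.com
2019-01-17T10:00:03Z login_ok ip=203.0.113.5 user=d@example.com
2019-01-17T10:00:04Z login_failed ip=203.0.113.5 user=e@example.com
2019-01-17T10:00:05Z login_failed ip=203.0.113.5 user=f@example.com
2019-01-17T10:05:00Z login_failed ip=198.51.100.7 user=g@example.com
2019-01-17T10:05:30Z login_failed ip=198.51.100.7 user=g@example.com
2019-01-17T10:06:00Z login_ok ip=198.51.100.7 user=g@example.com
"""

LINE_RE = re.compile(r"^(\S+) (login_failed|login_ok) ip=(\S+) user=(\S+)$")

def parse(log):
    """Yield (timestamp, outcome, ip, user) for each well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def stuffing_suspects(log, window=timedelta(minutes=10), min_users=5):
    """Return {ip: (distinct_users_in_window, failed_attempts)} for sources
    that tried at least `min_users` different accounts inside `window`.
    One account retried repeatedly (198.51.100.7 above) is not flagged."""
    by_ip = defaultdict(list)
    for ts, outcome, ip, user in parse(log):
        by_ip[ip].append((ts, outcome, user))
    suspects = {}
    for ip, events in by_ip.items():
        events.sort()
        best = 0
        for i, (start, _, _) in enumerate(events):  # sliding window per start
            users = {u for ts, _, u in events[i:] if ts - start <= window}
            best = max(best, len(users))
        if best >= min_users:
            failed = sum(1 for _, o, _ in events if o == "login_failed")
            suspects[ip] = (best, failed)
    return suspects
```

Successful logins from a flagged source matter as much as the failures: they are the accounts whose reused passwords were in the leaked list.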

The Facebook data breach exposed more than 540 million records

Date reported: April 3, 2019

Impact: More than 540 million records exposed

Security failure: Publicly accessible server hosted by a third party

It was Jan. 10, 2019, when security firm Upguard Cyber Risk first notified the Mexico-based digital media company Cultura Colectiva that it had discovered more than 540 million Facebook user IDs, account names, likes, and comments exposed on a publicly accessible server.

Upguard sent another notification on Jan. 14. It got no response.

The company then notified Amazon Web Services on Jan. 28, since the data was stored on an Amazon S3 cloud storage bucket. Amazon replied Feb. 1 that it had notified Cultura Colectiva.

But it wasn’t until April 3, after Bloomberg contacted Facebook for comment, that the bucket was finally secured.

In an Oct. 30 post, Upguard said while the social media giant has tried to limit third-party access, “the data genie cannot be put back in the bottle. Data about Facebook users has been spread far beyond the bounds of what Facebook can control today.”

“Combine that … with storage technologies that are often misconfigured for public access, and the result is a long tail of data about Facebook users that continues to leak.”

The company added in the same post, updated 11 months after they first notified Cultura of the compromised data, that “to this day there has been no response.”

Vulnerabilities in the Fortnite platform affected 200 million gamers

Date reported: Jan. 16, 2019

Impact: About 200 million gamers worldwide

Security failure: Multiple vulnerabilities in the online platform

According to Check Point Research, hackers were able to gain access to user accounts through “multiple vulnerabilities in (owner) Epic Games’ online platform.” The vulnerability allowed a cross-site scripting (XSS) attack if a user clicked on a link sent by the hacker.

Check Point reported that the vulnerability could allow hackers to “take over the account of any game player, view their personal account information, purchase V-bucks, Fortnite’s virtual in-game currency, and eavesdrop on and record players’ in-game chatter and background home conversations.”

Check Point reported it to Epic Games, which patched the vulnerability.

The Elasticsearch breach exposed 108 million betting records

Elasticsearch cloud storage

Date reported: Jan. 21, 2019

Impact: 108 million betting records

Security failure: No password required for access to a server

An online casino group turned out to be a bad bet (sorry, couldn’t resist) for users when the records of their activities and personal information were stored on an Elasticsearch server that hadn’t been secured with a password.

ZDNet reported that security researcher Justin Paine found that the database contained players’ names, email addresses, home addresses, phone numbers, bets, wins, deposits, and withdrawals. There were also some credit card details, but they were partially redacted and therefore unusable to hackers.

Despite only one server being unsecured, it handled “a huge swath of information that was aggregated from multiple web domains, most likely from some sort of affiliate scheme, or a larger company operating multiple betting portals,” ZDNet reported.

Elasticsearch, described as a “portable, high-grade search engine that companies install to improve their web apps’ data indexing and search capabilities,” is meant to be kept on internal networks, not exposed online.

The company told Infosecurity that the data breach was “not related to defects or vulnerabilities in Elastic-developed software.” Instead, it occurred because “individuals or organizations have actively configured their installations to allow unauthorized and unauthenticated users to access their data over the internet.”

Which may have happened because those organizations failed to realize that they had to pay for Elastic’s security features.

“The free version of the software only includes the security options as a trial. You have to pay for the premium product to turn the security features on,” Infosecurity noted.
