Gone are the days of mega-breaches when a single security incident would dominate customer attention for weeks at a time. Throughout 2016, customers and users were distracted by a seemingly endless stream of organizations hit by devastating breaches.
Information security missteps of previous years caught up with many organizations. Technology companies Tumblr, MySpace, LinkedIn, Dropbox, Yahoo, and others were affected when user data and credentials from breaches that occurred years ago appeared on criminal forums.
Even those companies that avoided this fate were affected by the poor cyber-hygiene of their consumers. Security professionals have long advised users to set up different passwords on each website or service they use – with minimal success.
Companies that were not affected by their own incidents often implemented new protocol to prevent wide-scale login credential attacks.
February – Department of Homeland Security, Federal Bureau of Investigation. A hacktivist with an apparent grudge against U.S. government personnel kicked off the year by publishing personal information of approximately 9,000 DHS employees and 20,000 FBI employees. The data dump included names, titles, job descriptions, email addresses and contact information.
March – Seagate. An employee at Seagate was tricked by a spear-phishing email that asked the worker to send the W-2 data of all current and former employees. The data storage company employs more than 52,000 workers worldwide, but only its U.S. workers were involved in the security event. The exposed income tax data opens the employees to income tax refund fraud or identity theft.
May – ADP, U.S. Bancorp. Hackers used an ADP portal to register accounts posing as employees at clients of the payroll software company to steal W-2 data. Victims include employees at more than a dozen ADP client companies, including U.S. Bancorp.
May – LinkedIn. Login information from a 2012 LinkedIn data breach was found for sale on the dark web, prompting the professional networking site to reset user passwords. The hacked credentials included 167 million accounts but only 117 million of those accounts included email addresses and hashed passwords.
May – Tumblr. A security researcher found login credentials for 65 million Tumblr users on sale on a dark web forum. The breach occurred in early 2013 and was not disclosed by the social network until this May. The breached login credentials included email addresses and salted SHA1 hashed passwords. Tumblr required users to create new passwords.
May – MySpace. Login credentials of MySpace users were discovered on an online hacking forum in May. The stolen credentials included usernames, passwords and email addresses registered before June 11, 2013. MySpace did not disclose an exact number of victims compromised, but confirmed that the reported 360 million credentials for sale “appear to be correct.”
October – Modern Business Solutions. An unsecured internet-facing database set up by the data management firm Modern Business Solutions (MBS) was accessed by a remote attacker who discovered the open port on Shodan.io. The hacker published at least 58 million records, including full names, IP addresses, birth dates, email addresses, vehicle information and occupations of the breach victims.
August – Dropbox. Leakbase found login credentials of 68 million Dropbox users that hackers stole after a 2012 breach. The dataset was verified by security researcher Troy Hunt and included two sets of login usernames and hashed passwords; one of the datasets used bcrypt hashes, while the other used SHA1 hashes. In October, a 29-year-old Russian citizen was arrested in the Czech Republic and indicted for the breach of LinkedIn and Dropbox in 2012.
September –Yahoo. The technology company announced a breach of 500 million users that occurred in late 2014. Yahoo initially said the breach was believed to have been carried out by a state actor, although the claim was later disputed by a security research firm that reported that the attack was linked to the same group of Eastern Europeans who were responsible for the MySpace, Tumblr, Dropbox and LinkedIn breaches.