Have you been victim to a data breach?
As we enter 2023 the number of pwned accounts on the website “Have I Been Pwned” keeps growing. Data breaches have become more commonplace in recent years, and each one exposes hundreds of millions of people to phishing and brute force attacks. Personally I’m hopeful that Zero Knowledge Proofs will contribute towards the web3 revolution and begin to ease some of the massive concerns around the amount of data third-party providers hold on us. With that said, let’s take a look at some of the largest company data breaches that happened in recent years (starting with the smallest number of records).
#8 DoorDash Data Breach (367k Records)
Incident Date: Aug 2022
DoorDash starts off our list with a “mere” 367,000 records stolen. In August 2022 the food ordering and delivery service disclosed a data breach that impacted a portion of its customers. DoorDash attributed the breach to an unnamed “third-party vendor” which it stated was the victim of a phishing campaign. The incident exposed 367k unique personal email addresses alongside names, postcodes and partial card data, namely the brand, expiry date and last four digits of the card.
#7 SlideTeam Data Breach (1.4m Records)
Incident Date: April 2021
In April 2021, the “world’s largest collection of pre-designed presentation slides” SlideTeam had 1.4M records breached; the data was published to a popular hacking forum the following year. Allegedly sourced from a compromised Magento instance, the data included names, email addresses and passwords stored as salted hashes.
#6 CoinTracker Data Breach (1.5m Records)
Incident Date: Dec 1st, 2022
In December 2022, the crypto and NFT tax service CoinTracker reported a data breach that impacted over 1.5M of its customers. The company later attributed the breach to a compromise at SendGrid in an attack that targeted multiple customers of the email provider. The breach exposed email addresses and partially redacted phone numbers, with CoinTracker advising that the latter did not originate from its service.
#5 Gemini Data Breach (5.7m Records)
Incident Date: Sept 2022
In late 2022, data allegedly taken from the Gemini crypto exchange was posted to a public hacking forum. The data consisted of email addresses and partial phone numbers, which Gemini later attributed to an incident at a third-party vendor (the vendor was not named). The data was provided to HIBP by a source who requested it be attributed to “ZAN @ BF”. An early attempt to monetise the database was made in September. The seller did not mention how fresh the information was but asked for 30 bitcoins (about $520,000 at the current exchange rate).
#4 LastPass Data Breach (30m users)
Incident Date: Aug 2022
An unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of its production data. Based on the investigation to date, it became clear that an unknown threat actor accessed a cloud-based storage environment leveraging information obtained from the incident LastPass had previously disclosed in August 2022. While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from LastPass’s development environment and used to target another employee, obtaining credentials and keys which were then used to access and decrypt a backup of ALL customer vaults.
This means the hackers are in possession of over 30 million customer vaults. It also became apparent that not all data housed within LastPass vaults is actually encrypted, meaning anything within the notes and URL fields of a password entry is viewable in plain text.
#3 Twitter Data Breach (200m Records)
Incident Date: 2021-current (data gradually released by hackers)
In early 2023, over 200M records scraped from Twitter appeared on a popular hacking forum. The data was obtained sometime in 2021 by abusing an API that enabled email addresses to be resolved to Twitter profiles. The results were then compiled into a corpus containing email addresses alongside public Twitter profile information including names, usernames and follower counts. These data sets were created in 2021 by exploiting a Twitter API vulnerability that allowed users to input email addresses and phone numbers to confirm whether they were associated with a Twitter ID. Initial price tags for the data were in the region of $30,000, but today it can be obtained for a mere $2.
#2 Deezer Data Breach (240m Records)
Incident Date: 2019 – Current
In late 2022, the music streaming service Deezer disclosed a data breach that impacted over 240M customers. The breach dated back to a mid-2019 backup exposed by a third-party partner, which was subsequently sold and then broadly redistributed on a popular hacking forum. Impacted data included 229M unique email addresses, IP addresses, names, usernames, genders, dates of birth and the geographic location of the customer.
Based on the data breach investigation report by RestorePrivacy, the exposed information includes: first and last names, dates of birth, email addresses, gender, location data (city and country), join date and user ID. According to Deezer, no passwords or payment details were compromised as a result of this attack.
#1 Facebook Data Breach (500m Records)
Incident Date: June 2020 – Current
The biggest data breach for a single company is Facebook. The stolen data first surfaced on a hacking community in June 2020 when a member began selling the Facebook data to other members. What made this leak stand out was that it contained member information that can be scraped from public profiles together with the private mobile numbers associated with the accounts. In April 2021, a large data set of over 500 million Facebook users was made freely available for download. Encompassing approximately 20% of Facebook’s users, the data was allegedly obtained by exploiting a vulnerability Facebook advises it rectified in August 2019. The primary value of the data is the association of phone numbers to identities; whilst each record included a phone number, only 2.5 million contained an email address. Most records contained names and genders, with many also including dates of birth, location, relationship status and employer.
What to do if you have been a victim?
The cost of a data breach can be enormous for some people; this isn’t purely about finances but includes aspects of their identity as well. You should begin immediately resetting any passwords, ensuring you keep to best practices. Start with any passwords that would provide access to financial data (e.g. banks, crypto wallets, stock exchanges), moving on to sites where you might hold personal data (e.g. email, file storage, government websites, doctors). When resetting your password, use a combination of letters, numbers, uppercase and lowercase characters and keep your password length above 12 characters.
As a final note, there is no “data breach prevention” we can practise as end users. The best we can do is be vigilant, not re-use passwords and keep up to date on the minimum requirements; you also might want to consider using a password manager.
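As an added example (not code from the original article), here is a small Python checker that applies the password guidance above and shows how a breached-password lookup works with the k-anonymity range scheme used by Have I Been Pwned’s Pwned Passwords API: only the first five characters of the password’s SHA-1 hash are sent, and the match happens locally. The range response below is constructed sample data rather than a real API result, and its breach counts are illustrative.

```python
import hashlib
import re

# Constructed sample of a Pwned Passwords "range" body for SHA-1 prefix 5BAA6
# (the real API answers GET /range/{prefix} with "<35-hex suffix>:<count>" lines).
# The first suffix is the real remainder of SHA-1("password"); counts are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\r\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "0000000000000000000000000000000AAAA:12",
        "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1",
    ]),
}

def sample_lookup(prefix: str) -> str:
    """Stand-in for the HTTPS call; unknown prefixes get an empty body."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """5-char prefix that is sent to the server, 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def breach_count(password: str, range_lookup=sample_lookup) -> int:
    """Times the password appears in the corpus (0 if absent); the suffix
    comparison happens on the client, so the full hash is never sent."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        line_suffix, _, count = line.strip().partition(":")
        if line_suffix == suffix:
            return int(count)
    return 0

def policy_failures(password: str) -> list[str]:
    """Article's guidance: longer than 12 chars with upper, lower and digits.
    Returns the failed rules; an empty list means the password passes."""
    failures = []
    if len(password) <= 12:
        failures.append("length must be greater than 12 characters")
    for name, pattern in (("uppercase", "[A-Z]"), ("lowercase", "[a-z]"), ("digit", "[0-9]")):
        if not re.search(pattern, password):
            failures.append(f"missing {name} character")
    return failures

def assess(password: str, range_lookup=sample_lookup) -> dict:
    """Acceptable only if never seen in a breach and the composition rules pass."""
    count = breach_count(password, range_lookup)
    failures = policy_failures(password)
    return {"breach_count": count, "policy_failures": failures,
            "acceptable": count == 0 and not failures}
```

Swapping `sample_lookup` for a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` turns this into a live check that still never transmits the password or its full hash.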
Something in the article piqued your interest? We’re never more than a contact form or a quick call away, so please don’t hesitate to get in touch!