10 Largest Data Breaches in 2018


Data breaches compromised the personal information of millions of people around the globe in 2018. Data breaches are security incidents in which information is accessed without authorization. They can happen for a variety of reasons, e.g. hacking, data being mishandled or sold to third parties, holes in a website’s security system, etc.

The data breach that affected the largest number of users was against India's government ID database.

Here are the 10 biggest data breaches that were revealed this year, ranked by the number of users affected, according to businessinsider.com:

10. Facebook — 29 million

This breach affected highly sensitive data, including locations, contact details, relationship status, recent searches, and devices used to log in between July 2017 and September 2018.

“The hackers were able to exploit vulnerabilities in Facebook’s code to get their hands on ‘access tokens’ — essentially digital keys that give them full access to compromised users’ accounts.”

9. Chegg — 40 million

Personal data including names, email addresses, shipping addresses, and account usernames and passwords was affected. An unauthorized party gained access to a database that hosts user data for the American education company, according to ZDNet.

8. Google+ — 52.5 million

Private information on Google+ profiles was affected, including name, employer and job title, email address, birth date, age, and relationship status. A software glitch caused Google to expose the personal profile data of 500,000 Google+ users. Google has decided to shut down Google+ for good in April 2019.

7. Cambridge Analytica — 87 million

Facebook profiles and data identifying users’ preferences and interests were compromised. In 2015, a personality prediction app called “this is your digital life” improperly passed on user information to third parties that included Cambridge Analytica, a data analytics firm that assisted President Trump’s presidential campaign by creating targeted ads using millions of people’s voter data.

Only 270,000 Facebook users actually installed the app, but due to Facebook’s data sharing policies at the time, the app was able to gather data on millions of their friends.

6. MyHeritage — 92 million

This breach affected email addresses and encrypted passwords of users who have signed up for the service, as they were sitting on a private server somewhere outside of the company.

5. Quora — 100 million

The breach affected account info including names, email addresses, encrypted passwords, data from user accounts linked to Quora, and users’ public questions and answers. A “malicious third party” accessed one of Quora’s systems, according to Reuters.

4. MyFitnessPal — 150 million

Usernames, email addresses, and encrypted passwords were affected when an “unauthorized party” gained access to data from user accounts on MyFitnessPal, an Under Armour-owned fitness app.

3. Exactis — 340 million

Detailed information compiled on millions of people and businesses including contact details, personal interests and characteristics, and more was affected. A security expert spotted a database “with pretty much every US citizen in it” left exposed “on a publicly accessible server,” although it’s unclear whether any hackers accessed the information, according to WIRED.

2. Marriott Starwood hotels — 500 million

Guest information including phone numbers, email addresses, passport numbers, reservation dates, and some payment card numbers and expiration dates was compromised by hackers who accessed the reservation database for the hotel chain and copied and stole guest information.

1. Aadhaar — 1.1 billion

This breach affected private information on Indian residents, including names, their 12-digit ID numbers, and information on connected services like bank accounts. India’s government ID database, which stores citizens’ identity and biometric info, experienced “a data leak on a system run by a state-owned utility company Indane.” Indane hadn’t secured its API, which is used to access the database, giving anyone access to Aadhaar information, according to ZDNet.