8 Biggest Password Breaches of 2018
Unfortunately, 2018 revealed that many companies are not prepared for cyber-attacks and cannot protect our personal information as a lot of massive data breaches that exposed data belonging to millions of users around the world happened last year. However, in this article, we will concentrate only on the password breaches that among other sensitive information exposed users’ passwords and so may have compromised their accounts. Naturally, if we cannot trust organizations to keep our data safe, it is only up to us ourselves to protect our privacy. Of course, even if you take all recommended precautions, the risk of your sensitive data being compromised is still there. The difference is that if you take action, you can lessen the risk of your private information being stolen by hackers and one of the ways of doing it is setting up unique passwords. If you are not sure how to create passcodes that would protect your accounts along with the information stored on them, we invite you to read our full article, as further in it, we will tell how to secure and strengthen passwords.
For starters, we would like to present the most significant password breaches that occurred last year. Understanding how these attacks occur is necessary in order to understand what might get compromised during them or what to do if you are affected by such attacks. Thus, without further ado, we give you the top 8 password breaches of 2018.
MyFitnessPal is used by many people who seek recipes, motivation, and other means to reach their fitness goals. Sadly, the application’s users learned it was hit by a password breach on March 29. Its owners revealed it is possible the attack occurred in late February, which means it took about a month for the company to realize what has happened. Some data breaches take months, or even years to be discovered, so it is not as bad as it may sound. Especially, when some of the data that got stolen might take years of deciphering. Apparently, MyFitnessPal is using a robust password hashing mechanism that makes it nearly impossible to crack passcodes secured by it. Still, to be on the safe side, users are encouraged to replace their passwords. This way even if the cybercriminals ever find the means to decipher hashed data, it would become worthless.
Besides hashed passwords, the cybercriminals were able to obtain email addresses and usernames of approximately 150 million application’s users. Cybersecurity experts advise keeping an eye on the content users might receive via the compromised emails. Perhaps, the attackers will be unable to hack the account if it has a complex password, but it will not stop them from sending phishing emails to it or selling the address to various scammers.
At the end of 2018 around 100 million Quora’s, popular question-and-answer website’s, users were warned about their data being hacked. According to the company’s security update, their systems were accessed by a malicious third party. During the password breach, the cybercriminals behind it were able to steal a lot of various user data, for example, users’ names, email addresses, data imported from linked networks, and encrypted passwords. Same as MyFitnessPal, Quora is using a complex hashing algorithm that turns all users passwords stored in their systems into random data. To be more precise, hashed passwords cannot be read and need to be deciphered first, but in case a strong hashing mechanism (e.g., hashing with salting) is used, it becomes challenging and costly to do so. On the other hand, users should realize the hackers might be able to crack their passcodes without decrypting them if they are easy to guess. Meaning, knowing your username the attackers could try dictionary passwords like pasword123 or 123456. It is best not to take any chances with weak passwords and replace compromised combinations right away.
Those of you who ever tried finding your ancestors with the help of the online genealogy platform known as MyHeritage might have heard about a data breach that was discovered in June. This password breach affected about 92 million users. The interesting part is the company learned about the attack not by noticing anything unusual on their systems, but by accidentally coming across a database titled myheritage. It was sent to the platform’s owners by a cybersecurity researcher who located it on a private server, owned by someone outside the organization. What’s more, the research revealed the database contained email addresses and hashed passwords of all users who registered to MyHeritage up to October 26, 2017. Luckily, no payment information was found as the company relies on third-party services to handle their users’ payments. As for DNA data and family trees, they are safe as well as such information is kept on a server separate from the one containing usernames and hashed passwords. Thus, users ought to simply change their passwords just in case, and they should have nothing to worry about. You can also read more about this on our blog post.
Chegg is an education technology company Based in the United States. It specializes in online textbook rentals, online tutoring, internship matching, and homework help. Nonetheless, it looks like the organization may need to be educated itself both on its cybersecurity and communication practices. The password breach it experienced might have compromised around 40 million accounts. Chegg representatives took their time to notify the public and the platform’s users about the incident as according to Phil Hill, a cybersecurity expert, they waited for a week after filling the needed SEC form. Moreover, the breach was discovered on September 19, which could be months after the password breach actually happened, since the research shows it might have occurred on April 29. The information taken includes names, email addresses, shipping addresses, usernames, and hashed passwords. In this case, it is unknown how safe the stolen passwords might be as the company does not say what hashing algorithm was used to protect them.
As you can see by now, hackers steal data from wherever they can, and online clothing stores is not an exception. Those who like shopping via SHEIN, a popular fashion retailer in the United States, have learned this on September 21 as the company notified the public about experiencing a password breach. It is said the actual incident took place in June. Also, the organization’s report revealed there were backdoors in the SHEIN servers that allowed cybercriminals to drop malware on the system. Naturally, the malicious software has been removed, and the website is working with cybersecurity experts to prevent anything like this from happening in the future. The number of compromised accounts was around 6.42 million. It would seem the attackers were able to obtain users’ email addresses and encrypted passwords. Given it is not disclosed what encryption algorithm was used, it would be wise to change the compromised password as fast as possible. More information on what happened, and what affected users should do, can be found in this FAQ article.
Another company that made it to the list is a well-known multinational corporation that designs and manufactures shoes, clothing, and accessories. Adidas announced the discovery of a data breach affecting users who purchased from adidas.com/US on June 26. The announcement did not say how many users, in particular, were affected, but according to CBS News, the organization’s spokesman estimated it could have been a few million users. As for the data that might have been obtained by cybercriminals, it is said it could have been users’ contact information, usernames, and encrypted passwords. All affected users were being notified about the incident via email. Changing the compromised password is most likely the best course of action as the company does not say how strong the encryption algorithm was and whether it could have efficiently protected adidas.com/US users’ passcodes.
T-Mobile, the United States based wireless network operator, was also not prepared for cyber-attacks as it experienced a password breach on August 20. According to Motherboard specialists, the company’s representatives claimed the attack affected around 2 million users and that no passwords were compromised, although later on the organization’s representative admitted that the hackers were able to obtain encrypted passwords. Cybersecurity experts advise users affected by the breach to assume their passwords were cracked already and to change them right away as they discovered the company used a rather weak encryption method. T-Mobile’s announcement does not urge users to change their passwords, although it is said: “As a reminder, it’s always a good idea to regularly change account passwords.” The mentioned statement can be found in the FAQ section. We want to add that it is just as important to know how to secure and strengthen passwords and we will discuss it shortly below this list.
8. MBM Company Inc.
The last organization in our list compromised information belonging to approximately 1.3 million users. MBM Company Inc. is a Walmart partner, which operates Limoges Jewelry. The company used a misconfigured Amazon S3 bucket (Amazon storage service) that created an opportunity for hackers to breach the organization’s systems and steal their customer’s personal information. The incident was reported by Kromtech cybersecurity experts, who discovered a file containing users’ names, addresses, zip codes, phone numbers, email addresses, IP addresses, and passwords. The most shocking discovery was that the passwords were in plain text or, to be more precise, they were not encrypted in any way and could be easily read. Unfortunately, in such cases, even knowing how to secure and strengthen passwords might be useless.
Now that we have presented the most significant password breaches of 2018, it is time to talk about how to protect your privacy and what precautions you can take to lessen the damage you could receive during such an incident. The first golden rule is not to share personal information like names, email addresses, or telephone numbers with websites that cannot guarantee such information’s safety. How to know if the company can protect your privacy? We recommend doing a little research about its privacy protection practices. Even if the organization experienced a data breach before, it does not mean it can no longer be trusted.
On the contrary, some companies value their reputation and do all in their power to make sure their customers’ information will never get compromised again. In other words, it says a lot about how organizations handle such incidents, whether they notify their users right away, invest in hiring experts, and so on. In case you do not know if the company will handle your information with care, you should not use your main email address and provide as little data as you can.
Another thing you should always keep in mind is that if your email address or telephone number ever get compromised, you ought to monitor the content received with emails or text messages. As you see, if such information gets into the hackers’ hands there is no knowing of how it could be used. The cybercriminals may even sell it to multiple parties, and as a result, your email address or telephone number could be used for various purposes, for example, to attempt to scam you or spread malware. We do not say you have to fear every message or email you receive, but it would be wise to be cautious if such content comes from unknown sources or raises suspicion.
Next, to make it more difficult for hackers to access your accounts, you should always use complex passwords. As we mentioned earlier, even if the breached website stores only encrypted passwords, it does not mean your account will be safe if you are using a weak password. In other words, the cybercriminals could brute-force it. Consequently, to ensure maximum protection it is necessary to use strong passwords. For users who cannot come up with complex combinations on their own or fear they will forget them, we advise using a dedicated password manager. For instance, Cyclonis Password Manager has an integrated Password Generator that creates unique passcodes from the chosen length and characters. Its complexity bar also shows how secure the combination is so you can alter your choices till your password is strong enough. Meaning while using it, you do not have to worry about how to secure and strengthen passwords as the application does it for you.
Cyclonis can also remember passcodes, so you do have to memorize them yourself. Plus, it analyzes all saved passwords to estimate your Total Strength Score and tell you which of your login credentials might need to be changed to ensure maximum security. Of course, the application can be handy not only when creating new passwords, but also when replacing old ones, which is usually necessary in case of password breaches. The user affected by a data breach should replace not only the compromised account’s password but also all other accounts’ passcodes if they share the same or similar combination. Cybercriminals know that many people tend to use the same or just slightly different login credentials everywhere, so if they obtain your username or password, they might use this information to look for your other possible accounts and hack into them. This is why it is best to use unique passwords and usernames.
Lastly, we highly recommend using extra safety features some web pages provide. Quite a lot of social media platforms and email providers can offer Two-Factor Authentication options. For example, Cyclonis offers Two-Factor Authentication via email; it is when a user can log in only after providing a verification code sent to his email address. Another example is Facebook’s Login Notifications feature. Users who enable it can get alerts when someone tries to log in to their accounts from unknown devices (e.g., phones or computers the account’s owner never used before). As the problem of protecting users’ accounts and personal information on them keeps growing more and more, companies integrate various features to help prevent it, so checking up for new safety features you could take advantage of is highly advisable if you wish to protect your privacy.
All in all, 2018 proved to be a challenging year for a lot of companies that were not ready for cyber-attacks, such as password breaches. Hopefully, more and more organizations will take the necessary means to ensure they keep their users’ sensitive data protected in 2019. However, all of us should do our part as well in making sure our personal information does not get into the wrong hands. Many users are concentrated on protecting their banking information or sensitive data alike, but attacks on, for example, social media websites or fitness applications, only prove that any piece of information is valuable to hackers. Therefore, we highly recommend asking yourself if your information will be safe every time you provide it to a website, as well as making use of tips on how to secure and strengthen passwords discussed in the article.