Web privacy company vpnMentor recently published one of those infographics that marketing people like under the somewhat clickbaity title "The Most Shocking Personal Data Hacks of All Times." It lists 11 large data hacks that happened over the last five years affecting over 5 billion accounts.
Although the graphic's focus is on the consumer side of the intrusions, when reading between the lines there are reminders of best security practices for IT professionals who are charged with keeping their customers' data secure and out of harm's way.
With this in mind, we're looking at five of the six largest breaches on the list, with an eye on what this means for IT pros.
The Yahoo breach should have come as no surprise to anyone. The company had a habit of neglecting valuable properties it purchased, and it turned out its treatment of security was no different. There were more than a few surprises found within the Yahoo breach, however, starting with the magnitude of the hack. In all, the attackers got data on 3 billion accounts, which represented every single account on Yahoo's servers.
There were actually two breaches. The first to be discovered, affecting 500 million users, occurred in 2014 and wasn't discovered until September 2016. The mother lode, however, was an intrusion that began a year earlier, in 2013, and wasn't found until February 2017. At first, that breach was thought to have affected about a billion accounts, but after Verizon took control of the company, it revealed in October that it had affected 3 billion accounts.
What was stolen: Names, email addresses and passwords were taken, but not financial information.
Who was responsible: In March 2017, the Department of Justice indicted three Russians, two of whom were Federal Security Service (FSB) agents, as well as a Canadian resident, for the breaches. Only the Canadian has been taken into custody. He pleaded guilty in November for his role in the incident and is scheduled to be sentenced on Feb. 20.
Details of attack: Hackers used forged cookies to gain access to user accounts without a password.
Lesson for IT pros: The issue here isn't so much the weakness the attackers found to exploit, but the fact that it took Yahoo four years to discover the intrusion. This illustrates the importance of security teams being proactive about looking for evidence of intrusions and not merely passively waiting for intrusion detection software to sound the alarm.
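One way to hunt for the forged-cookie pattern described above is to reconcile the sessions the login service actually issued against the sessions seen in web access logs. This is an added example, not code from the original article or from Yahoo; the log formats and sample lines are constructed for illustration.

```python
"""Flag session cookies seen in access logs that the login service never issued."""
import re

# Constructed sample logs; the formats are hypothetical.
ISSUED_SESSIONS = """\
2016-09-01T08:00:01Z issue user=alice sid=s-1001 ip=203.0.113.5
2016-09-01T08:05:42Z issue user=bob   sid=s-1002 ip=198.51.100.7
"""

ACCESS_LOG = """\
2016-09-01T08:00:05Z GET /mail/inbox sid=s-1001 ip=203.0.113.5
2016-09-01T08:06:00Z GET /mail/inbox sid=s-1002 ip=198.51.100.7
2016-09-01T09:12:13Z GET /mail/inbox sid=s-7777 ip=192.0.2.44
2016-09-01T09:12:20Z GET /mail/export sid=s-7777 ip=192.0.2.44
2016-09-01T10:30:00Z GET /mail/inbox sid=s-1001 ip=192.0.2.99
"""

ISSUE_RE = re.compile(r"issue user=(\S+)\s+sid=(\S+) ip=(\S+)")
ACCESS_RE = re.compile(r"(\S+) (\S+) (\S+) sid=(\S+) ip=(\S+)")

def parse_issued(text):
    """Map sid -> (user, ip) for every session the login service minted."""
    issued = {}
    for line in text.splitlines():
        m = ISSUE_RE.search(line)
        if m:
            user, sid, ip = m.groups()
            issued[sid] = (user, ip)
    return issued

def find_suspicious(issued_text, access_text):
    """Return (sids never issued by the login service, sids used from a different IP).

    A session that was never issued but is accepted by the app is the signature
    of a forged cookie. IP drift is weaker evidence (mobile users roam), so it
    is reported for review rather than treated as proof.
    """
    issued = parse_issued(issued_text)
    never_issued, ip_drift = set(), set()
    for line in access_text.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue
        _ts, _method, _path, sid, ip = m.groups()
        if sid not in issued:
            never_issued.add(sid)
        elif issued[sid][1] != ip:
            ip_drift.add(sid)
    return sorted(never_issued), sorted(ip_drift)

if __name__ == "__main__":
    print(find_suspicious(ISSUED_SESSIONS, ACCESS_LOG))
```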
River City Media
Here's a case that proves even bad guys have to worry about bad guys. River City Media was a bad apple that passed itself off as a legitimate marketing firm while sending up to a billion emails daily. In other words, it was a spammer.
What was stolen: The company had amassed a database of 1.4 billion email accounts, complete with real names, user IP addresses and sometimes physical addresses -- all of which should now be presumed to be in the hands of other bad guys.
Who was responsible: In this case, River City Media pretty much did itself in by placing the database online, unprotected by a password or any other measure, giving open access to anyone online.
Details of attack: A researcher with MacKeeper Security Research Center stumbled on the unprotected database in January 2017 and enlisted the aid of the security organization Spamhaus and cybersecurity news site CSO Online to investigate. Emails from River City have now been blacklisted, meaning they won't get through to online email services such as Gmail or to corporate email servers employing a watchdog agency to keep an eye on incoming mail.
Lesson for IT pros: Unfortunately, failure to lock valuable data behind at least a password requirement is not uncommon. Several large data breaches have revolved around the low-hanging fruit of unprotected, public-facing data. Whenever data files are created, moved or copied to a new location, at the very least it's prudent to log out of the system and then attempt to access the data again, to confirm that the security precautions actually took effect.
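The "log out and try again" check above can be scripted so it runs every time a data set is moved. This is an added example, not code from the original article; it assumes the data is served over HTTP with basic auth, and the `fake_server` fetcher is a constructed stand-in so the script runs offline. The authenticated request is a positive control: if it fails too, the check proves nothing about the access control.

```python
"""Verify that a freshly moved or copied data set is denied to anonymous callers."""
import base64
from urllib.error import HTTPError
from urllib.request import Request, urlopen

def http_fetch(url, auth=None):
    """Real fetcher: GET url with optional (user, password) basic auth -> (status, body length)."""
    req = Request(url, method="GET")
    if auth:
        token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
        req.add_header("Authorization", f"Basic {token}")
    try:
        with urlopen(req, timeout=10) as resp:
            return resp.status, len(resp.read())
    except HTTPError as e:
        return e.code, 0

def check_exposure(url, auth, fetch=http_fetch):
    """Return a dict with the anonymous status and a verdict.

    control_ok must be True for any verdict to mean anything: if the
    credentialed request also fails, the URL is wrong or the service is down.
    """
    auth_status, auth_len = fetch(url, auth)
    anon_status, anon_len = fetch(url, None)
    result = {"control_ok": auth_status == 200 and auth_len > 0,
              "anon_status": anon_status}
    if not result["control_ok"]:
        result["verdict"] = "inconclusive"
    elif anon_status == 200 and anon_len > 0:
        result["verdict"] = "EXPOSED"          # the River City Media mistake
    elif anon_status in (401, 403):
        result["verdict"] = "protected"
    else:
        result["verdict"] = "review"           # redirects, anonymous 404, etc.
    return result

# Constructed fake server so the example runs offline.
def fake_server(url, auth):
    if url.endswith("/backup/customers.csv"):
        return (200, 4096)                     # no auth check at all
    if url.endswith("/export/customers.csv"):
        return (200, 4096) if auth == ("ops", "s3cret") else (403, 0)
    return (404, 0)

if __name__ == "__main__":
    for path in ("/backup/customers.csv", "/export/customers.csv", "/missing.csv"):
        print(path, check_exposure("https://example.internal" + path, ("ops", "s3cret"), fake_server))
```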
You might be excused for thinking that an adult entertainment and dating outfit would employ all of the best security practices known to man and then put attack-trained dobermans on the scene -- just to make sure that "what happens in Vegas stays in Vegas." You'd be wrong. When the adults-only site was breached in late 2016, a lot of cheating spouses were unhappy to learn their passwords had been stored either in plain text, or hashed with the obsolete and easily cracked SHA-1. The resulting divorce count is unknown.
What was stolen: User names, emails and passwords of over 412 million accounts, including some accounts that users had deleted. This included data from six databases and the sites Adult FriendFinder, Cams.com and Penthouse. The last was especially problematic for the company, since it no longer owned the Penthouse site, having sold it to Penthouse Global Media.
Who was responsible: The perpetrators in this event remain unknown.
Details of attack: Reportedly, the hackers took advantage of a local file inclusion exploit, which gave them access to all of the network’s sites.
Lesson for IT pros: As with the Yahoo data hacks, the big issue isn't that hackers found a weakness to exploit to get into the system. In this case it was the nonexistent or pathetically weak protection of the stored passwords (plain text or SHA-1 hashing). The company also should not have been holding on to Penthouse data that was no longer useful to it, for obvious reasons.
This 2017 breach at Equifax was potentially one of the two most damaging breaches in the history of cybersecurity, the other being the recent Experian fiasco. It's also one of the most puzzlingly boneheaded. The credit agency that keeps detailed records on just about everyone in the U.S. was hacked because it failed to apply a critical patch that had been issued several months earlier.
Although Equifax hasn't said so, it also appears that the purloined data was not encrypted. As Andrew Lewman of Owl Cybersecurity told the Denver Post, if the data were encrypted, Equifax would have probably said so. In cases like this, silence isn't golden.
What was stolen: In total, the records of 143 million households were affected, including up to 44 million UK residents. Included were Social Security numbers, birth dates, addresses, driver’s licenses and credit card information -- pretty much everything necessary for identity theft.
Who was responsible: That remains anybody's guess, although there have been grumblings that this might have been a state-sponsored attack involving China.
Details of attack: Equifax failed to apply a patch for an Apache Struts security vulnerability that was released in March, two months before the intrusion took place.
Lesson for IT pros: Patch, patch, patch. By the time a patch is issued to address a security issue, the bad guys are completely aware of the vulnerability and how to exploit it.
Although this video site's breach was ranked in sixth place by size on vpnMentor's infographic, it's been pushed up to the fifth position here because in spite of the breach, it indicates a degree of security done right -- if not for one little problem.
Here, most of the passwords that would allow access to the user accounts were not merely hashed but hashed with bcrypt, a deliberately slow password-hashing function, meaning it could take years or decades to brute-force a password. Unfortunately, about 20 percent of the passwords weren't protected at all and were stored in plain text.
What was stolen: Information on 85.2 million users was taken, which included email addresses, user names and hashed passwords.
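The contrast between this site's bcrypt hashes and the plain-text and SHA-1 passwords in the Adult FriendFinder breach comes down to cost per guess, and to migrating the weak records. This added example (not code from the original article or either company) uses the standard library's PBKDF2 as a stand-in for bcrypt, since bcrypt is not in the Python standard library; the property that matters, a tunable work factor per guess, is the same. It also upgrades a legacy SHA-1 record transparently on the next successful login.

```python
"""Slow, salted password hashing with transparent upgrade of legacy SHA-1 records."""
import hashlib, hmac, os, time

ITERATIONS = 200_000   # work factor; raise it as hardware gets faster

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2$<iters>$<salt-hex>$<hash-hex>'. Per-user salt: equal passwords differ."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2${iterations}${salt.hex()}${digest.hex()}"

def legacy_sha1(password: str) -> str:
    """The weak scheme from the breach: unsalted, same input gives same output, instant to compute."""
    return "sha1$" + hashlib.sha1(password.encode()).hexdigest()

def verify(password: str, stored: str):
    """Return (ok, upgraded_record_or_None). Weak or under-cost records are re-hashed on success."""
    scheme, _, rest = stored.partition("$")
    if scheme == "sha1":
        ok = hmac.compare_digest(legacy_sha1(password), stored)
        return ok, (hash_password(password) if ok else None)
    if scheme == "pbkdf2":
        iters, salt_hex, hash_hex = rest.split("$")
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        ok = hmac.compare_digest(digest.hex(), hash_hex)   # constant-time comparison
        upgrade = hash_password(password) if ok and int(iters) < ITERATIONS else None
        return ok, upgrade
    return False, None

def cost_ratio(password: str = "correct horse", rounds: int = 5) -> float:
    """How many times slower one slow-KDF guess is than one SHA-1 guess on this machine."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        legacy_sha1(password)
    t_sha = (time.perf_counter() - t0) / rounds
    t0 = time.perf_counter()
    for _ in range(rounds):
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"fixed-salt", ITERATIONS)
    t_kdf = (time.perf_counter() - t0) / rounds
    return t_kdf / t_sha

if __name__ == "__main__":
    ok, upgraded = verify("hunter2", legacy_sha1("hunter2"))   # legacy login, gets upgraded
    print(ok, upgraded[:16], verify("hunter2", upgraded))
    print(f"one guess is ~{cost_ratio():.0f}x more expensive with the slow KDF")
```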
Who was responsible: Unknown.
Details of attack: Evidently, data thieves were able to enter through a vulnerable application on the site.
Lesson for IT pros: No matter how well servers are protected, eventually someone's going to find an opening and get into your system. Additional security measures are necessary to make sure that once inside, intruders will still find it difficult to access valuable data. This might seem like a no-brainer, but as we've seen, it's a lesson that some have had to learn the hard way.
The takeaway from this list is that there's no such thing as software without vulnerabilities, which means there's not a system that can't be cracked. That makes second and third lines of defense crucial, to mitigate any damage that can be done once a determined intruder manages to get inside.