The Biggest Leaks of 2013: No Occasional Victims

Media called 2013 the ‘year of personal data leaks’, and for a good reason: last year credentials of hundreds of people fell into the wrong hands. In this post, we

Media called 2013 the ‘year of personal data leaks’, and for a good reason: last year credentials of hundreds of people fell into the wrong hands. In this post, we will list the largest incidents of this kind and try to find patterns amongst them.

It started with longstanding attacks on The New York Times and The Washington Post by – presumably – the Chinese hacker group APT1, who is reportedly tied to the government of China. Attackers eventually got away with hashed passwords of all NYT employees.

Twitter was even less lucky: an attack reported in February resulted in a leak of approximately 250 thousand users’ passwords. According to Twitter’s representatives, however, passwords were ‘salted’, which meant they were not easy to crack. Still, passwords had been reset as well as session tokens.

Also in February, the Federal Reserve acknowledged that notorious hacktivists, Anonymous, penetrated several governmental servers and hauled (in order to publish almost immediately) the personal data of 4600 major bank executives. That data included logins, IP addresses and some contact data.

Evernote notified its 50 million users to change their passwords in March, due to a successful intrusion into the company’s internal networks. Intruders managed to get access to logins, associated emails and password hashes, which Evernote fortunately had stored with ‘salt’.

Also in March, a large grocery network, Schnucks Market, suffered a formidable leak of payment data: cybercriminals planted malware into POS terminals in at least 79 stores of the network, which intercepted credit cards data before it got encrypted by Schnucks processing. At least 2 million cards could be compromised.

In April, hackers accessed the personal data of at least 50 out of 70 million users of LivingSocial service – names, email addresses, birthdays and encrypted passwords. No payment data was compromised, but then again, any stolen personal data can be valuable for criminals. For instance, they can used it in spear-phishing attacks.

Last year we wrote about an incident with a popular Drupal CMS: at least one million passwords could have been compromised. Drupal immediately notified its CMS users about the breach and recommended that they change their passwords ASAP.

The Washington State Court System acknowledged that up to 160 Social Security numbers had been compromised due to a breach, along with 1 million driver’s licenses. The situation was further aggravated by possible reputation damage: the data regarding people being booked into city or county jails in 2011-2012 and citizens indicted for DUI between 1989 and 2012 were leaked. It’s easy to imagine how such compromising data can be (mis)used by criminals.

Yahoo! Japan‘s administrator’s panel had been compromised in May 2013, with IDs of 22 million users possibly accessed. However, intruders failed to get any passwords.

Japanese Club Nintendo, however, was less lucky: hackers compromised users’ full names, phone numbers, mail and email addresses. Payment data had been stored separately, so it remained beyond intruders’ reach. Interestingly, it took quite some time for intruders to get in: between June 9th and July 4th they made at least 15 million attempts to get inside, with 24 thousand unauthorized logins eventually registered. The number of possible victims isn’t disclosed. The incident was isolated to Japan only.

Adobe suffered a leak of large proportions in August: personal and payment data of 38 million people (according to final estimates) had been stolen, along with source codes of Adobe’s multiple products – including Adobe Acrobat, ColdFusion, ColdFusion Builder and some others.

midpic1Experts from Hold Security company later announced they have discovered over 40 Gigabytes of encrypted archives containing leaked source codes – at servers associated with hackers who earlier attacked LexsNexis, Kroll, NW3C and some other resources. Adobe only reported the incident in October.

In November the MacRumors forum had been attacked with hackers accessing names, passwords and mail addresses of up to 860 thousands forum users. Fortunately passwords were hashed but MacRumors administrators claimed that with contemporary computing powers short passwords could be brute-forced with relative ease.

Criminals apparently hacked moderator’s account to elevate their privileges and get the access they needed.

70 million users’ data from Target Corporation retail stores had been stolen at the end of 2013. As with Schnucks Market, POS malware had been used, which intercepted data right from payment terminals. At first, 40 million credit and debit cards were reported stolen, along with CVV-codes and PINs. Later it became clear that even more people were affected: stolen names, mail addresses and phone numbers added up to approximately 70 million potential victims. It was an outright disaster for Target, both financially and in reputation.

In reference to all said above, two principal patterns can be observed. First: there were no occasional victims. All leaks were the result of focused actions, sometimes quite long-standing. Second: large-scale leaks have become somewhat ‘normal’, although none of those in 2013 could beat Heartland Payment Systems break-in of 2009, which resulted in 130 million credit card numbers being stolen.

Media called 2013 the ‘year of personal data leaks’, and for a good reason: last year credentials of hundreds of people fell into the wrong hands.

The good news: companies have shown at least some progress in the protection of users’ data. In the most cases, passwords and payment data had been encrypted/hashed/salted. But is it enough? Criminals today are interested in any personal data – since any of them can be used to harm someone. Most people tend to share their personal data online in troves (look at social networks!), and it’s not rocket science for a cybercrook to mine enough personal data about almost anyone in order to launch a successful spear-phishing attack.

This means that any personal data requires strong protection.

Security must include all possible options: encryption of data at any given point (as we observed with Target and Schnucks cases, criminals are capable of intercepting data straight from payment terminals), scrupulous audit of third-party software if there is one, automatic protection tools such as our Automatic Exploit Prevention which disallow exploiting any vulnerabilities, including 0days.

And, then again: personnel – and users – need education, need to learn the ABCs of security over the web: unique, long, non-repeating passwords. Users’ efforts are required (even though users themselves may think otherwise), but it’s the best way to prevent problems from happening.