Reddit hit by data breach after hackers hijack SMS login system
We’re now more than halfway through 2018 and the number of data breaches is ramping up. This year has seen more third-party services being breached and customer data stolen from multiple companies in one go. We’re charting the biggest data breaches and privacy flaws, and the fines resulting from them throughout the year.
The latest firm to admit it has been hacked is Reddit. The social network lost some user data after employee accounts were compromised.
We’ll only be looking at the bigger ones, and some may not have happened this year – it’s common for cybersecurity incidents not to be detected for months, or even years – but if you want to track the big hacks, look no further. As the year goes on, we’ll be updating this page with new issues you should be aware of.
Data breach: Reddit
How many people: Reddit won’t say
What happened?: Reddit’s systems were accessed in June, the site announced in a blog post. As Reddit staff were trying to log in to their systems using text messages sent via two-factor authentication, the messages were intercepted. Using the staff members’ accounts, the unknown hackers were able to take email addresses of current Reddit users and a 2007 database. Reddit hasn’t admitted how many email addresses were compromised. The worry for users is that email addresses will be leaked and it will be possible to link anonymous accounts to real people.
Data breach: Timehop
How many people: 21 million
What happened?: Timehop connects to social networks and surfaces nostalgic posts from the past. On Facebook it shows users their previously popular posts in a bid to help people rekindle previous memories. However, the company detected an ongoing cyberattack in July and found names, email addresses and “keys” allowing access to previous posts had been taken. It delayed the tokens for accessing historic posts, it said.
Data breach: Polar Flow
What happened?: The fitness app Polar Flow revealed the locations of military personnel inside secret bases around the world. As with the Strava data privacy issue in January, researchers found it was possible to monitor the movements of soldiers. Changing a URL let anyone see a person’s workouts.
Data breach: MyHeritage
When?: February – June
How many people: 92 million
What happened?: DNA testing firm MyHeritage suffered a huge data breach affecting 92 million people. While DNA data wasn’t made public, emails and some password information were. The data was stored on a private server and whoever obtained it sent it to third-party security researchers.
Data breach: Ticketmaster
When?: February – June
How many people: 40,000
What happened?: Ticketmaster revealed that the login information, payment data, addresses, names and telephone numbers of 40,000 people were at risk. The data breach was first spotted by digital bank Monzo, which told Ticketmaster about the insecurities.
Data breach: Typeform
When?: May – June
How many people: millions
What happened?: Data collected through Typeform surveys was left unsecured and was taken by hackers. As a result, adidas, Monzo, Revolut, England’s Shavington-cum-Gresty Parish Council, Fortnum and Mason’s and more were forced to admit that data had been compromised.
Data breach: Dixons Carphone
When?: July 2017
How many people: 5.9 million payment cards
What happened?: Dixons Carphone revealed 5.9 million payment cards and 1.2 million personal data records were stolen in 2017. The cards haven’t been used maliciously as most of them were protected by chip and PIN. Names, addresses and email addresses of more than one million people were also taken in the breach.
Fined: University of Greenwich
How much: £120,000
What happened?: The UK’s University of Greenwich exposed 19,500 student details – including names, addresses, phone numbers, signatures, health conditions, and dates of birth – through an insecure training website. The details were first published in 2004 but the Information Commissioner’s Office hit the university with a £120,000 fine.
When?: April – June
How much: $35m
What happened?: Following Yahoo!’s colossal data breach in 2014, where billions of usernames, email addresses, phone numbers, birthdates, passwords and security questions were taken, regulators have hit the firm with fines. The US Securities and Exchange Commission slapped the firm, now called Altaba, with a $35 million fine in April. The UK’s data protection watchdog also fined it £250,000.
Data breach: MyFitnessPal
When?: February 2018
How many people: 150 million
What happened?: In March, sports retailer Under Armour revealed its fitness app MyFitnessPal had lost the usernames, email addresses, and passwords of 150 million people, which were stolen from its systems. The passwords were encrypted, however.
Data breach: Equifax
What’s new?: More victims
What happened?: In one of the worst data breaches of all time, Equifax lost the data of 145 million US citizens. It’s since emerged that another 2.4 million Americans also lost their data. Equifax said the data breach cost it $114m and separate investigations are still ongoing.
Data breach: Facebook
Who’s responsible: Cambridge Analytica
What happened?: The birth of Facebook’s biggest scandal. The Guardian reported more than 50 million people (this later rose to more than 100 million) had data harvested for data profiling company Cambridge Analytica. Facebook found out in 2015 but the details didn’t fully come to light until this year. The data was harvested through a quiz app that collected people’s personal information; it was then shared beyond the original researchers who had created the app.
Data breach: OnePlus
When?: Between mid-November 2017 and January 11, 2018
How many?: 40,000 people
What happened?: Chinese smartphone manufacturer OnePlus admitted in January that 40,000 of its customers had data lost after a “malicious script was injected into the payment page code” of its website. The script collected people’s payment data and returned it to unknown attackers. Credit card numbers, expiry dates, and security codes entered at oneplus.net may have been compromised, the company said.
Data breach: Strava
What happened?: The huge public map of workouts from fitness company Strava revealed the locations of military personnel and their movements. In rural locations, heatmap data could show how people operated around military bases, plus it was possible to discover the names and heart rates of individuals inside highly secretive bases.
Fined: Carphone Warehouse
When: August 2015
How much?: £400,000
What happened?: The UK’s data protection regulator, the Information Commissioner’s Office (ICO), hit Carphone Warehouse with a £400,000 fine after the details of three million customers were accessed in 2015. The ICO said there were “rudimentary” security flaws that allowed information to be accessed.
Data breach: US Homeland Security
When?: Between 2002-2014
Who’s responsible?: Unknown, but not a “cyber attack by external actors”
What happened?: On January 3, 2018, the US Department of Homeland Security told 247,167 of its employees there had been a “privacy incident” with one of its databases for those that worked there in 2014. During the period of 2002-2014, an undisclosed number of people who were being investigated were also affected by the data loss. The lost information includes names, social security numbers and staff job roles. Officials first discovered the breach in May 2017 but took time to confirm it.
Data breach: Aadhaar
When?: January 3, 2018
Who’s responsible?: Former employees
What happened?: India’s giant one-billion-person public database has been compromised. The Tribune newspaper reported former staff members provided access to names, email addresses and phone numbers.