Worst Data Breaches of 2019

We’ve seen a lot of nasty data leaks this year. So many that I would be surprised if you were not affected by at least one, if not more. And while I’m not going to talk about more disasters in 2020, I think it’s important to look back at some of the worst, biggest, and most annoying hacks of the year that have impacted you and your data.

Yes, we’re talking about hacks as in someone breaking into your account, not creative ways to improve your life. If you have not heard of these serious breaches, or are still using the affected services, you may need to reconsider your approach. If not, at least review this year’s worst hacks so you can better prepare for this kind of nonsense in 2020.

Capital One Bank

It was a complete mess. Not only did this affect quite a large number of people – roughly 100 million in the United States alone – but Capital One did an absolutely terrible job of notifying victims. In its mea culpa press release, it stated that “no credit card account numbers or login credentials have been compromised and over 99 percent of social security numbers have not been compromised,” only to point out that “about 140,000 social security numbers of our credit card customers” and “about 80,000 associated bank account numbers of our secured credit card customers” were in fact compromised by the hack.

Conclusion? Always read the fine print when a company discloses a data breach, and don’t be afraid to look for secondary sources of information – for example, a press release – if the company’s initial notification to you through its service seems to be downplaying what is actually happening.

Zynga

Who hasn’t played the Scrabble-like Words With Friends or spent countless hours building virtual farms on their smartphone? Chances are, a lot of people have a Zynga account, making this giant breach all the more dangerous. Credentials were stolen from 172.8 million accounts, including usernames, passwords, phone numbers and Zynga IDs.

Conclusion? It would be nice if Zynga offered two-factor (or even two-step) authentication for accounts. Since it does not, this is a great example of why you should always use a unique password for each service. And you should always change yours as soon as a service you use shows up in a new data breach, as the company might not even recommend doing so in its initial announcement.

Amazon Ring

I still maintain that Amazon Ring cameras were not themselves hacked; rather, attackers use credentials stolen in other data leaks to get into Ring owners’ accounts and then view the feeds from their cameras. However you describe it, people’s accounts get hacked. This is not good, especially if you have placed the camera in a sensitive location.

Conclusion? Use. Two. Factor. Authentication. If a company offers it, you need to take advantage of it. When a simple login and password is the only thing between you and someone watching a live stream of your home, you need to spend some time going through the service’s settings menu and make sure you have anything and everything turned on to protect your account. Ring takes some of the blame for not doing a better job of informing people about the nuances of account security – for example, that the only way to kick out people who already have access is to change your password. Enabling two-factor authentication, oddly enough, does not do it. But if you’re reusing the same old password across multiple services and don’t even bother enabling 2FA, you’re setting yourself up for disaster.

Disney+

The second verse is the same as the first. Attackers have used leaked logins to get into other people’s Disney+ accounts, helped by the huge popularity of Disney’s streaming service (as a result of everything related to Baby Yoda). Like Zynga, Disney does not offer any kind of two-factor or two-step authentication for your Disney+ account. Worse, getting into someone’s streaming account will likely give an attacker access to that person’s activity across the rest of Disney as well – their trips, plans, purchases, and every other Disney-related thing they’ve ever done. This includes photographs from their travels, if they purchased such a service, and all of their ESPN activity (and the content they subscribe to).

Conclusion? It confuses me that companies are not providing better security for their user accounts. Even a cursory email or text message asking you to confirm a recent login attempt would go a long way. As always, use unique passwords and, well, feel free to change yours as your first line of defense if anything looks odd with your ESPN account, travel booking, or streaming.

“Collection number 1”

While it is not a website or service per se, I would be remiss if I did not mention what is known as the Collection #1 breach. The numbers speak for themselves: 772 unique email addresses (with associated passwords) for a total of 2.7 billion entries. Chances are, your email address appears somewhere in this database, if not a few times, but you can always check for yourself on Have I Been Pwned?

Takeaway: You should regularly check a monitoring service such as Have I Been Pwned, which can help you find out which of your email addresses have appeared in data breaches. You can also enter a password on the site – just that, and not any other data associated with it – to see if it has been disclosed as a result of a data breach. Between these tools and any similar tools built into (or offered by) your browser or browser maker, you have a variety of options to stay on top of the latest (and worst) data breaches. (And don’t forget to change your passwords as soon as you get this warning.)
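The password check mentioned above can also be run without the password ever leaving your machine. The sketch below is an added example, not part of the original article, and goes a step beyond it: it follows the range lookup offered by Have I Been Pwned's Pwned Passwords service, where only the first five characters of the password's SHA-1 hash are sent. The function names, sample passwords and counts are constructed for illustration, and the lookup is simulated offline.

```python
import hashlib

def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form used in range responses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def pwned_count(password, fetch_range):
    """Return how often `password` appears in breach data.

    `fetch_range(prefix)` must return the text body of a range lookup for a
    5-character hash prefix: one `SUFFIX:COUNT` entry per line. Online this
    would be a GET to https://api.pwnedpasswords.com/range/<prefix>.
    Only the prefix is handed to `fetch_range`; the suffix is compared locally.
    """
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0

# --- Constructed offline stand-in for the service (sample data, not real counts) ---
CONSTRUCTED_CORPUS = {"password1": 2400000, "letmein2019": 31}
SEEN_PREFIXES = []  # records everything the "server" was shown

def offline_range(prefix):
    """Simulated range endpoint built from CONSTRUCTED_CORPUS."""
    SEEN_PREFIXES.append(prefix)
    lines = ["0" * 35 + ":1"]  # constructed decoy entry sharing the prefix
    for pw, seen in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{seen}")
    return "\r\n".join(lines)

if __name__ == "__main__":
    for pw in ("password1", "a-long-unique-passphrase-7Q"):
        hits = pwned_count(pw, offline_range)
        print(f"{pw!r}: {'change it, seen ' + str(hits) + ' times' if hits else 'not found'}")
    print("prefixes sent:", SEEN_PREFIXES)
```

A result of 0 only means the password is absent from the data that was queried; it still needs to be unique to each service.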
