The year 2021. LinkedIn, a professional networking leader, discovers data of 700 million users on a dark web forum, which impacts over 90% of the total user base. A hacker scraped and exploited the API to then dump a set of information on around 500 million customers, also boasting about selling the full database.
LinkedIn argued that, on the bright side, no private data was exposed, meaning the incident was a violation of service terms, not a data breach. Still, a posted sample listed email addresses, geolocation records, phone numbers, genders, and more details. More than enough to plot massive social engineering hacks, so a warning from the UK’s NCSC followed.
Lesson learnt: Beware of the API abuse. Here’s more on the topic from Radware.
SolarWinds
Piggybacking on official updates is a distressingly popular way to access millions of devices around the globe. In 2020, over 18,000 enterprises and government entities found themselves at such a risk while updating Microsoft software. The thing is, for those companies, software updates arrived from SolarWinds IT management company.
Unknown hackers surreptitiously planted malware into the provider firm’s updates while digitally signing them so that they seem legitimate from the outside. And just like that, receiving networks couldn’t recognize the malware, readily accepting the new packages.
The Trojan-like malware easily let the attackers in a number of business networks, the U.S. government agencies’ included, making them admit the failure would likely have a "grave impact."
Lesson learnt: The attack was possible due to the intrusion through multiple servers based in the United States and mimicking legitimate network traffic. Read a detailed security failure analysis from TechTarget.
Sina Weibo
With more than 600 million users, Sina Weibo is one of China’s top social media platforms. In 2020, they announced an attack on a part of their database, affecting 538M users. Compromised personal details included real names, gender, site usernames, phone numbers, and locations. What’s even worse, the attacker has allegedly sold the base on the dark web.
China’s Ministry of IT reacted by ordering the platform to enhance its data security while notifying users and authorities in cases of incidents. As a public response, Sina Weibo argued that it didn't store passwords unhashed. Anyways, the exposed data could further compromise accounts in case they reused passwords, which made the company improve its security strategy.
Lesson learnt: One in many cases of a dictionary attack where the hackers matched the data such as passwords with a predetermined list of data.
Aadhaar
Disclosed in 2018, the incident involved exposure of 1.1 billion ID records. Aadhaar, the Indian government ID database granting access to certain resources, experienced a massive breach that gained publicity after reporters unveiled a weird deal on WhatsApp.
The purchase in question was a code enabling unauthorized access to the ID base’s names, emails, birthdates, phone numbers, and more, under the price as little as around $8. Additionally, the offering included software that allowed printing unique ID cards. The seller appeared to be a former Aadhaar employee.
Lesson learnt: The leak happened due to an unsecured ID verification API used by a state-owned utility enterprise to run the host system.
Equifax
In 2017, a flaw in one of Equifax’s websites led to a major breach, affecting 148 million records, from Social Security numbers, birth dates, and addresses, to credit card information and driver license numbers. Given that the careless victim of the breach is a credit bureau company, the compromised data was uniquely sensitive.
By causing the massive loss, unknown hackers forced the app’s decision makers to cover $700 million for the reputational damage.
Lesson learnt: Despite the fact that Equifax did have top class security gear in place, it was poorly implemented and managed. More on the case from CSO.
Yahoo
In 2016, the giant reported that somewhere around 2014 an unknown actor phished 500 million user accounts, along with passwords, real names, birth dates, email addresses, phone numbers, and security questions for good measure.
The timing couldn’t have been worse for Yahoo, as they were in the middle of a deal, being purchased by Verizon. As a result, the company’s value decreased by $350 million. After the acquisition completion in 2017, the truth was unveiled that the actual number of hacked accounts was 3 billion, which makes the case one of the largest among software security failures in history.
For a reason, the platform has been criticized for the untimely disclosure and poor security measures, let alone struggling through lawsuits and the United States Congress’s investigation.
Lesson learnt: A loud security scandal can save you a good $350 million if you’re in for a bargain. Go back to 2014 and see how it all went yourself (covered by The New York Times)
A short break before we come back with more software security stories
As evidenced by the cases from above, the list of data breaches’ reasons seems endless. From legacy, vulnerable networks to careless employees tricked into phishing, the security failures crush entire businesses like 1-2-3, affecting up to billions of people all at once. We’ve placed a few more common reasons for you in the chart below.
Stats by helpnetsecurity.com
The question arises – if no one is immune to software security failures, how can I protect my digital assets, given the giants like LinkedIn fell prey to the attack? Wait for the answer – and more software security failure stories – in our next article on the topic.