Greatest Software Security Failures of the Last Decade (and What We Can Learn from It). Part I

What seems to be a simple software error can have pretty shattering consequences. Have a look at the one that occurred in the sixties. 

It’s NASA’s Mariner 1 on a mission to reach Venus. Yet, shortly after lift-off, the spacecraft veers off course and ends up self-destructing. The cause was quite shocking: a hyphen omitted from a single line of code doomed the craft to receive wrong guidance signals.

Times have changed since then, so what’s different? Mostly the sheer volume of software mishaps. Run a quick search and you’re drowning in headlines about phishing, cyberattacks, and all sorts of breaches. Add to this the worldwide damage they cause, estimated in trillions of dollars annually.

So here we are again, counting the victims of other people’s mistakes: data exposed, money lost, and accounts getting unwanted publicity. To emphasize the importance of tech security, we at Symfa have decided to assemble a comprehensive list of the harshest examples of software failures.

The cases are in no particular order. To make the selection representative, we picked them from across industries and included details on the records affected, who was identified as the attacker (if anyone), and how the victim companies reacted. So, here are the loudest security failures of the last decade and what we can learn from them.

Table of Contents

  • LinkedIn
  • SolarWinds
  • Sina Weibo
  • Aadhaar
  • Equifax
  • Yahoo
  • A short break before we come back with more software security stories

LinkedIn

The year is 2021. LinkedIn, the leading professional network, discovers data on 700 million users on a dark web forum, over 90% of its total user base. A hacker had abused the site’s API to scrape the data, dumped a set covering around 500 million users, and boasted of selling the full database.

LinkedIn argued that, on the bright side, no private data was exposed, meaning the incident was a violation of service terms, not a data breach. Still, a posted sample listed email addresses, geolocation records, phone numbers, genders, and more. More than enough to plot mass social engineering campaigns, so a warning from the UK’s NCSC followed.

Lesson learnt: Beware of API abuse. Here’s more on the topic from Radware.
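The scraping pattern behind this incident is what a defender would watch for in API access logs. As an added example (not LinkedIn’s or Symfa’s code), the script below flags clients that touch an abnormal number of distinct profiles within a sliding time window and checks whether their profile IDs advance sequentially; the log format, client identifiers and thresholds are assumptions.

```python
# Added example, not LinkedIn's or Symfa's code: flag API clients that walk through
# far more distinct profiles than a real user would. Format and thresholds are assumed.
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines: "<ISO timestamp> <client id> GET <path>".
# key-7f3a pulls 40 consecutive profile IDs in 40 seconds; user-a1 browses normally.
SAMPLE_LOG = "\n".join(
    [f"2021-06-01T10:00:{s:02d} key-7f3a GET /v1/profiles/{1000 + s}" for s in range(40)]
    + [
        "2021-06-01T10:00:05 user-a1 GET /v1/profiles/4821",
        "2021-06-01T10:02:40 user-a1 GET /v1/profiles/7730",
        "2021-06-01T10:03:10 user-a1 GET /v1/profiles/4821",
        "2021-06-01T10:03:55 user-b2 GET /v1/messages/inbox",
    ]
)
PROFILE_RE = re.compile(r"^(\S+) (\S+) GET /v1/profiles/(\d+)$")

def parse_profile_requests(log_text):
    """Yield (timestamp, client, profile_id) for profile lookups; other routes are skipped."""
    for line in log_text.splitlines():
        m = PROFILE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), int(m.group(3))

def find_scrapers(log_text, window=timedelta(minutes=5), max_distinct=20):
    """Return {client: peak distinct profiles in any sliding window} for clients over the limit.
    Distinct IDs, not raw hits, so a user refreshing the same few profiles is not flagged."""
    by_client = defaultdict(list)
    for ts, client, pid in parse_profile_requests(log_text):
        by_client[client].append((ts, pid))
    flagged = {}
    for client, reqs in by_client.items():
        reqs.sort()
        recent, peak = deque(), 0
        for ts, pid in reqs:
            recent.append((ts, pid))
            while ts - recent[0][0] > window:  # evict requests older than the window
                recent.popleft()
            peak = max(peak, len({p for _, p in recent}))
        if peak > max_distinct:
            flagged[client] = peak
    return flagged

def looks_sequential(log_text, client):
    """True if the client's profile IDs advance in small positive steps: the tell-tale sign of ID enumeration."""
    ids = [pid for _, c, pid in parse_profile_requests(log_text) if c == client]
    steps = [b - a for a, b in zip(ids, ids[1:])]
    return bool(steps) and all(0 < step <= 2 for step in steps)
```

Tune `window` and `max_distinct` to the product’s real usage baseline; the sequential check is a secondary signal, since scrapers that randomize IDs still trip the distinct-count rule.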

SolarWinds

Piggybacking on official updates is a distressingly popular way to reach millions of devices around the globe. In 2020, over 18,000 enterprises and government entities found themselves at exactly this risk while updating Microsoft software. The catch: for those companies, the updates arrived from SolarWinds, an IT management company.

Unknown hackers surreptitiously planted malware in the provider’s updates, which were then digitally signed so that they looked legitimate from the outside. Just like that, receiving networks had no way to recognize the malware and readily accepted the new packages.

The Trojan-like malware easily let the attackers into a number of business networks, U.S. government agencies’ included, prompting the latter to admit the failure would likely have a "grave impact."

Lesson learnt: The attack succeeded because the intruders worked through multiple servers based in the United States, mimicking legitimate network traffic. Read a detailed analysis of the failure from TechTarget.

Sina Weibo

With more than 600 million users, Sina Weibo is one of China’s top social media platforms. In 2020, it announced an attack on part of its database affecting 538 million users. Compromised personal details included real names, gender, site usernames, phone numbers, and locations. Worse still, the attacker allegedly sold the database on the dark web.

China’s Ministry of IT reacted by ordering the platform to enhance its data security and to notify users and authorities of incidents. In its public response, Sina Weibo argued that it did not store passwords unhashed. Even so, the exposed data could be used to compromise the accounts of users who reused passwords, which pushed the company to improve its security strategy.

Lesson learnt: One of many cases of a dictionary attack, where the hackers matched data such as passwords against a predetermined list.

Aadhaar

Disclosed in 2018, the incident involved the exposure of 1.1 billion ID records. Aadhaar, the Indian government’s ID database that grants access to certain resources, suffered a massive breach that gained publicity after reporters uncovered a strange deal on WhatsApp.

On offer was a code enabling unauthorized access to the names, emails, birthdates, phone numbers, and more held in the ID database, for as little as around $8. The offer also included software for printing unique ID cards. The seller appeared to be a former Aadhaar employee.

Lesson learnt: The leak stemmed from an unsecured ID verification API that a state-owned utility company used to run the host system.

Equifax

In 2017, a flaw in one of Equifax’s websites led to a major breach affecting 148 million records: Social Security numbers, birth dates, and addresses, along with credit card information and driver’s license numbers. Given that the careless victim is a credit bureau, the compromised data was uniquely sensitive.

The loss the unknown hackers inflicted left the company’s decision makers covering $700 million for the reputational damage.

Lesson learnt: Equifax did have top-class security gear in place, but it was poorly implemented and managed. More on the case from CSO.

Yahoo

In 2016, the giant reported that sometime around 2014 an unknown actor had phished 500 million user accounts, taking passwords, real names, birth dates, email addresses, phone numbers, and security questions for good measure.

The timing couldn’t have been worse for Yahoo, which was in the middle of being acquired by Verizon. As a result, the company’s value dropped by $350 million. After the acquisition closed in 2017, it emerged that the actual number of hacked accounts was 3 billion, which makes the case one of the largest software security failures in history.

Deservedly, the platform has been criticized for its late disclosure and poor security measures, on top of struggling through lawsuits and a United States Congress investigation.

Lesson learnt: A loud security scandal can save you a good $350 million if you’re in for a bargain. Go back to 2014 and see how it all went yourself (covered by The New York Times).

A short break before we come back with more software security stories

As the cases above show, the list of reasons for data breaches seems endless. From legacy, vulnerable networks to careless employees tricked by phishing, security failures crush entire businesses in no time, affecting up to billions of people at once. We’ve collected a few more common reasons in the chart below.

Companies' Highest Loss Security Issues

Stats by helpnetsecurity.com

The question arises: if no one is immune to software security failures, how can I protect my digital assets, given that giants like LinkedIn fell prey to attack? Wait for the answer, and for more software security failure stories, in our next article on the topic.

Credits

Andy Lappo

Tech Critic