Major Breaches
Password and Data Breaches
Attackers can sometimes steal sensitive data directly. Poorly configured databases or cloud storage may hand over the data if you simply know what to ask for.
Or, it may be a multi-step attack. First, get the passwords to accounts with access. Then use those identities to request the sensitive data.
Malware can also leak passwords or the data itself. A keylogger captures the password as the victim types it. Or, the malware searches the file system and any available network shares for potentially sensitive data, and exfiltrates that to a "command and control" system, often called C&C or C2.
BitCoin and similar blockchain currency systems have a poor track record. Not the blockchain itself, but the storage. The Blockchain Graveyard lists over 40 incidents in which cryptocurrency institutions have suffered intrusions. Most of them closed down afterward. Almost all could have been prevented, as they happened through social engineering, credential reuse, the takeover of the cloud hosting account, or vulnerable applications.
Blockchain Graveyard
Read about what's stored on a credit card:
Deconstructing a Credit Card's Data
How Crooks Get the CVV
Breached Password Lists
My analysis of the RockYou2024 list and how you should respond
Because people re-use passwords across multiple accounts, lists of exposed passwords are extremely useful to attackers. The RockYou2024 list, made available for download in July 2024, is a plaintext list of almost 10 billion unique passwords exposed across many breaches.
How Password Cracking Attacks Work
Even though it's just a list of unique passwords, and not the corresponding account or user names, and doesn't include the site where they were used, it's still a valuable resource for password cracking.
When a person uses some password on one site, there's a very good chance that they will also use it somewhere else. Maybe the first site was one for which there is little need for security. But if that site is breached, the username and password might be directly useful on a far more sensitive site.
More importantly, because of human nature, we only select from a small subset of the possible passwords, ones that are easier to remember, easier to type, and more likely to come to mind when we suddenly have to come up with a password. See my analysis for how this works, and how threatening that list of ten billion actual passwords really is.
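The defensive use of such a list is to refuse passwords that appear in it at registration or password-change time, without ever shipping the candidate password off the box. The following is an added example, not code from this page: it indexes a constructed stand-in for a breached list the way Have I Been Pwned's Pwned Passwords range API does (first five hex digits of the SHA-1 hash as the query key), so the server only ever sees a prefix shared by many passwords, and the client does the final match locally. The sample list, `min_length`, and the function names are assumptions for the example.

```python
import hashlib
from collections import defaultdict

# Constructed stand-in for a breached-password list such as RockYou2024:
# one plaintext password per line, no usernames, no site names.
BREACHED_LIST = """123456
password
qwerty
letmein
Summer2024!
iloveyou""".splitlines()


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the form breached-password range services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Index the list by the first five hex digits of each SHA-1 hash.

    Each entry maps a 5-char prefix to the set of 35-char suffixes that
    share it, which is exactly what a k-anonymity "range" query returns.
    """
    index = defaultdict(set)
    for pw in passwords:
        digest = sha1_hex(pw)
        index[digest[:5]].add(digest[5:])
    return index


def range_query(prefix: str, index) -> set:
    """Server side: given only a 5-char prefix, return every matching suffix.
    The server never learns which suffix (if any) the caller cares about."""
    if len(prefix) != 5:
        raise ValueError("prefix must be exactly 5 hex characters")
    return set(index.get(prefix.upper(), ()))


def is_breached(candidate: str, lookup) -> bool:
    """Client side: hash locally, send the prefix only, match the suffix locally.

    `lookup` is any callable taking a prefix and returning suffixes, so the
    same code works against the local index here or a remote range service.
    """
    digest = sha1_hex(candidate)
    return digest[5:] in lookup(digest[:5])


def check_new_password(candidate: str, lookup, min_length: int = 12) -> list:
    """Registration-time check: reasons the password is unacceptable (empty = OK).
    Breach membership is tested regardless of length, because a long breached
    password is still a breached password."""
    problems = []
    if is_breached(candidate, lookup):
        problems.append("appears in a breached-password list")
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    return problems


if __name__ == "__main__":
    index = build_range_index(BREACHED_LIST)
    lookup = lambda prefix: range_query(prefix, index)
    for pw in ("Summer2024!", "correct horse battery staple"):
        print(pw, "->", check_new_password(pw, lookup) or "acceptable")
```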
Now, some specific breaches:
2024 National Public Data
National Public Data is an alternative identity of Jerico Pictures, Inc. The company collects personal data including criminal records and employment history in addition to various personal identity records, and then offers that for sale to corporate human resource departments as well as law enforcement and private investigators.
A breach, or multiple breaches, became public knowledge after data was offered for sale in April 2024. NPD acknowledged the breach 12 August 2024, referring to attacks in late December 2023, April 2024, and vaguely "summer 2024".
The stolen data was described as 2.9 billion database records, each with a name, mailing address, and social security or equivalent number for people in the U.S., Canada, and the U.K. At the time those countries had populations of 335 million, 41 million, and 68 million, respectively, a total of 0.444 billion — many of the records are duplicates, and many are for dead people.
The company's owner is described as "an actor and a retired sheriff's deputy" from Florida, and seems to be yet another manifestation of America's obsession with law enforcement and incarceration with military-style equipment and outfits.
Within a week we learned that a related operation, a background search service recordscheck.net, used the same data set and hosted a .zip archive with plain text usernames and passwords for its systems.
- Brian Krebs' initial report, 15 Aug 2024
- Brian Krebs' followup, 19 Aug 2024
- The Verge on the weirdness of this breach
- Wired story
2024 AT&T
On 12 July 2024 AT&T publicly confirmed that a recent data breach exposed phone records of "nearly all" of its customers. The stolen data was basically detailed phone bills including records of calls and text messages, plus, for some records, cell site identification numbers that specify the approximate location of the customer when a call or text was made. The records were for calls and texts occurring May through October 2022 plus 2 January 2023. AT&T had learned of the breach on 19 April 2024, but did not make it public for almost three months.
The last part of that, the location detail, plus the fact that the Department of Justice determined on 9 May and 5 June 2024 that the incident should not yet be publicly disclosed due to law enforcement and national security, makes this sound as if it was actually a law enforcement data set that got exposed. In that case, there's the issue of governance — transferring data while maintaining definitions of responsibility and liability.
This was the second major breach for AT&T in 2024. In March 2024 a data breach broker dumped the full set of 73 million AT&T customer records online. This included names, phone numbers and addresses. After a security researcher showed that it also included weakly encrypted passwords, AT&T forcibly reset its customers' passwords.
- Brian Krebs analysis
- TechCrunch report
- AT&T announcement
- AT&T report to SEC about the incident
- TechCrunch on earlier breach
2023 T-Mobile
T-Mobile announced on 19 January 2023 that they had had a data breach exposing data from approximately 37 million current customer accounts. It included customer name, billing address, email, phone number, date of birth, and T-Mobile account number, plus details on the number of customer lines and plan features.
T-Mobile had learned of the breach on 5 January, and later determined that the data theft began around 25 November 2022.
This came after a slightly larger breach in 2021, for which T-Mobile agreed to pay a $500 million settlement in 2022. T-Mobile reported revenues of nearly $20 billion in the third quarter of 2022 alone, so settlements of a few hundred million dollars here and there don't seem so bad to them.
- Brian Krebs report
- T-Mobile's SEC filing about the event
- Dark Reading on the breach
2022 Experian
On 23 December 2022, KrebsOnSecurity alerted the consumer credit reporting bureau Experian that identity thieves had found a way to view any consumer's full credit report.
Experian, of course, did little and said nothing.
Four days later they told Brian Krebs that they had received his message. They repeatedly refused to respond to requests for their comments on the event.
One month later they sent a letter to Brian Krebs saying that the weakness existed from 9 November to 26 December 2022. Well, they didn't say that exactly, instead using the lawyer-crafted "During this time period, we experienced an isolated technical issue where a security feature may not have functioned."
With "isolated", "technical issue", and "may not have functioned", Experian packed three distracting and minimizing phrases into one sentence.
2022 Shields Health Care Group
Shields Health Care Group provides medical imaging and outpatient surgical services for healthcare providers, so it holds patient data on behalf of all of them. A breach of Shields therefore meant the theft of data for two million patients from almost 60 healthcare providers.
A hacker had gained access to Shields systems for three weeks in March. The data includes names, Social Security numbers, dates of birth, contact details, diagnoses, billing information, insurance details, provider names, medical record numbers, and patient IDs.
SC media report
2021 Healthcare Breaches
The ten largest healthcare data breaches in 2021 impacted over 22.6 million patients. Four of the largest ten were the fault of vendors rather than the actual healthcare providers.
SC media on the largest ten
SC media on vendors being the problem
2021 T-Mobile
T-Mobile was breached once again, in a major event. Data was stolen describing at least 47 million customers, some say as much as 100 million. It included names, phone numbers, and physical addresses, but also social security numbers, dates of birth, driver's licence information, and IMEI numbers.
Wired story #1
Wired story #2
Vice
TechCrunch
Wall Street Journal
Brian Krebs report
Also see T-Mobile's breach in early 2023, which was nearly as large.
2020 U.S. Federal Government Data Breach
The hacking group called Cozy Bear or APT29, backed by the Russian intelligence agency SVR, penetrated several components of the U.S. federal government, along with a few state and local government agencies and some corporations. It was publicly reported on December 13, 2020, but it had been going on for at least six to nine months. It was among the worst cyber-espionage attacks ever suffered by the U.S., with many highly sensitive targets compromised.
The initial entry was through a supply chain attack on SolarWinds' Orion software. The attackers were able to access internal emails and other documents, and create their own single sign-on credentials giving them access across federated architectures.
- The New York Times, Dec 15 2020
- FireEye analysis, Dec 13 2020
- FireEye additional technical details, Dec 24 2020
- Volexity analysis
- "Detecting Abuse of Authentication Mechanisms", National Security Agency
- "Customer Guidance on Recent Nation-State Cyber Attacks", Microsoft
- "SunBurst: The Next Level of Stealth", Reversing Labs
- Wikipedia article with many links to references
One week before the breach was announced, Donald Trump had fired the head of CISA, the Cybersecurity and Infrastructure Security Agency, for not repeating Trump's lies that the 2020 election was "totally rigged". Six days after the breach was publicly reported, Trump announced that it could not have been Russia, it must have been China, "everything is well under control", and immediately pivoted to continuing his claims that he had won the recent election "by a landslide".
Sloppy Cloud Storage
Cloud storage platforms like Google Cloud and AWS or Amazon Web Services make it very easy to deploy and use high-capacity storage.
The problem may be that it's too easy. People who probably shouldn't be doing this, because they aren't careful enough and very likely don't know how to be properly careful, can now deploy storage in the public cloud and upload data.
Digital Shadows found over 12 petabytes of publicly accessible data belonging to organizations around the world, containing personal and financial information on customers, employees, and other data subjects. It was spread across over 1.5 billion files stored on AWS S3 storage buckets, rsync and SMB servers, FTP servers, NAS or Network Attached Storage devices, and misconfigured websites. You can read their April 2018 detailed report with registration, or read the overview in The Register.
- Digital Shadows report
- The Register story
Data aggregator companies People Data Labs and OxyData.io stored 4 billion records on 1.2 billion people on unsecured servers at AWS and Google Cloud. It included names, email addresses, and home and mobile phone numbers plus what seemed to be data scraped from LinkedIn, Facebook, and other social media.
- SC Magazine report
- Data Viper report
The 2019 breach of Capital One was based on misconfigured Amazon Web Services S3 storage buckets.
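The misconfigurations behind these exposures are usually one of two things: a bucket policy whose Principal is everyone, or a bucket ACL granting READ to the AllUsers (or AuthenticatedUsers, meaning any AWS account at all) group. The following is an added example, not code from this page or from any of the vendors it cites: a small offline audit that flags both, run over a constructed weak policy and ACL beside their corrected forms. The bucket name, account id and role name are invented placeholders; the two group URIs are the real ones AWS uses.

```python
import json

# Constructed bucket policy (the weak setting): anyone on the internet can read every object.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-exports/*"}],
})

# Constructed corrected policy: one role in the account, TLS required.
PRIVATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "ExportReaderOnly", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/export-reader"},
                   "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-exports/*",
                   "Condition": {"Bool": {"aws:SecureTransport": "true"}}}],
})

# Constructed ACL grants, in the shape the S3 GetBucketAcl API returns.
ALL_USERS_URI = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS_URI = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS_URI}, "Permission": "READ"},
]}
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
]}

READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:*", "*"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal) -> bool:
    """'*' or {"AWS": "*"} means any AWS account, including anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def public_statements(policy_json: str) -> list:
    """Sids of Allow statements granting read access to everyone with no Condition."""
    found = []
    for i, stmt in enumerate(_as_list(json.loads(policy_json).get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if (stmt.get("Effect") == "Allow"
                and _principal_is_everyone(stmt.get("Principal"))
                and actions & READ_ACTIONS
                and not stmt.get("Condition")):  # conditional grants need a human review
            found.append(stmt.get("Sid", f"statement-{i}"))
    return found


def public_acl_grants(acl: dict) -> list:
    """(group, permission) pairs exposing the bucket to all users or to any AWS account."""
    exposed = []
    for grant in acl.get("Grants", []):
        uri = grant.get("Grantee", {}).get("URI")
        if uri in (ALL_USERS_URI, AUTH_USERS_URI):
            exposed.append((uri.rsplit("/", 1)[-1], grant["Permission"]))
    return exposed
```

In a real account the same two functions would be fed the output of GetBucketPolicy and GetBucketAcl for every bucket, with S3 Block Public Access turned on at the account level as the backstop.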
Capital One, March-July 2019
Names, birth dates, Social Security Numbers, bank account numbers, and more, for over 100 million people.
A former AWS employee accessed Capital One data through a misconfigured web application firewall. The access and data theft occurred from March 12 to July 17, 2019; the hacker then posted details to GitHub and the FBI was notified on July 19.
- The New York Times on the breach
- Washington Post on the breach
- US FTC on the breach
- SC Magazine on the breach
- SC Magazine on the AWS S3 misconfiguration
Marriott, November 2018
Brian Krebs on Marriott breach
Marriott disclosed a data breach exposing personal and financial information on 500 million customers who had made reservations at any of its properties over the previous four years. That means any of the hotels in the several chains in the Starwood group. In March 2019, Mark Begor and Arne Sorenson, CEOs of Equifax and Marriott International, respectively, testified before a US Senate subcommittee and reported that the breach had compromised:
- 383 million guest records
- 18.5 million encrypted passport numbers
- 5.25 million unencrypted passport numbers
- 9.1 million encrypted payment card numbers
- Several thousand unencrypted payment card numbers
Sorenson stated, "To date, we have not found evidence that the master encryption keys needed to decrypt encrypted payment card and passport numbers were accessed, but we cannot rule out that possibility."
Begor's statement
Sorenson's statement
GovPayNow.com / GovPayNet, September 2018
Brian Krebs on GovPayNow.com
"Let's privatize everything," they said. "What could possibly go wrong?"
GovPayNet, operating online as GovPayNow.com, serves approximately 2,300 state and local government agencies in 35 states. They handle online payments for parking and traffic citations, bail payments, court-ordered payments, licensing fees, and more. GovPayNet had been acquired in January 2018 by Securus Technologies, part of the enormous for-profit prison system in the U.S.
They leaked over 14 million customer records over six years, including names, addresses, phone numbers, and the last four digits of payers' credit cards.
The Paradise Papers, November 2017
International Consortium of Investigative Journalists
The Paradise Papers started to become public in November 2017. That was 13.4 million confidential electronic documents relating to offshore investments. It was 1.4 TB in size, so there were more documents but a smaller total data size than the Panama Papers.
Many large companies, national leaders, and prominent individuals were involved. Apple, Avianca, Nike, African politicians with lavish overseas homes, the British royal family, a rock star who owns a Lithuanian shopping center, and on and on.
Equifax, 2017
Equifax data breach
Hackers gained access to personal and financial data of over 145 million U.S. consumers. Equifax is a credit bureau, so the data is pretty much everything you would need for identity theft.
The Panama Papers, Mossack Fonseca, May 2016
Panama law firm Mossack Fonseca specialized in helping its clients shield their money from taxes. In May 2016, it became public that 11.5 million documents, some 2.6 terabytes, some dating back to the 1970s, had been leaked to investigative journalists. The team of journalists uncovered illegal activities involving prominent political and business figures around the world. The collection was called the Panama Papers.
The leak was the largest to date by a wide margin — Wikileaks Cablegate was 1.7 GB, Ashley Madison 30 GB, and Sony Pictures about 230 GB. The Panama Papers breach was over ten times the size of the largest previous breach.
Anthem Health Insurance, 2015
Anthem medical data breach
Hackers gained access to 80 million Anthem Health Insurance records including Social Security numbers, birthdays, addresses, income data, and email and employment details.
Target / Neiman Marcus, 2013
Target breach
Major U.S. discount retailer Target suffered a security breach between Nov 27 and Dec 15, 2013. Up to 40 million consumer credit and debit cards may have been compromised, including customer names, card numbers, expiration dates, and CVV codes, making this the second-largest retail cyber attack to this point (after the 2007 TJX Companies compromise affecting 90 million). Debit card PIN data was also stolen, although it was encrypted with Triple-DES (nice use of 1998 technology...), and the names, mailing addresses, phone numbers and email addresses of up to 70 million additional people were also stolen.
The malware involved is called BlackPOS and Картоха. The second of those is spelled in the Cyrillic alphabet, maybe looking a little different in Italic, Картоха, and pronounced car-toe-kha and not cap-tock-sa.
News and details include:
- Brian Krebs' initial announcement 18 Dec 2013.
- Target's initial press release 19 Dec 2013.
- CNN Money story 27 Dec 2013.
- Brian Krebs wrote an initial report on how the memory-scraping malware works, with links to a Reuters story and an analysis by US-CERT.
- iSIGHT Partners released a report on Картоха/BlackPOS. 16 Jan 2014
- Wired ran a story on the iSIGHT Картоха/BlackPOS report. 16 Jan 2014
- Wired ran a story pointing out that Target and others were victims of a large hack in 2005. 17 Jan 2014
- Time magazine said Sergey Tarasov, a 17-year-old Russian, did it, he denied it, then Rinat Shabayev claimed credit for Картоха/BlackPOS. 20-27 Jan 2014
- FBI says Картоха/BlackPOS was connected to twenty breaches. 24 Jan 2014
- Target announced that the intruder stole and used a vendor's credentials. 30 Jan 2014
- Brian Krebs announced that the intrusion was via an HVAC or heating, ventilation and air-conditioning subcontractor that worked at Target and other top retailers including Whole Foods and Trader Joe's. Fazio Mechanical Services of Sharpsburg PA had remote access to Target networks for electronic billing, contract submission, and project management (not, as initially thought, to monitor energy consumption and temperatures in stores as often done by HVAC contractors). Target's network infrastructure did not separate the HVAC systems from the POS or point-of-sale terminals, allowing the compromised HVAC account to push malware onto the POS terminals. The first malicious access was on 15 Nov; from then through 28 Nov the attackers uploaded data-stealing malware to a small number of POS terminals and tested that it worked as designed. Just two days later, by the 30th, the malware had been installed on a majority of Target's POS terminals and was actively collecting consumer card data. It was uploaded to compromised "drop" systems and eventually uploaded to Russia and Eastern Europe where it immediately went on the black market. 14 Feb 2014
- Krebs elaborated that the breach seems to have started with malware delivered through email phishing to employees of the HVAC contractor. Sources close to the investigation say that the Citadel password-stealing malware was used. They also report that Fazio was relying on the free version of Malwarebytes Anti-Malware. The free version is on-demand only, it does not do real-time protection (that's in the pro version), and its license explicitly prohibits corporate use. 14 Feb 2014
- Brian Krebs presented a detailed description of how Картоха/BlackPOS and similar memory-scraping POS malware works. 14 Feb 2014
- A Businessweek article alleged that the FireEye security service notified Target's security team about the breach, but they did not act in time to prevent the theft, 13 March 2014.
Luxury retailer Neiman Marcus revealed a breach based on the same malware, running 16 July through 30 October 2014. See a Reuters story of 12 Jan 2014 and an initial Dark Reading report of 13 Jan 2014; then a Neiman Marcus announcement updated 21 Feb 2014 and Ars Technica (24 Jan) and Dark Reading (23 Jan) analyses of a theft of 1.1 million customers' debit and credit cards. Also see the New York Times story of 23 Jan 2014.
Heartland Payment Systems, 2008
A 2008 breach at Heartland Payment Systems compromised tens of millions of credit and debit card transactions.
Password Breaches
How to crack passwords
Every large breach of a password database provides more information on how humans generate passwords. These insights go into the cracking software. There have been plenty of large databases exposed:
- 32 million from RockYou in 2009
- 6.4 million from LinkedIn leaked in 2012
- 24 million from Zappos in 2012
- 68 million email addresses and passwords from Dropbox, stolen in 2012 and released in 2016
- 50 million from Evernote in 2013
- 50 million from LivingSocial in 2013
- 150 million from Adobe in 2013
- 360 million from MySpace, stolen in June 2013 and published online in May 2016
- Over 500 million Yahoo Inc. user accounts stolen in late 2014. The company described this as a "state-sponsored attack", but researchers said it was actually a theft by a criminal organization who then sold the data to an eastern European government.
- 32 million from Ashley Madison in 2015
- 200 million Yahoo Inc. user accounts offered for sale in August 2016. Nearly two months later Yahoo said that this was separate from the over 500 million stolen in 2014.
- Over 412 million user accounts stolen from Friend Finder Network in October 2016. A total of 412,214,295 users of sex-related web sites including adultfriendfinder.com, cams.com, penthouse.com, stripshow.com, and icams.com. See reports in LeakedSource and CSO Online. Data on over 3.5 million AdultFriendFinder users had been stolen and posted online in May 2015, as reported on CNN and Channel 4 News and CSO Online.
- Over one billion user accounts stolen from Yahoo in August 2013. This was only noticed and announced over three years later in November 2016. This is completely separate from the 500 million stolen in 2014 and announced in September 2016.
- 340 million records left on an open database server by Exactis. The data included personal interests, religion, and the number, age, and gender of children. The data was stored on an open database server by the marketing firm until it was noticed in late June 2018.
This table and list of references points you to many more examples.
Other Prominent Breaches
U.S. DHHS Breach Portal
The too-cutely named HITECH Act in the U.S. requires that the Secretary of the Department of Health and Human Services provide information to the public about all breaches affecting 500 or more individuals. See the department's breach portal for the details.