SecureMac, Inc.

Checklist 51: Five of the Most Notable Data Breaches in History

August 24, 2017

Today, we are looking at five of the biggest data breaches and most notable hacks in history. Who got hit? What data was stolen? How did they happen?

Checklist 51: Five of the Most Notable Data Breaches in History

Today, we are looking at five of the biggest data breaches and most notable hacks in history. Who got hit? What data was stolen? How did they happen?

With everyone from businesses to governments creating massive amounts of data these days, it’s a field day for hackers who are out to make big scores. With persistence and the right targets, they can penetrate systems and steal massive amounts of data. It seems every year we hear about more and bigger data breaches — but what are some of the most notorious breaches in recent history?

This week we’re examining some of the biggest and most notable hacks in history and the data involved. From stolen credit card numbers to leaked usernames and passwords, poor security practices have left the door open for some major cyber security incidents — and they don’t show any signs of abating, either. A good place to start our discussion today is right at the top, with the biggest breach we know about so far — the infamous Yahoo hacks, disclosed near the end of last year.

  • A billion users: Yahoo & the biggest breach ever
  • Compromised employee accounts lead to big eBay leak
  • Sony Pictures suffers at the hands of nation-state hackers
  • The Heartland hack exposes tons of payment details
  • Adobe insecurities result in major password theft

A billion users: Yahoo & the biggest breach ever

If you weren’t paying close attention to the news last year, it was easy to miss the fact that Yahoo was forced to disclose not one but two separate major breaches of their systems. The first hack Yahoo reported took place sometime in 2014, and involved about half a billion user accounts — already a huge number. The second breach occurred earlier, in August of 2013, and it was this news that sent shock waves across the web: the hackers compromised information relating to more than a billion user accounts.

The best estimates we have indicate there are over 3 billion users of the Internet worldwide – roughly half the world’s population — so the Yahoo hacks collectively represent a huge chunk of the world’s population. Many of those accounts may be abandoned, and many people hold more than one account. Even so, the numbers are mind boggling. For one of the old titans of the Web, these breaches represent a stunning failure regarding security and concern for users. There were plenty of people angry at Yahoo for the way they handled reporting of the breaches, especially when it came out that they were aware of the 2014 hack soon after it occurred.

So, what happened here? How could hackers pilfer so much information and what did they do with their stolen goods? While the US government brought charges against several people for their roles in the 2014 breach, the bigger theft is a story that remains full of question marks. Yahoo claimed that “state sponsored” hackers orchestrated both breaches, but some security firms doubt that claim after their own analyses. Let’s go over what we do know.

When hackers obtained information on 500 million accounts, it wasn’t something they accomplished overnight. The exact methodology used by the hackers to enter Yahoo’s networks remains unknown, or at least it hasn’t been publicly disclosed. After penetrating their systems, the hackers spent some time exploring the network and probing for valuable information. Ultimately, they procured two things that enabled them to take so much data: first, a backup copy of at least a portion of Yahoo’s user database, and second, the administrative tools necessary to edit and interact with that database.

Contained inside were tons of personal information: usernames, passwords, phone numbers, and even users’ birthdates. User security questions, some unencrypted altogether, were also present in the database. While Yahoo used the secure hashing algorithm called bcrypt for many user passwords, a large number were also hashed using the now-broken MD5 method. On its own, this would represent a huge risk to users everywhere — especially with the leak of security questions. With this information available, it’s not difficult for identity thieves to start finding other accounts to compromise. Yahoo’s disclosure of such a large breach led many to scramble to change passwords across the web.

It gets worse, though: for an undetermined period, the attackers could log in to any Yahoo account whatsoever without a password. How? They figured out how Yahoo created their login cookies and learned how to forge them. Now they could masquerade as any user on the network, and it seems the individuals charged by the FBI may have used this capability to target some people of interest. In the end, four people were indicted for this hack, including two members of Russia’s federal security service.

As for the hack that compromised more than a billion accounts in 2013, we aren’t sure how those attackers got in either, but we do know where the information ended up. It didn’t take long before much of this stolen information appeared on the Dark Web, fetching a high price when sold to spammers. One researcher uncovered evidence that at least one potential buyer may have been a nation-state, though, as they requested data on specific individuals within the database.

There’s no doubt these hacks represent the biggest breaches in history so far, yet it’s hard to tell just how sophisticated the attackers were. The fact that Yahoo left some critical information stored insecurely also demonstrates that even multi-billion-dollar companies can grow complacent and overlook common security flaws. As we’ll see, that’s a common theme in many of the biggest breaches.

Compromised employee accounts lead to big eBay leak

While Yahoo was getting hacked for the second time in 2014, eBay was in the process of suffering from an attack of their own. As one of the biggest e-commerce sites around, it makes a tempting target for hackers trying to find a way to make some cash or cause chaos. The numbers: 150 million users affected.

At the time, that was practically all of eBay’s user base, and at the time it represented one of the largest known breaches of user information up to that point. The hackers made off with the email and password databases for all the site’s users. Thankfully, eBay never correlated those details with any account’s payment information. Even so, the thieves got away with a ton of information.

Not only that, but it took almost three months for the company to detect the problem and make an announcement to users. Asking more than a hundred million people to change their passwords is no small task. Meanwhile, all of this came amid other problems for the site, such as rampant phishing schemes abusing cross-site scripting vulnerabilities.

The company reassured users that they hadn’t detected any fraudulent activity associated with the hacks, of course, but the damage was already done. It wasn’t out of line to think twice about using eBay at the time given the prevalence of scam artists and phishers. When users can’t place confidence in a company’s security, its business will feel the impact.

Aside from the disruption and the damage to eBay’s reputation, the most interesting part of this breach isn’t necessarily the large amount of data stolen, but how the hackers might’ve pulled it off. There were some indications at the time that eBay employees had been the victims of social engineering. If you had the opportunity to listen to our Checklist episode on that subject, you already know what that is — for those who haven’t yet, we can use a quick working definition.

Sometimes, before you can hack a system, you need to hack a human — and that means playing a convincing role. All it takes is finding an employee with sensitive information or access to critical systems that the hacker wants to probe. Then, through careful manipulation, the social engineer tricks the employee into giving access to the information or data they want. For more on that, check out the episode!

eBay has only said that some of its employee credentials were “compromised,” though the exact method used wasn’t made public. Researchers who joined the discussion online reported that about 100 eBay employee accounts were involved. Perhaps the attackers sent clever phishing emails to extract their passwords or dump malware onto their machines, or maybe they took a more direct approach and impersonated someone from the IT department. Either way, they had access for only a few months — relatively short in terms of hack durations. Even with the limited time frame, they could steal the majority of the company’s user information.

While a robust algorithm protected the passwords included in the database, other personal information, including addresses and phone numbers, did fall into the hands of the attackers. As we might expect, some of this data may later have shown up for sale on the Dark Web. Others have pointed out that with the large amount of personal info available from this dump, someone could easily carry out more social engineering attempts targeting those in the database.

What can we learn from the eBay breach? Obviously, good data security is essential — no protection is 100% foolproof, so companies must protect users in the event of a breach. While mundane details may not seem like they need the same protection as passwords, it’s important to safeguard those, too. Finally, and perhaps most importantly, businesses absolutely must do more to train employees on recognizing social engineering and phishing. Computer security isn’t just firewalls, anti-virus software, and regular malware sweeps: we need to remember there is a critical human element, too.

Sony Pictures suffers at the hands of nation-state hackers

The next attack we’ll discuss today isn’t necessarily one of the largest in history — in fact, there are plenty of other hacks that have compromised far bigger volumes of data. Nonetheless, the hacks that targeted Sony Pictures Entertainment are notable for a few reasons. First, it’s a case study in what can happen when a major corporation suffers an attack that demolishes their IT infrastructure. Second, the hack resulted in not just the theft of sensitive information, but of many embarrassing internal emails as well, fueling a high level of media attention. Third, given the fact that the government quickly pinned the hack on North Korean-sponsored actors, it’s one of the most direct cases of nationally-backed cyber crime.

Sony is an excellent real-world example of just how bad a severe attack can get, and the kind of disruptive damage it can do; of course, the fact that the deal between Yahoo and Verizon changed because of hacks is also a testament to that. It was a long-term attack, too; the intruders had plenty of time to exfiltrate tons of data, like unreleased films, while also gathering emails. Though there is some disagreement over the level of sophistication in the way it was planned and executed — and how prepared Sony was for such an attack — what’s important is that the malicious efforts succeeded.

Though Sony did not experience problems with malware until the 24th of November in 2014, the hackers had broken into the system at least several months before. This long time frame allowed them to set up numerous tools, probe the network for information, and steal vast amounts of data. Whether they triggered the malware attack because they had what they wanted or due to a time deadline, the damage swept across the company like wildfire and caused significant problems.

After stealing so much data and leaving behind Trojan payloads, the attackers — who called themselves the Guardians of Peace, or GOP — unleashed the most destructive element of their intrusion. Not only was much of the critical data wiped from thousands of employee workstations, but the malware also employed a “wiper.” By destroying the boot record for the machine, many computers would not even boot up properly. They even used forensic-level overwriting techniques to ensure that as little data as possible was recoverable.

While the GOP leaked unreleased films online, posted lengthy email exchanges involving Sony Pictures executives, and shared data like the social security numbers for thousands of employees, business operations ground to a halt. Suddenly, even basic tasks — like making payroll — became a Herculean effort. Staff were forced to rely on couriered messages to communicate, paper checks made a comeback, and production footage underwent physical shipment for processing. It took a year for the company to properly recover business operations after the conclusion of the hack.

Ultimately, these efforts included threatening messages related to Sony’s film “The Interview,” a satirical take on North Korea’s leader. With the film’s theatrical release canceled in favor of a digital premiere and Sony’s systems in flames for more than a month after the attack, it’s hard to say the bad guys did anything other than succeed here. In the wake of the attack, several contractors claimed they had warned Sony of the potential danger they faced. It’s not hard to see that when bad actors set out to cause deliberate digital harm to a company, they can create all kinds of problems with vast and unforeseen consequences.

The Heartland hack exposes tons of payment details

Let’s shift gears now and move from the entertainment industry to the financial sector. E-commerce is a target in its own right, but what about the rest of the business that happens electronically? Think about it: how often do you use cash these days? For most people, payment always takes the form of a plastic card. Every time you swipe your card or insert it into a chip reader, what happens? For many merchants, there is an intermediary step between your card and your bank — the payment processor. These are the businesses that ensure every transaction runs smoothly. These middlemen work with companies like MasterCard and Visa to provide a safe, secure service.

At least, that’s the idea. It didn’t quite work out that way for Heartland Payment Systems, which ultimately saw intruders on their systems steal well over 100 million valid credit card numbers. More than that, it eventually turned out that some of those responsible for hacking Heartland were also involved in even more widespread credit card and financial data thefts affecting numerous other companies. We’ll touch on that more in a minute — for now, let’s focus on what happened to Heartland. If the Sony hack wasn’t evidence enough of the financial harm attackers can cause to companies, the $200 million in costs associated with this hack should be sufficient.

Despite the extensive damage and huge amount of stolen data, the Heartland attack had humble beginnings as a simple SQL injection attack. In other words, it used one of the most common and basic methods for attacking vulnerable web pages and web applications. Old versions of SQL database software and poorly coded web forms offer hackers extraordinary opportunities to do damage. Once the hacker involved found a place to inject arbitrary code successfully, he could begin prowling through Heartland’s databases. In no time, he had access to tens of millions of credit card numbers, thanks to the large amount of business Heartland conducted with major credit card providers.

It was those providers that ultimately alerted Heartland to suspicious activity emanating from accounts they processed. Upon a closer examination, they noticed the presence of malicious software and unusual activity on their servers. With cardholder names and numbers, the information would have fetched a high price on the black market — even without the other personally identifiable information missing from the databases.

In the end, it turned out that Heartland was not the only company struck by the hackers on the hunt for credit card data. TJ Maxx, 7-Eleven, and even the NASDAQ stock exchange were all hit at one point or another by various members of a cybercrime ring. One of those men, Miami-based Albert Gonzalez, was tried and jailed for his role in these hacks. Several years later, associates of Gonzalez, including two Russians, were also indicted for their roles in the hack.

Though there have been few problems as large as the Heartland hack based on SQL injections since then, this incident shows us that it doesn’t take sophisticated tools for the bad guys to find a way inside. Sometimes, all it takes is poor implementation of a sometimes-buggy system. Incidents like this one served as a reminder of the need to harden systems and databases to many companies. The vast sums Heartland paid in settlements to companies like Visa, totaling tens of millions of dollars, also provide a strong incentive to protect customer data.

Adobe insecurities result in major password theft

Poor Adobe — for all the products they’ve introduced, like Photoshop and Premiere, it can sometimes seem like they only ever make the news for the wrong reasons. Whether we’re talking about vulnerabilities in Flash providing inroads for attackers or some other zero-day exploit, there’s always something happening. Back in 2013, something did happen because hackers breached the company’s networks and ultimately stole millions of usernames and “encrypted” passwords. That word — encrypted — will be important as we delve into what exactly happened here and what Adobe did wrong.

Initially, Adobe estimated hackers stole data for about 38 million accounts — but later analyses revealed that probably around 150 million records made their way into the hacker’s hands instead. This data included user accounts for many Adobe products. As a result, many regular users suddenly were at risk of password exposure. We already know people have a habit of reusing passwords even when they shouldn’t, so a hack of this scale could potentially let someone access tons of sensitive accounts.

More than that, the hackers stole source code for several Adobe products. It should be obvious that when there’s something of value in a digital system, hackers won’t mind helping themselves if they can penetrate the protections around the data. With the source code in hand, there were concerns that malicious developers might uncover new zero-day exploits to use. We can’t say for sure whether that ever happened — especially given the steady flow of Adobe vulnerabilities in a typical year.

In the end, while the source code theft was troubling for Adobe, it’s the user information that is the most important at the end of the day. Beyond just Adobe ID numbers, emails, and user passwords, the stolen database also contained credit card info and more: a perfect target for identity thieves.

We’ve discussed the way websites protect their passwords using a method called hashing and salting in the past. Every password goes through an algorithm that mathematically scrambles the characters it contains; to ensure that even the same passwords won’t produce identical hashes, a random “salt” value exists alongside the password. In this way, it’s almost impossible for anyone to reverse engineer a password from a properly hashed database. Unfortunately, Adobe didn’t do this — not anything like it, in fact.

Security experts took note of the language used by Adobe in their announcement of the breach, which was that user information was “encrypted” (not hashed). This turned out to be a true assertion: the company wasn’t hashing user information at all – which is the widely preferred method that should be used with this type of data. Worse yet, this information was stored alongside password hints — making it much easier to narrow down the possibilities. Sophos researchers examining some of the leaked data very quickly determined the cipher used by Adobe. From there, they could learn much more information about the encoded passwords. A dedicated attacker could figure them out in no time.

With so many customer records out in the open, many people found out it was time to change their passwords once again. Given the weak protections Adobe had on this data, it’s no surprise that it ended up being posted for public consumption by cyber criminals. It also reveals something telling: when a major company like Adobe doesn’t put the best protections in place for your data, the individual user’s efforts to be secure matter even more. If you used a throwaway and unique password for your Adobe account, you’d be fairly safe. It’s why unique passwords are so important.

While these five hacks represent some of the biggest and most high-profile breaches, there are many others out there that have exposed tens of millions of user records. Even this year, we’ve seen further examples of companies and government agencies around the world suffering from intrusions. Meanwhile, hackers continue to make off like bandits as they hawk their stolen data on the Dark Web or exploit it for financial gain. With sophisticated malware tools in the hands of hackers, we need to see the guardians of this sensitive data take better steps to protect it — and to be transparent when they make mistakes.

That’s everything we have for you on this weekly edition of The Checklist. We’ll return next week with another detailed discussion on an important security topic!

Do you have a topic you’d like to see us cover in a future episode, or a security question in need of an answer? If you have anything to ask us, send us an email at checklist@securemac.com!