Top 10 biggest data breaches of 2020
January 2021 by NordVPN
Last year, hackers were more active than ever, taking advantage of users’ vulnerabilities and the economic disruption amid the global COVID-19 pandemic.
The number of cyberattacks grows steadily every year, and 2020 again saw a peak in cybercrime. According to the Risk Based Security report, 2,953 breaches were publicly reported in the first three quarters of 2020 alone, bringing the number of exposed records to a staggering 36 billion. In comparison, 15.1 billion records were breached throughout the entire year of 2019.
“The still-ongoing pandemic has drastically altered the way people work, shop, communicate, and entertain themselves,” explains Daniel Markuson, a digital privacy expert at NordVPN. “Our lives had to move online, making us leave more of a digital footprint, which has been attracting all types of scammers, fraudsters, and hackers who look for security vulnerabilities to exploit.”
Out of the enormous number of data breaches that happened in 2020, NordVPN experts picked the top 10 biggest leaks in terms of the data volume. The list includes leaky databases that were not necessarily breached per se but exposed sensitive data to the public. Some of the data breaches outlined below might have happened some years ago but surfaced only in 2020.
10. Unknown (201 million). In January, security researchers found a database of more than 200 million sensitive personal records exposed online. The leaky database with an undetermined owner was hosted on a Google Cloud server and consisted of highly sensitive personal and demographic data about US residents and their properties with names, addresses, email addresses, credit ratings, income, net worth, property market value, investment preferences, and other explicit details. It remains unknown if any unauthorized parties accessed the dataset, which was considered to be a gold mine for cybercriminals. Google was alerted about the case, and, after more than a month, the exposed server was taken offline.
9. Microsoft (250 million). In January 2020, Microsoft disclosed a data breach on its servers storing customer support analytics. The breach took place in December of 2019. 250 million entries, including email addresses, IP addresses, and support case details, were accidentally exposed online without password protection. The leaky database consisted of five Elasticsearch servers, which are used to simplify search operations. Misconfigured security rules were blamed for the accidental server exposure, which Microsoft swiftly fixed.
8. Wattpad (268 million). In June 2020, a database of more than 268 million records belonging to Wattpad, a Canada-based website and app for writers to publish new user-generated stories, was breached. The malicious actors compromised Wattpad’s SQL database containing user account credentials, email addresses, IP addresses, and other sensitive data. After the incident, the company reset its users’ passwords.
7. Broadvoice (350 million). In October 2020, news surfaced that Broadvoice, a US VoIP provider for businesses, exposed more than 350 million customer records, such as names, phone numbers, and call transcripts, including voicemails left with medical outlets and financial services firms. Ten databases belonging to the company were easily accessible to security researchers due to a configuration error that left them open without any authentication required for access. Broadvoice patched the security flaw and notified the relevant legal authorities about the incident.
6. Estée Lauder (440 million). In January 2020, the US cosmetics giant Estée Lauder had its unprotected database containing 440 million internal records exposed online. Researchers who found the unencrypted database say the exposed information included email addresses, internal documents, IP addresses, and other information belonging to the company-owned education platform. Once made aware of the issue, the company closed the database off.
5. Sina Weibo (538 million). In March 2020, it was reported that Weibo, the biggest Chinese social media platform, was breached, and personal details of more than 538 million users were up for sale on the dark web and other places online. The exact timing of the data breach is unclear, but there’s speculation that it might date back to 2019. The hacker claimed that the sensitive data, including 172 million users’ real names, gender, location, and even phone numbers, was obtained from an SQL database dump.
4. Whisper (900 million). In March 2020, news broke that the popular secret-sharing app Whisper left 900 million user records exposed online. Anonymous personal confessions and all the metadata related to those posts, including the location coordinates and other sensitive information, were publicly viewable on a non-password-protected database, which, if accessed by hackers, could result in user identification and blackmail. After the company was informed about the incident, access to the data was removed.
3. Keepnet Labs (5 billion). In March 2020, Keepnet Labs, a UK-based cybersecurity firm, experienced a cyber incident during which a contractor temporarily exposed a database containing 5 billion email addresses and passwords from previous data breaches. According to the threat intelligence company, which collects historic breach data to notify its business customers in case their data was compromised, it was migrating the Elasticsearch database and disabled the firewall for about 10 minutes to speed up the process. The risky decision enabled security researchers to access the data without a password via an unprotected port.
2. Advanced Info Service (8.3 billion). In May 2020, Advanced Info Service, Thailand’s largest GSM mobile phone operator, had to take down one of its databases following an alleged data breach. A security researcher found an open Elasticsearch database online containing 4TB of internet usage data, or 8.3 billion records. The exposed information, such as DNS queries and Netflow data, could be used to map a user’s internet activity. The leaky database is secure now.
1. CAM4 (10.88 billion). In March 2020, researchers found an unprotected Elasticsearch server of the adult video streaming website CAM4, which was leaking 7TB of data, or nearly 11 billion records. The exposed records included sensitive user information, such as full names, email addresses, sexual orientation, chat and email correspondence transcripts, password hashes, IP addresses, and payment logs. The database error was fixed; however, it remains unknown if any hackers accessed the highly sensitive information of members of the adult site, who usually prefer to stay anonymous.