Preface

Why this list is important

Keeping your personal information secure is more important than ever. This compiled list of the top 2018 data breaches will help you understand why. With the ever-increasing number of malicious attacks by both private and state-sponsored actors, it’s important to keep your identity and personal information secure. Secret and sensitive data of hundreds of millions of people was hacked, exposed and even sold on darkweb markets. Data breaches are, to put it bluntly, simply terrifying. Everyone thinks it won’t happen to them, but it’s happening right now.

Private and state-sponsored actors are out there right now searching for new companies and data-rich databases to target.

Biggest Data Hacks of 2018

Hacks that affected the largest numbers of people

Panera Bread

  • Affected Accounts: 37 million
  • Targeted: All PaneraBread.com customer accounts.
  • Data Exposed: Names, Email Addresses, Physical Addresses, Birth dates, Last 4 Digits of Credit Cards
  • Timeframe: Disclosed in April of 2018
  • Details: Panera Bread was warned by a cybersecurity expert in August of 2017 that their website was leaking customer data; however, their IT team failed to act until 8 months down the line, when they announced the leak and took their website offline for security maintenance.

Newegg

  • Affected Accounts: 50 million
  • Targeted: Newegg online shoppers.
  • Data Exposed: Names, Email Addresses, Physical Addresses, Credit Card Information
  • Timeframe: August 14, 2018 – September 18, 2018
  • Details: Newegg’s website was hacked by the cybergang Magecart. The group injected credit card skimming code into the site so that whenever a customer purchased something online from the Newegg website, all that payment information was also sent to Magecart’s command and control server.

Elasticsearch

  • Affected Accounts: 82 million (57M customers, 26M businesses)
  • Targeted: Various users and online businesses
  • Data Exposed: Names, Email Addresses, Physical Addresses, Phone Numbers, IP Addresses, Employers, and Job Titles of customers. Businesses had names, company details, zip codes, carrier routes, census tracts, phone numbers, web addresses, email addresses, employee counts, revenue numbers and much more.
  • Timeframe: Discovered on November 14, 2018
  • Details: A regular security audit led a researcher to an unguarded database with over 80 million sensitive aggregated data records.

Facebook

  • Affected Accounts: 87 Million
  • Targeted: Facebook users
  • Data Exposed: Profile information, friends, private messages, political beliefs.
  • Timeframe: Disclosed September 2018
  • Details: The notorious Cambridge Analytica scandal. For the unaware, this is where the aforementioned data-collecting company illegally harvested user information. The operation was politically motivated and mainly used to influence the 2016 US presidential election.

MyHeritage

  • Affected Accounts: 92 million
  • Targeted: MyHeritage users
  • Data Exposed: Hashed passwords and email addresses.
  • Timeframe: Alerted in June of 2018
  • Details: A group of cybersecurity researchers alerted the genealogy site in June 2018 that an outside server had been discovered with sensitive MyHeritage information. The company confirmed that the information was legitimate and alerted its users that any account holders who had signed up prior to October 26, 2017 were at risk and should change their passwords.

Quora

  • Affected Accounts: 100 million
  • Targeted: Quora users
  • Data Exposed: Names, hashed passwords, profile information, public and non-public actions as well as email addresses.
  • Timeframe: Discovered on December 3, 2018
  • Details: There are still many questions regarding the details of this breach, as Quora had only reported to its users that a third party had gained unauthorized access to one of their systems, with no additional information.

UnderArmour

  • Affected Accounts: 150 million
  • Targeted: MyFitnessPal users
  • Data Exposed: Usernames, email addresses, hashed passwords.
  • Timeframe: February 2018
  • Details: MyFitnessPal, a food and nutrition app owned by UnderArmour, was hacked, opening up the above information to attackers.

Exactis

  • Affected Accounts: 340 million (230M users, 110M businesses)
  • Targeted: Users and online businesses
  • Data Exposed: Over 400 different categories of details such as phone numbers, email and physical addresses, interests, ages and much more.
  • Timeframe: June 2018
  • Details: Exactis is a data collection firm that had somehow relocated 2 terabytes of data to a publicly accessible site. It is unknown who or how many people accessed this information before it was discovered.

Starwood

  • Affected Accounts: 500 million
  • Targeted: Starwood guests
  • Data Exposed: Names, Email Addresses, Physical Addresses, Phone Numbers, Passport Numbers, Account Information, Birth Dates, Gender, Travel Information, Accommodation Information and hashed credit card information.
  • Timeframe: Discovered on September 10, 2018
  • Details: Starwood, a Marriott-owned hotel chain, issued a statement that its server had suffered unauthorized access.

Aadhaar

  • Affected Accounts: 1.1 billion
  • Targeted: Indian citizens.
  • Data Exposed: Aadhaar numbers, names, emails, physical addresses, phone numbers and photos.
  • Timeframe: August 2017 – January 18, 2018
  • Details: Anonymous sellers charged Rs 500 ($7) and lower for a portal into India’s Unique Identification Authority where the records of virtually every citizen were stored.

Aftermath

Here are some of the precautions you should take to prepare yourself for a breach.

If you had an account with, or used, any of the companies/websites on our list of 2018 data breaches, you need to do this immediately:

  • Change any passwords similar to the password that was breached.
  • Change all other passwords to prevent password reuse.
  • Follow today’s best password practices.
  • Ensure no unauthorized access has occurred to any such accounts.

If you’d like to protect yourself in 2019 there are lots of things you can do:

  • Use a password manager such as KeePass, LastPass, or any other thoroughly reviewed and accepted password manager to implement a no-password-reuse policy and help you keep to the best password practices mentioned above.
  • Utilize services that don’t retain unnecessary data and don’t make it their business to sell or even store your data in the first place. (Shameless self-plug: PrivacyMountain was created in order to provide anonymous hosting solutions that keep your data and personal information private.)
  • Do not trust companies keeping your data to be a ‘good custodian’ of your private information.
  • Activate two-factor authentication wherever possible.

We hope you start taking your privacy and personal information more seriously now that you have a better general idea of the 2018 data breaches and of the number of users and amount of data that was stolen this year.