7 breaches, hacks, and leaks you might have missed this year

OtherPrivacy news
4 mins
The year 2021 with an open padlock replacing the zero.

Cybersecurity Awareness Month couldn’t have kicked off in more dramatic fashion: Facebook, WhatsApp, and Instagram went offline, the entirety of Twitch was leaked, CoinBase got hacked, and the company responsible for routing SMS messages for all major U.S. phone carriers says it had been compromised for years.

With big-name breaches stumbling over each other in the first week of October alone, it’s worth remembering that these cybersecurity events happen more often than you might think. Here are seven other times this year that personal information has been made public when it shouldn’t have been.

1. Mysterious data leak in Brazil exposes 220 million citizens

On January 19, 2021, PSafe’s cybersecurity laboratory, the dfndr lab, reported a leak in a Brazilian database that affected virtually the entire population of Brazil. The leaked data also contained information on 104 million vehicles and about 40 million companies.

This included: names, birth dates, and individual taxpayer registry identification, as well as distinct vehicle information like license plate numbers, municipality, color, make, model, year of manufacture, engine capacity and fuel type. While PSafe did not disclose the name of the company or how the information was leaked,  Brazil’s GDPR-like Data Protection Security Law lays the foundation for fines of up to 9 million USD for such infractions. Whether any entity will be fined is yet to be seen.

2. 10M+ affected by leaks from photo editing and stock photo services

123RF, a popular stock photo service used by over 8.3 million users, was hacked and sold online in late 2020.

BleepingComputer got a look at some of the stolen data, and found 123RF members’ full name, email address, MD5 hashed passwords, company name, phone number, address, PayPal email where used, and IP address.

Two months later, in January 2021, free online photo-editing app Pixlr was hit by a database leak containing 1.9 million user records. Both services are owned by Inmagine, and both leaks were claimed by a user known as ShinyHunters, who claims he also breached 123RF’s stock photo site.

Included in these records were email addresses, usernames, hashed passwords, users’ country location, and other sensitive information.

3. Facebook leak affecting half a billion users

April was an eventful month, with three major data leaks reported in a week: Facebook, Clubhouse, and LinkedIn. It’s no secret that Facebook is in the business of knowing who you are and selling that data to advertisers online. In April, the data of some 533 million users were posted online for free on a hacking forum. The data, obtained from a vulnerability that had been patched in 2019, included personally identifiable information: full names, emails, phone numbers, Facebook IDs, locations, birth dates, and bio descriptions.

The data itself wasn’t even hacked from Facebook servers. It was scraped by bots to extract data from websites. All data available in this leak was scraped from Facebook before September 2019.

Read more: 10 times Facebook violated your privacy

4. LinkedIn breach exposes 700 million users’ data

We also saw another leak of a similar magnitude in April, this time on LinkedIn. The hacker claimed 500 million LinkedIn user profiles had been scraped, sharing two million of these records for $2 to prove legitimacy. After apparently failing to sell the data by themselves, the entire database was released months later in September, revealing over 700 million users’ data, including their LinkedIn ID, profile URL, location information (town, city, country), and email addresses.

5. 1.3 million Clubhouse accounts posted online

The audio chat social network Clubhouse was also hit by a leak in April—1.3 million scraped Clubhouse user records were posted for free on a hacker forum. The database from the audio chat social network includes user ID, name, photo URL, username, Twitter handle, Instagram handle, number of followers, number of people followed by the user, and account creation date. Clubhouse CEO Paul Davison later claimed all the information leaked was public information, and therefore not a leak. Comforting.

6. Fitness tracker exposes Apple and Fitbit users

GetHealth, a fitness tracker that collects health data from Apple’s Healthkit and Fitbit devices, exposed over 61 million user records from an unsecured database. Given the nature of the data, GetHealth’s data leak had a lot more personal information, including names, birth dates, height, weight, and geolocations of the users.

7. Almost 2 million users exposed in Ticketcounter data breach

Dutch e-Ticketing platform Ticketcounter had its database of 1.9 million users stolen from an unsecured staging server. The hacker had originally posted the database on a forum to sell it, but was later released for free. The information revealed users’ full names, email addresses, phone numbers, IP addresses, and passwords.

***

With leaks, hacks, and breaches happening daily, you’d be forgiven for wanting to feel a little less aware of cybersecurity. But the fact remains that cybersecurity affects us all, whether on a personal, corporate, or national level.

While there is little you and I can do to prevent company databases from getting breached, we can strengthen our personal online security. You probably already use a VPN and strong passwords, and maybe even decline app permissions to track your location.

But if there are more things you want to do to stay on top of your cybersecurity game, read our 18 tips on elevating your personal cybersecurity measures. They’re all easy to do, even if you’re not tech savvy.

Ceinwen focused on digital privacy, censorship, and surveillance, and has interviewed leading figures in tech.