Many were shocked to find out that major consumer credit reporting agency Equifax took months to publicly disclose a leak affecting over 43 million customers, exposing names, home addresses, and even social security numbers. Furthermore, the company has been heavily criticized for the way the situation was handled, with the CFO even stating that he was not aware of a data breach within the company.
While it took Equifax months to let the public know and an additional six weeks to try to mitigate the breach, revelations like this are not entirely new. In fact, a large majority of companies choose not to disclose whether or not they have experienced a data breach, with some companies even taking years to finally make their data breaches public. This blog post will cover some of the biggest data breaches that have only come to light during the second quarter of 2017.
1. We Heart It
We Heart It is a popular image-sharing site used by approximately 40 million users. It was revealed on October 16 that close to 8 million users may have had their personal data compromised, including email addresses, usernames, and passwords, in a breach that occurred sometime between 2008 and November 2013. Victims are only now being advised to change their passwords. Unlike other companies, which typically force a password reset following a breach, We Heart It did not do so for its users. However, the company did state that it has made vast improvements to its password and database security following the data breach.
2. Microsoft
Microsoft’s “secret vulnerabilities database,” which tracks critical vulnerabilities and other bugs, was compromised in 2013. According to insiders, Microsoft became aware of the hack in early 2013 after an unknown hacking group broke into the systems of other top companies like Apple and Facebook, but Microsoft chose not to disclose the data breach. Later, former company employees came forward to confirm that Microsoft had taken the nondisclosure route at the time. Insiders also believe the company most likely patched the vulnerabilities within months of discovering the breach, but Microsoft has not directly commented on the matter.
3. Yahoo
It’s an infamous data breach that keeps coming back and making news headlines: Yahoo’s 2013 data breach. On October 3, Yahoo made yet another announcement related to this particular cyber incident after new evidence was produced. It was initially believed that an already massive 1 billion accounts were affected, but new findings suggest all 3 billion of Yahoo’s accounts were impacted by the breach. As was revealed in the first report, user account information including full names, email addresses, telephone numbers, DOBs, passwords, and even encrypted security questions and answers was leaked. Company representatives, however, claim that payment card data and bank account information were not stored in the systems believed to have been affected. In any case, Yahoo said that when it announced the data breach publicly in 2016, proper actions were taken to protect all accounts.
4. Disqus
Disqus, a popular and widely used comment hosting service, revealed recently, on October 7, that it suffered a major data breach back in 2012, in which a user database with information stored since 2007 was compromised. The breach is said to have affected 17.5 million users. The company has made efforts to mitigate the situation by resetting the passwords of all affected users and by personally reaching out to those whose information has been leaked online. Like other companies in the same position, Disqus stated that it has upgraded its database security and encryption services to prevent future breaches, and is now committed to promoting better password security.
According to research by Risk Based Security, the first half of 2017 saw 2,227 “data compromise events” with over 6 billion records being exposed. Data breaches present a devastating blow to any organization. Besides monetary losses, a company’s brand is tarnished and news of a data breach may haunt an organization for a long time. Customers value their privacy and expect big corporations to maintain data integrity. Unfortunately, even these big names don’t always implement the best security practices.
For now, customers should take matters into their own hands to protect their data, as breaches can occur at any time and customers can’t expect to find out about them until months or even years later. So, take simple measures of your own, like making sure you aren’t using the same password for all of your online accounts and routinely reviewing your accounts for suspicious activity. Also, avoid clicking on links or downloading attachments from unknown senders. Finally, check whether your password is really a strong one by reading Cloudbric’s blog post on the Strong Password Paradox!