What causes the stock price of a company like Facebook to fall 6 percent in just two hours? Probably the announcement of two major data breaches in a single year. In 2018, the dark side had a pretty good year: more than 700 million records were exposed in just 10 big data breaches, with plenty of big names dragged through the mud along the way. Literally hundreds of millions of people’s private and sensitive data were torn open and exposed, then aggregated for sale on various Dark Web lists. What is interesting about cybersecurity is that no matter what you do, it is never enough; you have to keep improvising and improving. If you stagnate, you die, and in a few cases last year it was pure negligence that let hackers simply stumble across data treasure troves. Let’s take a look at the five biggest 2018 data breaches:
Last year, the athletic wear company Under Armour had its share of issues when data from 150 million users of its MyFitnessPal fitness app was breached. The stolen information included usernames, email addresses, and passwords, most of which were hashed with bcrypt. However, a portion had been hashed with the notoriously weak SHA-1 function, which is much easier to crack than bcrypt. Like Quora, Under Armour responded quickly after the March 25 hack was discovered, and started notifying users four days after it occurred. The company said it was working with law enforcement and “leading data security firms,” but the cause of the breach has not yet been found.
Matthew Green, a cryptographer at Johns Hopkins University, speculates that it could be the result of keeping too much IT work in-house rather than bringing in more specialized experts. He explains that it was probably a migration from SHA-1 to bcrypt, combined with the need to keep old data available for customers who had not recently logged in. Whatever the reason, the lesson here is to proactively vet and audit security and discover shortcomings before the black hats do. It is also a good idea to have a specialized security team involved, to ensure that your breach is not caused by an amateur error.
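The migration problem Green describes (old SHA-1 records that must stay usable for users who never log in) has a standard defensive answer, shown here as an added example that is not from the article or from Under Armour: a password store that upgrades a legacy record to the strong scheme the moment a user logs in successfully, and that can wrap the remaining dormant SHA-1 digests inside the strong scheme offline so no fast-to-crack hash is left at rest. To keep the example runnable without a third-party package, salted PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt; the record formats, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed record formats (not the breached application's own):
#   legacy  : bare unsalted SHA-1 hex digest, no "$" in it
#   strong  : "pbkdf2$<iterations>$<salt hex>$<digest hex>"  (stand-in for bcrypt)
#   wrapped : "wrapped$" + a strong record computed over the legacy SHA-1 digest
ITERATIONS = 100_000


def legacy_sha1(password: str) -> str:
    """The weak scheme: fast and unsalted. Kept only to verify old records."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def strong_hash(secret: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash; bcrypt would play this role in production."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_strong(secret: str, record: str) -> bool:
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", secret.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def is_legacy(record: str) -> bool:
    return "$" not in record


class PasswordStore:
    def __init__(self, records: Dict[str, str]):
        self.records = dict(records)

    def legacy_count(self) -> int:
        """Number of bare SHA-1 records still at rest (what an attacker would want)."""
        return sum(1 for r in self.records.values() if is_legacy(r))

    def wrap_legacy_records(self) -> int:
        """Offline step for dormant users: wrap each bare SHA-1 digest in the strong
        scheme. The plaintext is unknown, so the digest itself becomes the secret;
        cracking now costs the slow hash per guess instead of one SHA-1."""
        wrapped = 0
        for user, record in self.records.items():
            if is_legacy(record):
                self.records[user] = "wrapped$" + strong_hash(record)
                wrapped += 1
        return wrapped

    def login(self, user: str, password: str) -> bool:
        record = self.records.get(user)
        if record is None:
            return False
        if record.startswith("pbkdf2$"):
            return verify_strong(password, record)
        if record.startswith("wrapped$"):
            ok = verify_strong(legacy_sha1(password), record[len("wrapped$"):])
        else:  # bare legacy record
            ok = hmac.compare_digest(legacy_sha1(password), record)
        if ok:
            # We hold the plaintext now, so replace the legacy or wrapped record
            # with a direct strong hash; the SHA-1 dependency disappears for good.
            self.records[user] = strong_hash(password)
        return ok


if __name__ == "__main__":
    store = PasswordStore({"alice": legacy_sha1("correct horse"),
                           "bob": strong_hash("battery staple")})
    print("legacy records before:", store.legacy_count())
    print("wrapped offline:", store.wrap_legacy_records())
    print("alice login:", store.login("alice", "correct horse"))
    print("alice record now:", store.records["alice"][:7])
```

Upgrade-on-login alone leaves dormant users exposed indefinitely, which is exactly the gap the article describes; wrapping closes it the day the migration ships, and the wrapped record is replaced by a direct strong hash the next time that user authenticates.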
Elasticsearch cannot seem to catch a break with breaches: after leaking information about NFL players in 2017, an Elasticsearch server left open on the Internet without a password leaked nearly 57 million Americans’ personal information for nearly two weeks. Many Elasticsearch-based leaks happen simply because server administrators never set up passwords for their servers, and missing authentication is one of the main reasons hackers can break in so easily. Elastic, the company behind Elasticsearch, said in a blog post that their servers were not designed to be exposed on the Internet. The lesson here is to use tools that can provide the security you need to handle your data.
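The two settings that decide whether an Elasticsearch node ends up in the situation described above are the bind address and whether authentication is switched on. As an added example, not from the article or from Elastic, the script below lints an `elasticsearch.yml` fragment and flags the combination "reachable beyond loopback, no authentication, no TLS". The setting names (`network.host`, `http.port`, `xpack.security.enabled`, `xpack.security.http.ssl.enabled`) are real Elasticsearch settings; the two configuration fragments are constructed for the example, and the minimal `key: value` parser is a stand-in for a proper YAML loader so the script runs without PyYAML. Because the default of `xpack.security.enabled` has differed across versions, the audit insists on it being set explicitly rather than guessing the default.

```python
import ipaddress
from typing import Dict, List

# Constructed configuration fragments (example data, not the leaked server's).
WEAK_CONFIG = """
cluster.name: analytics
network.host: 0.0.0.0          # listen on every interface, including the public one
http.port: 9200
xpack.security.enabled: false  # no authentication at all
"""

HARDENED_CONFIG = """
cluster.name: analytics
network.host: ["_local_", "10.0.5.12"]   # loopback plus one internal address
http.port: 9200
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""


def parse_flat_settings(text: str) -> Dict[str, List[str]]:
    """Minimal parser for the flat 'dotted.key: value' lines Elasticsearch uses.
    Every value is returned as a list so scalars and [a, b] lists look alike."""
    settings: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line or ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if value.startswith("[") and value.endswith("]"):
            items = [v.strip().strip("\"'") for v in value[1:-1].split(",")]
            settings[key] = [v for v in items if v]
        else:
            settings[key] = [value.strip("\"'")]
    return settings


def binds_beyond_loopback(host: str) -> bool:
    """True when a network.host entry makes the node reachable from other machines."""
    if host in {"_local_", "localhost"}:
        return False
    if host in {"_site_", "_global_", "0.0.0.0", "::"}:
        return True
    try:
        return not ipaddress.ip_address(host).is_loopback
    except ValueError:
        return True  # hostnames and interface names: assume reachable from outside


def audit(settings: Dict[str, List[str]]) -> List[str]:
    findings: List[str] = []
    # Elasticsearch binds to loopback when network.host is not set at all.
    hosts = settings.get("network.host", ["_local_"])
    if not any(binds_beyond_loopback(h) for h in hosts):
        return findings  # only local processes can reach it; nothing to report
    port = settings.get("http.port", ["9200"])[0]
    if settings.get("xpack.security.enabled", [""])[0].lower() != "true":
        findings.append(
            f"network.host={hosts} is reachable beyond loopback but "
            f"xpack.security.enabled is not explicitly true: anyone who can reach "
            f"port {port} can read and write every index without a password"
        )
    if settings.get("xpack.security.http.ssl.enabled", [""])[0].lower() != "true":
        findings.append(
            f"HTTP API on port {port} is exposed without TLS: credentials and "
            f"documents travel in clear text"
        )
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_flat_settings(text)) or ["no findings"])
```

Run it against the node's real `elasticsearch.yml` as a pre-deployment gate; a node that binds to `_site_` or `0.0.0.0` without both authentication and TLS should never reach production, and the same check belongs in whatever provisioning pipeline builds the cluster.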
All in all, there was one common thread in the 2018 data breaches: organizations normally have no clue what caused their breach, and most can only speculate about possible causes. Being safe is always better than being sorry, and safety has to change from reactive to proactive. Only when that happens will we find the bugs in our own systems before the bad guys do.