Top 2019 Privacy Leaks
Here we go again, for our top leaked personal data report. If you haven’t read the 2018 edition, you can find it here: Top Privacy Leak of 2018!
At this point, privacy leaks aren’t a matter of if, but when they will happen. Some argue that people are being too careless in their online practices and others blame the service providers.
Whatever the case may be, 2019 was what you might call a banner year for data thieves. It includes big names that are no strangers to leaks (looking at you, Facebook), as well as the concerning trend of targeting vulnerable government institutions. It also had the largest collective leak in history so far, so read on to find out which ones made the list of top privacy leaks of 2019.
The Blur Leak
Might as well start at the beginning. This was the first recorded leak of the year and it happened on January 2. The password managing service, Blur, announced that a data breach exposed some 2.4 million of its users.
It was technically discovered in December of 2018 but it wasn’t until 2019 that a security audit revealed the extent of it.
Blur’s parent company Abine reported that the file containing sensitive information was left unsecured online. They score some points for transparency but that’s unlikely to assuage any of the affected users.
The information that was compromised includes email addresses, first and last names, their Blur passwords and IP addresses. The company was able to confirm, however, that none of the passwords that are actually managed by the software was exposed.
Social networks really changes our privacy. It’s now obvious. We have left too much personal data and we continue to do so. Today, we are paying the price when we see our data exposed.
At this point a usual suspect, Facebook coyly announced in March of 2019 that it had suffered a massive data breach. The leak mostly affected Instagram users whose passwords were being stored in plain text.
That’s right, the world’s largest social media company was storing user data in plain text. Snarky comments aside, this leak was part of a larger series of data breaches that ended up compromising over 400 million Facebook users. It contained Facebook IDs and the phone numbers associated with them.
It was particularly bad publicity for the Silicon Valley titan, which has vowed to take measures to better protect people’s data in recent years. Facebook’s CTO downplayed the severity of the leak, claiming that the compromised datasets were old and no evidence existed that Facebook accounts were leaked.
Orvibo is a Chinese company specializing in smart home systems. In July 2019, a research team at the VPN rating service, vpnMentor, discovered a massive leak of their user accounts. Their database was left unsecured online (noticing a trend?) and over two billion logs were compromised.
This leak is particularly worrisome as it included usernames, passwords, email addresses, and even the precise location of some users. According to vpnMentor’s team, the breach affected Orvibo users all over the world. Logs for users in China, Japan, the US, Mexico, France, and many others were discovered.
Orvibo decided to remain completely silent on the matter, but the leaked database has since been secured. This should serve as a cautionary tale of IoT enthusiasts willing to reach in excess of current security tools’ grasp.
If you want to learn more about how to protect yourself, you can read our post on how to install a VPN in a few minutes
The Gnosticplayers Hacks
Starting in February 2019, a hacker using the alias Gnosticplayers started dumping user records on the dark web for sale to the highest bidder. The leaks ultimately totaled close to a billion records from 44 companies.
The affected companies include Under Armour, Gfycat, 500px, and ShareThis, among others. Most of the companies confirmed the hacks, which also included some minor players in niche markets around the world.
Dream Market, the online marketplace where the leaks were posted for sale was forced to shut down and relocate in April following a slew of DDoS attacks.
Oklahoma Department of Securities
The ODS is just one of the many public bodies targeted in 2019. Government agencies are attractive to data lifters because they tend to be under-protected. Their limited budget often leaves a lot to be desired in terms of IT security.
In January, millions of ODS files were compromised through being left on an open storage server. The files include such sensitive information as FBI investigations and internal communications within the ODS.
Files from as early as 1986 were exposed to the leak. However, they responded posthaste and the leak was “plugged” on the very same day that it was revealed. It’s not clear how much, if any, information ended up in the wrong hands but the ODS hasn’t tried to deny the leak.
The Collections Numbers 1 Through 5
With a name resembling a series of classical music pieces, this leak might appear pretty tame. However, this was the biggest leak of the year by far and remains the biggest leak ever to date.
Starting with Collection #1, a set of email addresses and associated passwords appeared on dark web marketplaces in January of 2019. That first batch contained over 700 million email addresses.
Soon after, collections 2 through 5 appeared online comprising a total of 25 billion+ leaks. About 2.2 billion unique usernames and passwords were compromised as part of the Collections leak.
Cyber journalists in touch with the people selling the information learned that the collections were part of a set of seven. The last two collections haven’t seen the light of day as of yet but all signs point to the legitimacy of their existence.
A Brave New World
As we continue on a mad dash toward a supremely connected world, it would be good to remember that there’s no such thing as a free lunch.
Most of the privacy leaks on this list, and indeed most privacy leaks in general, aren’t the work of a Machiavellian mastermind with supreme technical skills. They’re most often the result of very human oversights or failure to follow protocols.
The fact that people are an essential part of the process will always expose that process to vulnerabilities. Perhaps instead of designing better locks, security efforts in the future will focus on taking better care of who gets to hold the keys.
Finally, remember that we’ve only dealt with data leaks here. But there is some invisible data that we leave lying around, namely metadata. Maybe one day we can do an article on top metadata leak….