The worst security breaches of 2020
The new decade definitely gave us a rough start in 2020, with the COVID-19 pandemic that radically transformed life all around the world, reshaping networks by pushing people to work and study from home, creating a scramble to access vaccine research by any means — and generating new opportunities for criminals to launch all kinds of scams.
There’s little wonder that in such circumstances, cyberattackers didn’t give anyone a break this year. Data breaches, network infiltrations, data and identity theft, and ransomware outbreaks — all that occurred over 2020.
Let’s have a look at some of the biggest and baddest hacks and security breaches that happened in the past year.
Estee Lauder security breach
One of the biggest data breaches of the year was the Estee Lauder breach in February 2020. The cosmetics company had 440 million records accessed in a staggering breach of its security.
Criminals uploaded an unprotected database to the Internet, which contained over 440 million pieces of information. Of the 440 targeted files, an unknown number were plain-text email addresses.
The rest were mostly middleware, software used by the company to manage everything from internal messaging to account authentication.
It is unclear what method the hackers used to take the information or how long it had been available. However, hackers could use the information from the breach to create numerous back doors into Estee Lauder’s security, potentially compromising the website in the future.
T-Mobile security breach
T-Mobile is a company with a poor reputation for cybersecurity, and 2020 saw another big hack of this mobile service provider. In March, the company began notifying users of a mysterious hack that exposed real names, addresses, phone numbers, and other sensitive information.
T-Mobile eventually revealed that hackers had gained access to an employee email address. It is unknown how many people may have been affected by the breach, as the company did not make any numbers public.
Zoom account data stolen
As Zoom gained in popularity in the past year, it also became popular with fraudsters — and increasingly vulnerable to security threats.
In April, it was reported that 500,000 stolen Zoom passwords were for sale on dark web sites, with some of the accounts’ credentials being given away for free.
On top of this, victims’ personal meeting URLs and HostKeys were available too. Zoom said the details were the result of a data breach at another company and hackers had discovered that users had used the same username and password combinations for their Zoom accounts.
Wishbone, a popular straw poll app, suffered a leak of 40 million user records in May 2020. The hacking group ShinyHunters leaked the data on RaidForums, a popular marketplace for leaked databases.
The leaked database contained a lot of user information, including usernames, email addresses, mobile numbers, and even some password information. The passwords were hashed with MD5, an algorithm that has been considered unsafe for over a decade. Because MD5 is fast to compute, this outdated scheme makes it much easier for hackers to crack those hashes.
Hackers have also targeted Wishbone in the past, leaking 2.2 million email addresses and passwords back in 2017.
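The MD5 weakness described above, as an added example that is not part of the original article: it contrasts unsalted MD5 with a salted scrypt hash and replaces a legacy record on the next successful login. The function names, record format, scrypt parameters, and sample accounts are assumptions made for this illustration.

```python
from __future__ import annotations
import hashlib
import hmac
import os

# scrypt cost parameters: assumed values for this example, tune for your hardware
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1


def legacy_md5(password: str) -> str:
    """Unsalted MD5: fast, and the same password always gives the same hash."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_scrypt(password: str, salt: bytes | None = None) -> str:
    """Salted, memory-hard hash stored as 'scrypt$<salt hex>$<digest hex>'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login and return (ok, record_to_store). A legacy MD5 record
    is replaced by a scrypt record on the first successful login."""
    if stored.startswith("scrypt$"):
        _, salt_hex, _ = stored.split("$")
        candidate = hash_scrypt(password, bytes.fromhex(salt_hex))
        return hmac.compare_digest(candidate, stored), stored
    # Anything else is treated as a legacy 32-character hex MD5 digest.
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, hash_scrypt(password)
    return False, stored


def shared_hash_groups(records: dict[str, str]) -> list[list[str]]:
    """Audit helper: users whose stored hashes are identical (no salt in use)."""
    by_hash: dict[str, list[str]] = {}
    for user, stored in records.items():
        by_hash.setdefault(stored, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]


if __name__ == "__main__":
    # Constructed sample accounts, not data from any real leak.
    records = {u: legacy_md5(p) for u, p in
               [("alice", "summer2020"), ("bob", "summer2020"), ("carol", "other-pass")]}
    print(shared_hash_groups(records))
    ok, upgraded = verify_and_upgrade("summer2020", records["alice"])
    print(ok, upgraded.split("$")[0])
```

With unsalted MD5, every account that shares a password shares a hash, so one cracked hash exposes all of them; the per-user salt and deliberately slow scrypt computation remove both advantages.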
Grand Theft Twitter
In July 2020, a huge data breach saw many high-profile Twitter accounts, including those of Barack Obama, Elon Musk, and Bill Gates, get simultaneously hacked. Out of a total of 130 accounts targeted, the hackers managed to alter the passwords of 45 users.
In what was later named one of the “most brazen online attacks in memory”, the compromised Twitter accounts of the rich and powerful then proceeded to send tweets asking people to send money to an unknown Bitcoin address.
As the tweets came from verified accounts of well-known people, a lot of people fell for the scam and sent money to the associated Bitcoin address. Overall, the hackers managed to get a total of $121,000 (£90k) in Bitcoin from 300 transactions.
It’s also unclear how much information the hackers were able to get from the accounts they compromised. If they were able to access the accounts’ direct messages, they might have stolen private information they could leak later to embarrass or blackmail people whose accounts were hacked.
For more on how this hack occurred, check out our earlier article on social engineering.
Hackers obtained 17 million users’ information from the hospitality exchange service Couchsurfing. The information was believed to have been stolen during a breach in early July 2020 before appearing on hacking channels and forums for sale, where hackers offered the leaked email addresses and real names for 700 USD.
Luckily, as far as investigators could tell, the stolen data did not include passwords, but user emails can be added to spam lists and used for malware distribution operations in the future.
A dark web data broker claimed hackers might have extracted the data from an old backup file, which would explain the lack of any password information.
In September 2020, a database with the customer information of approximately 100,000 gamers who made purchases with the game tech company Razer was found online and unprotected.
The exposed information included names, emails, phone numbers, customers’ internal IDs, order numbers, order details, and billing and shipping addresses.
On September 21, 2020, over 500,000 gamer accounts of Activision, a well-known video game publisher, were targeted in a credential stuffing attack.
It has been reported that login data, such as email and password, was released publicly online, granting hackers access to the Call of Duty accounts, often locking the rightful owners out of their accounts.
Barnes & Noble e-book disruption
On October 15, 2020, a popular bookseller, Barnes & Noble, notified their customers that a cybersecurity attack led to exposed customer information and caused service disruption of Nook e-reader books.
The company has not disclosed how many customers have been impacted but noted that billing and shipping addresses, telephone numbers, and email addresses were all accessed in the data leak.
Google going down
On December 14, 2020, Google experienced an outage that prevented users from accessing various services and lasted for more than an hour, causing outrage on social media.
Cybersecurity expert Will Geddes claimed that the Alphabet Inc. outage could be part of the same cyberattack that affected the US government and said that this attack “could be the 9/11 of cyber hack attacks”.
Whether he’s right or not, the damage done has definitely been huge — the potential hack against Google has affected nearly 70 million users across various services.
Hacks and data breaches will be a fact of life for as long as people make mistakes, whether that’s misconfiguring a database or using the same password for their bank account that they used for their social media account. Besides, 2020 presented a lot of uncertainty for hackers and social engineers to prey on.
What we can do is learn from these stories and do our best to ensure that the next story about a hack won’t be ours.
One thing you can do to protect yourself in case a company you do business with gets hacked is to always use a unique password for each account. That way if one account becomes compromised, you won’t face security breaches down the line. And always protect your accounts with two-factor authentication so that if someone does get your password, they can’t access your data. Here at Namecheap, we offer multiple methods to lock down your account with 2FA.