Breaches and leaks

Here we go. Takes deep breath

  • Boomoji: the animated avatar app exposed the personal data of its entire user base, over 5.3 million people, in two Elasticsearch databases. The exposed data included user locations, what schools some users go to, and all phonebook entries of all users who allowed the app access to contacts.
  • NASA: a server from the HR department was compromised, and attackers stole personal information of thousands of employees. The data is already for sale on the Dark Web.
  • Facebook: Not so much a breach as a bug, but it was heavily reported on. Normally apps with picture permissions only get to see timeline pictures. But due to a bug in the API they could temporarily get access to more, including unposted pictures.
  • Facebook, again: I guess we can call this a breach-by-design. Over 150 companies got "special treatment" from Facebook, getting wider access to personal data than disclosed to the users. Long but worthy read.
  • Save The Children Federation: an attacker infiltrated the charity and got them to wire $1 million into his account through false documents and invoices.
  • Wall Street Journal: their website was hacked and defaced with PewDiePie-related messages.
  • Amazon: sent 1700 Alexa recordings to the wrong person by mistake.
  • Experian: infamous for previously having the information of 15 million people stolen. This time it was discovered that they included real customer data as part of a public training manual.
  • 2018 overview: If you're feeling nostalgic, here's a nice overview of big 2018 data breaches.
Dieter Van der Stock