As users of everyday online technology, we put our faith in various services that hold plenty of personal information and associated passwords. Tim Stackpool describes some of the biggest data breaches so far this century – and explains the easy way to check if your details have been compromised.
Yahoo, August 2013
The company first publicly announced the incident (which actually happened in 2013) in December 2016. At the time, it estimated that the account information of more than a billion of its customers had been accessed by hackers. But a year later, Yahoo announced that the real figure was three billion.
After investigation, it was discovered that the attackers only accessed account information like security questions and answers. Passwords, credit cards and bank data were not stolen.
Alibaba, November 2019
Over nearly a year, one developer working for an affiliate marketer ‘scraped’ customer data, including usernames and mobile numbers, from the Alibaba shopping website, Taobao. He used ‘crawler’ software that he created himself.
‘Scraping’ is a method of collecting data scattered across various parts of a service, rather than hacking an all-in-one goldmine file. Although the developer and his ‘client’ collected the information for their own use and did not sell it, both were sentenced to three years in prison by the Chinese authorities.
LinkedIn, June 2021
Networking giant LinkedIn saw data related to 700 million of its users posted on the dark web in June 2021, impacting more than 90% of its users. The hacker first published information from around 500 million customers and followed up by indicating they were selling the entire 700 million customer database.
LinkedIn argued that as no serious private personal data was exposed, the incident was more of a violation of its terms of service than an actual data breach. Note, however, that the ‘hack’ still contained information such as email addresses, phone numbers and genders that dark forces could use elsewhere.
Sina Weibo, March 2020
Sina Weibo is one of China’s largest social media platforms. In March 2020, it announced that an attacker had obtained a portion of its database, impacting 538 million users and their details, including real names, site usernames, gender, location, and phone numbers. The attacker is reported to have then sold the database on the dark web for a measly $250.
As with LinkedIn, the exposed data could be used to associate accounts with passwords if passwords are reused on other accounts. The company subsequently strengthened its security strategy.
Facebook, April 2019
In April 2019, it was revealed that data from Facebook apps had been exposed to the public internet. The information related to more than 530 million Facebook users and included phone numbers, account names, employers and Facebook IDs. Two years later the information was openly published on the dark web.
Given the sheer number of phone numbers impacted as a result of the incident, security researcher Troy Hunt added functionality to his HaveIBeenPwned website that permits users to verify whether their phone number has been included in the exposed information.
Have you been compromised?
The quick way to check if your email, password or phone number has been revealed in any of these breaches is to visit haveibeenpwned.com.
The name is odd, and has a history of its own (a story for another time), but using the exhaustive lists of personal data that have been exposed online, the site allows you to quickly check whether your credentials are at risk. You can also explore where and how they may have been compromised, and what steps you should take to quickly secure your information online.