From the massive Equifax hack to the widespread damage of WannaCry, hacking dominated headlines in 2017. As the number of large, highly-publicized hacks continue to increase, it’s clear that our personal information stored online is becoming more vulnerable to hacks and breaches. Below, we look into the top 10 most impactful hacks of 2017.
Researchers discovered in November that the email addresses and passwords of over 1.7 million Imgur users were compromised in a data breach in 2014. The company assured users that no other data was stolen in the breach. While the passwords were encrypted, they could have been cracked using brute force.
CloudFlare, a web security provider that helps over 5.5 million sites improve their safety and performance, was found to have a severe security vulnerability that may have exposed passwords, as well as cookies and tokens used to authenticate users. CloudFlare’s servers had an overflow issue that caused private data to be returned after a request, with many search engines caching the leaked information.
The scope of the attack was found to be minimal, as CloudFlare found that only 0.00003% of requests resulted in memory leakage. There are helpful tools that can tell you if a site you use was affected by Cloudbleed. If so, it’s recommended to change your passwords for those sites, and turn on two-factor authentication.
8. Password Database
Researchers from the security firm 4iQ found a database on the dark web and torrenting sites that contained 1.4 billion plain text usernames and passwords. Credentials were leaked from Bitcoin, Pastebin, LinkedIn, Exploit.in, Anti Public, Minecraft, Runescape, Redbox, Zoosk, YouPorn, Netflix, MySpace, and Badoo, among others.
At the time of publishing, the password database is still available online. It is recommended that you update your passwords (and turn on two-factor authentication) if you used one of the compromised sites.
7. IoT Devices
IoT devices had a bad year, thanks to several critical vulnerabilities found in a range of devices. A flaw, called Devil’s Ivy, gave hackers full access to security cameras, sensors, and access card readers. Smart cars were also found to have a vulnerability that allowed hackers to control safety features, including airbags, power steering, parking sensors, and anti-lock brakes. The vulnerability has been deemed unpatchable.
6. Nissan Finance
Nissan Canada Finance and INFINITI Financial Services Canada became aware of a data breach in December, which may have allowed hackers to access customer names, home addresses, vehicle makes and models, VINs, credit scores, loan amounts, and monthly payments.
Over 1.13 million customers may have been affected by the hack, and all customers received 12 months of free credit monitoring through TransUnion. The perpetrators of the attack are still unknown.
5. Deep Root Analytics
Over 198 million U.S. voters had their data exposed after Deep Root Analytics, a third-party vendor, stored the information on an unsecured server. Compromised information included names, addresses, email addresses, telephone numbers, dates of birth, and voter ID numbers. The company is now at the center of a class-action lawsuit brought by customers affected by the breach.
4. South Africa
In October, the names, identity numbers, phone numbers, incomes, genders, employment histories, and home addresses of over 30 million South Africans were leaked online. The information was likely stolen around April 2015.
The data was traced to Jigsaw Holdings, a holding company for real estate franchises including Realty1, ERA, and Aida. The website was found to have very little security, allowing hackers to easily gain access to personal details stored on the site.
3. Bad Rabbit
Over 200 organizations in Russia, Ukraine, Turkey, and Germany were targeted by ransomware dubbed Bad Rabbit in October. The ransomware was distributed through fake Adobe Flash Player installers and required users to pay $285 to regain access to their data.
The ransomware is no longer being circulated, but the hackers have not been caught. Organizations affected by the attack included Kiev’s subway, the Ministry of Infrastructure of Ukraine, Odessa’s airport, Interfax, and Fontanka.
Ransomware, dubbed WannaCry, affected more than 300,000 computers in 150 countries in less than three days. Affected users had to pay Bitcoin to regain access to their data, and the bug caused several hospitals and businesses to shut down temporarily.
The ransomware has been attributed by several researchers to the Lazarus Group, which works on behalf of the North Korean government. The North Koreans deny that they are linked to WannaCry or the Lazarus group.
In one of the biggest leaks of sensitive personal data in history, credit monitoring agency Equifax compromised the sensitive information of 145.5 million American and Canadian customers. The hacked data included names, birth dates, addresses, Social Security numbers, and driver license numbers.
The initial hack was discovered in July, but not disclosed to consumers until September. Attempts at passing legislation to regulate companies responses to hacks failed to pass in Congress.