There’s no such thing as “too big to fail” these days, especially when it comes to [cybersecurity and cyberattacks](https://hackernoon.com/6-cybersecurity-tools-youll-need-to-know-about-in-2019-6232eeb1c9ca).
----------------------------------------------------------------------

Even the world’s biggest organizations aren’t immune to data breaches. They seem to have all the money and resources to invest in preventing hackers from compromising their systems, but recent history shows that whatever they are doing simply isn’t enough.

![](https://hackernoon.com/hn-images/1*vpNluhjp3K73Dg5OM5WRDg.gif)

The [Yahoo!](https://techcrunch.com/2017/11/08/yahoo-senate-commerce-hearing-russia-3-billion-hack/) and [Equifax](https://hackernoon.com/is-equifax-the-new-normal-3b4beb279efc) data breaches are just a couple of high-profile attacks that made headlines within the past five years and there have been plenty of others. Sadly, 2018 has been no different. According to non-profit privacy advocate [PRC](https://www.privacyrights.org), [over 1.35 billion records](https://www.privacyrights.org/data-breaches?title=&taxonomy_vocabulary_11_tid%5B%5D=2436) are believed to have been exposed or compromised through breaches just this year.

These attacks illustrate how relentless the nasty kind of hackers can be, especially given how little they have to gain.
Financial and personal data may fetch only [a few dollars each](https://www.mcafee.com/enterprise/en-us/security-awareness/hidden-data-economy.html) in the black market, but given that companies can have millions of these records stored, a breach of a sizable database could be a massive payday for attackers.

![](https://hackernoon.com/hn-images/1*iqI7dboA1HyGdGcrE1RJFw.png)

_Image source:_ [_https://www.mcafee.com/enterprise/en-us/security-awareness/hidden-data-economy.html_](https://www.mcafee.com/enterprise/en-us/security-awareness/hidden-data-economy.html)

Breaches also aren’t cheap to deal with, costing large companies [millions of dollars](https://www.ibm.com/security/data-breach) on average. So, it’s a wonder why they continue to commit lapses that leave their data vulnerable.

Here are three big-name businesses that exposed their customers’ data in 2018.

### Facebook

[Facebook](https://hackernoon.com/tagged/facebook) is the world’s biggest social platform. Based on its most recent figures, the company claims to have [2.27 billion active users monthly](https://newsroom.fb.com/company-info/), with more than half using its product daily.

Last September, hackers were able to [exploit errors](https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html) in Facebook’s code, allowing them to gain access to users’ personal information. A bug in Facebook’s “View As” feature, which lets users see how their profile pages look to other users, allowed attackers to see all the data on a victim’s profile.
Third-party websites that let users authenticate and log on using Facebook accounts were also reported to have possibly been affected.

![](https://hackernoon.com/hn-images/1*MVMLLH0H3XkmHN8O8rEhGw.gif)

Facebook has since patched the vulnerability and forced affected users to change passwords to prevent further exposure.

Around 50 million users were estimated to have been affected by the breach and are now exposed to an increased risk of identity theft. This is the largest [security](https://hackernoon.com/tagged/security) breach the company has experienced since it was created back in 2004. Yet, this isn’t the only data-related issue that Facebook faced recently, given its recent [scandal](https://hackernoon.com/facebook-data-scandal-50eedc7762b6) involving Cambridge Analytica.

### Under Armour

Athletic apparel company [Under Armour](https://www.underarmour.com/en-us/) has taken its place among the likes of [Nike](https://www.nike.com) and [Adidas](https://www.adidas.com/) as one of the industry’s giants. It has since diversified into fitness tech, with the acquisition of fitness app [MyFitnessPal](https://www.myfitnesspal.com/). The app lets users set fitness goals, log their workout activities and meals, and track their calorie intake.

Last March, it was revealed that an unauthorized party had [gained access](https://www.cnbc.com/2018/03/29/under-armour-stock-falls-after-company-admits-data-breach.html) to the app’s database a month prior to the disclosure, potentially exposing the private information of 150 million users, including their usernames, emails, and hashed passwords.

![](https://hackernoon.com/hn-images/1*gMp5ddEi6FVfVFOTMeQyVw.gif)

The company [has yet to reveal](https://www.washingtonpost.com/news/the-switch/wp/2018/03/29/under-armour-announces-data-breach-affecting-150-million-myfitnesspal-app-accounts/) how its database was hacked, but it did state that not all user data were exposed as a result of the breach.
For instance, credit card data shared by customers with the service to make purchases was not compromised. The app also doesn’t collect other identifiers such as social security and driver’s license numbers.

MyFitnessPal claims that most of the stolen passwords [used the Bcrypt hashing function](https://www.wired.com/story/under-armour-myfitnesspal-hack-password-hashing/), which, when applied to lengthy and complex passwords, should result in a hash that will be difficult and time-consuming for attackers to crack. Unfortunately, some user passwords were still stored using weak SHA-1 hashing, which is less secure and prone to cracking should the hackers make the effort.

### Tinder

While Tinder wasn’t compromised directly, a third-party integration solution ended up being the weak link, which saw the popular dating app’s user data laid bare. [Branch.io](https://branch.io/), a mobile engagement solution used by many top-shelf companies, contained a cross-site scripting (XSS) flaw that was recently found in a Tinder subdomain used as part of Branch.io’s mobile traffic attribution mechanism.

Personal information of [685 million users](https://www.theregister.co.uk/2018/10/12/branchio_xss_flaw/) is estimated to have been exposed by the vulnerability.

XSS vulnerabilities are quite dangerous, since hackers can inject client-side scripts that can perform all sorts of malicious acts on victims. For instance, clicking on a link containing the affected subdomain may trigger scripts that could steal data or hijack systems. Given that the code is made to appear to come from a legitimate origin, attackers could even bypass access controls and gain deeper access into systems.

![](https://hackernoon.com/hn-images/1*2RDCmH0w4_i15HdPwSPnkg.gif)

News about the Branch.io flaw has been downplayed in mainstream news, but one can’t overlook the scale of the issue.
Tinder is already [reported](https://latesthackingnews.com/2018/10/17/flaws-in-branch-io-affected-over-685-million-users/) to be working on fixing the issue. Unfortunately, the exposure was not limited to the dating service and appears to have affected other Branch.io users as well. Fortunately, there have been no reports yet of the flaw actually being exploited by malicious actors.

### The Future of Security

It’s quite scary that even big companies are vulnerable to cyberattacks. These brands are popular, and they are bound to attract more customers who will share information with them. With big data come big responsibilities.

Cyberattacks are expected to grow even more rampant as hackers come up with more ingenious ways to breach systems. Companies should take all measures available to prevent the exposure of their customers’ information to malicious actors.
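
One concrete measure, tied to the MyFitnessPal case above where some records still used SHA-1: wrap the legacy digests in a slow key-derivation function without needing the plaintext, then re-hash on the next successful login. This is an added example, not code from the article or from MyFitnessPal; PBKDF2 from Python's standard library stands in for bcrypt, and the `sha1$`, `wrapped$` and `pbkdf2$` record formats are assumptions.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # example work factor; tune to your hardware

def _kdf(secret: bytes, salt: bytes) -> str:
    # Assumption: stdlib PBKDF2-HMAC-SHA256 stands in for bcrypt here.
    return hashlib.pbkdf2_hmac("sha256", secret, salt, ITERATIONS).hex()

def slow_hash(password: str) -> str:
    salt = os.urandom(16)
    return f"pbkdf2${salt.hex()}${_kdf(password.encode(), salt)}"

def wrap_legacy(db: dict) -> int:
    """Wrap stored SHA-1 digests in the slow KDF; no plaintext needed."""
    count = 0
    for user, stored in db.items():
        if stored.startswith("sha1$"):
            salt = os.urandom(16)
            digest = stored.split("$", 1)[1].encode()
            db[user] = f"wrapped${salt.hex()}${_kdf(digest, salt)}"
            count += 1
    return count

def verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] not in ("pbkdf2", "wrapped"):
        return False  # raw sha1$ records must be wrapped before use
    scheme, salt_hex, expected = parts
    secret = password.encode()
    if scheme == "wrapped":  # recompute the legacy digest, then the KDF
        secret = hashlib.sha1(secret).hexdigest().encode()
    return hmac.compare_digest(_kdf(secret, bytes.fromhex(salt_hex)), expected)

def login(db: dict, user: str, password: str) -> bool:
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if stored.startswith("wrapped$"):
        db[user] = slow_hash(password)  # drop the SHA-1 layer on login
    return True

def demo():
    # Constructed sample records; alice still has an unsalted SHA-1 digest.
    db = {"alice": "sha1$" + hashlib.sha1(b"correct horse").hexdigest(),
          "bob": slow_hash("battery staple")}
    result = wrap_legacy(db), login(db, "alice", "correct horse")
    return result + (db["alice"].split("$")[0],)
```

Wrapping protects dormant accounts immediately, while the login path gradually removes the SHA-1 layer for active ones.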