Even the world’s biggest organizations aren’t immune to data breaches. They seem to have all the money and resources to invest in preventing hackers from compromising their systems, but recent history shows that whatever they are doing simply isn’t enough.
The Yahoo! and Equifax data breaches are just a couple of high-profile attacks that made headlines within the past five years and there have been plenty of others. Sadly, 2018 has been no different. According to non-profit privacy advocate PRC, over 1.35 billion records are believed to have been exposed or compromised through breaches just this year.
These attacks illustrate how relentless the nasty kind of hackers can be, especially given how little they have to gain. Financial and personal data may fetch only a few dollars each in the black market, but given that companies can have millions of these records stored, a breach of a sizable database could be a massive payday for attackers.
Breaches also aren’t cheap to deal with, costing large companies millions of dollars on average. So it’s a wonder why they continue to commit lapses that leave their data vulnerable.
Here are three big-name businesses that exposed their customers’ data in 2018.
Last September, hackers were able to exploit errors in Facebook’s code, allowing them to gain access to users’ personal information. A bug in Facebook’s “View As” feature, which lets users see what their profile pages look like to other users, allowed attackers to see all the data on a victim’s profile. Third-party websites that let users authenticate and log on using Facebook accounts were also reported to have possibly been affected.
Facebook has since patched the vulnerability and forced affected users to change passwords to prevent further exposure.
Around 50 million users were estimated to have been affected by the breach, and they are now exposed to an increased risk of identity theft. This is the largest security breach the company has experienced since it was created back in 2004. Yet this isn’t the only data-related issue Facebook has faced recently, given its scandal involving Cambridge Analytica.
Athletic apparel company Under Armour has taken its place alongside the likes of Nike and Adidas as one of the industry’s giants. It has since diversified into fitness tech with the acquisition of the fitness app MyFitnessPal. The app lets users set fitness goals, log their workout activities and meals, and track their calorie intake.
Last March, it was revealed that an unauthorized party had gained access to the app’s database a month prior to the disclosure, potentially exposing the private information of 150 million users including their usernames, emails, and hashed passwords.
The company has yet to reveal how its database was hacked, but it did state that not all user data were exposed as a result of the breach. For instance, credit card data shared by customers with the service to make purchases was not compromised. The app also doesn’t collect other identifiers such as social security and driver’s license numbers.
MyFitnessPal claims that most of the stolen passwords were protected with the bcrypt hashing function, which, when applied to long and complex passwords, should produce hashes that are difficult and time-consuming for attackers to crack. Unfortunately, some user passwords were still stored using the weaker SHA-1 hash, which is far faster to compute and therefore much easier to crack should the hackers make the effort.
While Tinder wasn’t compromised directly, a third-party integration ended up being the weak link that laid the popular dating app’s user data bare. Branch.io, a mobile engagement solution used by many top-shelf companies, contained a cross-site scripting (XSS) flaw, recently found in a Tinder subdomain used as part of Branch.io’s mobile traffic attribution mechanism.
Personal information of 685 million users is estimated to have been exposed by the vulnerability.
XSS vulnerabilities are quite dangerous, since hackers can inject client-side scripts that perform all sorts of malicious acts on victims. For instance, clicking on a link containing the affected subdomain may trigger scripts that steal data or hijack systems. Because the injected code appears to come from a legitimate origin, attackers could even bypass access controls and gain deeper access into systems.
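To make the mechanism concrete, an added Node.js example (not Branch.io’s or Tinder’s code) of a hypothetical attribution landing page that reflects a `target` query parameter into its HTML: the vulnerable renderer beside a hardened one that allowlists the destination origin and HTML-encodes the value at the point it is written into markup. The endpoint, parameter and origin names are constructed.

```javascript
// Hypothetical attribution landing page: a tracked link such as
//   https://links.example/open?target=<destination>
// shows "Opening <destination>..." and then forwards the user. Constructed names.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://www.example"]);

function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: the query parameter is copied straight into the markup, so any
// HTML carried in the link's target parameter is rendered instead of displayed.
function renderVulnerable(queryString) {
  const target = new URLSearchParams(queryString).get("target") ?? "";
  return `<p>Opening <a href="${target}">${target}</a>...</p>`;
}

// Hardened, step 1: only accept destinations on an allowlisted origin. This
// also rejects non-http schemes, whose origin parses as "null".
function safeTarget(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  return url.href; // normalised form (lower-cased host, default port dropped)
}

// Hardened, step 2: encode every value where it lands in HTML, even after
// validation, so the page never becomes the injection point for scripts.
function renderHardened(queryString) {
  const target = safeTarget(new URLSearchParams(queryString).get("target") ?? "");
  if (target === null) return "<p>Invalid link.</p>";
  const safe = escapeHtml(target);
  return `<p>Opening <a href="${safe}">${safe}</a>...</p>`;
}
```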
News about the Branch.io flaw has been downplayed in mainstream news, but one can’t overlook the scale of the issue. Tinder is already reported to be working on fixing the issue. Unfortunately, the exposure was not limited to the dating service and appears to have affected other Branch.io users as well. Fortunately, there have been no reports yet of the flaw actually being exploited by malicious actors.
It’s quite scary that even big companies are vulnerable to cyberattacks. These brands are popular, and they are bound to attract more customers who will share information with them. With big data comes big responsibilities.
Cyberattacks are expected to grow even more rampant as hackers come up with more ingenious ways to breach systems. Companies should take all measures available to prevent the exposure of their customers’ information to malicious actors.