In Q2 2018, the number of confidential information leaks globally grew by almost 5% year-on-year. This is a digest of the five largest incidents over the period from April to June, prepared by InfoWatch Analytical Center.
In late May, a hacker took control of the ticket distribution website Ticketfly, stealing names, emails, and phone numbers of more than 26 million people and bringing the website out of service for days. The hacker posted some of the stolen information online and threatened to post more, demanding a ransom of 1 bitcoin.
Panerabread.com, the website for a popular American chain of bakeries by the same name, exposed over 37 million customer records, including names, emails, birthdays, and the last four digits of the customers’ credit card numbers. The data available in plain text from the site appeared to comprise records for any customer who has signed up for an account to order food online. Surprisingly, it took the company eight months to fix the problem after it was first alerted about the data leakage by cybersecurity specialists.
LocalBlox, a data analysis and profiling firm, left a massive storage of profile data on a public but unlisted Amazon S3 storage bucket without a password, allowing anyone to download its contents. The data of 48 million users, scraped from their profiles on Facebook, LinkedIn, Twitter, and real estate site Zillow, was subsequently found by Chris Vickery, a well-known ethical data breach hunter. Spokespersons of the said websites said that scraping data from their services was strictly prohibited.
At the beginning of June, major family genealogy and DNA testing website MyHeritage announced a security breach, which exposed account details of over 92 million users. A data archive, containing emails and hashed passwords, was found on a third-party server. Based on the creation dates of some accounts, the data was open to public for over six months. It is yet unclear if the breach was the result of a hacker attack or employee actions.
Security researcher Vinny Troia discovered that Exactis, a U.S. marketing firm, leaked a database that contained close to 340 million records of both individuals and businesses on a publicly accessible server. The categories of data ranged from phone numbers and home addresses to interests and religion. While the lack of sensitive information, such as social security numbers, means the database isn't a straightforward tool for identity theft, the depth of personal info nonetheless could help scammers with other forms of social engineering, specialists say.