2016 is a record-breaking year for cybersecurity fails. They range from embarrassing slip-ups to dangerous information leaks that could financially affect an entire country. The danger with these breaches is that they can shut down an entire business and cause serious damage to its reputation, finances, and users. Cybersecurity breaches should never be taken lightly.
While the incidents we outline in this article are large scale and high profile, business owners at companies of every size can learn from the failures of others and take steps to prevent the same from happening to them. Not all of the breaches and slip-ups we list occurred in 2016, but this is the year they were made public, either because they were only discovered now or because the stolen information was put up for sale on the dark web.
University of Central Florida
In January 2016, the University of Central Florida experienced a breach that impacted 63,000 current and former students, faculty, and staff. The university reported the breach to law enforcement and performed an internal investigation before announcing it to the public a month later. An unknown group of attackers stole Social Security numbers, names, and ID numbers of students and faculty. More information about the breach can be found on the university’s Data Security page, and the university offered a year of free credit monitoring and identity protection services from Experian.
U.S. Department of Justice
In February 2016, Computerworld reported that hackers were able to gain access to a DOJ email account, which was then used to social-engineer access to databases on the DOJ intranet. The attack compromised a directory containing the names, email addresses, locations, phone numbers, and titles of over 9,000 Department of Homeland Security employees. The hacker gained access by calling a department at the DOJ and telling them he did not understand how to get past the portal. The hacker said he was asked for a token code, and when he replied that he did not have one, the department let him use one of theirs. Once in, the hacker was able to access a personal computer that took him to a virtual machine, where he entered the credentials of the account he had already hacked. From there, he got into the machine of the person he had hacked and accessed documents on that machine and the local network.
Internal Revenue Service
In late February 2016, the IRS publicly announced that a breach it discovered in May 2015 had turned out to be bigger than initially thought. CBS News reported that hackers used the “Get Transcript” program, which the IRS had introduced to allow taxpayers to request their tax history online. The online service ended up exposing taxpayers to identity theft. Some people noticed that somebody else was trying to claim a refund using their Social Security number. The IRS reported that at least 334,000 taxpayer accounts were accessed.
Dropbox
Dropbox was breached back in 2012, and just recently email and password information for over 68 million users went up for sale on a darknet marketplace, the Washington Post reported, citing a Dropbox official. Dropbox sent an email announcement to those affected by the breach telling them their passwords would be reset. Dropbox knew of the breach in 2012 but did not completely understand its scope until this year. The company believed it took preventative action by resetting passwords; however, it is unknown whether those user passwords had already been breached and sold.
Mark Zuckerberg
Of the many individuals who were hacked this year, Facebook founder Mark Zuckerberg was among the most famous. Zuckerberg’s Twitter and Pinterest accounts were attacked by OurMine, a Saudi Arabian group, on June 5th. The group claimed Zuckerberg used a low-security password for both of his accounts. The password Zuckerberg used for his accounts was “dadada”. Facebook officials deny that Zuckerberg’s Instagram account was compromised, as there was no evidence to prove it. Computerworld reported that the breach of Zuckerberg’s accounts could be related to the LinkedIn breach of 2012, where Zuckerberg’s password was discovered. Zuckerberg rarely used his Twitter account; his last tweet before the breach was in January 2012.
TechCrunch
OurMine struck again by defacing TechCrunch’s site and telling site visitors the attack was a security test. TechCrunch uses WordPress, which is the content management system OurMine gained access to. The Guardian reported that the attack was among the most recent of the high-profile breaches OurMine was able to conduct. The defacement occurred around 7:20 AM EST in late July and was removed within a couple of hours.
Snapchat
In February, Snapchat was scammed into leaking employee information. Personal information of 700 current and former employees was stolen. Fortune reported that the breach occurred when a scammer impersonated Snapchat’s CEO, Evan Spiegel, and sent out a phishing email that requested payroll information. The employee who received the phishing attempt did not realize it was a scam and disclosed the data to the attacker. Snapchat claimed to have taken action within four hours of the incident, confirmed it as an isolated phishing event, and reported it to the FBI. As a result, Snapchat has offered identity theft insurance and monitoring to the employees affected by the breach and is increasing security training for employees to avoid future leaks.
Yahoo
Last and largest, Yahoo just announced that it lost personal information for 500 million users at the end of 2014, and this could be the biggest hack of all time. Yahoo claims that the hack was pulled off by a state-sponsored actor, and announced that the leaked info includes names, emails, phone numbers, birthdays, hashed passwords, and some “encrypted or unencrypted security questions and answers.” We’re still waiting to see how this affects the company’s valuation and finances, but this is not the kind of attack most companies could withstand.
Were you directly affected by one of these breaches? We’d love to hear your story in the comments.