CHOICE membership

Some more Data Breaches of 2016, 2017, 2018 & 2019


#1

From a Networking Blog I subscribe to, here are 10 breaches that seem to have occurred in 2016, plus one that was only reported in 2016, and it isn’t Yahoo.

i-Dressup 2.2 million accounts stolen

DLH.Net 3.3 million accounts stolen

Leet 5 million accounts stolen

ClixSense 6.6 million accounts stolen

Lifeboat 7 million accounts stolen

Dailymotion 18 million accounts stolen

Mail.ru 25 million accounts stolen

Weebly 43 million accounts stolen

VerticalScope 45 million accounts stolen

FriendFinder Networks 412 million accounts stolen (this consisted of 20 years worth of accounts) and included data from AdultFriendFinder & Penthouse.com among 5 others

and Myspace had 427 million accounts stolen earlier but it was disclosed in 2016.

Perhaps this might encourage us all to be more careful with whom we trust our private data and how much we provide of it.


31 Jan 2017

Just a small and hopefully useful update. If you would like to check whether your data has been hacked in a data breach (it checks against your email address), there is a free site where you can check against many of the worldwide hacks. Go to:

You can also subscribe to this site to be informed if in future your email address is stolen in a data breach.

And on the same site have a look at this list of data breached sites:


#2

That list details a staggering total of 994.1 Million accounts’ information stolen in 2016. PLUS all the others that have not been publicised yet.


#4

Thanks @grahroll. I can breathe a sigh of relief now that I have checked.

Much appreciated once again.


#5

For your information, I just received this email from Change.org about another exposure, this time at Cloudflare.

"We wanted to share some information we received recently from Cloudflare, a popular web services provider that we use at Change.org, about a security issue that may have exposed the personal information of some users who utilize their services. We have received confirmation from Cloudflare that there is no evidence that Change.org has been directly affected by this issue. However, when issues like this occur, it’s always a good idea to change your password to provide an extra level of security, which you can do at the link below:

We want you to feel safe when using our services and we have been monitoring this situation closely to ensure it does not affect our users. If you are ever in doubt about the security of your accounts with us, feel free to contact Change.org directly through our Help Center.

The Change.org Team"


#6

Two new lists of data breaches have been posted on “Have I been pwned”; see the link https://www.troyhunt.com/password-reuse-credential-stuffing-and-another-1-billion-records-in-have-i-been-pwned/ for details, but broadly this is it:

"In late 2016, a huge list of email address and password pairs appeared in a “combo list” referred to as “Exploit.In”. The list contained 593 million unique email addresses, many with multiple different passwords hacked from various online systems. The list was broadly circulated and used for “credential stuffing”, that is, attackers employ it in an attempt to identify other online systems where the account owner had reused their password. For detailed background on this incident, read Password reuse, credential stuffing and another billion records in Have I been pwned."

If you aren’t listed for contact on https://haveibeenpwned.com/ I recommend you sign up and check your email addresses there. If you appear on any of the latest lists then I also recommend you visit your important sites and change your passwords, and maybe think about getting a password manager if you don’t have one.


#7

A new list on “Have I been pwned” has been released with around 711 million email addresses from a spambot, listed in August 2017. To read more about it see a blog post by Troy Hunt (operator of Have I been pwned): https://www.troyhunt.com/inside-the-massive-711-million-record-onliner-spambot-dump/

If you want to check (and I do recommend you do check) if your email address/es was/were affected you can use the HIBP site to check https://haveibeenpwned.com/


#8

Another largish list of user details has been located on the Web and HaveIbeenpwned has listed those affected. The number of accounts is around 111,000,000. The name given to the breach is “Pemiblanc”.

To read more about how this breach/list was used by nefarious people see

To check whether you may have been affected, if you haven’t used HaveIbeenpwned before, go to https://haveibeenpwned.com/ and put your email address/es into the search box near the top of the page and see if you get any results. Hopefully you don’t, but if you do you are at least aware of possible problems and can take any needed actions, if not already done, to protect your account/s.


#9

The teen is alleged to have downloaded 90 gigabytes of secure files and accessed customer accounts without exposing his identity, the paper said.

A 16yo from Melbourne. Only 90 Gigs of data - clearly had slow NBN :wink:

Thankfully no customer data was compromised in the hack - of course not, it was probably taken in perfect condition !!!


#10

Obviously the data was compromised, as you point out so well :-). If someone downloaded it and accessed customer accounts, that is compromised, as both you and I and probably a whole slew of others know. What Apple is doing is placating the people who don’t know and who also help keep the business ticking over by buying products from Apple. While Apple knows about this data hack now, how many others might yet remain unknown/undiscovered? This is not just an issue affecting Apple, as can be seen from the listings above of other hacked sites and businesses. If a 16 year old attempted it & succeeded, you can almost certainly say that it was done by others, and more successfully, as Apple haven’t found it yet.

What at least our laws are trying to do a bit more successfully is give users of any service more timely knowledge of attacks/hacks so that we can take some action sooner rather than being informed years after the attacks.

Like you I ignore the spin and look to the reality.


#11

2019 brings us a newly advised breach that could be affecting about 770 million users. Troy Hunt, who runs haveibeenpwned, wrote about the breach in his blog:

You may wish to check via his service if your details have possibly been compromised. It is a good reminder as well that regularly changing your passwords for all your logins is very good practice, and by regularly I mean at least every couple of months, if not more frequently.


#12

Yes, my email has been pwned. AVG also recommends changing passwords frequently. I use Notepad (Windows) to handle all of them. I think it is safer than trusting p/w sites as we do not know how secure their data is.


#13

In that regard

I think you might find Keepass a better alternative to Notepad. It is free, it encrypts your data, it is stored locally though you can share across some/most devices including Apple Mac OS (this requires the 2.x editions), and it is portable, e.g. on a USB stick (the database is still encrypted on the USB stick or CD/DVD, SD card). You can use key files, or key files and password protection…

To check it out see:

https://keepass.info/


#14

Very sound advice grahroll, thank you, I will check immediately.

Oh, btw, which password manager do you use and is it free?

Thank you for your ongoing help in all things!


#15

Checking out Keepass now! :wink:


#16

Hi @njfking

I use Lastpass for its online convenience across some of my devices. I also use Keepass for anything I don’t ever want stored online; your needs may likely differ to mine. Lastpass can be either free or paid, but I actually use the paid version for a couple of the extras I like to use, though they are not really needed by anyone who has a password manager.

For the best security of password managers you can get I have to recommend Keepass and as I said it is the one I use when I want total control of the password data (and associated notes I keep).


#17

Thanks for the sensible advice grahroll, you are a star *


#18

He also now offers a ‘password search’ function, in case you think you’ve lost control of something but are not entirely sure. I don’t particularly like the concept, but tried a password I once used on several sites and it came up positive.

I have spent the last week sending support requests asking people to delete my account. (Interestingly, I have not yet had a ‘no, we can’t do that’.) They tend to ask for a lot of information to confirm that I’m the owner, but I had way too many unused accounts that present an attack surface even if they don’t individually have a lot of my personal details.

While I don’t think it has been mentioned yet, you can subscribe to haveibeenpwned and get an email when your email address inevitably shows up in some password list. Just click the “Notify Me” button on the menu bar at the top of the page.

If you are paranoid about your passwords, I would suggest Password Safe. It was developed by a chap named Bruce Schneier, and is totally offline.

As a side note, one of his current blog posts refers to a rather interesting ‘Request for Comments’ - the means by which Internet standards are set. Well worth a glance, even if it was written back in 1990 and remains a work in progress.
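The ‘password search’ mentioned above is the Pwned Passwords service on haveibeenpwned.com, and the reason it can be used without handing over your password is its range API: the client hashes the password with SHA-1, sends only the first five hex characters of the digest to `https://api.pwnedpasswords.com/range/<prefix>`, and gets back every known 35-character suffix for that prefix with a breach count, so the site never learns which password was checked. The code below is an added illustration of that client-side logic; it is not code from this thread or from Have I been pwned. The network call is replaced by a constructed response (`SAMPLE_RANGE_RESPONSE`, with made-up counts) so it runs offline, and the function names are mine.

```python
import hashlib

# Constructed stand-in for the body the real range endpoint would return for
# prefix 5BAA6 (the SHA-1 prefix of the string "password"). Counts are made up.
# Real endpoint: GET https://api.pwnedpasswords.com/range/<first 5 hex chars>
# Each line has the form <35-hex-char suffix>:<count>.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0D1A5A3C1B2D3E4F5A6B7C8D9E0F1A2B3C4:2
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:1
"""


def split_sha1(password: str) -> tuple[str, str]:
    """Return (prefix, suffix): first 5 and remaining 35 upper-case hex chars
    of the SHA-1 digest. Only the prefix ever leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}, skipping blank or
    malformed lines rather than failing on them."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, _, count = line.partition(":")
        suffix = suffix.strip().upper()
        if len(suffix) != 35:
            continue
        try:
            counts[suffix] = int(count.strip())
        except ValueError:
            continue
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 if absent).
    fetch_range(prefix) must return the response body text for that prefix;
    the suffix comparison happens locally, so the password is never sent."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fake_fetch(prefix: str) -> str:
    # Offline stand-in for the HTTP request; only the sample prefix is known.
    return SAMPLE_RANGE_RESPONSE if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ["password", "correct horse battery staple"]:
        n = pwned_count(pw, fake_fetch)
        print(f"{pw!r}: {f'seen {n} times' if n else 'not in sample set'}")
```

To use it against the live service, replace `fake_fetch` with a function that performs the GET for the prefix and returns the response body; a non-zero count means the password has appeared in at least one breach corpus and should be retired wherever it is used.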


#19

Indeed it is very worthwhile to sign up, and yes, the subscription service has been mentioned, but a reminder in these situations is always a worthwhile step.


#20

Got one this morning …

https://content.myfitnesspal.com/security-information/FAQ.html

from the site:

  1. What happened?
    On March 25, 2018, we became aware that during February of this year an unauthorized party acquired data associated with MyFitnessPal user accounts.

  2. What did MyFitnessPal do when it discovered the issue?
    Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.

    We are taking steps to protect our community, including the following:

    We are notifying MyFitnessPal users to provide information on how they can protect their data.
    We will be requiring MyFitnessPal users to change their passwords and urge users to do so immediately.
    We continue to monitor for suspicious activity and to coordinate with law enforcement authorities.
    We continue to make enhancements to our systems to detect and prevent unauthorized access to user information.

  3. What information was affected by this issue?
    The affected information included usernames, email addresses, and hashed passwords - the majority with the hashing function called bcrypt used to secure passwords.

    The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers) because we don’t collect that information from users. Payment card data was not affected because it is collected and processed separately.
    [… etc]

sad thing is, I’m not fit … :rofl:


#21