Did 2021 feel a bit busier for cybersecurity professionals? Yeah... it did, because it was. Early numbers show that it may have been the biggest year for security breaches yet. However, some were more 'special' than others.
First Published 4th January 2022 | Latest Refresh 25th January 2022
Let's use non-password-protected databases! Pow!! Let's click on this hyperlink! Wham!! Why is my cursor moving by itself?!?
4 min read | Reflare Research Team
The year that was
Now that 2021 is behind us (phew), we can clearly see it has been quite an interesting year in terms of data breaches. Although not all the end-of-year numbers are in yet, early estimates put the personal identifying information of 1.5 billion users stolen across the calendar year. According to the Identity Theft Resource Center (ITRC), the total number of data breaches through September 30, 2021, exceeded the total number of events in 2020 by 17%, with 1,291 reported breaches. This data, in conjunction with what we saw play out in the fourth quarter of the year, strongly suggests that 2021 was on course to be the worst year yet. Some of the most affected sectors include manufacturing, healthcare, and the financial sector.
The following is just a small sample of the more interesting data breaches we saw across the year.
GetHealth
Back in September, Jeremiah Fowler, a member of the WebsitePlanet research team, found a non-password-protected database that contained over 61 million records belonging to users of GetHealth, a New York City-based company which offers a unified solution to access health and wellness data from hundreds of wearables, medical devices and apps.
The company's solution is known to support a large number of well-known wellness and fitness trackers that include Fitbit, Apple HealthKit, 23andMe, Daily Mile, FatSecret, GoogleFit, Jawbone UP, Life Fitness, MapMyFitness, MapMyWalk, Microsoft, Misfit, Moves App, PredictBGL, Runkeeper, Sony Lifelog, Strava, VitaDock, Withings, Android Sensor, and S Health.
The unencrypted information exposed the users’ first and last names, display names, dates of birth, weight, height, gender, geo-location, etc. According to reports, the leak was due to a misconfiguration, and it is still unclear how long these records were exposed or whether anyone other than the security researchers had accessed the data.
It is also worth noting that this was not the first time security researchers found companies selling fitness products leaking sensitive information on the internet. In 2021, Kinomap – an exercise app company that also collected enormous amounts of data about its users – also failed to secure its database and made 42 million records available to the public.
Various applications on Google Play Store
In May, security researchers at Check Point discovered that the personal data of more than 100 million Android users in total had been exposed by various applications on the Google Play Store due to misconfigured cloud services.
Some of the information exposed included names, birthdates, email addresses, gender, photos, payment information, phone numbers, and private chat messages.
According to the researchers, many of these applications failed to follow even the most basic security practices, therefore putting their users’ data at risk.
Facebook (Meta)
Over 533 million Facebook users from 106 countries had their phone numbers, Facebook IDs, names, locations, and birthdates exposed to the public when a member of a hacking forum released the information for free in April.
According to Facebook, the data was scraped over a couple of years, made possible by a vulnerability that the company patched in 2019. That year, a vulnerability was found that allowed millions of phone numbers to be scraped from Facebook’s servers, in violation of its terms of service.
Facebook recently announced that it is now expanding its bug bounty programs to include payouts for scraping attacks.
Robinhood
Online stock trading platform Robinhood was breached in early November after a malicious hacker managed to get access to its customer support systems by social engineering a customer service representative over the phone.
As a result, the hacker was able to obtain the names, email addresses, birthdates, and ZIP codes of 310 customers as well as email addresses for approximately five million people, and the full names of around two million customers.
Robinhood was not the first company to fall victim to social engineering attacks, though. In July 2020, a teenage hacker managed to get access to Twitter's internal admin tool by tricking its employees into thinking he was their colleague. He then hijacked high-profile Twitter accounts to spread a cryptocurrency scam, netting himself $100,000 in cryptocurrency.
Epik
Hackers identifying themselves as part of the Anonymous hacktivist group announced on September 13 that they had gained access to large quantities of data belonging to Epik – one of the largest American domain-registrar and web-hosting companies.
Later, the group Distributed Denial of Secrets (DDoSecrets) announced that the leak consisted of "180 gigabytes of user, registration, forwarding, and other information" and that they were working on curating the leaked data for public download.
In total, over 15 million people were affected, and the information made available to the public included unique email addresses, names, phone numbers, physical addresses, purchases, and passwords (some of which were stored in plaintext).
GoDaddy
Epik was not the only domain registrar hacked in 2021. GoDaddy – the biggest and most well-known domain registrar on the planet – suffered the same fate in November. However, unlike Epik, the damage was much smaller, and only around 1.2 million users were affected.
According to reports, the hacker gained access to the company's WordPress hosting environment via a compromised password on September 6 and managed to avoid detection until November 17 when the organisation noticed suspicious activity and contacted an IT investigative firm and law enforcement.
Compromised information includes the email addresses and customer numbers of up to 1.2 million customers, database login information for active users, and the SSL private keys of some users.
Registro Nacional de las Personas (RENAPER)
In September, a hacker managed to steal a government ID database covering Argentina’s entire population, including information on the country's president, Alberto Fernandez, and on Lionel Messi.
Researchers first learned about the breach when the hacker posted an ad on a well-known data leak forum, offering to provide information on any citizen of the country for a price. One day earlier, someone believed to be the same hacker also leaked the personal details of 44 well-known Argentinian celebrities on Twitter.
This incident was not the country's first major breach. A couple of years ago, a security researcher was arrested on suspicion of hacking and leaking data from government systems after tweeting about a hack that resulted in thousands of police officers getting doxed.
What does the future hold?
Those who predict the future are foolish at best. But the disturbing insight from our analysis is that the vast majority of the breaches seen across the last 12 months could have been easily avoided.
We here at Reflare believe you may find it somewhat unsurprising that an IT security training company would strongly advocate for the ongoing IT security capability development of all developers, administrators, and non-tech users of your systems. However, the lack of continuous security training beyond basic compliance requirements disturbs us.
Until organisations mature their view of cyber security training from "just a line item that sits under the L&D budget" (an actual 2021 quote!) to a proactive, business-critical initiative, we fear the number of successful breaches will continue to increase. Should there be a silver lining to this, you can use this opportunity to subscribe to our newsletter to stay up to speed with analysis of the next inevitable breach.
Happy New Year, and good health to you.