Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Bad News In Tech: 2016's biggest data breach fails (so far...)

By Tamlin Magee | Dec. 19, 2016
2016 was no exception for security breaches

FriendFinder Networks

The company that operates the largest network of 'casual dating' adult websites in the world - previously Penthouse and including AdultFriendfinder.com and Penthouse.com - was subject to an enormous compromise of 412 million accounts in November this year.

Perhaps worse still, the business seemed to have been storing the details of deleted users - their original email with the suffix @deleted1.com. According to LeakedSource, which discovered the data, the passwords had been stored in either a plain visible format or SHA1 hashed, but as the website notes, neither are considered secure.

Not only is the leak at a tremendous scale, the highly confidential nature of the websites opened customers up to the potential of blackmail. Of course, some of the users did not help themselves, with the top six most common passwords used being some variation of 123456789 in numerical order. The next most popular password was 'password'.

Tesco Bank

The chief executive of Tesco Bank was forced to admit it had been subject to a "systematic, sophisticated attack" that saw some of the 20,000 compromised users lose money from their accounts. According to CEO Benny Higgins, 40,000 accounts registered suspicious transactions, and half of these had money removed.

The attack saw Tesco Bank suspend all online banking until the problems were resolved. It promised to refund users who had money stolen from their accounts - however, many claimed that they were left out of pocket at the time.

Worse still, rival banks accused Tesco of issuing sequential debit card numbers. Critics say that this means it's easier to conduct fraud undetected because all of the card numbers would have been genuine. Tesco has avoided commenting on exactly how the attacks took place because it is an "ongoing investigation", but did claim that no customer data was lost, and that the system itself was not breached.

The banking wing of the supermarket giant is in the process of paying back £2.5 million to customers who had their accounts compromised.

LinkedIn

Way back in 2012, LinkedIn disclosed a major breach of 6.5 million user passwords, which it alleged was the work of Russian cyber criminals. But four years later it emerged that the hack was much more severe than initially thought - with 167 million user details up for grabs in exchange for Bitcoin on the dark web. A hacker who called himself Peace told Motherboard at the time that the data was available on darknet market The Real Deal for roughly $2,200 - and paid hacked data website LeakedSource also said it had the data.

LinkedIn began to invalidate passwords for all accounts that were created before the 2012 breach that hadn't been updated since, and alerting users to reset their passwords. In a statement, LinkedIn's CISO Cory Scott told users to create strong passwords and enable two-step verification to keep their accounts safe.

 

Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.