Hollywood loves hacking in movies. White hats are able to perform miraculous feats with nothing more than mobile phones and subpar internet connections, while evildoers somehow manage to access banking and government systems worldwide as part of insidious plots for world domination.

Top Six Weird and Wacky 2016 Data Breaches

In truth, cyberattacks and responses are much more mundane, but that doesn’t mean the industry is entirely without cinema-worthy stories. Here’s a look at the weirdest and wackiest 2016 data breaches.

1. Hungry Hackers Dupe Deliveroo Customers

Burger with a side of breach? Online food ordering services have experienced exponential growth as companies tackle the common city-dweller problem of having to leave home for meals. Deliveroo, for example, has filled this gap by delivering a vast array of vittles across London. As noted by ZDNet, however, hungry hackers managed to gnaw their way into the system in early November and began frustrating users with fraudulent food orders.

Since Deliveroo accounts don’t require customers to enter the security code on their credit card for each purchase, cybercriminals were able to crack login details and change delivery addresses and phone numbers. This enabled them to place orders and receive fresh, hot food on someone else’s dime. Many users were none the wiser until they logged into their accounts or received “thank you” emails from restaurants for food they didn’t order.

The company blamed stolen data from other sites for the breach and refunded affected customers. Still, it’s a testament to the new mentality of cybercriminals.

2. Spotify Strangeness

According to Naked Security, music streaming service Spotify was also breached this year. It made the list of weirdest 2016 data breaches because even with user data available on Pastebin, the company remained steadfast that no breach had occurred. Music streamers begged to differ, however, as strange songs showed up on many of their playlists. Additionally, some users were kicked off in the middle of streaming sessions and others were entirely locked out of their accounts.

Spotify claimed that it had monitored Pastebin and similar sites and found nothing amiss. Tell that to users who found unfamiliar email addresses associated with their accounts or saw their account active in multiple locations at the same time. For a service that’s all about listening, the customer complaints didn’t exactly come through loud and clear.

3. Remember MySpace?

This is so 2008, but as noted by Fortune, MySpace, the Facebook-before-Facebook site popular among teens and tweens eight years ago, was breached in May. The breach gave cybercriminals access to more than 110 million usernames and 427 million passwords, which they then put up for sale.

But what’s the big deal? MySpace is nothing more than a memory, right? Not exactly. There are still around 50 million active users on the site, meaning their accounts were ripe for compromise. But the biggest problem is that many users tap the same username/password combination over and over again, putting accounts created on sites such as Amazon, Facebook and online banking portals at risk. It’s a lesson in longevity — security threats never really sleep.

4. Fraudsters Call the FBI’s Bluff

Sure, the FBI talks a big game about security and is making strides toward a safer cyber future. As noted by CRN, however, February 2016 was not a great month for the Bureau. First, cybercriminals claimed they had access to the FBI database and threatened to dump FBI and Department of Homeland Security (DHS) employee records online.

After a minimal response from the agency, the malicious actors did just that. They released 9,000 DHS and 20,000 FBI records, and told tech news sites they had access to even more data totaling 200 GB. Apparently, the name on the sign out front doesn’t make the FBI immune to cyber infiltration.

5. Russia Levels the Playing Field

Sometimes you just need to double down. Back in August, Russia received news that more than one-third of its athletes were banned from an international sporting event due to systematic performance-enhancing drug use. According to Tech.co, however, a group of Russian actors decided to air some of the U.S.’s dirty sport laundry by breaching the World Anti-Doping Agency and publicizing the medical data of high-profile American athletes.

While a significant breach of privacy, this incident didn’t exactly slow down Team USA during 2016.

6. Indecent Exposure

It’s a bad year to be looking for love in all the wrong places. According to Ars Technica, popular “community” site AdultFriendFinder was breached in November. More than 400 million account details were stolen, making it one of the largest single data breaches in history.

Using a Local File Inclusion exploit, which allows fraudsters to request files located elsewhere in the database to be included as part of specific application output, cybercriminals grabbed 339 million accounts from AdultFriendFinder, 62 million from Cams and 7 million from Penthouse.

Even worse, 15 million “deleted” accounts, which users thought were gone but hadn’t been purged from the server, were also taken. With passwords kept in either plaintext or hashed using the insecure SHA-1 algorithm, it was bad news all around for anyone looking for extramarital excitement. This isn’t the the kind of exposure they were looking for.

Looking Ahead to 2017

2016 data breaches ran the gamut from weird to wacky to just plain worrisome. Nothing is really safe online: Food services, old social sites and even the FBI are now targets of bored, hungry or chip-on-the-shoulder cybercriminal groups looking to prove a point or make a buck.

Expect more of the same — with the added layers of the Internet of Things (IoT) and massively connected mobile networks — in 2017. It’s going to be a wild ride.

Join the Dec. 8 webinar: The Year in Review and Cybersecurity Predictions for the Year Ahead

More from Data Protection

Third-party access: The overlooked risk to your data protection plan

3 min read - A recent IBM Cost of a Data Breach report reveals a startling statistic: Only 42% of companies discover breaches through their own security teams. This highlights a significant blind spot, especially when it comes to external partners and vendors. The financial stakes are steep. On average, a data breach affecting multiple environments costs a whopping $4.88 million. A major breach at a telecommunications provider in January 2023 served as a stark reminder of the risks associated with third-party relationships. In…

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today