Stranger Than Fiction? The Six Weirdest 2016 Data Breaches
Hollywood loves hacking in movies. White hats are able to perform miraculous feats with nothing more than mobile phones and subpar internet connections, while evildoers somehow manage to access banking and government systems worldwide as part of insidious plots for world domination.
Top Six Weird and Wacky 2016 Data Breaches
In truth, cyberattacks and responses are much more mundane, but that doesn’t mean the industry is entirely without cinema-worthy stories. Here’s a look at the weirdest and wackiest 2016 data breaches.
1. Hungry Hackers Dupe Deliveroo Customers
Burger with a side of breach? Online food ordering services have grown rapidly as companies tackle the common city-dweller problem of having to leave home for meals. Deliveroo, for example, has filled this gap by delivering a vast array of vittles across London. As noted by ZDNet, however, in early November hungry fraudsters started logging into customer accounts and frustrating users with fraudulent food orders.
Deliveroo accounts don't require customers to re-enter their card's security code for each purchase, and changing the delivery address or phone number needs nothing more than a logged-in session. So anyone holding a customer's username and password could sign in, point the account at a new address and phone number, and receive fresh, hot food on someone else's dime. Many users were none the wiser until they logged into their accounts or received "thank you" emails from restaurants for food they didn't order.
The company blamed credentials stolen from other sites (credential stuffing against accounts whose owners reused passwords, rather than a break-in at Deliveroo itself) and refunded affected customers. Still, it's a testament to how quickly a reused password turns into a free dinner for somebody else: the weak link was not the servers but the lack of any second check once a session was authenticated.
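What this kind of fraud looks like from the server side is worth seeing, so here is an added example (written for this article, not Deliveroo's code) that runs two detections over a small constructed audit log: a burst of failed logins across many different accounts from one IP, and a successful login from an address an account has never used, followed within minutes by contact-detail changes and an order. The log format, field names and thresholds are assumptions made for the demo.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (made up for this example; not real Deliveroo data).
# Fields: timestamp, account, source IP, action. "alice" shows the pattern from the
# story: a login from an address she has never used, then address and phone changes,
# then an order. The same IP first fails logins against several other accounts,
# which is what credential stuffing looks like from the server side.
SAMPLE_LOG = """\
2016-11-02T18:01:05 alice 203.0.113.7 login_ok
2016-11-02T18:05:41 alice 203.0.113.7 order
2016-11-03T19:10:00 bob 198.51.100.23 login_fail
2016-11-03T19:10:01 carol 198.51.100.23 login_fail
2016-11-03T19:10:02 dave 198.51.100.23 login_fail
2016-11-03T19:10:03 erin 198.51.100.23 login_fail
2016-11-03T19:12:09 alice 198.51.100.23 login_ok
2016-11-03T19:12:30 alice 198.51.100.23 change_address
2016-11-03T19:12:44 alice 198.51.100.23 change_phone
2016-11-03T19:14:02 alice 198.51.100.23 order
2016-11-03T20:00:00 bob 192.0.2.44 login_ok
2016-11-03T20:01:00 bob 192.0.2.44 order
"""


def parse_log(text):
    """Parse the whitespace-separated log into (time, account, ip, action), oldest first."""
    events = []
    for line in text.splitlines():
        ts, account, ip, action = line.split()
        events.append((datetime.fromisoformat(ts), account, ip, action))
    return sorted(events)


def detect_takeovers(events, window=timedelta(minutes=30)):
    """Flag accounts where a successful login from an IP never seen on that account is
    followed, within `window`, by a contact-detail change and then an order.
    Returns {account: suspicious_ip}. The first IP ever seen for an account is treated
    as its baseline, since this toy has no prior history to load."""
    known_ips = defaultdict(set)
    pending = {}  # account -> [login_time, ip, contact_changed]
    flagged = {}
    for ts, account, ip, action in events:
        if action == "login_ok":
            if known_ips[account] and ip not in known_ips[account]:
                pending[account] = [ts, ip, False]
            known_ips[account].add(ip)
            continue
        state = pending.get(account)
        if state is None:
            continue
        if ts - state[0] > window:
            del pending[account]  # too slow to match the pattern; forget it
        elif action in ("change_address", "change_phone"):
            state[2] = True
        elif action == "order" and state[2]:
            flagged[account] = state[1]
            del pending[account]
    return flagged


def detect_credential_stuffing(events, min_accounts=3, window=timedelta(minutes=5)):
    """Flag source IPs that fail logins against `min_accounts` or more distinct accounts
    inside `window`. Returns {ip: distinct_accounts_targeted}."""
    fails = defaultdict(list)  # ip -> [(time, account)], already in time order
    for ts, account, ip, action in events:
        if action == "login_fail":
            fails[ip].append((ts, account))
    suspicious = {}
    for ip, attempts in fails.items():
        for i, (start, _) in enumerate(attempts):
            targeted = {acct for t, acct in attempts[i:] if t - start <= window}
            if len(targeted) >= min_accounts:
                suspicious[ip] = len(targeted)
                break
    return suspicious


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("possible takeovers:", detect_takeovers(evts))
    print("credential stuffing sources:", detect_credential_stuffing(evts))
```

Neither rule needs the password itself: the signals are the spread of failed logins across accounts and the order of events after a login from an unfamiliar address. A real deployment would also step up authentication (re-enter the card's security code, confirm by email) before honouring an order placed right after the delivery address changed, which is the control the story says was missing.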
2. Spotify Strangeness
According to Naked Security, music streaming service Spotify was also breached this year. It made the list of weirdest 2016 data breaches because even with user data available on Pastebin, the company remained steadfast that no breach had occurred. Music streamers begged to differ, however, as strange songs showed up on many of their playlists. Additionally, some users were kicked off in the middle of streaming sessions and others were entirely locked out of their accounts.
Spotify claimed that it had monitored Pastebin and similar sites and found nothing amiss. Tell that to users who found unfamiliar email addresses associated with their accounts or saw their account active in multiple locations at the same time. Both stories can be true at once: a dump of credentials stolen elsewhere, tried against Spotify accounts whose owners reused the same password, produces exactly these symptoms without Spotify's own systems being touched. For a service that's all about listening, though, the customer complaints didn't exactly come through loud and clear.
3. Remember MySpace?
This is so 2008, but as noted by Fortune, MySpace, the Facebook-before-Facebook site popular among teens and tweens eight years ago, was breached in May. The breach gave cybercriminals access to more than 110 million usernames and 427 million passwords, which they then put up for sale.
But what's the big deal? MySpace is nothing more than a memory, right? Not exactly. There are still around 50 million active users on the site, meaning their accounts were ripe for compromise. But the biggest problem is that many users reuse the same username/password combination over and over again, so a password cracked from an old MySpace hash also opens accounts on sites such as Amazon, Facebook and online banking portals. It's a lesson in longevity — security threats never really sleep.
4. Fraudsters Call the FBI’s Bluff
Sure, the FBI talks a big game about security and is making strides toward a safer cyber future. As noted by CRN, however, February 2016 was not a great month for the Bureau. First, cybercriminals claimed they had access to the FBI database and threatened to dump FBI and Department of Homeland Security (DHS) employee records online.
After a minimal response from the agency, the malicious actors did just that. They released 9,000 DHS and 20,000 FBI records, and told tech news sites they had access to even more data totaling 200 GB. Apparently, the name on the sign out front doesn’t make the FBI immune to cyber infiltration.
5. Russia Levels the Playing Field
Sometimes you just need to double down. Back in August, Russia received news that more than one-third of its athletes were banned from an international sporting event due to systematic performance-enhancing drug use. According to Tech.co, however, a group of Russian actors decided to air some of the U.S.’s dirty sport laundry by breaching the World Anti-Doping Agency and publicizing the medical data of high-profile American athletes.
While a significant breach of privacy, this incident didn’t exactly slow down Team USA during 2016.
6. Indecent Exposure
It's a bad year to be looking for love in all the wrong places. According to Ars Technica, popular "community" site AdultFriendFinder suffered a breach disclosed in November. More than 400 million account details were stolen, making it one of the largest single data breaches in history.
Using a Local File Inclusion (LFI) flaw, in which the application builds a file path from a request parameter without validating it, so an attacker can pull arbitrary files from the web server's own filesystem (not the database) into the application's output, cybercriminals grabbed 339 million accounts from AdultFriendFinder, 62 million from Cams and 7 million from Penthouse.
Even worse, 15 million "deleted" accounts, which users thought were gone but hadn't been purged from the server, were also taken. With passwords kept either in plaintext or as plain SHA-1 hashes, which are fast to compute and, without a per-user salt, can be cracked in bulk with a wordlist, it was bad news all around for anyone looking for extramarital excitement. This isn't the kind of exposure they were looking for.
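To make the LFI mechanism concrete, here is an added example in Python (not code from AdultFriendFinder, Ars Technica or this article's author): a page-include function that trusts the request parameter, a hardened version that canonicalises the path and checks that it stays inside the content directory, and an allowlist version that keeps user input away from the filesystem entirely. The directory layout, file names and secrets are constructed for the demo.

```python
import os
import tempfile


def make_demo_tree():
    """Constructed fixture for this example: a 'pages' directory that is the only place
    the app should ever read from, plus a config file one level above it."""
    root = tempfile.mkdtemp()
    pages = os.path.join(root, "pages")
    os.mkdir(pages)
    with open(os.path.join(pages, "about.txt"), "w") as fh:
        fh.write("public about page\n")
    with open(os.path.join(root, "config.txt"), "w") as fh:
        fh.write("db_password=not-for-users\n")
    return pages


def include_page_vulnerable(pages_dir, name):
    """The LFI pattern: the request parameter `name` becomes a filesystem path unchecked.
    '../config.txt' walks out of pages_dir, and an absolute name such as '/etc/passwd'
    makes os.path.join discard pages_dir altogether."""
    with open(os.path.join(pages_dir, name)) as fh:
        return fh.read()


def include_page_hardened(pages_dir, name):
    """Canonicalise (realpath follows symlinks and collapses '..') and refuse any target
    that does not sit strictly inside pages_dir. A substring check such as
    '..' not in name is not enough; compare the resolved paths instead."""
    base = os.path.realpath(pages_dir)
    target = os.path.realpath(os.path.join(base, name))
    if target == base or os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to include {name!r}: outside {base}")
    with open(target) as fh:
        return fh.read()


# Stricter still: never let user input touch the filesystem at all. Map a short key to a
# file name chosen by the developer, and reject anything not in the map.
PAGE_ALLOWLIST = {"about": "about.txt"}


def include_page_allowlisted(pages_dir, key):
    try:
        filename = PAGE_ALLOWLIST[key]
    except KeyError:
        raise PermissionError(f"unknown page {key!r}") from None
    with open(os.path.join(pages_dir, filename)) as fh:
        return fh.read()


if __name__ == "__main__":
    pages = make_demo_tree()
    print(include_page_vulnerable(pages, "../config.txt"), end="")  # leaks the secret
    try:
        include_page_hardened(pages, "../config.txt")
    except PermissionError as err:
        print("blocked:", err)
    print(include_page_allowlisted(pages, "about"), end="")
```

The `commonpath` comparison is what catches the sibling-directory trick (`pages_private/..` or a directory whose name merely begins with `pages`) that a naive `startswith` check lets through. Note that in the original-language equivalent, PHP's `include`, the leaked file is also executed, which is why LFI so often turns into code execution rather than just disclosure.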
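Why plaintext or plain SHA-1 storage is so damaging for a dump of this size is easy to show in code. The following added example (not code from the breached sites or from this article) cracks a constructed set of accounts stored two ways: unsalted SHA-1, where a single pass over a wordlist recovers every user with a common password at once, and salted PBKDF2, where every guess has to be repeated per user and each one costs hundreds of thousands of rounds instead of one hash. The accounts, the wordlist and the iteration count are assumptions made for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (made up; not data from any breach). Shared weak
# passwords are the norm in a large dump, and unsalted hashing exposes the sharing
# directly: u1 and u3 get byte-identical SHA-1 digests before anyone cracks anything.
USERS = {
    "u1": "password1",
    "u2": "letmein",
    "u3": "password1",
    "u4": "Tr0ub4dor&3",  # not in the wordlist; stays uncracked either way
    "u5": "qwerty",
}
WORDLIST = ["123456", "password1", "letmein", "qwerty", "welcome", "football", "monkey", "dragon"]


def store_sha1(password):
    """What the breached sites did: one fast, unsalted hash per password."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_sha1(hashes, wordlist):
    """One SHA-1 per candidate word builds a lookup table that covers every user at once.
    Returns ({user: password}, number_of_hash_computations)."""
    table = {store_sha1(word): word for word in wordlist}
    found = {user: table[h] for user, h in hashes.items() if h in table}
    return found, len(wordlist)


def store_pbkdf2(password, iterations=200_000):
    """Per-user random salt plus a deliberately slow KDF, stored as 'salt$hash' in hex."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_pbkdf2(password, stored, iterations=200_000):
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def crack_pbkdf2(stored, wordlist, iterations=200_000):
    """With salts there is no shared table: every candidate is recomputed for every user,
    and each computation costs `iterations` rounds rather than one SHA-1.
    Returns ({user: password}, number_of_kdf_computations)."""
    found, work = {}, 0
    for user, record in stored.items():
        for word in wordlist:
            work += 1
            if verify_pbkdf2(word, record, iterations):
                found[user] = word
                break
    return found, work


def compare(users=USERS, wordlist=WORDLIST, iterations=200_000):
    """Run both attacks over the same accounts. Returns (sha1_work, pbkdf2_work); the
    same weak passwords fall either way, but the amount of work differs."""
    sha1_found, sha1_work = crack_sha1({u: store_sha1(p) for u, p in users.items()}, wordlist)
    salted = {u: store_pbkdf2(p, iterations) for u, p in users.items()}
    kdf_found, kdf_work = crack_pbkdf2(salted, wordlist, iterations)
    assert sha1_found == kdf_found
    return sha1_work, kdf_work


if __name__ == "__main__":
    print("hash computations, unsalted SHA-1 vs salted PBKDF2:", compare())
```

With five accounts the gap is 8 computations against 19, and each of the 19 is roughly two hundred thousand times dearer. Scale the table to hundreds of millions of accounts, as in this breach, and the unsalted side still costs one hash per wordlist entry while the salted side grows with the number of users, which is the whole point of salting and of using a slow KDF (bcrypt, scrypt or Argon2 are the usual choices in practice).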
Looking Ahead to 2017
2016 data breaches ran the gamut from weird to wacky to just plain worrisome. Nothing is really safe online: Food services, old social sites and even the FBI are now targets of bored, hungry or chip-on-the-shoulder cybercriminal groups looking to prove a point or make a buck.
Expect more of the same — with the added layers of the Internet of Things (IoT) and massively connected mobile networks — in 2017. It’s going to be a wild ride.