Hollywood loves hacking in movies. White hats are able to perform miraculous feats with nothing more than mobile phones and subpar internet connections, while evildoers somehow manage to access banking and government systems worldwide as part of insidious plots for world domination.

Top Six Weird and Wacky 2016 Data Breaches

In truth, cyberattacks and responses are much more mundane, but that doesn’t mean the industry is entirely without cinema-worthy stories. Here’s a look at the weirdest and wackiest 2016 data breaches.

1. Hungry Hackers Dupe Deliveroo Customers

Burger with a side of breach? Online food ordering services have experienced exponential growth as companies tackle the common city-dweller problem of having to leave home for meals. Deliveroo, for example, has filled this gap by delivering a vast array of vittles across London. As noted by ZDNet, however, hungry hackers managed to gnaw their way into the system in early November and began frustrating users with fraudulent food orders.

Since Deliveroo accounts don’t require customers to enter the security code on their credit card for each purchase, cybercriminals were able to crack login details and change delivery addresses and phone numbers. This enabled them to place orders and receive fresh, hot food on someone else’s dime. Many users were none the wiser until they logged into their accounts or received “thank you” emails from restaurants for food they didn’t order.

The company blamed stolen data from other sites for the breach and refunded affected customers. Still, it’s a testament to the new mentality of cybercriminals.

2. Spotify Strangeness

According to Naked Security, music streaming service Spotify was also breached this year. It made the list of weirdest 2016 data breaches because even with user data available on Pastebin, the company remained steadfast that no breach had occurred. Music streamers begged to differ, however, as strange songs showed up on many of their playlists. Additionally, some users were kicked off in the middle of streaming sessions and others were entirely locked out of their accounts.

Spotify claimed that it had monitored Pastebin and similar sites and found nothing amiss. Tell that to users who found unfamiliar email addresses associated with their accounts or saw their account active in multiple locations at the same time. For a service that’s all about listening, the customer complaints didn’t exactly come through loud and clear.

3. Remember MySpace?

This is so 2008, but as noted by Fortune, MySpace, the Facebook-before-Facebook site popular among teens and tweens eight years ago, was breached in May. The breach gave cybercriminals access to more than 110 million usernames and 427 million passwords, which they then put up for sale.

But what’s the big deal? MySpace is nothing more than a memory, right? Not exactly. There are still around 50 million active users on the site, meaning their accounts were ripe for compromise. But the biggest problem is that many users tap the same username/password combination over and over again, putting accounts created on sites such as Amazon, Facebook and online banking portals at risk. It’s a lesson in longevity — security threats never really sleep.

4. Fraudsters Call the FBI’s Bluff

Sure, the FBI talks a big game about security and is making strides toward a safer cyber future. As noted by CRN, however, February 2016 was not a great month for the Bureau. First, cybercriminals claimed they had access to the FBI database and threatened to dump FBI and Department of Homeland Security (DHS) employee records online.

After a minimal response from the agency, the malicious actors did just that. They released 9,000 DHS and 20,000 FBI records, and told tech news sites they had access to even more data totaling 200 GB. Apparently, the name on the sign out front doesn’t make the FBI immune to cyber infiltration.

5. Russia Levels the Playing Field

Sometimes you just need to double down. Back in August, Russia received news that more than one-third of its athletes were banned from an international sporting event due to systematic performance-enhancing drug use. According to Tech.co, however, a group of Russian actors decided to air some of the U.S.’s dirty sport laundry by breaching the World Anti-Doping Agency and publicizing the medical data of high-profile American athletes.

While a significant breach of privacy, this incident didn’t exactly slow down Team USA during 2016.

6. Indecent Exposure

It’s a bad year to be looking for love in all the wrong places. According to Ars Technica, popular “community” site AdultFriendFinder was breached in November. More than 400 million account details were stolen, making it one of the largest single data breaches in history.

Using a Local File Inclusion exploit, which allows fraudsters to request files located elsewhere on the server and have them included as part of specific application output, cybercriminals grabbed 339 million accounts from AdultFriendFinder, 62 million from Cams and 7 million from Penthouse.

Even worse, 15 million “deleted” accounts, which users thought were gone but hadn’t been purged from the server, were also taken. With passwords either kept in plaintext or hashed using the insecure SHA-1 algorithm, it was bad news all around for anyone looking for extramarital excitement. This isn’t the kind of exposure they were looking for.
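To make the password-storage point concrete, here is an added example (not code from any of the breached services) that contrasts unsalted SHA-1 with a salted, slow PBKDF2 record and upgrades legacy hashes when a user next logs in. The record format, function names and iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor; tune to your hardware


def legacy_sha1(password):
    """Unsalted SHA-1, the weak scheme described above (kept for comparison)."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), dk.hex())


def verify(password, stored):
    """Return (ok, record_to_store).

    A legacy SHA-1 record is replaced by a PBKDF2 record after a
    successful login, so weak hashes drain out of the database over time.
    """
    if stored.startswith("pbkdf2_sha256$"):
        _, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
        )
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    ok = hmac.compare_digest(legacy_sha1(password), stored)
    return ok, (hash_password(password) if ok else stored)


if __name__ == "__main__":
    # Constructed sample password, not taken from any breach.
    old = legacy_sha1("correct horse")
    print("same password, same SHA-1:", old == legacy_sha1("correct horse"))
    ok, new = verify("correct horse", old)
    print("login ok:", ok, "| upgraded record prefix:", new.split("$")[0])
```

Users who never log in again keep their legacy record, so those rows still need a forced reset or an outer re-hash.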

Looking Ahead to 2017

2016 data breaches ran the gamut from weird to wacky to just plain worrisome. Nothing is really safe online: Food services, old social sites and even the FBI are now targets of bored, hungry or chip-on-the-shoulder cybercriminal groups looking to prove a point or make a buck.

Expect more of the same — with the added layers of the Internet of Things (IoT) and massively connected mobile networks — in 2017. It’s going to be a wild ride.
