The Worst Data Breaches (what you need to know and do)

Category: Privacy

Data breaches are getting bigger, more frequent, and more worrisome. That's the message from digital privacy experts at NordVPN, who just released a report detailing the most shocking data leaks of 2019. Eight of those breaches affected the personal data of millions of people worldwide. Read on for details on the biggest and worst data breaches of 2019, and what you need to know about protecting yourself in the age of vanishing privacy...

The Biggest Data Breaches of 2019

NordVPN, a VPN service provider with a focus on online privacy, does an annual report that focuses on just the opposite. Namely, how much personal and private data is released into the dark corners of the online world by malicious hackers.

Daniel Markuson, a digital privacy expert at NordVPN, says that in 2019 hackers did more than just hack — they also collected billions of consumer records from breaches and leaks that had occurred years ago, and packaged them up for sale. Some of those breaches were really shocking and affected millions of people worldwide.

“With so many breaches and leaks in 2019, it’s possible that your email address or other details ended up in the wrong hands,” says Markuson. But there are several online resources that can help you determine if any of your login credentials have been compromised.


You can check to see if your email address was leaked in a data breach by visiting Have I Been Pwned. Enter your email address and this site will tell you if it has been compromised at any time in the past. (The term "pwned" is geekspeak for "owned," or "defeated.")

NordPass is a free service that lets you anonymously measure the strength (hackability) of your password, and will tell you if your password was exposed to any known data breaches.

Breach Alarm is a similar but more proactive service that scans the dark corners of the Internet in search of stolen password lists that have been posted online. You can sign up to be notified about future password hacks that affect you.
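The password checks described above work by comparing your password against hashes harvested from known breaches. The following is an added example, not code from the article, NordPass or Have I Been Pwned, showing how such a check can be done without ever sending the full password to the lookup service. It follows the k-anonymity "range" scheme that Troy Hunt's Pwned Passwords API uses: the client sends only the first five hex characters of the password's SHA-1 hash, receives every known hash suffix sharing that prefix, and makes the match locally. The breach corpus, the counts and the `range_lookup` stand-in for the HTTP call are all constructed here so the example runs offline.

```python
"""Breach-corpus password check using hash-prefix (k-anonymity) lookup.

Added example; the corpus below is constructed, not real breach data, and
range_lookup() stands in for the network request a real client would make.
"""
import hashlib
from typing import Callable, Dict, List, Tuple

PREFIX_LEN = 5  # hex characters of the hash that leave the client


def sha1_hex(password: str) -> str:
    """SHA-1 is used here only because it is the lookup-key format of the
    Pwned Passwords corpus; it is not a recommendation for storing passwords."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- Constructed breach corpus standing in for the server's data ----------
# Plaintexts are common demo choices; the "times seen" counts are invented.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 3730471,
    "123456": 23547453,
    "letmein": 236351,
}


def build_range_index(corpus: Dict[str, int]) -> Dict[str, List[Tuple[str, int]]]:
    """Server side: group breached hashes by their first PREFIX_LEN hex chars."""
    index: Dict[str, List[Tuple[str, int]]] = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        index.setdefault(h[:PREFIX_LEN], []).append((h[PREFIX_LEN:], count))
    return index


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHED)


def range_lookup(prefix: str) -> str:
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.

    Returns the same 'SUFFIX:COUNT' line format the real service uses. The
    real service also pads responses with zero-count dummy suffixes when asked
    to, so a client must treat a count of 0 as "not found".
    """
    entries = RANGE_INDEX.get(prefix.upper(), [])
    return "\r\n".join(f"{suffix}:{count}" for suffix, count in entries)


def pwned_count(password: str, lookup: Callable[[str], str] = range_lookup) -> int:
    """Client side: number of times the password appears in the corpus, 0 if never.

    Only the hash prefix is handed to lookup(); the suffix never leaves this
    function, so the service cannot learn which password was checked.
    """
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    for line in lookup(prefix).splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)  # a padded entry carries count 0, i.e. not found
    return 0


def is_compromised(password: str, lookup: Callable[[str], str] = range_lookup) -> bool:
    """Convenience wrapper: True when the password has ever been seen."""
    return pwned_count(password, lookup) > 0


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: seen {pwned_count(pw)} times")
```

To run this against the live corpus, replace `range_lookup` with a function that fetches `https://api.pwnedpasswords.com/range/<prefix>` (sending the `Add-Padding: true` header hides the exact number of real matches from anyone watching traffic sizes) and pass it as the `lookup` argument; nothing else changes, because the matching logic is entirely client-side.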

Who Was Breached, and How Bad Was It?

Here's a list from the NordVPN report with eight of the worst recent data breaches. They're ordered from the smallest to the largest, with details on what specific types of personal data points were compromised.

American Medical Collection Agency (19.6 million). This breach affected two prominent lab testing companies. First, Quest Diagnostics was notified that someone had unauthorized access to AMCA’s databases for eight months. The hack affected almost 12 million of their customers. Hackers got access to very personal information such as credit card numbers, bank account information, medical information, and Social Security numbers. Then there was LabCorp, another company whose customers were affected by this breach. Almost 8 million customers’ personal and financial data was compromised.

Suprema (27.8 million). This security loophole left 27.8 million people’s biometric data exposed. Suprema is a security company responsible for the web-based Biostar 2 biometrics lock system. The system is used by almost 6,000 organizations in 83 countries, including governments and banks. Biostar uses fingerprints and facial recognition to allow employees into restricted buildings and areas. Security researchers from VPNmentor found that the Biostar database was left unprotected and largely unencrypted. Worst of all, they got access to tons of sensitive information. Really, a "security company" failed to protect sensitive confidential client information?

Houzz (48.9 million). Houzz, a home design website, started the year 2019 by announcing a breach in which hackers got unauthorized access to its customers' publicly available information, as well as usernames and encrypted passwords. The company noticed the breach at the end of 2018 and was pretty vague about it in their public statements. However, ITRC reported that the hack affected almost 49 million Houzz customers.

Capital One (106 million). In July 2019, Capital One announced that they suffered a massive data breach affecting 100 million Americans and 6 million Canadians. The hacker accessed credit card applications made between 2005 and 2019. They contained personal data including names, home addresses, email addresses, dates of birth, etc. What makes this one of the worst breaches of 2019 is that some bank account numbers and Social Security numbers also ended up in the hands of the hacker.

Zynga (218 million). If you’ve ever played online games such as “Words with Friends” or “Draw Something,” you should be worried because their creator, Zynga, was breached in 2019. The hack affected a whopping 218 million users. Bad actors accessed log-in credentials, usernames, email addresses, some Facebook IDs, some phone numbers, and Zynga account IDs.

Facebook (419 million). A security researcher at the GDI Foundation found an unprotected server with a database containing approximately 419 million phone numbers belonging to Facebook users. The database was available to anyone, and it also included Facebook IDs, which makes finding users’ names and personal details even easier. The owner of the server wasn’t found, but the database was taken down shortly after it was discovered.

Collection by Gnosticplayers (1 billion+). This isn’t a breach per se, but rather a collection of breaches affecting more than 1 billion internet users. A hacker who calls himself Gnosticplayers collected databases from 45 companies and put them up for sale on the dark web. These batches contained data such as users’ full names, email addresses, passwords, location data, and social media account information. The companies whose data was released include Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), Animoto (25 million), 500px (15 million), CoffeeMeetsBagel (6 million), and more.

Collections #1-5 (3 billion). A batch of leaked data dubbed "Collections #1-5" was probably the biggest leak of 2019. These collections of leaked and stolen data contained usernames and passwords collected over many years of breaches. These batches appeared on hacking forums and were noticed by security researcher Troy Hunt, who identified the link between them all and informed the public. The first batch was released in January and contained the data of 770 million people. Then, a few weeks later, Collections #2-5 appeared on the internet. They contained 25 billion unique records and roughly 2.2 billion unique usernames and passwords, making this one of the most significant leaks to date.

What Should You Do?

Now that the number of leaked records (usernames, passwords, phone numbers, social security numbers, credit card info, and other personal data) reaches into the billions, and new data breaches are announced like clockwork, how should you respond? My advice is to assume that at least some of your personal info HAS been compromised. Here's what I recommend:

* Change your passwords, and use a password manager to create strong, unique passwords going forward.
* Use two-factor authentication to protect your online accounts (it keeps an attacker out even if your password is stolen).
* Consider using disposable email addresses.
* Keep tabs on your credit reports (see sidebar above).

I want to thank the folks at NordVPN for allowing me to share their reporting on recent data breaches. NordVPN offers VPN (virtual private network) services that let you browse the web securely and anonymously. And in case you're curious, I have no business relationship with NordVPN, and was not compensated for this article.

Have you been affected by a data breach? What steps did you take as a result? Your thoughts on this topic are welcome. Post your comment or question below...

This article was posted by on 4 Feb 2020
Most recent comments on "The Worst Data Breaches (what you need to know and do)"

Posted by:

04 Feb 2020

IMHO: Our collective (and collected) medical history database is the biggest gaping security hole for our private data, which is waiting to be fully breached and exploited.
We can use all of the recommended security provisions (including 2FA, strong passwords, disposable email addies, etc.) but such medical data trove, even if properly secured, is not under our personal control.
Me also thinx: A brief web search, using keywords "medical records breach 2019", leads me to assume that NordVPN-provided data breaches may not be 100% accurate with respect to the theft of medical records in 2019.

Posted by:

04 Feb 2020

I'm with RadiO. There's nothing We the People can do to protect our medical data (or any other data for that matter) short of lying and submitting false info for every field. Then, what's the point?

Posted by:

Ken H
04 Feb 2020

FYI, while Breach Alarm found no breaches involving my email address, Have I Been Pwned? found 8! Including a few sites I have never, to the best of my knowledge, visited.

Posted by:

05 Feb 2020

After years of your banging-on about security, Bob, about a year ago I finally set up each of my accounts with a unique quasi-random password generated by KeePass. It took about an hour. I also use 2FA wherever it's available.

Yes, my sign-up email appears on the lists at "Have I Been Pwned?", but, thanks to you, Bob, I'm not *too* worried. Keep up the good work!

BTW: Disposable emails (e.g. 10minutemail) are great, but you do need to consider whether you may want to retain the possibility of the organization communicating with you at some later date.

Posted by:

05 Feb 2020

Not being American or on FB there is only one name above that affects me but I find it terrifying and that is My Heritage, because there they have access to the entire family tree among other things and the potential for successful phishing is unlimited and there is no defence against it. I like to think I have my ear to the ground but don't recall hearing about that one. Oy!

Posted by:

05 Feb 2020

Heck they could even have access to DNA test results if they get lucky enough!

Posted by:

05 Feb 2020

That is kind of funny coming from Nord VPN; they were breached also, can't remember when it was though. So I would take what they say with a grain of salt.

Posted by:

05 Feb 2020

@Joseph >> When first rolled out, I just wanted to see what the EULA terms of DNA test results were: At that time, it specifically had stated that YOUR DNA test results are OWNED by THEM....

Posted by:

06 Feb 2020

@RandiO - 1. My DNA results aren't owned by anybody as I haven't done the test.
2. It's one thing if DNA test results are owned by an organisation one may trust, having them available to anyone who buys a list on the dark net is a whole nother thing.

Copyright © 2005 - Bob Rankin - All Rights Reserved