Smartphones are a prevalent feature in modern life. With more than three billion smartphone users around the world, who downloaded over 200 billion apps in 2019, it comes as no surprise that applications have become an increasingly common attack vector for hackers.
This presents a greater risk to the many businesses and organisations that use applications to provide their customers and users with services. Here are six major app-related data breaches – in no particular order – that have taken place in recent years.
1. LinkedIn
Date: June 2021
Impacted: 700 million users
Data scraped from the 700 million users appeared on a dark web forum earlier this year, impacting more than 90% of LinkedIn’s total user base.
Although LinkedIn argued that no sensitive, private personal data was exposed, the data scraped from profiles included email addresses, phone numbers, geolocation records, genders, and other social media details. This level of information would give malicious actors plenty of material for convincing follow-on social engineering attacks.
Date: June 2012
Impacted: 165 million users
LinkedIn suffered an additional breach almost a decade prior, after 6.5 million passwords (unsalted SHA-1 hashes) were stolen and published on a Russian hacker forum. It wasn’t until four years later that the full extent of the incident was revealed, when the email addresses and passwords of 165 million users were posted for sale for just 5 bitcoins (approximately $2,000 at the time).
2. Equifax
Date: July 2017
Impacted: 143 million consumers
The breach exposed personal information (including Social Security Numbers, birth dates, addresses, and in some cases drivers’ license numbers) of 143 million consumers; 209,000 consumers also had their credit card data exposed.
Equifax, one of the largest credit bureaus in the U.S., came forward in September 2017 to disclose an application vulnerability on one of their websites that resulted in a data breach, exposing 143 million consumers. The data exposed included Social Security Numbers, birth dates, addresses, and even some drivers’ license numbers.
Although the breach was discovered in July, Equifax stated that it likely began in mid-May.
3. Dubsmash
Date: December 2018
Impacted: 162 million user accounts
Dubsmash acknowledged the breach and sale of information had occurred and provided advice around password changing. However, it failed to state how the attackers got in or confirm how many users were affected.
In December 2018, Dubsmash, a video-based social media platform, suffered a data breach that revealed the personal information of 162 million users. The data included email addresses, usernames, PBKDF2 password hashes, and other personal information including dates of birth. The following December, the stolen data was listed for sale on the Dream Market dark web market as part of a collected dump which also included MyFitnessPal, MyHeritage, and ArmorGames.
4. MyFitnessPal
Date: February 2018
Impacted: 150 million user accounts
Popular diet and exercise app MyFitnessPal exposed approximately 150 million email addresses, IP addresses, and login credentials stored as SHA-1 and bcrypt hashes. The data resurfaced a year later, up for sale on the dark web.
The company acknowledged the breach and took action to notify users, making the following statement:
“Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities.”
5. Uber
Date: Late 2016
Impacted: 57 million Uber users & 600,000 drivers
Hackers successfully compromised the personal information of 57 million app users, as well as the driving license details of 600,000 Uber drivers.
Uber’s response was a prime example of how not to handle a data breach. The company failed to confirm the attack until almost a year later, after paying a $100,000 ‘bug-bounty’ to the hackers to destroy the data they’d stolen – without any proof that they had done so. The blame for this faux pas fell largely on the CSO, who was fired shortly after.
The breach heavily impacted Uber’s reputation, with its company valuation falling from $68 billion to $48 billion during sale negotiations the following year.
6. Facebook
Date: April 2019
Impacted: 533 million users
Two datasets originating from Facebook apps were exposed on the public internet in April 2019, consisting of phone numbers, account names, and Facebook IDs of more than 530 million Facebook users.
The data resurfaced in April 2021, which indicates a renewed criminal intent surrounding the data. Security researcher Troy Hunt has added a new feature to HaveIBeenPwned to allow users to check if their mobile numbers were included in the exposed datasets.