That Yahoo data breach actually hit three billion accounts

Yahoo originally claimed that one billion accounts were accessed by hackers. Now it's admitted it was actually three billion

2017 has been dominated by high-profile data breaches. The most recent major incident resulted in consultancy firm Deloitte having its systems breached.

To keep you in the loop on data breaches this year, WIRED will keep a running tally of hacks. The below list will be updated each time a hack is verified and will include historic hacks only just discovered in 2017.

Yahoo!

Last year, Yahoo admitted it had been hacked three years previously, leaking account details of one billion of its three billion users, making it one of the biggest breaches of all time. Now, Yahoo has admitted that all three billion accounts were actually accessed.

The revelation follows Yahoo's acquisition by Verizon, with an investigation by forensic security experts during the company's integration revealing that all Yahoo user accounts were affected by the hack.

Yahoo said it was sending notifications via email to all users. "The investigation indicates that the user account information that was stolen did not include passwords in clear text, payment card data, or bank account information," said a statement on the Oath website, the company formed by Verizon cramming together Yahoo and AOL.

Deloitte

Global consultancy firm Deloitte has been hit by a cyberattack, The Guardian has reported. The company's systems were compromised through an unsecured administrator account, which allowed access to internal files. Details compromised include emails, usernames, passwords, health information, and details from Deloitte's clients.

“In response to a cyber incident, Deloitte implemented its comprehensive security protocol and began an intensive and thorough review including mobilising a team of cybersecurity and confidentiality experts inside and outside of Deloitte,” the company said in a statement. It is believed Deloitte found the intrusion into its networks in March.

Equifax

Consumer credit score company Equifax has revealed that hackers accessed up to 143 million customer account details earlier this year. The data breach happened on July 29 and the details taken include names, social security numbers, driver's licences, and credit card numbers of around 200,000 people.

Company CEO Richard Smith said a vulnerability in its website allowed the information to be accessed and that those who wanted to check if they had been affected needed to provide their last name and the last six digits of their social security number. People in the UK have also been affected by the data breach but the company has not revealed how many. "This is clearly a disappointing event for our company, and one that strikes at the heart of who we are and what we do," Smith said in a statement.

CeX

CeX, the second-hand games, DVDs and hardware retailer, has admitted around two million customers have had their details stolen. These include names, addresses, email addresses, phone numbers and encrypted credit card information from as far back as 2009. It said it stopped storing payment data in 2009 so nothing newer would have been taken. In a statement, the firm said it had been "subject to an online security breach" and is contacting people who registered on its website.

"We have no indication that in-store personal membership information has been compromised," a statement from CeX explained. The firm hasn't given any indication when the data was stolen, or who may have done it but says it is working with police and urges customers to change passwords.

Verizon

Phone numbers, names and PIN codes of six million Verizon customers were left online for around nine days. A misconfigured setting on a cloud server led to the details being posted online, CNN has reported.

Security firm UpGuard spotted the flaw and said the server was owned by third-party firm NICE Systems, a vendor for Verizon. The telecoms firm said the server has now been fixed and the data was secured.

AA

The car insurance and breakdown company left 13GB of customer information unsecured online. According to the BBC and security researcher Troy Hunt, the data was left viewable online for "a few days" in April. A server "misconfiguration" was blamed for allowing the data to be accessible online.

AA claimed the data was not sensitive; however, it is said that 117,000 unique email addresses, credit card types, and the final four digits of credit cards were left vulnerable. "We take any data issues incredibly seriously and would like to reassure our AA Shop customers that their payment details have not been compromised," Edmund King, AA's president, said in a statement.

Deep Root Analytics

Voter data belonging to almost 200 million Americans has been found online. A conservative US data analytics firm contracted by the Republican National Committee, Deep Root Analytics, left the records available on an unsecured Amazon web server. The 1.1 terabytes of data included names, dates of birth, home addresses, phone numbers, voter registration details and 'modelled' ethnicities and religions, according to security firm UpGuard, which stumbled across the information.

Although the data wasn't hacked, being left on an unsecured server meant that anyone who happened to come across it would be able to download and take the information. There's no evidence to suggest this happened though. "That such an enormous national database could be created and hosted online, missing even the simplest of protections against the data being publicly accessible, is troubling," UpGuard said in a blog post.

OneLogin

Proving once again that nobody is immune to data breaches, identity management company OneLogin has seen customer details stolen. The firm, which essentially provides password management services for businesses, admitted that a "malicious actor" has taken details relating to its US customers.

"Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US," the company says. The attack took place on May 31 2017. "The threat actor was able to access database tables that contain information about users, apps, and various types of keys," the firm continues.

Worryingly, it also says that whoever took the data may have been able to decrypt it. OneLogin has not said how many customers were impacted during the incident.

Chipotle

In April 2017, American restaurant Chipotle announced its payment systems had been hacked. The firm has now revealed that malware which accessed payment card data was installed on point-of-sale terminals between March 24 and April 18. "The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device," the firm says in a statement.

While the attack only affected the US, Chipotle's security announcement reveals that the large majority of its stores were impacted by the malware. The restaurant also says it doesn't believe any other customer information was impacted but it hasn't given any details on the number of people who were hit in the attack.

Bell

Canadian mobile phone, TV, and internet service provider Bell has been hit by an "anonymous hacker" who has swiped 1.9 million email addresses. In a statement, the company confirmed the hack and said the incident isn't linked to the global WannaCry ransomware attacks.

However, it wasn't just email addresses taken. "The illegally accessed information contains approximately 1.9 million active email addresses and approximately 1,700 names and active phone numbers," the company said.

Edmodo

Education website Edmodo promises a way for "educators to connect and collaborate with students, parents, and each other". However, 78 million of its customers have had their user account details stolen by hackers. Vice's Motherboard reports that usernames, email addresses, and hashed passwords were taken from the service and have been put up for sale on the dark web for around $1,000 (£700).

Data breach notification website LeakBase also has a copy of the data and provided it to Motherboard. According to LeakBase around 40 million of the accounts have email addresses connected to them. The company said it is aware of a "potential security incident" and is investigating.

Guardian Soulmates

Dating hopefuls using the Guardian Soulmates website have been hit with "sexually explicit" spam, following their contact information being leaked. The BBC reports users of the service were being targeted after a third-party technology provider "may have made account information available".

The Guardian Media Group, in a statement, said it had been contacted by 27 of its users saying the email addresses used for the website had been sent spam email. It is not known how many of the customers, who pay £32 a month, were impacted. "Our ongoing investigations point to a human error by one of our third-party technology providers, which led to an exposure of an extract of data," a spokesperson for the firm said.

HandBrake

Video conversion app HandBrake recently revealed its Mac version has been infected with malware. In a statement from developers, the software creators revealed that between May 2 and May 6 those who downloaded the programme may have been infected with a Trojan.

"HandBrake-1.0.7.dmg was replaced by another unknown malicious file that DOES NOT match the SHA1 / SHA256 hashes on our website or on our Github Wiki," the statement said. The website the malicious download was hosted on has now been shut down, the developers say, but it is not possible to know how many people downloaded the infected version.

Debenhams Flowers

While not being the biggest hack, an attack on the flower selling arm of retailer Debenhams has seen the details for 26,000 customers compromised. Third-party e-commerce supplier Ecomnova was hit by an attack that saw payment details, names, and addresses taken.

BBC News reports the attack took place between February 24 and April 11, with the Debenhams Flowers website being taken offline. The company reported the data breach to the Information Commissioner's Office but said users of Debenhams.com had not been impacted.

HipChat

The workplace chat platform HipChat has sent a security notice to users warning that a third-party library used by Atlassian's software has been targeted by hackers. The breach is said to have affected a server in the HipChat Cloud web tier, and in a reported 0.05 per cent of cases Atlassian said messages and content in rooms may have been accessed using account information including names, email addresses and hashed passwords.

As a precaution, HipChat has invalidated passwords on all potentially affected accounts and sent users advice on how to reset their passwords. It is also due to roll out an update to fix the flaw. The company is also readying a HipChat Server update in response to the attack.

In the security notice, HipChat said: "While HipChat Server uses the same third-party library, it is typically deployed in a way that minimises the risk of this type of attack. We are preparing an update for HipChat Server that will be shared with customers directly through the standard update channel. We are confident we have isolated the affected systems and closed any unauthorised access. To reiterate, we have found no evidence of other Atlassian systems or products being affected."

Wonga

Payday loan firm Wonga's data breach is believed to have affected up to 245,000 customers in the UK. The firm said it was "urgently investigating illegal and unauthorised access to the personal data of some of its customers". Wonga began contacting customers on Saturday and has set up a help page, as well as a phone line, for borrowers to learn more about the breach.

It is advising customers to alert their bank and ask them to look out for any suspicious activity as well as exercise vigilance. If you have any questions, you can call Wonga on 0207 138 8330.

The information said to be stolen includes names, addresses, phone numbers, bank account numbers and sort codes. It may also include the last four digits of customers' bank cards. Wonga said it didn't believe the attackers had gained access to anyone's accounts but warned them to be vigilant.

Association of British Travel Agents

The abta.com web server for the Association of British Travel Agents (ABTA) was recently hacked by "an external infiltrator" who exposed the details of 43,000 individuals. Around 1,000 of these included files that could include personal identity information of customers of ABTA members uploaded since 11 January 2017, while around 650 may also include personal identity information of ABTA members. As the UK’s largest travel association, ABTA's members include travel agents and tour operators.

The unauthorised access was said to be possible due to a system vulnerability "that the infiltrator exploited" to access some data provided by some customers of ABTA Members and by ABTA Members themselves. On immediate investigation, ABTA said it identified that although ABTA’s own IT systems remained secure, there was a vulnerability to the web server managed for ABTA through a third-party web developer and hosting company.

"This, unfortunately, means some documentation uploaded to the website, as well as some information provided by customers, may have been accessed," ABTA's CEO, Mark Tanzer said. As a precautionary measure, it has taken steps to warn its members and customers of ABTA members who have the potential to be affected. The group has also alerted the relevant authorities, including the Information Commissioner (ICO) and the police.

Cellebrite

In March 2016, Israeli company Cellebrite was linked to the FBI's hacking of San Bernardino terrorist Syed Farook's iPhone 5C.

It's now been revealed that Motherboard was sent 900GB of the firm's data. This includes customer information, internal databases, and technical data on the company's mobile phone hacking products.

The data is said to have been taken from the servers of Cellebrite's website and also includes usernames and passwords to log into the my.cellebrite website.

Esea

On January 8, the E-Sports Entertainment Association League (Esea) published a statement saying it believed that user data recently posted online belonged to the company, even though its authenticity had not yet been confirmed.

"We notified the community on December 30th, 2016 about the possibility this could happen," Esea said. Overall, it is believed 1.5 million user profiles (with names, email addresses and more) were posted online.

The company continued: "We have been working around the clock to further fortify security and will bring our website online shortly when that next round is complete."

Supercell

On January 18, staff at Supercell warned that users of its forum should change their passwords following a data breach.

The data grab happened in September 2016 and relates to third-party forum software. Motherboard initially reported the issue and verified the customer data, and it is claimed the dataset being sold online has more than one million account details.

"We take any such breaches very seriously and we follow very strict policies when it comes to security," Supercell's statement said. "Please note that this breach only affects our Forum service. Game accounts have not been affected."

Freedom Hosting II

The web host has details on around 20 per cent of all sites on the dark web. In February the firm was hit by a hacker who swiped the company's database of customers.

In total, 74GB of data stored on servers was reportedly taken, with some of this being child pornography. As well as the files, a 2.3GB database of customer information was also taken. 381,000 email addresses were included in the MySQL database. It is said the data included "thousands" of .gov email addresses.

PlayStation and Xbox forums

More than 2.5 million gamers that use the XBOX360 ISO and PlayStation's PSP ISO forums had their account details compromised. The details taken include email addresses, passwords and IP addresses.

The Telegraph reported the data breach happened in 2015 but has only just been found and made public. PSP ISO had 1.3m account details taken and Xbox360 ISO had 1.2m accounts hit.

Cloudflare

Personal messages sent on dating websites, Uber trips, and more were all leaked online after a problem with internet company Cloudflare's software. A bug in the software, which is used by millions of websites, meant that unhashed and plaintext information was being published to the web between September 2016 and February 2017.

While technically not a hack, the passwords and sensitive personal information of customers who use the websites affected were cached by search engines after they were published online. It is not known how much personal data was leaked in the incident that has been dubbed Cloudbleed.

CloudPets

In 2016, more than 727,000 UK children had their information compromised following a cyberattack on VTech. Now, another internet connected range of children's toys has been found to be exposing the personal details of children.

CloudPets, the maker of Internet of Things teddy bears, left more than two million voice recordings from children online without any security protections. Ars Technica reported the company had been contacted about the vulnerability multiple times but had not responded.

While not directly a hack, the information has been able to be accessed by those who may want to misuse it. A MongoDB database of 821,296 account records, stored by a Romanian company, was accessible online.

Wishbone

Wishbone is a social app that allows its users to create polls and get feedback on their ideas. More than two million email addresses and 287,000 mobile phone numbers were stolen from the site, Motherboard has reported.

A group of "unknown hackers" is reported to have taken the emails, phone numbers, names, birthdates and genders from an unprotected database from the Wishbone app. Security researcher Troy Hunt was provided with the data, which had 2,247,314 unique email addresses. Science Inc., the company that owns Wishbone, told Motherboard hackers "may have had access to an API without authorisation".

This article was originally published by WIRED UK