2019 will go into the books as a bad year for data privacy, as sensitive personal details of many millions of users were leaked, breached, or left wide open by the Silicon Valley Masters of the Universe. Breitbart News has collected some of the biggest data breaches of the year.
2019 was the year when user data privacy became a more closely watched issue by members of the public; following some high profile data breaches in 2018 such as the Facebook Cambridge Analytica scandal and the Equifax data breach of 2017, people began to keep a closer eye on their personal data and who was accessing it. Even as scrutiny increased, massive data breaches from the richest and most powerful companies in Silicon Valley continued unabated.
Breitbart News has compiled a list of some of the biggest data breaches of 2019:
1: Capital One breach puts 100+ million at risk
In July of 2019, Breitbart News reported that a 33-year-old transgender woman who worked as a software engineer in Seattle was arrested in relation to a massive data breach which put over 100 million Capital One credit card applicants at risk. Paige A. Thompson allegedly accessed information from the Capital One bank through an improperly managed security feature and posted this information on a data-sharing site, a criminal complaint alleges.
Capital One told NBC News in a statement that the breach affected approximately 100 million individuals in the United States and approximately 6 million in Canada. Capital One insists, however, that no credit card account numbers of login details were accessed in the breach, and that less than one percent of social security numbers have been compromised.
Capital One was contacted on July 17 by an anonymous individual alleged that the leaked data which was later discovered to belong to Thompson had been posted GitHub, a website used by software engineers to post and collaboratively develop digital projects. The post was investigated by Capital One staff and appeared to include detailed instructions on how to access Capital One’s private information. The bank stated that 140,000 Social Security numbers and 80,000 bank accounts were potentially put at risk as a result of the data breach.
FBI cyber investigators successfully matched the Github account to a transgender person named Paige Thompson who previously workers as a systems engineer for Cloud Computing Company. Further investigation also showed that Thompson has created a messaging channel in which she claimed to have obtained other data using the code she posted to Github. The FBI also believes that Thompson owns a Twitter account which contacted Capital One on July 18 stating that it was in possession of social security numbers.
In a Twitter message obtained by the FBI, Thomspon going by the pseudonym “erratic” said that he had “basically strapped myself with a bomb vest, f—ing dropping capitol one dox and admitting it.” Thompson stated that he was in possession of social security numbers and other personal details, implying that he planned to distribute this information publicly writing: “I wanna distribute those buckets I think first.”
Capital One has since issued a statement on the data breach, which reads:
We have directly notified by mail all individuals whose Social Security numbers or linked bank account numbers were accessed. We will continue to make free credit monitoring and identity protection available to everyone affected.
The outside individual who took the data was captured by the FBI. While the government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual, we encourage anyone who may have any concerns about this incident to reach out to us at 1-844-388-8999.
2: DoorDash data breach exposes millions of customers
Breitbart News reported in September of 2019 that the popular food delivery company DoorDash was the victim of a data breach that puts the personal info of 4.9 million customers, delivery workers, and merchants at risk.
According to a blog post by the company, the breach happened on May 4; the firm noted that users that joined after April 5, 2018, were not affected by the breach. Mattie Magdovitz, a spokesperson for DoorDash, blamed the breach on “a third-party service provider,” but failed to name them.
Magdovitz added: “We immediately launched an investigation and outside security experts were engaged to assess what occurred.” According to DoorDash, users that joined the platform before April 5, 2018, had their name, email, delivery addresses, order history, phone numbers, and hashed and salted passwords stolen.
The company added that users had the last four digits of their payment cards stolen but the full numbers and card verification values were not accessed. Delivery workers and merchants had the last four digits of their bank account numbers stolen.
100,000 delivery workers also saw their driver’s license information stolen as a result of the data breach. This news comes exactly one year after DoorDash customers reported that their accounts had been hacked. The firm stated at the time that no data breach had taken place and claimed that hackers were running credential stuffing attacks in which they take a list of stolen username and passwords and try them on multiple sites that use the same passwords.
Many customers said at the time, however, that the passwords they used were unique to DoorDash which would rule out such an attack. At the time, DoorDash could not explain how the affected accounts were breached.
3: Twitter user emails, phone numbers leaked “globally”
In October of 2019, Breitbart News reported that social media site Twitter admitted to “inadvertently” using email addresses and phone numbers meant to be used for user account security for targeted advertising purposes. The firm stated that third-party marketers may have been able to reach specific Twitter users based on contact details even if the user had specifically requested for their information to not be used in this way.
The firm said in a statement that it: “cannot say with certainty how many people were impacted” but BBC News believes that it affects users globally. The company is not proactively contacting customers directly to inform them of the breach, which is unusual in this situation. Twitter claims that it addressed the issue “as of September 17th” but did not state when it discovered the issue.
The firm stated that it was “no longer using phone numbers or email addresses collected for safety or security purposes for advertising.” Twitter, which has its E.U. HQ based in Dublin, Ireland, did not confirm whether or not it had notified the Irish Data Protection Commissioner about the issue but said that it was communicating with regulators “where appropriate.”
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,” the company explained. “This was an error and we apologize.”
We recently found that some email addresses and phone numbers provided for account security may have been used unintentionally for advertising purposes. This is no longer happening and we wanted to give you more clarity around the situation: https://t.co/bBLQHwDHeQ
— Twitter Support (@TwitterSupport) October 8, 2019
4: Smart home data breach exposed 2 billion user records
In July, Breitbart News reported that a team of “hacktivist” security researchers exposed a huge data vulnerability as part of a web-mapping project. The researchers stated that they had discovered a major security flaw in a user database belonging to Chinese firm Orvibo, which offers an Internet of Things (IoT) and smart home management platform.
Orvibo is a Chinese firm based out of Shenzhen that offers a “reliable smart home cloud platform,” and specifically states that it “supports millions of IoT devices and guarantees the data safety.” vpnMentor researchers claim that the data breach performed on Orvibo was quite simple, the researchers discovered a misconfigured and unsecured Elasticsearch database with no password whatsoever to protect users data. A web-based app that was used to navigate the user data, called Kibana, was also left without a password.
The general manager of Vizion.ai, Geoff Tudor, told Forbes: “When first installed, Elasticsearch’s API is completely open without any password protection. … Then it takes a single command to search through the data stored in it.”
The report from vpnMentor claims that the data included in the database included:
- Email addresses
- Account reset codes
- Precise geolocation
- IP address
- Family name
- Family ID
- Smart device
- Device that accessed account
- Scheduling information
vpnMentor reportedly found logs for users based in China, Japan, Thailand, Mexico, France, Australia, Brazil, the United Kingdom and the U.S. in the database. The researchers said that the reset codes in the database were the most vulnerable pieces of data. “These would be sent to a user to reset either their password or their email address,” the report states, “with that information readily accessible, a hacker could lock a user out of their account without needing their password. Changing both a password and an email address could make the action irreversible.”
5: 419 million Facebook users’ phone numbers found unprotected
Breitbart News reported in September that a server holding Facebook users’ phone numbers was leaked online with 419 million records over several databases left exposed. The server contained 133 million records on U.S. Facebook users while 18 million records of UK users were discovered. The contact details of 50 million users in Vietnam were also exposed.
The server was not password protected whatsoever meaning anyone that found it could easily access the personal details stored there. The records contained users’ unique Facebook ID along with the phone number linked to that account, making it easy to link an individual’s Facebook account to their phone number.
A few years ago, Facebook users’ phone numbers were publicly available on their account pages, but these were made private over a year ago. TechCrunch verified several of the phone numbers against Facebook user profiles, and checked others using Facebook’s password reset feature which reveals the last four digits of an account’s linked phone number.
Some of the records on the server contained details such as users’ name, gender, and location by country. Sanyam Jain, a security researcher and member of the GDI Foundation, discovered the database and contacted TechCrunch after being unable to locate the owner of the server; TechCrunch was also not able to contact the database owner.
A Facebook spokesperson commented on the server stating: “This data set is old and appears to have information obtained before we made changes last year to remove people’s ability to find others using their phone numbers. The data set has been taken down and we have seen no evidence that Facebook accounts were compromised.”
These are just a few of the biggest data breaches that took place last year. Breitbart News will continue to report on the data breaches and various online security issues that are likely to arise in 2020.