---
title: "11 of the Worst Data Breaches in Media"
description: "How hackers got in, what they stole, and how to prevent more incidents in 2019."
authors:
  - name: "Diego Poza"
    url: "https://auth0.com/blog/authors/diego-poza/"
date: "Feb 18, 2019"
category: "Identity & Security,Security,Breaches"
tags: ["security", "data-breaches", "breaches", "media", "hackers", "privacy", "data", "data-breach", "leak", "data-leak", "authentication"]
url: "https://auth0.com/blog/11-of-the-worst-data-breaches-in-media/"
---

# 11 of the Worst Data Breaches in Media



> [Data breaches](https://auth0.com/blog/what-is-a-data-breach/) have become commonplace — yet some industries are more vulnerable than others. Unfortunately, media is notorious for being a magnet for cyberthieves. 

In the last decade, dozens of media companies, ranging from prestigious publications like the *Washington Post* to social media platforms like [Facebook](https://mashable.com/2018/06/08/facebook-media-company-news-shows/#UMeaOo_oDsqI), have seen customers’ and the companies’ private data exposed.

Why? One reason is that billions of people have accounts with media companies. Facebook users alone hit [2.27 billion](https://www.statista.com/statistics/264810/number-of-monthly-active-facebook-users-worldwide/) in Q3 2018. As more and more people consume their news online, the surface area for cybercriminals continues to expand. Another reason, according to [Security Magazine](https://www.securitymagazine.com/articles/89404-media-and-entertainment-industry-unprepared-for-cyber-risks), is that media companies often rely on outside vendors. Even if the media companies themselves are confident in their security processes, it’s hard to track how safe third parties are. 

While some vendors like Auth0 take compliance seriously — acquiring [security certifications](https://auth0.com/security/) such as ISO 27001 and 27018, as well as SOC 2 and HIPAA  — this isn’t always the case with third parties.

Below is a roundup of 11 of the worst media breaches in the past decade. Hackers hit teams large and small, niche and high-profile, new and established. It’s clear that no company is immune.

We deliver tips for how all media teams can bolster their cybersecurity practices in 2019. 

## 1. BuzzFeed Data Breach

In 2016, BuzzFeed was hacked by a group called OurMine. On several BuzzFeed articles, headlines read "HACKED BY OURMINE" with a link to the group's website. Several of the headlines also included profanities.

An [article in *Wired Magazine*](https://www.wired.com/2016/10/hack-brief-hackers-breach-buzzfeed-retaliation-expose/) described how the group had a history of getting into systems using passwords that were previously leaked in large-scale data breaches. They used the compromised passwords to access BuzzFeed accounts with the same login data.

## 2. Dow Jones Data Breach

In October 2015, hackers uncovered the personal data of current and former Dow Jones subscribers between July 2012 and August 2015. [Reports](https://www.wsj.com/articles/dow-jones-discloses-customer-data-breach-1444406517) divulged that the hackers got credit card information from close to 3,500 individuals — along with names, addresses, email addresses, and phone numbers.

The hackers' goal was to send fraudulent solicitations, according to the [*Wall Street Journal*](https://www.wsj.com/articles/dow-jones-discloses-customer-data-breach-1444406517). The company suspected the incident was part of a much larger, multi-company data breach.

## 3. Avid Life Media Incident 

Also in 2015, the parent company to Ashley Madison, Avid Life Media, released a [statement](https://www.prnewswire.com/news-releases/ruby-corp-and-plaintiffs-reach-proposed-settlement-of-class-action-lawsuit-regarding-ashley-madison-data-breach-634551783.html) saying that hackers had gained access to computer networks and published nearly 10 gigabytes of sensitive personal information. These [included](https://www.wsj.com/articles/ceo-of-ashley-madison-parent-steps-down-1440773362?mod=article_inline) customers' names, email addresses, and credit card details contained in individual accounts.

The hackers were part of a group called The Impact Team.

The company fought back, denying the severity of the attack:

![Avid Life Media Incident](https://images.ctfassets.net/23aumh6u8s0i/3wCntqxyboNdz1k6lpLMyo/062ee3dc8df5e5a760fd672bde6a2feb/avid-life-media)
[Image Source](https://www.databreaches.net/statement-from-avid-life-media-august-19-2015/)

Ultimately, the data breach led to Avid Life Media's CEO resigning. In 2017, Avid Life (now Ruby Corp) [reached a settlement of $11.2 million](http://www.prnewswire.com/news-releases/ruby-corp-and-plaintiffs-reach-proposed-settlement-of-class-action-lawsuit-regarding-ashley-madison-data-breach-634551783.html) with potential plaintiffs.

## 4. Facebook Scandal

Facebook's series of data breaches — including the [Cambridge Analytica scandal](https://auth0.com/blog/what-data-did-facebook-really-give-cambridge-analytica/), Russian interference in the U.S. elections, the realization that major apps continue to [illegally share user data](https://siliconangle.com/2018/12/31/report-finds-major-apps-illegally-sharing-data-facebook/) with the company, and recent exposure of [_50 million accounts_](https://www.nytimes.com/2018/09/28/technology/facebook-hack-data-breach.html) in September 2018 — are some of the most high-profile of the year.

To make matters worse, many believe the most recent breach of personal accounts actually began as far back as July 2017. For months, hackers were rooting around for private information, including names, sexes, hometowns, and photos. After obtaining the data, attackers used people's lists to steal access tokens for third-party apps like Spotify and Instagram. 

While the hack didn't expose [_financial information_](https://auth0.com/blog/how-two-factor-authentication-can-help-financial-institutions-reduce-data-breaches/), the breadth of personal data they were able to access still had enormous value. 

## 5. Sony Data Breach 

In 2014, hackers [accessed and wiped personal data](https://www.forbes.com/sites/josephsteinberg/2014/12/11/massive-security-breach-at-sony-heres-what-you-need-to-know/#23bcec9144d8) from Sony customer accounts. In addition, they alluded to attacking theaters set to release the film “The Interview,” with James Franco and Seth Rogen. (Sony was forced to release the film online instead.) 

Hackers released information to the public like the salaries of tens of thousands of employees and Hollywood stars and [sensitive email traffic between executives and movie moguls](http://time.com/3629480/sony-pictures-hack-amy-pascal-emails/). Reports noted the incident amounted to [100 terabytes](http://time.com/3639275/the-interview-sony-hack-north-korea/) of data. 

Sony employees immediately knew something was wrong when they arrived at work and found images of grinning red skulls on computer screens. Hackers identified themselves as #GOP — Guardians of Peace. 

## 6. Washington Post Scam

In 2011, [1.27 million](https://www.pcmag.com/article2/0,2817,2388200,00.asp) *Washington Post* user accounts were hacked. This was a major incident because it was one of the first attacks on a prestigious media institution. It shook public confidence in the security of the trusted company. 

Hackers were able to get in via the *Washington Post*'s Jobs site. They stole usernames and email addresses — likely in order to conduct [phishing scams](https://auth0.com/blog/phishing-attacks-with-auth0-facts-first/), according to [*PC Mag*](https://www.pcmag.com/article2/0,2817,2388200,00.asp).

The company released an informational piece on online scams following the attack.

![Washington Post Scam](https://images.ctfassets.net/23aumh6u8s0i/7ikzMFxC9eaSZVyOhAzsIt/f294320bf73f546245712e4b8f80632c/washington-post)
[Source: Washington Post](http://www.washingtonpost.com/wp-srv/jobs/product-pages/fraud-email.html?noredirect=on)

Because such an attack was relatively new at the time, the piece helped users [understand the risks](http://blog.idonethis.com/security-ringcaptcha/) and what they could do to move forward.

## 7. DailyMotion Personal Data Theft

When DailyMotion was hacked in October 2016, it was one of the most visited sites online. A Russian hacker named Peace breached 85.2 million accounts and stole email addresses and usernames. *The Hacker News* reported that [18 million users](https://thehackernews.com/2016/12/dailymotion-video-hacked.html) had [hashed passwords](https://auth0.com/blog/hashing-passwords-one-way-road-to-security/).

In 2018, DailyMotion was fined [€50,000](https://www.broadbandtvnews.com/2018/08/03/dailymotion-fined-for-data-breach/) for the incident.

## 8. Myspace Data Breach

Hackers were suspected of taking usernames and passwords from [360 million stolen Myspace accounts](https://techcrunch.com/2016/05/31/recently-confirmed-myspace-hack-could-be-the-largest-yet/) and selling them to a forum online in 2016, according to [TechCrunch](https://techcrunch.com/2016/05/31/recently-confirmed-myspace-hack-could-be-the-largest-yet/).

At the time, the Myspace attack was suspected to be the largest data breach of all time. Although data was mostly from accounts that weren't currently active, because people [reuse the same passwords](https://auth0.com/blog/avoiding-password-reuse-attacks/), hackers had the potential to use the information to log into other active accounts of the users.

## 9. Quora Security Incident

The attack on Quora occurred just a few weeks ago — in December 2018. The company released a [comprehensive statement](https://blog.quora.com/Quora-Security-Update?awc=15748_1545351800_5f9ec96c657ae3bee293392a15c47366&uiv=6&txtv=8&source=awin&medium=ad&campaign=uad_mkt_en_acq_us_awin&set=awin) detailing what occurred, what information was involved, and what Quora was doing to rectify the situation. 

A portion of the statement is below: 

![Quora Security Incident](https://images.ctfassets.net/23aumh6u8s0i/5dP0e79zrDmeTkosePu77k/0aec22bc42bd30ac30c2a74e1024ed95/quora-security-update)
[Image Source: Quora Blog](https://blog.quora.com/Quora-Security-Update?awc=15748_1545351800_5f9ec96c657ae3bee293392a15c47366&uiv=6&txtv=8&source=awin&medium=ad&campaign=uad_mkt_en_acq_us_awin&set=awin)

The company continues to maintain an up-to-date security FAQ [here](https://help.quora.com/hc/en-us/articles/360020212652-Quora-Security-Update-FAQ).

## 10. Associated Press Attack

Taking a different approach, hackers in 2013 accessed the Associated Press's Twitter account and [tweeted](https://www.marketwatch.com/story/this-day-in-history-hacked-ap-tweet-about-white-house-explosions-triggers-panic-2018-04-23) that there were explosions in the White House and that Obama was injured. In six minutes, before order was restored, the Dow Jones Industrial Average plummeted. The hack impacted the stock market by [$136 billion](https://www.washingtonpost.com/news/worldviews/wp/2013/04/23/syrian-hackers-claim-ap-hack-that-tipped-stock-market-by-136-billion-is-it-terrorism/?utm_term=.6795bf505121). 

A group called the Syrian Electronic Army [claimed responsibility](https://www.marketwatch.com/story/this-day-in-history-hacked-ap-tweet-about-white-house-explosions-triggers-panic-2018-04-23) for the attack.

## 11. Twitter Data Breach

Finally, even Twitter hasn’t escaped unscathed. In May 2018, the company [shared](https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html) that they had identified a bug in their internal log of user passwords that prevented Twitter from completing the [hashing](https://auth0.com/blog/hashing-passwords-one-way-road-to-security/) process and fully securing them. 

![Twitter Data Breach](https://images.ctfassets.net/23aumh6u8s0i/27CklKf5h0eco99KcmDXEi/98504ef54775e3f97b08b80fd18bf00a/twitter)
[Image Source](https://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html)

They asked users to reset their passwords to prevent unwanted access — but the company's reputation suffered.

## What These Data Breaches Have in Common

Many of these attacks have common threads:

* Cyberthieves use [passwords that have been recycled](https://www.godaddy.com/garage/10-best-practices-for-creating-and-securing-stronger-passwords/) — allowing them to access multiple accounts for a single individual.
* Hackers often get in through [vulnerabilities](https://auth0.com/blog/four-cybersecurity-attacks-you-need-to-know/) in a company’s or third party’s system.
* Companies don’t always know how to respond to an incident in productive ways (although some are bold and clear with their communications).

Given similar issues among major data breaches, these are the areas to double down on to prevent future attacks.

## What You Can Do to Protect Yourself

There is no one-size-fits-all solution to protect your company against a data breach. If you’re new to [managing customer data](https://blog.getbase.com/8-ways-to-effectively-manage-your-customer-data) you might start with comprehensive employee training or make it a point to store only the data you really need.

_[Outsourcing cybersecurity to an expert team](https://auth0.com/forrester-total-economic-impact/)_ is increasingly popular among companies that deal with vast amounts of customer information. While internal IT teams are usually quite capable, they simply have too much on their plates to stay on the cutting edge of security — which is where you need to be to keep up with cybercriminals.

Solutions like Auth0 that come with [built-in security certifications](https://auth0.com/security/) can give you peace of mind knowing that you have a group working 24/7 on your security systems. It can free you up to build and roll out new products directly tied to your bottom line.

Among our many offerings, Auth0 has a special [breached password detection feature](https://auth0.com/breached-passwords) that monitors large-scale data breaches and notifies your users when their credentials are leaked. You can opt to block access until the user has reset their password.
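The recycled-password thread from the common-threads list and the block-until-reset policy described above can be sketched as follows. This is an added example, not Auth0's implementation: it uses a k-anonymity range lookup (only a five-character hash prefix leaves the client), and the sample corpus, function names and decision labels are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of passwords exposed in earlier breaches (illustrative only).
BREACHED_SAMPLE = ["123456", "password", "qwerty", "letmein", "iloveyou"]
PREFIX_LEN = 5          # hex characters of the SHA-1 digest shown to the lookup service
KDF_ROUNDS = 600_000    # PBKDF2-HMAC-SHA256 work factor for stored credentials


def sha1_hex(password):
    # SHA-1 serves only as a lookup key here, never as a storage hash.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(passwords):
    """Service side: group breached-password digests by their prefix."""
    index = {}
    for pw in passwords:
        digest = sha1_hex(pw)
        index.setdefault(digest[:PREFIX_LEN], set()).add(digest[PREFIX_LEN:])
    return index


def is_breached(password, index):
    """Client side: disclose only the prefix, compare the suffix locally."""
    digest = sha1_hex(password)
    return digest[PREFIX_LEN:] in index.get(digest[:PREFIX_LEN], set())


def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, KDF_ROUNDS)


def make_user(password):
    """Store a per-user salt and a slow salted hash, not the password itself."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": _kdf(password, salt)}


def login_decision(user, password, index):
    """Return 'deny', 'force_reset' or 'allow' for one login attempt."""
    if not hmac.compare_digest(_kdf(password, user["salt"]), user["hash"]):
        return "deny"  # wrong password: reveal nothing about breach status
    if is_breached(password, index):
        return "force_reset"  # correct but known-leaked: block until reset
    return "allow"


INDEX = build_range_index(BREACHED_SAMPLE)
```

The breach check runs only after the password verifies, so a failed attempt never reveals whether the guessed value appears in the corpus.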

See [here](https://auth0.com/) for our full suite of offerings to help you stay safe in 2019!
