How hackers got in, what they stole, and how to prevent more incidents in 2019.
Data breaches have become commonplace — yet some industries are more vulnerable than others. Unfortunately, media is notorious for being a magnet for cyberthieves.
In the last decade, dozens of media companies, ranging from prestigious publications like the Washington Post to social media platforms like Facebook, have seen customers’ and the companies’ private data exposed.
Why? One reason is that billions of people have accounts with media companies. Facebook users alone hit 2.27 billion in Q3 2018. As more and more people consume their news online, the surface area for cybercriminals continues to expand. Another reason, according to Security Magazine, is that media companies often rely on outside vendors. Even if the media companies themselves are confident in their security processes, it’s hard to track how safe third parties are.
While some vendors like Auth0 take compliance seriously — acquiring security certifications such as ISO 27001 and 27018, as well as SOC 2 and HIPAA — this isn’t always the case with third parties.
Below is a roundup of 11 of the worst media breaches in the past decade. Hackers hit teams large and small, niche and high-profile, new and established. It’s clear that no company is immune.
We deliver tips for how all media teams can bolster their cybersecurity practices in 2019.
1. BuzzFeed Data Breach
In 2016 BuzzFeed was hacked by a group called OurMine. On several BuzzFeed articles, headlines read "HACKED BY OURMINE" with a link to the group's website. Several of the headlines also included profanities.
An article in Wired Magazine described how the group had a history of getting into systems using passwords that were previously leaked in large-scale data breaches. They used the compromised passwords to access BuzzFeed accounts with the same login data.
2. Dow Jones Data Breach
In October 2015, hackers uncovered the personal data of current and former Dow Jones subscribers between July 2012 and August 2015. Reports divulged that the hackers got credit card information from close to 3,500 individuals — along with names, addresses, email addresses, and phone numbers.
The hackers' goal was to send fraudulent solicitations, according to the Wall Street Journal. The company suspected the incident was part of a much larger, multi-company data breach.
3. Avid Life Media Incident
Also in 2015, the parent company to Ashley Madison, Avid Life Media, released a statement saying that hackers had gained access to computer networks and published nearly 10 gigabytes of sensitive personal information. These included customers' names, email addresses, and credit card details contained in individual accounts.
Hackers, part of a group called The Impact Team, released nearly 10 gigabytes of data stolen from Avid Life.
The company fought back, denying the severity of the attack:
Ultimately, the data breach led to Avid Life Media's CEO resigning. In 2017, Avid Life (now Ruby Corp) reached a settlement of $11.2 million with potential plaintiffs.
4. Facebook Scandal
Facebook's series of data breaches — including the Cambridge Analytics scandal, Russian interference in the U.S. elections, the realization that major apps continue to illegally share user data with the company, and recent exposure of 50 million accounts in September 2018 — are some of the most high-profile of the year.
To make matters worse, many believe the most recent breach of personal accounts actually began as far back as July 2017. For months, hackers were rooting around for private information, including names, sexes, hometowns, and photos. After obtaining the data, attackers used people's lists to steal access tokens for third-party apps like Spotify and Instagram.
While the hack didn't expose financial information, the breadth of personal data they were able to access still had enormous value.
5. Sony Data Breach
In 2014, hackers accessed and wiped personal data from Sony customer accounts. In addition, they alluded to attacking theaters set to release the film “The Interview,” with James Franco and Seth Rogen. (Sony was forced to release the film online instead.)
Hackers released information to the public like the salaries of tens of thousands of employees and Hollywood stars and sensitive email traffic between executives and movie moguls. Reports noted the incident amounted to 100 terabytes of data.
Sony employees immediately knew something was wrong when they arrived at work and found images of grinning red skulls on computer screens. Hackers identified themselves as #GOP — Guardians of Peace.
6. Washington Post Scam
In 2011, 1.27 million Washington Post user accounts were hacked. This was a major incident because it was one of the first attacks on a prestigious media institution. It shook public confidence in the security of the trusted company.
The company released an informational piece on online scams following the attack.
Because such an attack was relatively new at the time, the piece helped users understand the risksand what they could do to move forward.
7. DailyMotion Personal Data Theft
When DailyMotion was hacked in October 2016, it was one of the most visited sites online. A Russian hacker named Peace breached 85.2 million accounts and stole email addresses and usernames. The Hacker News reported that 18 million users had hashed passwords.
In 2018, DailyMotion was fined €50,000 for the incident.
8. Myspace Data Breach
At the time, the Myspace attack was suspected to be the largest data breach of all time. Although data was mostly from accounts that weren't currently active, because people reuse the same passwords, hackers had the potential to use the information to log into other active accounts of the users.
9. Quora Security Incident
The attack on Quora occurred just a few weeks ago — in December 2018. The company released a comprehensive statement detailing what occurred, what information was involved, and what Quora was doing to rectify the situation.
A portion of the statement is below:
The company continues to have up-to-date FAQ on security here.
10. Associated Press Attack
Taking a different approach, hackers in 2013 accessed the Associated Press's Twitter account and tweeted that there were explosions in the White House and that Obama was injured. In six minutes, before order was restored, the Dow Jones Industrial Average plummeted. The hack impacted the stock market by $136 billion.
A group called the Syrian Electronic Army claimed responsibility for the attack.
11. Twitter Data Breach
Finally, even Twitter hasn’t escaped unscathed. In May 2018, the company shared that they had identified a bug in their internal log of user passwords that prevented Twitter from completing the hashing process and fully securing them.
They asked users to re-set their passwords to prevent unwanted access — but the company's reputation suffered.
What These Data Breaches Have in Common
Many of these attacks have common threads:
- Cyberthieves use passwords that have been recycled — allowing them to access multiple accounts for a single individual.
- Hackers often get in through vulnerabilities in a company’s or third party’s system.
- Companies don’t always know how to respond to an incident in productive ways (although some are bold and clear with their communications).
Given similar issues among major data breaches, these are the areas to double down on to prevent future attacks.
What You Can Do to Protect Yourself
There is no one-size-fits-all solution to protect your company against a data breach. If you’re new to managing customer data you might start with comprehensive employee training or make it a point to store only the data you really need.
Outsourcing cybersecurity to an expert team is increasingly popular among companies that deal with vast amounts of customer information. While internal IT teams are usually quite capable, they simply have too much on their plates to stay on the cutting edge of security — which is where you need to be to keep up with cybercriminals.
Solutions like Auth0 that come with built-in security certifications can give you peace of mind knowing that you have a group working 24/7 on your security systems. It can free you up to build and roll out new products directly tied to your bottom line.
Among our many offerings, Auth0 has a special breached password detection feature that monitors large-scale data breaches and notifies your users when their credentials are leaked. You can opt to block access until the user has reset their password.
See here for our full suite of offerings to help you stay safe in 2019!