Update: This article has been updated to include the latest Yahoo breach of 1 billion user accounts, the largest data breach in history.
For the year that brought you the deaths of David Bowie, Alan Rickman, and Lemmy Kilmister, plus the catastrophic political bonus balls of Brexit and the election of Donald Trump, these technology disasters might seem like they pale in comparison. Nonetheless, there's a strong mixture of misery to sift through this year.
Barely a day goes by without some high-level data breach putting customers at risk and 2016 was no exception. Here are just some of the worst.
Yahoo has discovered that one billion of its accounts had been compromised, in what is being described as the largest data breach in history.
In a statement, CISO Bob Lord said law enforcement provided Yahoo with reams of data that a third party had claimed belonged to Yahoo. Yahoo and “outside forensic experts” took a look at the data and believed that claim to be true. Yahoo was unable to identify exactly when it was compromised, but it does appear to be a separate incident to the September disclosure.
The stolen details “may have included” names, email addresses, telephone numbers, dates of birth, hashed passwords, plus encrypted and unencrypted security questions and answers – although there were no passwords in clear text, payment card data, or bank account information. Nevertheless, the rest of the details are a sound basis for identity theft.
Yahoo believes that the breach occurred due to the creation of forged cookies, which could have allowed access to accounts without a password.
“We believe an unauthorised third party accessed our proprietary code to learn how to forge cookies,” Lord said. “The outside forensic experts have identified user accounts for which they believe forged cookies were taken or used. We are notifying the affected account holders, and have invalidated the forged cookies.”
Lord went on to say that Yahoo is “taking steps” to secure compromised accounts, including requiring users to change their passwords. Yahoo has also invalidated unencrypted security questions and answers, invalidated the forged cookies, and “hardened our systems to secure them against similar attacks”.
But it might be a case of too little too late.
"When a breach is disclosed after three years, it has almost zero value,” said Javvad Malik, security advocate at AlienVault. “The damage has been long done and people could have ended up victims without realising the source. The lack of breach detection is extremely worrying, and should serve as a reminder to all organisations of all sizes that if you hold user data, you have a responsibility to secure it.”
And Oliver Pinson-Roxburgh, EMEA director at cloud security company Alert Logic, noted that the investigators seem to still be in the process of uncovering information. “This supports the fact that on average, an attacker will be in 205 days or more before detection,” Pinson-Roxburgh said. “It also supports the fact that in many cases, organisations are unable to self-detect.”
In September this year, Yahoo disclosed that a "copy of certain user account information" had been compromised in 2014 – to the tune of 500 million user accounts.
New-ish Yahoo CISO Bob Lord said at the time in a statement that the business believed the compromise was linked to a "state-sponsored actor" and could have included everything from names to email addresses, telephone numbers, dates of birth, hashed passwords, and encrypted or unencrypted security questions and answers.
The announcement came less than a year after a blustering interview in which Lord described the creation of a new team called the Paranoids, who would work tirelessly to protect Yahoo's billion users.
Senators were quick to criticise Yahoo for its apparent reluctance to disclose the hack.
"Millions of Americans' data may have been compromised for two years," they said. "This is unacceptable." Yahoo responded at the time by claiming to have only discovered the extent of the attack in an unrelated security audit following a separate incident.
Most recently, Yahoo admitted in a securities filing that some employees were aware of the attack in 2014; however, the timeline remains unclear – and the company did not say if this was communicated to senior management.
According to the New York Times, 23 lawsuits have been filed against Yahoo, both in the US and elsewhere.
Database and cloud supremo Oracle disclosed that its Micros payment subsidiary had been compromised by a Russian criminal group, and commentators suggested that the attack was likely linked to a series of cash-grabs and online fraud.
Independent infosec journalist Brian Krebs unearthed the evidence, and noted that when Oracle acquired Micros in 2014, the latter was in use at more than 200,000 food and drink outlets, 30,000 hotels, and at least 100,000 retail stores – providing wide scope for financial gain.
Krebs' source believed that the breach probably began with one infected system in Oracle's network – which was then used to gain access to others. The attackers were also believed to have installed malware on the Micros support forum which was then used to steal Micros customer usernames and passwords.
The company that operates the largest network of 'casual dating' adult websites in the world – previously Penthouse and including AdultFriendfinder.com and Penthouse.com – was subject to an enormous compromise of 412 million accounts in November this year.
Perhaps worse still, the business seemed to have been storing the details of deleted users – their original email with the suffix @deleted1.com. According to LeakedSource, which discovered the data, the passwords had been stored either in a plain visible format or SHA1 hashed, but as the website notes, neither is considered secure.
Not only is the leak at a tremendous scale, the highly confidential nature of the websites opened customers up to the potential of blackmail. Of course, some of the users did not help themselves, with the top six most common passwords used being some variation of 123456789 in numerical order. The next most popular password was 'password'.
The chief executive of Tesco Bank was forced to admit it had been subject to a "systematic, sophisticated attack" that saw some of the 20,000 compromised users lose money from their accounts. According to CEO Benny Higgins, 40,000 accounts registered suspicious transactions, and half of these had money removed.
The attack saw Tesco Bank suspend all online banking until the problems were resolved. It promised to refund users who had money stolen from their accounts – however, many claimed that they were left out of pocket at the time.
Worse still, rival banks accused Tesco of issuing sequential debit card numbers. Critics say that this means it's easier to conduct fraud undetected because all of the card numbers would have been genuine. Tesco has avoided commenting on exactly how the attacks took place because it is an "ongoing investigation", but did claim that no customer data was lost, and that the system itself was not breached.
The banking wing of the supermarket giant is in the process of paying back £2.5 million to customers who had their accounts compromised.
Way back in 2012, LinkedIn disclosed a major breach of 6.5 million user passwords, which it alleged was the work of Russian cyber criminals. But four years later it emerged that the hack was much more severe than initially thought – with 167 million user details up for grabs in exchange for Bitcoin on the dark web. A hacker who called himself Peace told Motherboard at the time that the data was available on darknet market The Real Deal for roughly $2,200 – and paid hacked data website LeakedSource also said it had the data.
LinkedIn began to invalidate passwords for all accounts that were created before the 2012 breach and hadn't been updated since, and alerted users to reset their passwords. In a statement, LinkedIn's CISO Cory Scott told users to create strong passwords and enable two-step verification to keep their accounts safe.
But LinkedIn came under fire for failing to 'salt' the passwords, which were originally hashed with SHA1. Salting a password means mixing a random value into each password before it is hashed, so that identical passwords no longer produce identical hashes and the hashes become more difficult to crack.
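The contrast described above (unsalted SHA1, as attributed to LinkedIn and AdultFriendFinder, versus per-user salting), as an added illustration that is not part of the original article; the user records and the "precomputed" password table are constructed sample data, and PBKDF2 is used here as one salted, slow hash:

```python
import hashlib
import secrets

# Constructed sample records: two users chose the same weak password.
USERS = {
    "alice": "123456789",
    "bob": "123456789",
    "carol": "password",
    "dave": "correct horse battery staple",
}

# Constructed table of common passwords, of the kind a cracker precomputes.
COMMON = ["123456789", "password", "qwerty", "12345678"]


def sha1_unsalted(password: str) -> str:
    """Unsalted SHA1 of the bare password: same password, same hash, every site."""
    return hashlib.sha1(password.encode()).hexdigest()


def lookup_unsalted(stored: dict) -> dict:
    """Match stored hashes against the precomputed table; no per-hash work needed."""
    table = {sha1_unsalted(p): p for p in COMMON}
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_salted(password: str, salt: bytes = b"") -> tuple:
    """Random 16-byte salt per user, mixed into the hash input, plus a slow KDF."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return secrets.compare_digest(hash_salted(password, salt)[1], stored_hex)


def demo() -> dict:
    unsalted = {u: sha1_unsalted(p) for u, p in USERS.items()}
    salted = {u: hash_salted(p) for u, p in USERS.items()}
    salted_table = {sha1_unsalted(p) for p in COMMON}  # useless against salted digests
    return {
        "unsalted_alice_eq_bob": unsalted["alice"] == unsalted["bob"],
        "unsalted_recovered": lookup_unsalted(unsalted),
        "salted_alice_eq_bob": salted["alice"][1] == salted["bob"][1],
        "salted_table_hits": sum(d in salted_table for _, d in salted.values()),
        "salted_verify_ok": verify_salted("password", *salted["carol"]),
    }
```

Running `demo()` shows three of the four unsalted hashes recovered by a single table lookup, while the salted digests for the two identical passwords differ and the table matches none of them.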
LinkedIn said that although the breach was much larger than first thought, the compromised usernames and passwords were not as a result of a new security breach.
A suspect, Russian citizen Yevgeny Nikulin, 29, was arrested in Prague and now faces extradition to the United States.