A Timeline of Major Data Breaches in 2019
If there’s no rest for the wicked, there seems to be also no rest for malicious cyber attackers. 2019 has had its fair share of data breaches and many of them have affected the data of millions of people.
Let’s take a walk down memory lane, starting from January 2019, to see which major data breaches happened, which companies were involved, how many users were affected and what data was compromised.
January 2, 2019 – Blur
Affected users: 2.4 million
The password management company Blur announced a breach at the very beginning of the new year. An unsecured server exposed information from 2.4 million users, including names, email addresses, password hints, IP addresses, and encrypted Blur passwords. The good news was that the actual users’ passwords stored inside their Blur accounts were not exposed.
January 3, 2019 – BlankMediaGames
Affected users: 7.6 million
The online game Town of Salem, created by BlankMediaGames (BMG), was hacked and the information of 7.6 million gamers was stolen. The compromised data included email addresses, usernames, IP addresses, game and forum activity, passwords, and payment information.
January 16, 2019 – Fortnite
Affected users: exact number unknown (up to 200 million)
Fortnite is a popular online video game, which draws in around 80 million players each month. At the beginning of 2019, a security firm called Check Point discovered a vulnerability that could have allowed malicious hackers to take over the account of any player, view their personal information, make in-game purchases, and listen in to game conversations.
January 17, 2019 – Collection #1
Affected users: 773 million
Security researcher Troy Hunt discovered a massive database of leaked data in the dark web, specifically on a cloud storage site called MEGA. It was one of the biggest security breaches in 2019. This list was made up of many different individual data breaches from thousands of different sources. The collection was also shared in a popular hacking forum. The researcher also mentioned in his blog post that he found his own data and it was correct. If you are worried that your credentials have been compromised, look up your data on Have I Been Pwned?, a website that, coincidentally, was created by Troy Hunt himself.
January 23, 2019 – Online Casino Group
Affected users: 108 million
The four online betting sites kahunacasino.com, azur-casino.com, easybet.com, and viproomcasino.net, all owned by the same company in Limassol, Cyprus, stored a bunch of information on their users on an unsecured ElasticSearch instance. According to a report by ZDNet: “The user data […] included a lot of sensitive information, such as real names, home addresses, phone numbers, email addresses, birth dates, site usernames, account balances, IP addresses, browser and OS details, last login information, and a list of played games.”
February 14, 2019 – Coffee Meets Bagel
Affected users: 6 million
Names and emails of approximately 6 million users of the popular dating app Coffee Meets Bagel were exposed. It is unknown who was behind the hack or when it took place, but luckily no financial information or passwords were exposed.
February 15, 2019 – 500px
Affected users: 14.8 million
An unauthorized party gained access to the systems of 500px, a popular photo-sharing site, already in July 2018 exposing the personal information of 14.8 million users. The company became aware of this only in February 2019 and forced all users to reset their passwords as a precautionary measure. Information such as names, usernames, emails, locations, gender, and birth dates were leaked.
March 1, 2019 – Dow Jones
Affected users: 2.4 million
A Dow Jones watchlist containing records of individuals who are of interest to financial companies was leaked online on a publicly accessible database. The list included a list of senior PEPs (politically exposed persons) alongside their relatives and associates.
March 21, 2019 – Facebook
Affected users: 600 million
Facebook had been insecurely storing passwords from 600 million users since 2012, saving them in a plain text file, which could be accessed by thousands of Facebook employees. This It’s not the first time Facebook has been at the center of privacy abuses and breaches, and also not the only time in 2019 (see below).
March 29, 2019 – Verifications.io
Affected users: 982 million
This could probably be the biggest and most comprehensive database breach ever, with close to 1 billion email accounts leaked by the marketing company Verifications.io. Names, genders, employers and home addresses of these users were left unsecured on a database, which was available to find for anyone who knew where to look. The company has reportedly closed its website and its operations.
April 2, 2019 – Facebook
Affected users: 540 million
Facebook was again on the news in April 2019, when cybersecurity researchers found the data of 540 million Facebook users on an unsecured, publicly accessible database. Besides the user’s data, the data included also comments, likes, and reactions.
May 20, 2019 – Chtrbox
Affected users: 49 million
An unsecured database was discovered by security researcher Anurag Sen with contact information belonging to millions of Instagram influencers, celebrities, and brand accounts. The database, which was left public and openly accessible, was seemingly owned by Chtrbox, a Mumbai-based social media marketing firm.
May 25, 2019 – First American
Affected users: unknown, but 885 million files were leaked
The Fortune 500 giant First American Financial Corp exposed approximately 885 million financial documents, including bank account numbers, statements, and tax records. This was due to a bug inside their website (firstam.com). If you had received a document from First American via a link, just by changing a digit in this link, you could potentially view documents from other people. And no authentication was required to read those documents.
May 28, 2019 – Canva
Affected users: 139 million
The leading graphic design tool Canva suffered a data breach, in which data from its 139 million subscribers was exposed. The attack targeted usernames, email addresses, names, cities of residence, and passwords, which were stored as bcrypt hashes for users not using social logins. Credit card details were luckily not compromised.
June 3, 2019 – Quest Diagnostics
Affected users: 12 million
The clinical laboratory company Quest Diagnostics announced that “an unauthorized user had access to AMCA’s system containing personal information AMCA received from various entities, including from Quest”.
June 4, 2019 – Labcorp
Affected users: 7.7 million
Another medical testing giant, Labcorp, exposed data from 7.7 million consumers by a breach at the billing collections firm AMCA.
June 10, 2019 – Emuparadise
Affected users: 1.1 million
Although this security incident took place on April 1, 2018, it was only made public in June 2019. The retro gaming emulator Emuparadise exposed information from 1.1 million forum members.
June 24, 2019 – Mars Mission Data
Affected users: This breach did not affect directly any users from the general population.
This was a cyberattack on NASA’s Jet Propulsion Laboratory which began because of a rogue Raspberry Pi. Hackers went undetected for 10 months and managed to get access to the network via this Raspberry Pi. The attackers stole 23 files containing 500Mb of data. Out of these files, two included Internation Traffic in Arms Regulations information related to the Mars Science Laboratory Mission. This demonstrates how a single rogue device can provide the perfect gateway for an attack.
July 15, 2019 – Bulgaria’s National Revenue Agency
Affected users: 5 million
A massive cyberattack on the National Revenue Agency of Bulgaria was revealed in July 2019, whereby the hacker responsible for the breach sent an email to the media including information about the attack and the data he/she stole. This data included the names and national identification numbers of 5 million Bulgarian citizens, plus tax records, revenue, debts, and so on. Investigations are still underway to learn about who was responsible for this attack and what its ramifications are.
July 29, 2019 – Capital One
Affected users: 100 million
A software engineer in Seattle hacked into a server holding customer information for Capital One and obtained data of over 100 million people. This was one of the largest thefts of data from a bank. Thanks to a trail of breadcrumbs on social media, the police soon found the alleged perpetrator of this attack: Paige Thompson.
August 1, 2019 – Poshmark
Affected users: unclear, but up to 50 million
The fashion platform Poshmark announced with a blog post on their website that data from some Poshmark users was acquired by an unauthorized third party. Names, email addresses, usernames, and even clothing size preferences of users were leaked.
August 5, 2019 – CafePress
Affected users: 23 million
The custom t-shirt and merchandise company CafePress was hacked in February 2019, but the news came to the surface a couple of months later in August. The data was seemingly circulating in hacker forums for weeks and included names, usernames, email addresses, passwords, and physical addresses. It’s still unknown why CafePress themselves did not notify about this breach themselves. The work was left to Troy Hunt, the creator of the website Have I Been Pwned?.
August 25, 2019 – Hostinger
Affected users: 14 million
A hacker gained access to Hostinger’s systems including an API database, which contained customer usernames, email addresses, and passwords. Hostinger is a popular web hosting service, which has around 29 million users in total. Roughly half of them were affected and asked to change their passwords following this breach.
September 16, 2019 – Novaestrat
Affected users: 20 million
Ecuador was the second country to be hit by a breach in 2019, and it affected the population large-scale, including 6.7 million minors. The executive of Novaestrat was arrested after his company left the personal information of 20.8 million Ecuadorians on an unsecured Elasticsearch server. The information was compiled by several Ecuadorian government registries, automotive associations, and the Ecuadorian national bank.
November 22, 2019 – Unknown
Affected users: 1.2 billion
This was the biggest security breach in the year 2019. Security researchers Vinny Troia and Bob Diachenko discovered an Elasticsearch server containing around 4 billion user accounts, belonging to ca. 1.2 billion users. The data did not include sensitive information, but it contained profiles that included home and cell phone numbers, associated social media profiles, employers and email addresses. It is still unknown where the information came from. It seems to be four data sets cobbled together.
December 17, 2019 – LifeLabs
Affected users: 15 million
The medical testing company LifeLabs was victim to a hack in October 2019, which left 15 million records of patient data exposed. The breach was announced in December and in January 2020 a class-action lawsuit followed.
December 19, 2019 – Facebook
Affected users: 267 million
Facebook was yet again in the midst of a data breach at the end of 2019 when Bob Diachenko, a renowned security expert, discovered an Elasticsearch database containing data from 267 million Facebook users. It seems like hackers from Vietnam were responsible and the data was also posted to a hacker forum as a download. This leak was different from others because it included the Facebook IDs of those user’s profiles, which may have been scraped from publicly visible profile pages.
December 30, 2019 – Wyze
Affected users: 2.4. Million
The year 2019 ended with two data breaches aimed at the smart camera provider Wyze. The first data leak included email addresses, cameras in customers’ homes and tokens used to connect smartphones and smart home devices. Wyze did not disclose the contents of the second leak. The company’s response was to log out all customers to require them to create new tokens.