Top 10 Breaches and Leaky Server Screw Ups of 2019


* [![Data Breach](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134902/Data-Breach.jpg)](<https://threatpost.com/category/privacy/> "Data Breach" ) **Top 10 Breaches and Leaky Server Screw Ups of 2019** From massive credential spills on the Dark Web and hacked data to card-skimming and rich profiles exposed by way of cloud misconfigurations, 2019 was a notable year for data breaches. Big names like Capital One, Macy’s and Sprint were impacted, as was the entire country of Ecuador and supply-chain companies like the American Medical Collection Agency. Here are our Top 10 data leak moments of the year. * [![Password draft](https://threatpost.com/wp-content/plugins/soliloquy/assets/css/images/holder.gif)](<https://threatpost.com/773m-credentials-dark-web/140972/> "Password draft" ) **Collections 1-4 Spill Millions of Credentials on the Dark Web** The year started out with a bang when a huge trove of data – containing 773 million unique email addresses and passwords – [was discovered](<https://threatpost.com/773m-credentials-dark-web/140972/>) on a popular underground hacking forum. The credential spill was dubbed “Collection #1” and totaled 87GB of data, with records culled from breaches that occurred as far back as 2010, including the well-known compromise of Yahoo. It was one of the largest jackpots ever seen when it comes to account-compromise efforts. [Collections 2-4 soon followed](<https://threatpost.com/fourth-credential-spill-dreammarket/142901/>), and ultimately more than 840 million account records from 38 companies appeared for sale on the Dark Web in February. * [![amca draft2](https://threatpost.com/wp-content/plugins/soliloquy/assets/css/images/holder.gif)](<https://threatpost.com/amca-healthcare-hack-widens-opko/145453/> "amca draft2" ) **AMCA Supply-Chain Breach Impacts 20.1 Million** A hack of the American Medical Collection Agency (AMCA), a third-party bill collection vendor, impacted 20.1 million patients [over the summer](<https://threatpost.com/amca-healthcare-hack-widens-opko/145453/>), exposing personally identifiable information such as names, addresses and dates of birth, and also payment data. Three clinical laboratories offering blood tests and the like that relied on AMCA to process a portion of their consumer billing were hit: 12 million patients from Quest Diagnostics, another 7.7 million patients from LabCorp and 400,000 victims from OPKO Health. * [![capital-one](https://threatpost.com/wp-content/plugins/soliloquy/assets/css/images/holder.gif)](<https://threatpost.com/aws-arrest-data-breach-capital-one/146758/> "capital-one" ) **Capital One: Another Year, Another Major FinServ Breach** In July, a massive breach of Capital One customer data hit more than 100 million people in the U.S. and 6 million in Canada. Thanks to a cloud misconfiguration, a hacker [was able to access](<https://threatpost.com/aws-arrest-data-breach-capital-one/146758/>) credit applications, Social Security numbers and bank account numbers in one of the biggest data breaches to ever hit a financial services company — putting it in the same league in terms of size as the Equifax incident of 2017. The FBI arrested a suspect in the case: A former engineer at Amazon Web Services (AWS), Paige Thompson, after she boasted about the data theft on GitHub. Researchers said that Capital One victims are going to be phished for years to come – long after their 12 months’ of credit monitoring is done. * [![Facebook draft](https://threatpost.com/wp-content/plugins/soliloquy/assets/css/images/holder.gif)](<https://threatpost.com/267m-facebook-phone-numbers-exposed-online/151327/> "Facebook draft" ) **Facebook ‘s Year of Breach Problems** Facebook had a bad year for breaches, including the December emergence of a [hacked database](<https://threatpost.com/267m-facebook-phone-numbers-exposed-online/151327/>) containing the names, phone numbers and Facebook user IDs of 267 million platform users. The data may have been stolen from [Facebook’s developer API](<https://threatpost.com/facebook-privacy-breach-developers-group-data/149930/>) before the company restricted API access to phone numbers and other data in 2018. And in September, an open server was [discovered leaking](<https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/>) hundreds of millions of Facebook user phone numbers. In April, [researchers found two separate datasets](<https://threatpost.com/facebook-and-amazon-are-locked-in-a-blame-game-over-leaked-data-whos-really-to-blame/143467/>), held by two app developers (Cultura Colectiva and At the Pool). The actual data source for the records (like account names and personal data) in these databases was Facebook. * [![Ecuador](https://threatpost.com/wp-content/plugins/soliloquy/assets/css/images/holder.gif)](<https://threatpost.com/marketing-analytics-leaks-deep-profiles-ecuador/148363/> "Ecuador" ) **Deep Profiles for the Entire Population of Ecuador Are Exposed** In September it came to light that the entire population of Ecuador (as well as Julian Assange) [had been impacted](<https://threatpost.com/marketing-analytics-leaks-deep-profiles-ecuador/148363/>) by an open database with rich, detailed life information collected from public-sector sources by a marketing analytics company. The trove of data offered any attacker the ability to cross-reference and combine the data into a highly personal, richly detailed view of a person’s life. The records, for 20 million individuals, were gleaned from Ecuadorian government registries, an automotive association called Aeade, and the Ecuadorian national bank. Ecuador has about 16.5 million citizens in total (some of the entries were for deceased persons). * [![data profile](https://threatpost.com/wp-content/plugins/soliloquy/assets/css/images/holder.gif)](<https://threatpost.com/data-enriched-profiles-1-2b-leak/150560/> "data profile" ) **1.2B Rich Profiles Exposed By Data Brokers** In a similar incident to the Ecuador debacle, an open Elasticsearch server emerged in December that exposed the rich profiles of more than 1.2 billion people. The database [consisted of scraped information](<https://threatpost.com/data-enriched-profiles-1-2b-leak/150560/>) from social media sources like Facebook and LinkedIn, combined with names, personal and work email addresses, phone numbers, Twitter and Github URLs and other data. Taken together, the profiles provide a 360-degree view of individuals, including their employment and education histories. All of the information was unprotected, with no login needed to access it. The data was linked to People Data Labs (PDL) and OxyData[.]io. * [![Imperva](https://threatpost.com/wp-content/plugins/soliloquy/assets/css/images/holder.gif)](<https://threatpost.com/imperva-data-breach-cloud-misconfiguration/149127/> "Imperva" ) **Security Specialist Imperva Smarts from Cloud Misconfiguration** In an ironic turn of events, cybersecurity company Imperva allowed hackers to steal and use an administrative Amazon Web Services (AWS) API key in one of Imperva’s production AWS accounts, thanks to a cloud misconfiguration. Hackers used Imperva’s Cloud Web Application Firewall (WAF) product to access a database snapshot containing emails, hashed and salted passwords, and some customers’ API keys and TLS keys. Because the database [was accessed as a snapshot](<https://threatpost.com/imperva-data-breach-cloud-misconfiguration/149127/>), the hackers made off with only old Incapsula records that go up to Sept. 15, 2017. However, the theft of API keys and SSL would allow an attacker to break companies’ encryption and access corporate applications directly. * [![Sprint draft](https://threatpost.com/wp-content/plugins/soliloquy/assets/css/images/holder.gif)](<https://threatpost.com/att-verizon-subscribers-exposed-mobile-bills/150867/> "Sprint draft" ) **Sprint Contractor Lays Open Phone Bills for 260K Subscribers** A cloud misconfig was also behind hundreds of thousands of mobile phone bills for AT&T, Verizon and T-Mobile subscribers [being exposed](<https://kasperskycontenthub.com/threatpost-global/wawa-data-breach-malware-stole-customer-payment-card-info/151337/>) to the open internet in December, thanks to the oversight of a contractor working with Sprint. More than 261,300 documents were stored – mainly cell phone bills from Sprint customers who switched from other carriers. Cell phone bills are a treasure trove of data, and include names, addresses and phone numbers along with spending histories and in many cases, call and text message records. * [![Magecart](https://threatpost.com/wp-content/plugins/soliloquy/assets/css/images/holder.gif)](<https://threatpost.com/magecart-infestations-saturate-web/148911/> "Magecart" ) **Magecart Siphons Off Millions of Payment Card Details** Magecart, the digital card-skimming collective encompassing several different affiliates all using the same modus operandi, is now so ubiquitous that its infrastructure is [flooding the internet](<https://threatpost.com/magecart-infestations-saturate-web/148911/>), researchers said earlier this year. Magecart attacks, which involve inserting virtual credit-card skimmers into e-commerce check-out pages, affected a range of companies throughout 2019; these included [bedding retailers](<https://threatpost.com/magecart-mypillow-emerisleep-attack/143022/>) MyPillow and Amerisleep, the subscription website for the [Forbes print magazine](<https://threatpost.com/magecart-card-skimmer-forbes/144811/>), at least [80 reputable brands](<https://threatpost.com/magecart-ecommerce-card-skimming-bonanza/147765/>) in the motorsports industry and luxury apparel segments, popular skin care brand First Aid Beauty, [Macy’s](<https://threatpost.com/magecart-attack-skin-care-site/149580/>) and streaming video and podcast content company [Rooster Teeth](<https://threatpost.com/rooster-teeth-attack-magecart/151216/>). * [![equifax](https://threatpost.com/wp-content/plugins/soliloquy/assets/css/images/holder.gif)](<https://threatpost.com/equifax-to-pay-700-million-in-2017-data-breach-settlement/146579/> "equifax" ) **Equifax Settlement Rankles Consumers** Equifax made notable news this year when it agreed to pay as much as $700 million to settle federal and state investigations on the heels of its infamous 2017 breach, which exposed the data of almost 150 million customers. That includes $300 million to cover free credit monitoring services for impacted consumers, $175 million to 48 states in the U.S, and $100 million in civil penalties. Some consumers are furious over what they view as an unfair settlement though, with 200,000 of them signing a petition against the deal. The petition argues that very little of that cash will trickle down to those who actually suffered because of the breach. ![Data Breach](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134902/Data-Breach.jpg)![Password draft](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134741/Password-draft.jpg)![amca draft2](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/23120121/amca-draft2.jpg)![capital-one](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134001/capital-one.jpg)![Facebook draft](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134728/Facebook-draft.png)![Ecuador](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134719/Ecuador.jpg)![data profile](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134005/data-profile.jpg)![Imperva](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134732/Imperva.jpg)![Sprint draft](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134745/Sprint-draft.jpg)![Magecart](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134736/Magecart.jpg)![equifax](https://media.threatpost.com/wp-content/uploads/sites/103/2019/12/22134723/equifax.jpg)