Every year you trust companies with your data. You trust them to guard it, keep it out of the hands of cyber criminals and take adequate measures to ensure that your personal information is not accessible to freelance criminals with a crypto wallet. And some of these companies fail, resulting in customer details being sold on the dark web, or even on the open web.
This year has been no different to previous years – only the names and details of the worst offenders have changed. These are the biggest data breaches of 2022, not only based on the amount of data leaked, but also the type of information stolen.
1. Neopets: July 2022
Neopets is a virtual pet platform with hundreds of millions of users, and with two different types of virtual currency. Like the Tamagotchis of yesteryear, Neopets users must log in regularly to feed and care for their virtual charges, lest they get sick and die. Neopets is moderately controversial in that it makes money via immersive advertising aimed at children, and that one of the currencies can be purchased for cash.
In July, a spokesperson for Neopets announced on Twitter that “customer data may have been stolen”. It later emerged that around 69 million Neopets accounts may have been compromised. Stolen data including usernames, emails and passwords, dates of birth, country, zip code and gender were offered for sale along with direct access to the database, where intruders could change stats, pets and in-game credits. A measly four Bitcoins (about $65,000 in today’s money).
The 2022 incident is just the latest in a series of serious Neopets security embarrassments dating back to 2014.
2. Kiwi Farms: September 2022
Far from being an agricultural enterprise for large, edible berries, Kiwi Farms is a community forum best known as a haven for vitriol and hate, where users are free to organize trolling, harassment and stalking. Originally formed to harass a particular artist, Kiwi Farms has 16,000 active logins per day, and has been linked to several suicides.
On September 19, Kiwi Farm’s founder, Joshua Moon, wrote:
The forum was hacked. You should assume the following.
Suppose your Kiwi Farms password has been stolen.
Suppose your email has been leaked.
Suppose any IP you have used on your Kiwi Farms account in the last month has been leaked.
The attack was possible through the misuse of session cookies, and may have caused some forum members to reconsider their relationship with the toxic site.
3. Los Angeles Unified School District: September/October 2022
The Russian-linked hacking group, Vice Society, was behind this September hack that saw half a terabyte of data from the Los Angeles Unified School District held for ransom.
Neither Vice Society nor the Los Angeles Unified School District disclosed the ransom amount, and when the October 4 payment deadline passed, Vice Society dumped the entire 500 GB holding on their dark web.
Information included passport details, social security numbers, tax forms, contracts, legal documents, financial reports, bank account details, health information, COVID-19 test data, previous conviction reports and student psychological assessments.
Crypto.com was breached by criminals in January, and while the number of affected users was relatively low at 439, the thieves managed to make off with a staggering $30 million—consisting of 4,836.26 Etherium, 443.93 Bitcoin, and $66,200 in other currencies.
This marked the start of a very bumpy year for crypto investors, with later months seeing the price of almost all coins plummet through the floor and the collapse of more than one crypto exchange.
The hack may have been the best thing that could have happened to investors: if they cashed out their crypto as soon as they were refunded by crypto.com, the affected coin holders would now be $16.3 million better off overall.
5. Uber: September 2022
Uber barely makes this list for the September 2022 attack, in which an 18-year-old hacker joined the company’s internal Slack and messaged all employees announcing they had suffered a data breach. Reports at the time indicated that the intruder was likely able to access and modify Uber’s cloud services, along with mail, cloud storage and code repositories.
But the biggest news for Uber in 2022 is that the ubiquitous travel company finally admitted that they were hacked way back in 2016, with 57 million users affected. Uber’s former head of security, Joe Sullivan, is to be put on trial for the breach.
(Dis)honorable mentions: SuperVPN, GeckoVPN and ChatVPN
SuperVPN, GeckoVPN and ChatVPN were actually breached in 2021, revealing a selection of full names, usernames, countries, billing details, email addresses, randomly generated password strings and more from around 21 million users. Since VPN users typically use VPN apps to hide their online presence, identity, and location, the data loss is of particular concern.
The data was put up for sale on the dark web way back in 2021, but was dumped for free in a number of Telegram groups in May 2022.
Protect yourself from data breaches in 2023
Of course, companies can’t accidentally leak your data or leave it vulnerable to malicious hacks if they don’t have it to begin with, and you should be careful to give away as little as possible.
Hackers are going to hack
Losing account information, money or personal data due to a company’s inadequate security procedures is one of the potential costs of doing business in the third decade of the 21st century. Try to use virtual credit cards and email aliases whenever you can.
It’s not just businesses that get hacked. Criminals also target individuals, and you should ensure that your personal devices are as secure as possible.