The biggest data breaches of 2022
The term “data breach” has never been said as many times in Australia as it has in recent months. But it’s not just Optus and Medibank: there have been quite a few data breaches in 2022 that you may or may not know about.
Data breaches are a big deal, but they’re more common than you might think. As former FBI Director Robert Mueller famously said:
“I firmly believe that there are only two types of companies: those that have been hacked and those that will be. And even they are lumped into one category: companies that have been hacked and will be hacked again.”
Just like we did last year, we thought we’d make a small summary of the biggest data breaches in 2022.
Biggest data breach in 2022
Some of these are Australian companies, some are international organizations with an Australian customer base and some are local victims of a larger, more global breach. Just a note: the date listed on a few occasions is when the breach was made public.
Shout out to Have I Been Pwned for help filling in the blanks.
The cloud-based scheduling platform FlexBooker suffered a major data breach affecting around 3.7 million people. Caught up in this breach was Bunnings, the home of hot dogs in Australia. FlexBooker sells an online scheduling tool that helps you set up meetings, reservations and appointments. It is understood that Bunnings used this platform to assist with the Drive & Collect service.
Massive international cryptocurrency exchange Crypto.com finally confirmed that a hacker made off with $30 million worth of cryptocurrency stolen from 483 users’ digital wallets. The company initially called the situation “an incident” and said “no customer funds were lost.”
More than 71,000 employees’ credentials were stolen and some of them leaked online after a data breach that hit American chip maker Nvidia in February.
OpenSea, arguably the world’s largest NFT exchange, was caught up in a massive breach, with the source of the attack confirmed to be a phishing attack. It lost $1.7 million after an employee of Customer.io, the company’s email delivery provider, “abused employee access to download and share email addresses provided by OpenSea users … with an unauthorized external party”.
Medlab Pathology (owned by Australian Clinical Labs) experienced a cyber incident involving some personal information of its patients and staff. It was informed of the breach by the Australian Cyber Security Centre in June. That investigation began, but months later, on October 27, in fact.
A service dedicated to finding friends on Discord known as E-Pal disclosed a data breach in April. The compromised data included over 100,000 unique email addresses and usernames spanning approximately 1 million orders.
SuperVPN, GeckoVPN, ChatVPN
A breach involving a number of widely used VPN companies led to 21 million users having their information leaked onto the dark web. Full names, usernames, country names, billing details, email addresses and randomly generated password strings were among the information available.
Australian retailer Amart Furniture advised that its warranty claims database on Amazon Web Services had been the target of a cyber attack. It is believed that around 108,940 records containing email and physical addresses, names, phone numbers and passwords stored as bcrypt hashes were exposed and shared online by the attacker.
The personal details of 46,980 current and former Deakin University students were leaked into the wild in July. According to Deakin, the information was accessed via software the university uses. An employee’s username and password were “hacked” and used by an unauthorized person to access information held by a third-party vendor. The details breached included student name, student ID, student mobile number, Deakin email address and comments such as recent unit results.
Neopets, the company that sells virtual pets to tweenagers (and a strange amount of adults too), suffered a pretty devastating data breach earlier this year. In July, the company announced that it had been hacked and that data on its members – believed to be around 69 million people – had potentially been accessed. In September, the company shared new details about the incident, revealing that, among other things, cybercriminals were able to linger inside the company’s IT systems for about 18 months.
American Airlines experienced a not-quite-major data breach of customer and employee data in early July. The company announced the hack more than two months later in a letter to affected customers.
Technology conglomerate Cisco confirmed that the Yanluowang ransomware gang had breached the company’s network after the group published stolen data online.
Streaming service Plex sent out emails notifying many of its customers that a serious security breach may have led to account information falling into the wrong hands. Plex stated that “all account passwords that could have been accessed were hashed and secured in accordance with best practices.”
University of Western Australia
The University of Western Australia was the victim of a data breach in which personal information of current and former students was accessed. The uni told Gizmodo Australia that it had discovered unauthorized login activity to Callista, the Student Information Management System used by the university, and that the breach was limited to personal data belonging to students and alumni.
Twilio first announced that it had been attacked in August. The company provides communication tools and services to thousands of customers, including Facebook, Uber, Lyft, Airbnb, Twitter and DoorDash. According to Twilio, employees were targeted with a phishing link and message asking them to reset their login information. When some employees fell for the trick, attackers could use these employees’ credentials to gain access to internal systems and customer data.
About 1,900 users of Signal, the messaging app often considered the gold standard for privacy, may have had their phone numbers or text verification codes accessed by hackers. The breach was part of the aforementioned phishing attack on Twilio, which provides Signal’s SMS verification service.
LastPass, a popular password management service used by many to achieve cybersecurity nirvana, confirmed that some of its internal source code had been stolen in a “security incident” experienced back in August.
A vulnerability in Twitter’s platform allowed an attacker to build a database of email addresses and phone numbers of millions of users. It wasn’t until August, when Twitter published an announcement, that users were told. The affected data included either email address or phone number along with other public information including username, display name, biography, location and profile picture. The data included 6.7 million unique email addresses across both active and suspended accounts.
Rumors began to circulate that TikTok had been hacked after a Twitter user claimed to have stolen the social media site’s internal backend source code. However, it has been determined that a breach was “inconclusive” and TikTok has denied it.
The North Face
Outdoor clothing brand The North Face was targeted in a large-scale credential attack that resulted in the hacking of 194,905 accounts on the thenorthface.com website.
Uber, the ride-sharing app used by almost everyone you know, suffered a major data breach in September. Uber’s computer network had been breached, with several engineering and communications systems disconnected. Uber employees discovered their systems had been breached after the hacker broke into an employee’s Slack account and sent out messages confirming they had compromised their network.
Rockstar, the gaming company behind Grand Theft Auto, was the victim of a hack that saw unreleased footage of the Grand Theft Auto VI game leaked by the hacker. In addition, the hacker also claimed to have the game’s source code. Although no customer data was affected, this breach is a pretty big deal.
Needing no introduction is the Optus data breach which saw the personal data of thousands of people leaked into the wild. One of the biggest data breaches of 2022, at least in terms of interest.
Get Revenge On Your Ex
Revenge website Get Revenge On Your Ex suffered a data breach that exposed nearly 80,000 unique email addresses. The data spans both customers and victims, including names, IP and physical addresses, phone numbers, purchase history and plain text passwords.
In early October, Telstra admitted that a third party it uses for its employee rewards program had suffered a breach, with “limited” Telstra employee information from 2017 (around 30,000) affected by the incident.
Woolworths Group confirmed that 2.2 million customer records had been accessed after a compromised credential was used to trawl the MyDeal system. MyDeal, if you’re not familiar, is an online store that provides customers with “quality products from a select selection of trusted retailers”. It has been a listed company on the ASX since October 2020, but the Woolworths Group completed the acquisition of approximately 80 per cent of MyDeal on 23 September 2022.
The wine retailer Vinomofo was exposed to a cyber attack in October, with the names, dates of birth, addresses, e-mail addresses, phone numbers and gender of customers at risk as a result. The Guardian notes that Vinomofo has around 500,000 people on its books, but it is not clear whether all were exposed.
The private health insurer told shareholders on October 12 that it had fallen victim to a “cyber incident”. But the incident is far worse than first thought, and Medibank confirmed by the end of the month that every single one of its customers has been breached – the organization has 3.9 million customers, making this one of the biggest breaches of 2022.
Doomworld, one of the oldest unofficial news sites dedicated to the Doom game, suffered a data breach that exposed just under 34,000 member records. The data included email and IP addresses, usernames and bcrypt password hashes.
It emerged that a communications platform used by Australian defense – ForceNet – was yet another victim of a ransomware attack. It is believed that around 30,000 to 40,000 records are at risk.
Reports emerged last night from clients of Australian property group Harcourts that the company is the latest victim of a data breach. Breached data includes full legal name, email, addresses, phone number, copy of a signature, bank details and photo ID. Tenants, rental suppliers and craftsmen are the customers in the danger zone.
The gaming website dedicated to classic DOS games Abandonia suffered a data breach resulting in exposure of 920,000 unique user records. This breach was in addition to another 7 years earlier in 2015. The data contained email and IP addresses, usernames and salted MD5 hashes of passwords.
A ransom gang claims to have stolen 375 gigabytes of employee and customer data from a franchise of Australian property giant LJ Hooker, including passport scans, credit card details and loan data. According to a report from VICE Au, LJ Hooker was added to the victim list of the Russian-linked ransom gang ALPHV, also known as “BlackCat”, on November 30.
There you have it.
Here’s hoping we don’t have to update this list with more major data breaches before 2022 is over.
This article has been updated since it was first published.