We saw a lot of unpleasant data breaches this year. So many, that I’d be surprised if you weren’t affected by at least one, if not more. And while I’m not looking forward to covering even more calamity in 2020, I think it’s important to take a look back at some of the year’s worst, biggest, and most annoying hacks that affected you and your data.
Yes, we’re talking about hacks—as in, people hacked your account, not creative ways to improve your life. If you didn’t hear about these big breaches, or are still using the services that got hit, you might want to rethink your approach. If not, at least reacquaint yourself with this year’s worst hacks so you can be better prepared to deal with similar crap in 2020.
This one was a complete and total mess. Not only did it affect a pretty significant chunk of people—approximately 100 million in the United States alone—but Capital One did an absolutely terrible job of notifying those affected. In its mea culpa press release, it stated that “no credit card account numbers or log-in credentials were compromised and over 99 per cent of Social Security numbers were not compromised,” only to go on to indicate that “about 140,000 Social Security numbers of our credit card customers” and “about 80,000 linked bank account numbers of our secured credit card customers” were actually compromised in the breach.
The takeaway? Always read the fine print when a company discloses a data breach, and don’t be afraid to search for secondary sources of information—a press release, for example—if a company’s initial notification to you, via its service, feels like it’s downplaying what’s actually happening.
Who hasn’t played Scrabble or Words With Friends, or spent countless hours building virtual farms on their smartphones? Odds are good that a lot of people have a Zynga account, which makes this gigantic breach even more concerning. A whopping 172.8 million accounts had their credentials stolen, including user names, passwords, phone numbers, and Zynga IDs.
The takeaway? It would sure be nice if Zynga offered two-factor (or even two-step) authentication for accounts. Otherwise, this is a great example of why you should always use unique passwords for a service. And you should always change yours the minute a service you use is identified in a new data breach, as the company might not even recommend that in their initial announcement.
I still argue that Amazon’s Ring cameras weren’t hacked per se; rather, attackers are using stolen account credentials from other data breaches to break into Ring owners’ accounts—and then view their camera feeds. However you want to describe it, people’s accounts are being broken into. That’s not good, especially if you’ve placed your camera in a sensitive place.
The takeaway? Use. Two. Factor. Authentication. If a company offers it, you need to use it. When a simple login and password are the only thing standing between you and someone viewing a live feed of your home, you need to take some time, go through the service’s settings menu, and make sure you’ve enabled everything and anything to protect your account. Ring takes some blame for not doing a better job informing people about the nuances of account security—like how the only way to boot people out who have access is to change your password; switching on two-factor authentication, oddly, isn’t enough. But if you’re reusing the same ol’ password across multiple services and not even bothering to enable 2FA, you’re setting yourself up for disaster.
Second verse, same as the first. Attackers have been using leaked logins to break into people’s Disney+ accounts, thanks to the huge popularity of Disney’s streaming service (as a result of all things Baby Yoda). Just like Zynga, Disney doesn’t offer any kind of two-factor or two-step authentication for your Disney+ account. Worse, breaking into the streaming service likely also grants access to a person’s activities Disney-wide—their trips, plans, shopping, and every other Disney-related thing they’ve ever done. That includes photos from their trips, if they’ve purchased such a service, and all of their ESPN activity (and subscribed content).
The takeaway? It baffles me that companies don’t provide stronger protections for their users’ accounts. Even a cursory email or text message asking a person to verify a recent login attempt would go a long, long way. As always, use unique passwords and, well, don’t hesitate to change yours as a first line of defence if something looks weird about your account / travel reservations / ESPN streaming.
Though not a website or service per se, I’d be remiss in not mentioning what’s known as the “Collection #1” breach. The numbers speak for themselves: 772 unique email addresses (with associated passwords) across 2.7 billion records in total. Odds are good your email address is mentioned somewhere within this database, if not a few times, but you can always see for yourself over at Have I Been Pwned?
The takeaway: You should be checking a monitoring service like Have I Been Pwned regularly, which can help let you know what email addresses are found in data breaches. You can also type a password into the site—just that, not any other data associated with it—to find out if it’s been exposed in a data breach. Between these tools, and any similar tools built into (or offered by) your browser or browser’s creator, you have plenty of options to stay informed about the latest (and worst) data breaches. (And make sure to change your passwords once you get that heads-up.)
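For readers who want to see why typing a password into Have I Been Pwned does not hand the site your password, here is an added example (not code from the article or from HIBP) of the k-anonymity range check its password checker uses: only the first five characters of the password’s SHA-1 hash are sent, and the rest is matched locally. The range response body below is a constructed sample, not a real download; the live `fetch_range` helper uses the real `api.pwnedpasswords.com/range/` endpoint but is never needed to run the offline part.

```python
"""Offline demonstration of a Pwned Passwords style k-anonymity check.

Added example: the hash-splitting logic mirrors the model Have I Been Pwned
uses; SAMPLE_RANGE_5BAA6 is a constructed response body, not real data.
"""
import hashlib
from typing import Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, for context


def hash_parts(password: str) -> Tuple[str, str]:
    """Return (prefix, suffix) of the upper-case SHA-1 hex digest.

    Only the 5-character prefix ever leaves the machine; the remaining 35
    characters are compared locally against the returned range.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range body ('SUFFIX:COUNT' per line) and return the breach
    count for our suffix, or 0 if it is absent (padding rows have count 0)."""
    for line in range_body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # tolerate blank lines and junk
        candidate, count = line.split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def exposure_count(password: str, range_body: str) -> int:
    """Number of times the password appears in breaches covered by range_body."""
    _prefix, suffix = hash_parts(password)
    return count_in_range(suffix, range_body)


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network); separated so everything else runs offline."""
    from urllib.request import urlopen
    with urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample for prefix 5BAA6 (SHA-1 of "password" begins 5BAA6).
# The neighbouring suffixes and all counts are made up for illustration.
SAMPLE_RANGE_5BAA6 = "\n".join([
    "1D2D1F8D6C5E1A3B9E0F7C8A5B4D3E2F1A0:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",  # suffix of "password"
    "2A7B0C3D4E5F60718293A4B5C6D7E8F9A0B:0",        # padding-style row
])

if __name__ == "__main__":
    n = exposure_count("password", SAMPLE_RANGE_5BAA6)
    print(f"'password' seen {n} times in the sample range" if n else "not found")
```

Swap `SAMPLE_RANGE_5BAA6` for `fetch_range(prefix)` to check a real password against the live service; the server still only ever learns the five-character prefix.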