The Largest Data Breaches in US History: Part II

biggest data breaches. That's an interesting adjective biggest, because the scope of the attack isn't always a case where the data breach affected more people than, say, the previous one on the list. There are cases in which fewer people were affected, but the types of information made the breach more severe. For example, in our last episode, I talked about al hackers stole information from millions of FriendFinder Networks customers.

So friend Fighter Networks op rates lots of different businesses, including some that fall into the adult entertainment and adult lifestyle categories. So for some customers, the revelation that they were patronizing such a business could be embarrassing or damaging due to the taboo nature of the services, and so they're less likely to put up a big fuss about a data breach, because if they did, it would be

admitting that they were using the service. And if you're a hacker, that kind of target is really tempting because your victims are incentivized to not come forward. Now, we left off in the last episode talking about the Cambridge Analytica scandal with Facebook. That scandal was a doozy and was hitting right around the time when Facebook, now known as Meta, was in the US government's crosshairs for multiple reasons.

In fact, I'd argue that those events are in part what led to Facebook changing its name to Meta in the first place. It was an attempt to kind of distance itself from a brand that was being associated with lacks security and other shady maybe not shady shade is the wrong word, but ethically questionable actions. But as I mentioned in the last episode, the Cambridge Analytica scandal was just a little side quest in the real Number five on our top ten list of largest data breaches in

US history. Chen's main target for number five was just Facebook in general, because the site has been a massive target for hackers looking to harvest a mountain of data, and that makes sense. Most estimates put the number of Facebook users in the neighborhood of three billion people billion with a B. So, if you're a hacker and if your goal is to steal as much personal information as you can, you're likely balancing a few different things when

you're figuring out who you're going to attack. How valuable is the information you're going to get hold of. How much of that information do you think you can potentially get away with? How secure is the system? You know you might be able to infiltrate a relatively small target without much trouble. On the flip side, you're not likely going to end up with a ton of useful stuff

in the process. But Facebook, well, Facebook has just about everyone's data on it, and heck, if you wanted to see if you could compromise specific accounts and use those to boost a misinformation campaign, that's a possibility too. It may be that you're not looking to sell information. You may want to sell a narrative, and in doing so, what you're doing is borrowing accounts that aren't yours to

elevate a message. The main data breach that Chen mentions with Facebook actually happened with Facebook in twenty twenty one.

You know, that's years after the Cambridge Analyticus scandal, and that's when someone posted to a black market site on the dark Web that they had data records including personal information of more than half a billion Facebook users, so more than five hundred million, like five hundred and thirty million user accounts essentially, so this information would include things like user names, the actual names, the data, birth location data, and more, all from people who were on the platform

between twenty eighteen to twenty nineteen. How much data was available per person depended upon the individual and the settings that they used on Facebook, because this was another case of hackers using data scraping tools to pull publicly available information off a platform. So no different than if you were to visit each person's account and then just note

down all the information that was visible to you. And you might remember from our last episode that a hacker with a handle Tomliner was offering similar information that someone presumably Tomliner themselves whoever they are, had scraped off of LinkedIn. So this Facebook instance is a similar case, except it appears that the hacker exploited a vulnerability in the Facebook

platform to harvest information from profiles. Until Facebook fixed the vulnerability in late twenty nineteen, and this is based off Facebook's own statements about the data reach. The company claimed initially that the April twenty twenty one data was the same as a similar breach that happened in January, also

of twenty twenty one. Now Motherboard reported in January twenty twenty one that quote a user of a low level cyber criminal forum is selling access to a database of phone numbers belonging to Facebook users and conveniently letting customers look up those numbers by using an automated Telegram bot end quote. So this person had created a database in which you could search for specific names and see if

you've got a hit with a relevant phone number. But the April revelation showed more than just phone numbers, which you know already. Just the phone numbers is bad enough, But the hack that happened later in twenty twenty one included lots more stuff like that geolocation data if it was in fact part of the account. Now companies like Meta Slash Facebook typically have policies prohibiting the mass scraping

of data. As I said in the last episode, data is effectively the currency of the Internet, and when you really get down to it. User data is the commodity that Meta relies upon for its revenue. Meta's whole business model is primarily centered on advertising, and user data allows Meta to work with ad companies to target specific customer bases. So you'd better believe Meta would prefer to maintain dominion over that information rather than having someone else get a

hold of it. Plus, by not keeping user information under tight control, Meta opens itself up to lawsuits and regulatory finds that sort of thing, and that certainly happened in twenty twenty one. So, for example, the Data Protection Commission or DPC, which is a regulatory agency in Ireland and thus part of the European Union, found Facebook at fault for failing to comply with the quote GDPR obligation for

data protection by design and default in the quote. So as a quick reminder for those of y'all who live outside the EU like me, GDPR stands for General Data Protection Regulation and it's part of a much larger piece of legislation regarding fundamental rights. So here in the United States we have relatively little protection with regard to our private information. That may be changing, but it's long overdue.

The same is not true in the EU, where citizens are supposed to have authority over their own personal information. In the wake of hackers releasing personal information about more than five hundred million Facebook users, the DPC conducted an investigation into Facebook. The DPC determined that Facebook failed to embed proper data privacy and protection measures in place, and that gave the hackers the opportunity to scrape all that data. So just having a policy saying hey, don't do that,

that wasn't enough. They had to have things that actually would prohibit the practice, and that was where the failure was. The DPC then ruled that Facebook would owe a fine of two hundred and sixty five million euros, which at the time equalled to around two hundred and seventy five million dollars, And that was actually the third fine DPC

levey to get Meta just that year. The first fine was for eighteen point six million dollars that related to Meta keeping really poor records that contributed to a data leak that exposed the information of around thirty million Facebook users, so a much smaller leak in that case. The second of the fines was actually the largest because this two hundred and sixty five million euros. That wasn't the most.

The most was four hundred two million, and that had to do with how Facebook, well really Meta was handling data that belonged to teenage users of the app Instagram. So yeah, it was a very expensive year for Meta in terms of fines paid to the EU. I mean keep in mind that Facebook had also had to face a five billion dollar fine in the United States earlier

due to other issues. So yeah, Facebook was no stranger to having to pay out hundreds of millions and even billions of dollars in fines for how the company handles information. In Chen's blog post, he also points out a few other incidents involving Meta and data security or lack of data security. So, for example, in twenty nineteen, Upguard researchers found a database of five hundred and forty million Facebook user data records on quote public Amazon S three cloud

servers end quote. Now, arguably you could say this really wasn't Facebook's fault, This was the fault of a third party company that was working with Facebook. That third party company was Cultura Collectiva, which was a media and app

developer company. So you could say that, you know, Cultura Collectiva was a customer for Facebook, and they had this massive database of Facebook user data, presumably so that they could develop the apps or whatever that they were working on, and they were storing this database on an Amazon S three cloud server, but they failed to actually secure that information on the cloud. They didn't put protections in place to prevent unauthorized people from being able to access, which

is a big old whoopsie. But I think it's fair to say that it was not Meta's direct fault for this one. It sounded to me like this was the third party that arranged to have the database on that server. But I don't know if Facebook had done that, Like if Meta had made it available on that server and then gave access to Cultura Collectiva but failed to secure that access appropriately, then yes, it would have been Meta's fault. I honestly don't know the details where I can make

a determination in that regard. Anyway, That's really just the tip of the iceberg when it comes to data breaches

with Meta slash Facebook. And given the reach of platforms like Facebook and Watsapp and Instagram, you know, all these different meta properties, it really should come as no surprise that any data breach that targets Meta is going to end up being one of the largest in US history simply because they have such a huge user base, right like, just by definition, if it's an effective attack, it's going

to be one of the largest ever. So again, it's one of those things that you know, it makes Meta such an attractive target for attackers, the fact that it's this huge. Okay, we've got lots more to go through, and rather than start the next entry and then just have to take a break in the middle, let's take a break. Now, we'll be back with numbers four and three. I think, okay, we're back. So number four on our list of largest data breaches in US history is another

financial institution. So in the last episode, I mentioned how a twenty fourteen hack on JP Morgan Chase demonstrated that it wasn't just web based companies that were at risk. In May twenty nineteen, that lesson was reinforced when poor data security practices meant the first American financial corporation inadvertently made it possible for anyone with a particular weblink and able to access some really sensitive financial information. There was

no hacking required. Literally, all you needed was the URL and boom you could view a whole bunch of files, and by whole bunch, I mean nine hundred million files almost, so you know, more than eight hundred billion. I think it was like eight hundred and eighty million something along

those lines. So what the heck happened? Well, whomever first American financial corporation hired to do web design made a major boo boo, And I'd like to think it was an honest but dumb mistake and not you know, some sort of malicious or premeditated attempt to gain access to sensitive information. So essentially, the web developer failed to include any sort of authorization or verification process to access this

list of files. So maybe the thought was just that, you know, the URL for the web directory wouldn't be published anywhere, so the only people who would even have access to it were the ones who knew what the UURL was. And if that was the thought, like if it was like, oh, we don't need to institute anything else because this is a private web address, who's going to see it? That would be a practice that's called security through obscurity, which by the way, is not very

secure at all. And as the name implies, the hope is that by flying below the radar of attackers, no one takes notice of you, so you remain safe, not because you're practicing really good security, but because no one has spotted you, and so no one has decided to target you. Sometimes this isn't something that you're actively practicing, it's just kind of in effect. I have argued in the past that Apple enjoyed security through obscurity. For many years,

you didn't see much malware targeting Apple systems. Apple fans would argue this was because Apple was just better at security than companies like Microsoft or IBM. In fact, some of Apple's own ads seemed to me at least to imply that one advantage Apple computers had over Windows based PCs is that they were more secure. Now, I would counter that I don't think Apple was necessarily so much

better at security. I mean, granted, they were using proprietary systems, including proprietary software and hardware, which does make it harder to develop malware for those platforms. It doesn't make it impossible, but it makes it harder. But I think that the vast majority of people, I don't think this this is true. The vast majority of people were not using Apple computers.

They were on Windows based machines. So, yeah, there were people using Apple computers, but if you looked at the percentages, I mean, Apple was just dwarfed by Windows machines. So if you are a hacker and you're going to dedicate the time and effort into developing malware, and you have a specific goal in mind, whatever that goal might be, you're more likely going to aim at the largest target

in order to have the biggest impact. Like, that's going to make more of a difference than affecting a relatively small population of Apple users. Go for the bigger population of Windows users. That's security through obscurity, right, Like, yes, the security might have been better to some degree, but that's not why Apple was so safe for the longest time. It was also safe or what was not the only reason?

I guess I should say it was also safe because the company's market share was small enough that a lot of hackers just didn't see the return on investment to develop malware for Apple when most people were using Windows machines anyway, Whether the thought was that no one who was unauthorized would even find their way to this URL, or it was just an oversight and the web developer failed to take steps that they should have taken the vulnerability was in place, and this type of vulnerability is

called an insecure direct object reference. So this is just a category for vulnerabilities, and essentially it just means that if a user has the ability to submit a specific input into a system and they can gain access to that system without having to pass through any control measures, that is an insecure direct object reference. So in this case, the input was just a web address, so the only tool that you needed was a browser. You did not

have to be a hacker. You needed a web browser and you needed to put a URL into the address bar and boom, you would be taken to one of

these documents. Now, adding to this problem was the fact that First American Financial Corporation was using a sequential numbering system for their documents, which meant if you had discovered a URL that brought you to one of these documents, you could then adjust the numeral that was at the end of the file name, and if you went down one, then you'd see the previous record, and if you went up one, you'd see the next record. So what kind

of records are we talking about. Well, it included stuff like bank statements, receipts, actual bank account numbers, drivers licenses, and other stuff. Now, on the bright side, while security researcher Brian Krebs reported on the discovery of the issue, it appeared that no unauthorized third parties with malicious intent had actually accessed this information. You could argue, really just a matter of luck. Also, there was no way to

really know. But it just didn't seem like this stuff was showing up anywhere where you would say, oh, the bad guys got hold of this, right. It wasn't like it was popping up on the dark web. Perhaps because it seemed that no criminals had found out about this problem before First American could actually, you know, address it, the SEC went fairly light on the financial institution, at least in my opinion. First American was ordered to pay

a five hundred thousand dollars fine. Now, five hundred thousand dollars is a lot of money. If you hit me with a five hundred thousand dollars fine, I would be up the creek. I would be so deep in trouble. But when you think of like a financial institution and the fact that this this data leak scope was nearly a billion records of incredibly sensitive financial information. I think it's still a fairly light fine to have to pay.

The State of New York would actually secure a million dollar payout from First American in a lawsuit settlement, so that was twice as much. Now it may be, and I haven't looked at this. It maybe that the SEC just had limitations on how much it could find an institution, in which case, you know, no fault on them. It's not like it's not like they could do more. If you throw the book at someone, you don't typically assume

the person has a second book to throw. More recently, First American was in the news again in late twenty twenty three when hackers claiming to be part of the infamous Alpha and black Cat groups infiltrated company systems and encrypted several directories as a ransomware attack. Now, this disrupted First Americans operations for a short while, but the company assured the public that the attackers had failed to lock off anything that was absolutely critical for operations, and at

first they believe that customer records weren't act. However, very recently First American revealed that quote personal information pertaining to approximately forty four thousand individuals may have been accessed without authorization as a result of the incident. End quote. This is according to the title report dot com. So the company is going to be contacting those who are potentially affected and offer identity protection services and credit monitoring for

free for you know, some amount of time. I don't know for how long. Number three on our list is a real estate education company. It is called the Real Estate Wealth Network. Now, before I did any research on this episode, I had not heard about this particular data breach. This one I just missed. When it happened, it was big news, and somehow I didn't see it, And it really was a data leak. So similar to what we

just talked about with First American. As opposed to you know, hackers compromising a system, this is more of a company failing to put in the proper measures to protect information. Before I read about this particular situation, my imagination went wild, right,

because it's the Real Estate Wealth Network. I in my imagination thought, aha, this is going to be a story about some sort of crypto anarchist, right, because here's a company that's dedicated to teaching folks how to build wealth by buying up real estate in many parts of the United States. Right now, we're in sort of a housing crisis. There are a lot of middle class Americans who cannot afford to buy a house, which is a change from

previous generations. Right like, you have people who are in the same relative space in middle class, who, unlike earlier generations, cannot buy an average home or a suitable home. So the housing prices have skyrocketed in various regions throughout the United States in recent years, and a lot of properties seem to get scooped up by people or companies determined to turn the houses into lucrative vacation rental properties a

la Airbnb and such. So I am imagine this data breach was the work of some crypto anarchist akin to the main character in v for Vendetta. You know, a person who was determined to take down the system by targeting a wealth generation platform that by its very existence seemed to put the common person at a disadvantage. But no, it's nothing quite so dramatic as that. This is another case of a company failing to institute basic security measures

in place in order to protect sensitive information. So let's talk about that information first, and then I will talk about what actually happened. So the leaked info included all the top hits, you know, your basic stuff like customer names, their phone numbers, addresses, that kind of thing. But it also included other stuff like tax IDs, or whether or not the entity that owned the property had ever gone through bankruptcy, or if there were any court judgments against

the property owner. Obviously, it also included property history records like when it was bought and sold and who bought it or sold it. And there were a lot of these data records, or like a one and a half billion data records in total. Some of them included information about very notable people, you know, like politicians and celebrities

and that kind of thing. And you could imagine this sort of crime meant that the people who had access to this information could do all sorts of other crimes, everything from spearfishing, which would be a breeze because you would have so much information about your target, you could craft a very convincing attack that would potentially compromise them further. You would have all the information you needed to commit some pretty nasty fraud crimes in the name of some

of these victims. Not to mention now that you have these notable people like politicians and celebrities. You have information that you know, stalkers would really like, or people who have a particular desire to hurt somebody specific they might really want the information. So yeah, there's a whole host of crimes that can happen as a result of this.

So what actually happened? How did this come about? Well, the simple explanation is that the Real Estate Wealth Network failed to put any security around accessing this database, which held one point one six terabytes of information in it. There was this security researcher named Jeremiah Fowler who discovered the problem. He found an unencrypted, massive database containing extremely sensitive information, and he said he found it after searching for his own details, and then he followed a trail

that led to this database. So I don't know if he was just like doing this search just on his own and that had nothing to do with, you know, any kind of investigation and just stumbled upon this, or if he had already heard something about this or suspected something about it and then started to do some searching

and came across it. Either way, he reported the problem to the Real Estate Wealth Network, and to their credit, they promptly locked down access to the database, They closed off that avenue toward the data, and they also confirmed that they owned the data base, which again all credit

to Real Estate Wealth Network for doing this. They acknowledged the data leak, and honestly, that had a real breath of fresh air to it, because, yes, the leak never should have happened in the first place, but at least we're not talking about an incident in which the company delayed installed for days, weeks, months, or even years before finally owning up to it. Because spoiler alert number one

on this list did that. It's a company that held back on disclosing information about a massive data breach for multiple years. But no, Real Estate Wealth Networks was pretty quick to disclose this issue, which is really the responsible thing to do, right, to warn those who have been affected so that they could be on the lookout for any signs that malicious actors have accessed that information. However, despite this responsible approach, you know, you still have to

admit there were some pretty massive problems here. So for one thing, it was not clear how long that database had been unsecured, right it could have been unsecured for ages.

It was also unknown whether anyone besides you know, the security research or Fowler had noticed this issue, because you know, if criminals had found it, they would have a treasure trove of data at their fingertips, and they wouldn't likely just blurred out that they had found it if they wanted to keep accessing it, although they could have made copies.

And apparently, from what I understand, no one found anything about this on the dark web, So that's a fairly good indicator that it was unnoticed by the criminal element. But I mean, it would have only been a matter of time. So the fact that Fowler found it and that Real Estate Wealth Networks responded so quickly, that's really a good thing. But yeah, this data included you know, information about actual like celebrities, everyone from Britney Spears to

Elon Musk to Nancy Pelosi. So okay, we're coming down to our top two entries on this list. Although I should remind everybody that while I'm presenting this as a top ten countdown, in episode one was like ten through five and a half and this is five through one, I should mention Kyle Chen did not claim that his list was ordered in any kind of ranked way. He listed twenty six different data breaches, and I don't wish to imply that this is Kyle Chin's ranking. I just

chose to interpret it that way. So I'm just an Internet hack. Really. Maybe at some point I'll do an episode covering the other sixteen data breaches. But we're gonna take a quick break right now for some more messages, and when we come back, we're gonna keep on hacking. Okay, we're back, and I mentioned before the break, we're gonna keep on hacking. And hacking actually does play a part in numbers two and one, right, because the last two

those weren't really data breaches. Those were data leaks. A breach, I would argue, is when an outsider, a hacker, has managed to infiltrate a system in some way. They have breached the security whatever there might be of a system. Data leaks are when you don't have any security in place and no one actively has to be like searching for it. It's just out there and it's available if you happen to nowhere to look. Well, this is definitely a breach, not a leak, and it's one that puts

Microsoft in the spotlight. The Culprit was an allegedly China backed hacker group called Hafnium. The target were Microsoft Exchange servers. So to be clear, the targets weren't just Microsoft. It wasn't like the they were going after the company Microsoft. They were going after companies that were using Microsoft Exchange servers, So customers of Microsoft. That's who these hackers were going after. And the entry point was allegedly four separate zero day vulnerabilities.

Now I mentioned in the previous episode. A zero day vulnerability is one that the person or entity that's responsible for the softwareware, or system doesn't know about. That's what makes it a zero day vulnerability. They have zero days to address any sort of exploit that pops up in the wild, and zero day vulnerabilities are like gold to hackers.

They represent an opportunity to infiltrate systems without fear of being stopped or sometimes even detected, and that gives hackers way more time and opportunities to achieve whatever goals they have, whether that's stealing information or breaking entire directories as part of a ransomware attack, or infiltrating systems with malware, whatever it might be. One zero day vulnerability is bad for

zero day vulnerabilities is really really bad. And on top of that, some of these vulnerabilities had sort of been grandfathered in from software that had been out for almost

a decade at that point. One key element that made this particular attack so devastating was that many of the customers using Microsoft Exchange kept their own email servers on company premises or on prem as those in the biz call it, so in case you're not familiar with that term, it just means that a company hasn't offloaded everything to the cloud. At least some of their servers that they're using are on company property, whether that's in the company

HQ or a data center or whatever. The point is, they own and operate the server. They're just running the Microsoft Exchange product on those servers. So these are computers that are not under the direct supervision of Microsoft. And that's the important part, and the reason it's important is that once Microsoft became aware of these vulnerabilities, they could and they did release security patches to plug up those holes, which would stop attackers from being able to infiltrate those

Microsoft Exchange servers. But while Microsoft could install these patches directly onto any systems that were under their direct control. They couldn't do that with exchange servers that were on premises on customer property, right because Microsoft doesn't have that access. You wouldn't want Microsoft to have that access. You know, the whole reason to have on premises systems is that those are under your direction and control. So you don't want to give another party access to that's that's a

security vulnerability. So that meant Microsoft had to send out messages to their customers that essentially said, hey, you need to install these security patches asap, like yesterday, and the customers were in charge of actually following through on that because they were maintaining their own on premises email servers.

And you know, some companies have it departments that will respond immediately to these kinds of messages and install those kind of security patches, but there are cases where that

doesn't happen. Now, sometimes the decision not to implement a security patch right away is actually done out of a sense of caution, because occasionally you'll get a patch that once you install, but it has unintended consequences on your operations, right it might break something else, And so sometimes companies won't install a security patch on the initial day of

release just in case that patch causes other issues. They take a wait and see approach to make sure that they're not going to interrupt their regular business operations by installing this patch. But that means that they remain vulnerable for as long as the patch remains uninstalled. Now, other times, you might have IT departments that just are not on top of the ball, and that means some companies would

just go unprotected longer than others. Sometimes you don't really have an IT department at all, Right, You've outsourced a lot of stuff, and so you don't necessarily have the assets in place to be able to install security patches. You're depending too heavily upon third parties and as a result, you may not have the staff who has the knowledge

of how to install those security patches. It's possible there are still some servers out there that aren't protected, though I hope that's not the case because it has been like three years since this attack happened, and surely someone has installed security updates within those three years. But you never know anyway, what did the attackers actually achieve, what was their goal and what did they do well by

exploiting these vulnerabilities in Microsoft's software. The hackers gained access to these infected email servers, and that meant they could access all the email on that server as if they were the administrator of the server. They could read everything, so they could go into any account on that email server and read stuff. They could send email as someone else if they wanted to, and they could harvest data in contacts. They could pull all the information off of

calendars like they could gather a lot of valuable information. Now, in this case, the targets were companies, not necessarily individuals. However, if they were able to compromise a company system that had an individual of interest on it, then they could pull tons of information about that person as part of their attack. The attackers were able to compromise the email servers of around thirty thousand companies in the United States. Thirty thousand companies, not people like keep in mind, like

these businesses might employ hundreds or thousands of people. They were also able to compromise another thirty thousand businesses around the world, so sixty thousand total. Brian Krebs, once again was the researcher who wrote about these attacks and alerted the world in general as to what was going on. The revelation came just a few days after Microsoft had

released emergency security updates. By the way, there are actually a lot of security researchers out there, the white hat hacker types, who tend to have a general code of honor right. If they discover a vulnerability in a system, typically what they do is they reach out to the company or person responsible for that system and they alert them. They say, hey, I found this, it's possible to exploit.

You're gonna want to patch it. And typically they'll give a little bit of time for the company to respond to this, and then they'll wait for that response before they reveal what they know to the public. That's the responsible way to do it, so that the least amount

of damage is done. However, if a company fails to respond, like if it doesn't acknowledge the fact that you have alerted them to this vulnerability at all, well, sometimes researchers will reveal what they know in an effort to pressure the company into responding. If they go public and say this vulnerability exists, then there's suddenly this enormous amount of pressure on the company to fix it, and then also warns the customers of that company that the product they're

using isn't secure. However, in this case, Microsoft acted very quickly and then Brian Krebs reported on it, so back to Microsoft. US cybersecurity experts determine that the hacker group Halfnium was responsible for these attacks, and that in turn Halfnium enjoyed the backing and protection of the Chinese government. Further, the attacks were assumed to be part of a large espionage mission to spy upon and steal information from US companies.

In particular, The Guardian reported that the US government, in the form of the FBI, the Federal Bureau of Investigation, took a rather extreme step to protect companies by hacking into infected systems that belonged to various companies that had failed to mitigate the malware themselves. In order to actually neutralize the threat, so the FBI hacked into company systems in order to shut down the malware. The FBI did not go the extra step to install the security updates

on those systems. But apparently the FBI was fighting hacking by hacking, I guess, and not directly against the hackers, but against the same companies that had already been hacked. When it comes to zero day vulnerabilities. I don't think there's really anything I can say that's terribly helpful. I mean, how do you fix a problem if you don't know

there is a problem. So, you know, it might be tempting to blame Microsoft for leasing software platforms that had these vulnerabilities in them, but again, if the company has no awareness that there's an issue, how are they supposed to fix it? So I think just saying do better isn't really useful. You see that a lot in the gamer community. It's very dismissive and snobby, and I hate it and it's not useful at all. It's not helpful.

So I don't really think that's a viable response. As for customers, well, there's even less that you can do as a customer to prevent an attack that leverages a zero day vulnerability in some tool that your company is using. The best you can do is beyond the ball when security patches come out to minimize the risk of becoming another victim, or to at least temporarily migrate away from

a tool that's been known to have been compromised. Okay, we're finally up to number one on the list, and maybe, like I said, I'll do a future episodes to cover some of the other instances that Kyle Chen mentions. So again, if you didn't hear me before, these are all coming from a blog post that Kyle Chen wrote for upguard dot com, So you can always look up like the largest data breaches in US history. That'll probably pull that article up as a result. That's where I'm getting this

particular list. But our number one entry is Yahoo, and yeah, this one was huge. Also, I can't really say this one because the word one is deceptive. Honestly, this was a series of cyber attacks that ultimately resulted in more than three billion records being exposed to cyber criminals. Three billion. That's nearly forty percent of the world's population. Though honestly,

that's three billion accounts. I'm sure that some people had multiple accounts, so it's not the same thing as three billion people, I guess, But that seems like a fine point that we don't really need to worry about. If we do assume that's three billion people, that means if you were to get ten people together, four of those folks, or really three point seven eight of them would be

affected by this. But those chances would actually depend upon where in the world you are, right, Like, if you're in a more developed part of the world, then the odds are going to be higher that there'll be more people there who were affected by this. My analogy only works if the ten people are randomly selected from all

over the world. But anyway, I'm on a tangent. So what happened, Well, what happened was a combination of various hacking techniques, some international intrigue, a company staying quiet about the whole thing for way too long after finding out about this intrusion, possibly in an effort to avoid affecting a massive acquisition deal that was going on with another

big company. Because this story is juicy, y'all. But we begin in twenty thirteen, and this is when the first and the largest hack happened, though the public would not find out about it for another three years. Now. Arguably, Yahoo itself remained ignorant of this attack for quite some time, but it would take three years for the US public

to hear that this had happened. Even in that revelation, Yahoo would downplay how many accounts were affected by a third in fact, because, as we would later hear in twenty seventeen, the attack compromised some three billion accounts, but when Yahoo disclosed this attack to the public back in twenty sixteen, Yahoo said it was just one billion, which is weird. I was saying, just is crazy. I mean, one billion is a number so huge that I cannot

possibly imagine it. So you might as well cop to all three billion at that point, right, But to be fair to Yahoo, I do think it's very possible the company honestly did not have a grasp on how large this attack actually was at that time. And by large I do mean every single Yahoo account active or otherwise was affected by this because the company had lousy security.

There's no getting around it. I don't think that's opinion, by the way, because in twenty twelve, Yahoo had already been the target of a different hacker attack that ultimately compromised nearly half a million accounts. Now half a million is a drop in the bucket compared to three billion. It's nothing. But you would think that half a million compromised accounts would be a serious wake up call to Yahoo, and it would at least kick things into gears so

that the company would institute better security practices. But sadly, that didn't really happen, or at least it didn't happen on a scale and timeline that would prevent the massive intrusion in twenty thirteen. Now, it is easy to conflate the twenty thirteen attack with another one that happened in twenty fourteen. So if you're keeping count, that's three different

hacker intrusions in three years. Twenty twelve was half a million, twenty thirteen three billion, twenty fourteen was like five hundred million. I think it is important to draw some distinctions between these because authorities would ultimately identify four individuals believed to be responsible for the twenty fourteen attack. These folks would

also end up having alleged ties to the Russian government. Thus, there are locations that the Yahoo hack in twenty fourteen was the result of a state backed hacking operation, that it was essentially funded by the Russians. Now, whether the twenty thirteen attack was state backed or not, we don't really know. To this day. As far as I can tell, no one has the definitive information on who was behind

the twenty thirteen attack. Marissa Meyer, who was CEO of Yahoo during those data breaches, would testify to Congress in twenty seventeen that the company had been unable to determine who was responsible for that particular attack in twenty thirteen. She also revealed that she did learn of the twenty fourteen intrusion in twenty fourteen, this is the one that would affect half a billion accounts, but she didn't learn of the actual scale of the attacks until twenty sixteen.

So if that's true, it meant the attackers had some really good ability to hide their tracks and had years of opportunity there as well. So presumably no one knew about the twenty thirteen attack until much later. They knew about the twenty fourteen attack, but they didn't know how

bad it was. This also means I can't really talk about what happened in twenty thirteen, because the truth of the matter is there were several potential exploits that the hackers could have used, and the twenty thirteen attack may have used multiple avenues to get access to all the information. We can, however, talk about what happened in twenty fourteen. We know more about that one. It's a tail that

involves spearfishing and cookies. Now I should also mention this version of the story comes to us courtesy of the FBI. The agency said that the hackers first sent spearfishing emails to Yahoo employees, So again, these are emails meant to trick someone into taking some sort of action that benefits the hacker, and in this case, it was clicking on a link that ultimately would give the hackers administrator level access to some of Yahoo's systems, but not all of

their systems. But it did give them a chance to look at some code that Yahoo used that would be really valuable, and this included code on how Yahoo generated Internet cookies, So a quick refresher course on what cookies are and what they do. With the Web, You've got clients and you've got servers. So if you're browsing the web on your computer or your smartphone, you're using a client. Servers are sending or serving you the information that you're requesting.

So if you type in an address in your web browser like www dot Google dot com, your client sends a request to go to that website. This request gets routed to the appropriate web server, which then sends the data to your client, so that you are visiting Google. So each interaction is kind of like this. Now, to save some time and effort, we have cookies. So cookies are little bits of info that get saved to your computer the client, and cookies can do really handy stuff.

For example, let's say that you've logged into an account on a service like Amazon and you're doing some shopping, and then you navigate a way because you have to go do something else. But then gush, darn it, you remember, oh, well, you know what, I should have ordered something else on top of everything else. So you go back to Amazon. Well, if you didn't have cookies, you would need to go all the way back through the login process because Amazon

wouldn't know it was you again. But with a cookie stored on your computer, Amazon can say, oh, yeah, that's Billy Bob who logged in earlier, never logged out their back Let's just let them continue their session. So cookies are how web pages quote unquote know where you were the last time you visited, so that you can kind of pick up where you left off. Of course, cookies can do more than that, and there's a whole discussion to be had about tracking and whatnot with cookies, but

we're going to leave that for now. So how did the attack happen. Well, the hypothesis goes that the hackers were able to figure out how to forge Yahoo cookies because Yahoo was not good at practicing decent security, because ideally each cookie would contain data that's unique to a single individual and that would be very hard to crack. But Yahoo apparently wasn't really doing this in that regard.

You could say Yahoo was kind of behaving sort of like how certain German officers in World War Two were reusing code phrases while encrypting messages using an Enigma machine. Now, the practice of reusing those code phrases, that's what gave British code breakers the advantage that they needed to actually break the code. If the Germans had used more discipline security measures, the code likely would have stood up to the BRIT's best efforts and it wouldn't have ever been broken. Possibly.

I mean, it's impossible to say, because we know what did happen, it's impossible to say that what could have happened was a definite possibility. Anyway, all this meant that the hackers could actually forge a cookie, and they could fool Yahoo into thinking that the hackers were actually somebody else, like a legitimate Yahoo user, So it meant that they could access user accounts and then spy on that user's correspondence, plus scrape any data relating to that user and their

other online accounts. So potentially they could even compromise even more data in the process. A right, like if you figure out a user's username and password, and you also see that they use other services, you can try and use that and see if it works. Because so many people reuse their passwords. I said it in the last episode, I'll say it again. Don't do that, And you start to see how a data breach can be much bigger

than just this enormous scope of three billion accounts. So coy to Marissa Meyer, Yahoo learned about the twenty fourteen attack, even though they might not have known what the scope was, but they kept things quiet, possibly in part because there was this big acquisition deal Verizon wanted to acquire Yahoo.

Some of this news, however, would break before that deal would be finalized, and Verizon would drop the offer by a whopping three hundred and fifty million dollars, So that was a big deduction on the final cost for that acquisition,

and even that might have been too modest. Because, of course, later we would find out the real scope of those attacks, lawsuits would follow, but Yahoo would pay out a little more than one hundred million dollars as a result of the lawsuits, a few tens of millions here, tens of millions there in different fines, But honestly, I think it was a pretty small amount considering the nature and scope

of the attack. Then again, the whole thing did cost y'all who hundreds of millions of dollars because the acquisition was reduced in price too. Only one of the four men identified as hackers in that twenty fourteen attack was ever arrested and sentenced for this crime was in a Canadian citizen named Karim Borotov. He was sentenced to five years in prison. He even wrote a book about his experiences.

The other three accused, which included two members of the Russian FSB, that's kind of like the successor of the KGB in the old Soviet days. They were accused, but they were never arrested, and of course Russia denied having any involvement in the attacks whatsoever. And that brings us down to the last of my top ten. Again, I don't wish to suggest that Kyle Chin had ranked these in any specific way. This was kind of how I ranked them, and there were sixteen other ones on that list.

So again, go to upguard dot com and search for that article about the largest data breaches in US history if you want to read more about them. Maybe I'll do an episode about those later. I might do an episode just about the ticketmaster data breach because that happened. That are particularly bad time for ticketmasters since it's already in the crosshairs of the US government due to an antitrust lawsuit. So maybe I'll do a full episode about that in the future too. In the meantime, I hope

you're all safe. I hope all your personal information is safe, and I'll talk to you again really soon. Tech Stuff is an iHeartRadio production. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.