HackCheck 2023 Cybersecurity Roundup - Worst Year So Far?

January 1, 2024


2023 has been an eventful year so far in cybersecurity, with a more than 13% increase in the number of breaches, and much more. With HackCheck's 1-year birthday here, it’s a perfect time to go over this year’s incidents and what we should learn from them, whether you are a user trying to dodge the inevitable breach of your data, or a corporation trying to minimize the risk of breaches or the damage they cause.

2023 Data Breaches Incidents

This year, we have seen an increase in the total number of breaches, and if we include the 3.8 billion-record DarkBeam breach (the data exposed there had already been breached before), the total number of records breached reaches a staggering 5 billion.

So far, 2023 has not been a great year incident-wise. It was the worst year for the US especially, according to some. For the rest of this section, we will go through this year’s incidents and cover what data was breached.

MOVEit Massive Data Breach

The MOVEit breach was not just the largest hack of 2023 but also one of the largest in recent history. After a Russian ransomware group named Cl0p hacked MOVEit using a zero-day exploit, many organizations announced that they were affected. Several companies used the MOVEit software to transfer sensitive data. Progress Software, the creator of MOVEit, reported that many firms, such as payroll provider Zellis, British Airways, the BBC, and the province of Nova Scotia, have been compromised.

US government contractor Maximus experienced a data breach through its use of the MOVEit transfer application, and the sensitive health-related data of at least 8 to 11 million US citizens was exposed.

A vulnerability in the MOVEit transfer software led to the leak of sensitive healthcare data of 4.1 million patients in Colorado using systems managed by tech behemoth IBM.

Date of Breach: Unknown Total Records: More than 60 million How? Ransomware, zero-day exploit

T-Mobile

T-Mobile announced that hackers gained access to the information of over 37 million individuals, including phone numbers, email, and billing addresses. Although the company claimed that it found the breach on the 5th of January, it is believed that the data was stolen in late November 2022.

T-Mobile Data Breach this time in May 2023 affected around of the telecom provider's customers. The company sent a data breach notification letter to the customers explaining the full extent of the data that the cyber attackers had access to.

Date of Breach: Unknown Total Records: More than 37 million How? System vulnerability

JD Sports

In January, JD Sports, the high street sports fashion retailer, told the Guardian that customers should be cautious about potential scam emails, texts, and calls because a cyber-attack on its systems resulted in the exfiltration of data from 10 million accounts.

Date of Breach: Unknown Total Records: More than 10 million How? Unknown

Freecycle

Freecycle has suffered a large data breach affecting about seven million users. The company advised users to reset their passwords because by the time Freecycle found out about the data breach, the stolen information was uploaded on hacking forums.

Date of Breach: August 2023 Total Records: More than 7 million How? Unknown

PharMerica

PharMerica, a giant US pharmaceutical company known to serve 2500 different facilities across the US, suffered a data breach in May 2023. Social security numbers, birth dates, names, and health insurance information relating to 5.8 million individuals were extracted in this breach.

Date of Breach: May 2023 Total Records: More than 5.8 million How? Ransomware

Duolingo

In August 2023, Duolingo (a language learning application) suffered a data breach in which information including names, email addresses, phone numbers, and the languages that users were learning was leaked. 2.6 million Duolingo users were affected by this data breach.

Date of Breach: August 2023 Total Records: More than 2.6 million How? Unknown

Topgolf Callaway

Over one million customers were affected by US golf club manufacturer Topgolf Callaway's data breach. They received an email from the company. Full names, shipping addresses, email addresses, phone numbers, account passwords, and security question answers are the data that had been stolen.

Date of Breach: August 2023 Total Records: More than 1 million How? System vulnerability

Discord.io

Information such as passwords, usernames, Discord IDs, and billing addresses is thought to have been extracted due to a data breach that happened to Discord.io (not affiliated with Discord, the company) in August 2023. It is believed that 760000 users have been affected by this data breach.

Date of Breach: August 2023 Total Records: Around 760,000 How? Website’s code vulnerability

Activision

Call of Duty makers, Activision, announced a data breach that probably occurred in December 2022. This cyber-attack was caused by a phishing attack that the attackers used to infiltrate the system. Sensitive employee data and content schedules were the information that was revealed during this data breach.

Date of Breach: May 2023 Total Records: Around 760,000 How? phishing

Forever21

Forever 21 is a fashion retailer that announced that data pertaining to 500000 customers, including names, bank account information, and Social Security numbers, was exposed. They claim that the unauthorized third party no longer has access to the data, but it has not been clarified how they substantiate this claim.

Date of Breach: September 2023 Total Records: Around 500,000 How? Unknown

US Department of Transportation

The Department of Transportation data breach in May 2023 led to the exposure of 237000 government employees' personal information. Luckily, nothing related to transportation safety was affected during this data breach.

Date of Breach: May 2023 Total Records: Around 237,000 How? Unknown

D.C Health

A data breach at a Washington DC-based healthcare provider occurred on 9th March 2023 and affected over 170000 people, including a number of federal legislators and their families. The data was put up for sale online, although the FBI bought it for their investigation.

Date of Breach: March 2023 Total Records: Around 170,000 How? Human Error

ChatGPT

In March, ChatGPT went offline because of a bug in its open-source library that let some users see other active users’ information, including the last 4 digits of the credit card number, email address, expiration date of the credit card, and first and last name. OpenAI reassures users that their full credit card number has never been revealed.

Date of Breach: March 2023 Total Records: Over 100,000 accounts How? Open-Source Bug

Sharp Healthcare

In February, Sharp Healthcare, the largest healthcare provider in San Diego, warned that the information of 62000 patients was exposed to cybercriminals. The leaked information included Social Security numbers, health insurance data, and health records, but no credit card information was involved in this data breach.

Date of Breach: February 2023 Total Records: Around 62,000 How? Ransomware

PayPal

In January, PayPal customers received an email saying that in December 2022 unauthorized parties gained access to their PayPal accounts using stolen login credentials but PayPal announced that no mysterious activity had been reported and no confidential information had been stolen from the PayPal data system.

Date of Breach: December 2022 - Notified in January 2023 Total Records: Around 35,000 How? Unknown

MailChimp

MailChimp said that a social engineering attack caused the leak of information on 133 MailChimp accounts, and attackers were able to gain access to those accounts. That wasn’t the first time that MailChimp experienced a data breach from the very same weak spot. The earlier incident happened in 2022.

Date of Breach: Total Records: 133 accounts How? Phishing

MSI

A new ransomware gang named Money Message asked for $4 million in payment from MSI in return for not releasing 1.5TB of data that they had stolen in April. This data breach hit computer vendor Micro-Star International through their Taiwanese system. The hackers claimed to have access to MSI source code, including a framework for developing BIOS.

Date of Breach: April Total Records: 1.5TB (Total records unknown) How? Ransomware

Reddit

Reddit CTO Christopher Slowe confirmed that on the 5th of February, they recognized a data breach in this social media system and during that incident, limited contact information was stolen mostly for current and former employees. He claimed that there was no problem related to their primary production systems.

Date of Breach: February 2023 Total Records: Unknown How? Unknown

Atlassian

Australian software company Atlassian, which is worth $44 billion, was hacked by a group of hackers known as “SiegedSec”. The information was uploaded to the internet along with a message from the hackers announcing that they had gained access to information related to staff and floor plans for offices in San Francisco and Sydney. Although the company at first blamed the office coordination platform Envoy for the breach, they later confirmed that the cause was a mistake by an employee who posted the information in a public repository. This data breach happened in February 2023.

Date of Breach: February 2023 Total Records: Around 13000 How? Stolen Employee Credential

NATO

In July, SiegedSec also announced that they had hacked NATO’s Communities of Interest Cooperation Portal. Some unclassified documents and sensitive data related to the users of the portal were stolen. Also, due to a breach of Microsoft by a group of Chinese hackers known as Storm-0558, 60k State Department emails were leaked.

Date of Breach: July 2023 Total Records: 60k State Department Emails How? Unknown

Yum!

In April, Yum! (the owner of Pizza Hut, KFC, and Taco Bell) disclosed that a ransomware attack on its systems in January ended up exposing some information, including names, driver's license, and ID card info.

Date of Breach: January 2023 Total Records: Unknown How? Ransomware

Microsoft

In September 2023, about 38 TB of data including a disk backup of two employee computers that featured passwords, private keys, personal data, and more than 30,000 internal Microsoft Teams messages, was published on GitHub. Luckily no customer data have been exposed by Microsoft. This data breach in Microsoft's AI research division has been immediately taken care of.

Date of Breach: September 2023 Total Records: Unknown How? Misconfiguration

Discord

In May 2023, Discord announced that they had suffered a data breach. They warned users that their information, such as email addresses, had been accessed by cyber attackers. The customer service agent's account was locked as part of the process of ensuring that no threat remained on their systems.

Date of Breach: May 2023 Total Records: Unknown How? Unknown

Air Europa

Air Europa, a Spanish airline, warned its customers to cancel their credit cards because hackers had access to financial information during a data breach. Card numbers, expiration dates, and 3-digit CVV numbers were extracted from the company’s system.

Date of Breach: October 2023 Total Records: 489,000 individuals How? Unknown

How To Stay Safe from a Breach (And after it)

With more data breaches happening every year, it seems increasingly likely, even inevitable, that your data will end up compromised. But you can still be safe even if your data is compromised. How? Let’s go through some steps to maximize your security before your data is compromised, and the steps to take after your data is breached.

Don’t Use a Password Twice

With the increasing number of data breaches and cyber-attacks, it has become essential to take proactive measures to protect our personal information. One of the most effective ways to do this is by using password managers.

According to Bitwarden, 33% of U.S. respondents use the same password across 5-10 websites. Almost 30% of U.S. respondents rarely reset their passwords. According to surveys, about 58% of Americans have experienced data breaches at some point and 85% of people are aware that re-using passwords is risky!

You can use password manager apps to store and manage your passwords. Password manager apps can generate unique and strong passwords for your accounts and save them in an encrypted ‘vault’.

If you want to use a password manager app, first you should find a reliable one that uses strong encryption and has a track record of protecting user data. You should find a password manager app that meets your security needs.

Don’t Use a Predictable Password

Hackers or malicious actors will use the data breached previously, to crack or hack your password, and one of the most common ways is to try against a set of common passwords. As per HackCheck analysis, common passwords make up more than 10% of all breached passwords.

How to know if your password is common? Common passwords are usually one of these 3 types (or more than one):

  • Sequential Numbers or letters (like 123456, or qwerty)
  • A name
  • Date of birth (or any date)

59% of adults in America use birthdays and names. Using a predictable password is almost as risky as using just one password for several accounts!

To eliminate the risk, users should strive to use non-common, secure, and randomly generated passwords, and one tool that will help users is a password generator.

Password managers usually include a feature for generating passwords. Generated passwords are strong, random, and unique, which gives you some assurance against your accounts getting cracked.

Bitwarden password manager can be a good choice. It can help you come up with perfect passwords for each of your accounts. You have choices over the length of the password and using or not using uppercase or lowercase letters, numbers, and signs. Luckily the passwords that these apps generate do not have discernible patterns. With all these features you can have a unique password for each account and reduce the risk of getting hacked.
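The three predictable types listed above, and the generator options just described (length and character classes), can be put into code. This is an added example, not HackCheck's or Bitwarden's code; the function names, the tiny name list and the keyboard rows are assumptions made for illustration.

```python
import re
import secrets
import string
from datetime import date

# Constructed sample list; a real check would load a large name dictionary.
SAMPLE_NAMES = {"michael", "jessica", "ashley", "daniel", "charlie"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def is_sequential(pw: str) -> bool:
    """Type 1: a run of 3+ letters or digits counts up/down or walks a keyboard row."""
    for run in re.findall(r"[a-z]{3,}|[0-9]{3,}", pw.lower()):
        steps = {ord(b) - ord(a) for a, b in zip(run, run[1:])}
        if steps in ({1}, {-1}):
            return True
        if any(run in row or run in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def contains_name(pw: str) -> bool:
    """Type 2: with digits and symbols stripped, the password is just a name."""
    return re.sub(r"[^a-z]", "", pw.lower()) in SAMPLE_NAMES


def contains_date(pw: str) -> bool:
    """Type 3: the digits are a year, or a DDMMYYYY/MMDDYYYY/YYYYMMDD/DDMMYY/MMDDYY date."""
    d = re.sub(r"\D", "", pw)
    if len(d) == 4:
        return 1900 <= int(d) <= 2099
    if len(d) == 8:
        tries = [(d[4:], d[2:4], d[:2]), (d[4:], d[:2], d[2:4]), (d[:4], d[4:6], d[6:])]
    elif len(d) == 6:  # two-digit year: assume 19xx
        tries = [("19" + d[4:], d[2:4], d[:2]), ("19" + d[4:], d[:2], d[2:4])]
    else:
        return False
    for y, m, day in tries:
        try:
            date(int(y), int(m), int(day))
            return True
        except ValueError:
            pass
    return False


def predictable_types(pw: str) -> list[str]:
    """Return which of the three predictable types apply (possibly more than one)."""
    checks = (("sequential", is_sequential), ("name", contains_name), ("date", contains_date))
    return [label for label, check in checks if check(pw)]


def generate_password(length=20, upper=True, lower=True, digits=True, symbols=True) -> str:
    """Random password from the enabled character classes, with no predictable type."""
    classes = ((upper, string.ascii_uppercase), (lower, string.ascii_lowercase),
               (digits, string.digits), (symbols, string.punctuation))
    pools = [chars for enabled, chars in classes if enabled]
    if not pools or length < len(pools):
        raise ValueError("enable at least one class and allow one character per class")
    alphabet = "".join(pools)
    while True:  # redraw until every class is present and no pattern is found
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in p for c in pw) for p in pools) and not predictable_types(pw):
            return pw
```

The generator draws from `secrets`, the standard library's cryptographically secure source, rather than `random`.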

Don’t Always Use Your Primary Email

Aside from using common passwords for cracking your password, hackers or bad actors also use your own password from the previous breaches. So, if you used your password more than once, or used the same email and password combination before, you are at risk.

You can find out if your email (or many other pieces of data, like a password or IP) has been in a data breach before by using the HackCheck data breach search engine, and then take appropriate measures.

One way to bolster your security by not giving your email and password combination to a website is to use temporary emails or email aliases, which can help protect your personal information and avoid data breaches.

An email alias is a secondary email address that is linked to your primary email account and allows you to manage your emails without using your actual email address.

One of the tools you can use is Skiff’s Email alias feature which helps you mask your true email address, so you can avoid giving your true email to websites you don’t trust. This way, you can keep your primary email address a secret and not expose it to potential hackers and cyber-criminals.

Not using your actual email address reduces the risk of falling victim to phishing attacks (one of the leading causes of hacks and data breaches).

Preventing Data Breaches

Data breaches are becoming more severe, and they can cause damage to businesses and individuals. The cost of a data breach in 2023 is $4.45 million, a 15% increase over the past 3 years. Startups are also not safe, as they are a frequent target for data breaches.

Taking security measures is the first step to protecting your company & users' data, and to avoid data breaches. There are several steps your organization can take to reduce the risk of such incidents.

1. Employees should be trained in cybersecurity

As the employees are usually weak links in the security chain and they can easily do things that lead to a data breach, training the employees can be a big step to prevent data breaches. Employees must learn how to recognize and avoid phishing emails, how to create strong passwords, and how to secure their devices.

2. Strong passwords and multi-factor authentication

People usually do not put much effort into selecting strong passwords. Weak passwords do not take much time to be revealed, and even strong passwords can get hacked. Internet users often fail to choose a sufficiently secure password for their accounts, and forget to change their passwords regularly to reduce the risks of getting hacked.

This lack of attention to password security is a major issue that needs to be addressed. Companies should enforce stronger password policies and educate users on the importance of using unique, complex passwords for each account.

Additionally, implementing two-factor authentication (or multi-layer authentication) can add an extra layer of security to prevent unauthorized access to sensitive information. It is crucial for both individuals and companies to prioritize password security to prevent data breaches and protect personal information.

With the growing risks of using SMS-based authentication, multi-factor authentication adds an extra layer of security by requiring users to provide two or more forms of identification before accessing sensitive information.

3. Update your software

Cyber-attacks can easily take place because of software vulnerabilities. Keeping software up to date is crucial in preventing data breaches. Updating software regularly reduces the entry points through which cybercriminals can get access to systems.

4. Use encryption

Encryption is a process of converting sensitive information into a code that can only be deciphered with a key or password. Using encryption can help protect sensitive information from unauthorized access in case of a data breach.

5. Limit access to sensitive information

The less access people have to sensitive information, the lower the risk of a data breach. Only authorized personnel should have access to sensitive information, and access should be limited based on job responsibilities. Not taking this step seriously can increase the risk of human error, or even of bad actors, and eventually increase the risk of a data breach.

Protecting Yourself from Data Breaches

There are several measures you can take to protect yourself from a data breach, whether your company holds user data, or you as a user want to stay safe, and secure.

Unfortunately, once your data is breached, there is nothing much that can be done. Most companies, and users, won’t even know that their data is breached until eventually, the stolen data finds its way into the hands of bad actors.

Check for Compromised Data

First, you need to know whether your data has been compromised before, and whether you should even be worried about it.

There are several ways to find out if your data has been in a previous breach. You can use Have I Been Pwned to check if your email address was in a data breach, but emails are not the only thing that is usually compromised. Your passwords, usernames, full name, and even IP address are among the things that might get compromised. You can use tools like HackCheck to check for these pieces of compromised data too.

What to do after?

Change your password. The most effective step is changing your password, and never using the same combination again.

Freeze your credit card. If your credit card data is breached, you can assess the risk and minimize it.

You can also use tools that will immediately notify you when your data is compromised in a breach, like HackCheck’s new addition, Breach Monitor, or you can take advantage of Firefox Monitor, which operates like Have I Been Pwned, and checks for your email.

Conclusion

Overall, 2023 has not been looking good in many ways, and with more data breaches every year, your data and PII (Personally Identifiable Information) are at increased risk. Luckily, if you take a few steps, your security can be up to standard, minimizing the risk of bad actors getting hold of your data or being able to use it.

2023 In a View

Largest Data Breach: MOVEit (60 million records) (So far)

Number of Incidents: More than 120 so far

Total Records Breached: ~5 Billion records (including DarkBeam breach)

Cost of Data Breach: USD 4.45 Million

Major Causes of Data Breach: Phishing, stolen credentials, security exploits



Copyright 2023 Hackcheck.io. All rights reserved.