The number of cyber attacks has grown up steadily during the last few years. In 2016, 758 million malicious attacks occurred according to KasperskyLab, (an attack launched every 40 seconds) and there is no doubt that 2017 will break the record. This summer, ransomware were under the spotlight with the WannaCry and NotPetya attacks whose paralyzed some large companies or structures for a moment. The types of cyber attacks are almost as numerous as the number of hackers. From individuals personal information to industrial products data, the field is vast and the consequences can be multiple: impersonation, banking data fraudulent use, blackmail, ransom demand, power cuts …
Often, it is the exploitation of system and network vulnerabilities that is responsible for cyber attacks, but these can often be avoided. Indeed, many vulnerabilities are known and referenced. Below are a few examples of companies that have not been able to react in time and have paid a high price for it. The ranking was elaborated in increasing order of the people impacted by the attacks, the last one being the one that made the most victims.
Here is our Top 10 of the world’s biggest cyberattacks
10. From Instagram to the darknet : there is one step
The start of a the school year 2017 has been marked by the hacking of the social network Instagram. In fact, phone numbers and email addresses of 6 million users have been made public and are available for purchase on the darknet. Even if no password has been recovered, some information are valuable as its belong to the singers Selena Gomez, Justin Bieber and Taylor Swift for example. Instagram leaders believe the hacker “Doxagram” has exploited the breach of an API they claim to have corrected today. But for some experts, the pirate has certainly used another way. So caution.
9. A hot summer for Ashley Madison
In August 2015, the Ashley Madison extramarital dating site was hacked and personal data (names, email addresses, phones, sexual preferences …) of more than 30 million users across more than 40 countries recovered. The “Impact Team” threatened to make public all data if the website did not close. A promise is a promise, the group released 30 gigabytes of users data. And, these revelations have had tragic consequences like numerous resignations and 3 suicides of subscribers.
For its part, the company has survived. Consequently, it has paid the equivalent of 13 million euros in compensation. The case also became the subject of a TV documentary entitled “Ashley Madison: Sex, lies and cyber attacks” in 2016. Once again, a security breach is behind the attack. In fact, the website had a very inadequate security system and was in the contravention of several measures regarding the protection of privacy.
8. Adobe was going through hell
Adobe announced in October 2013 the massive hacking of its IT infrastructure. Personal information of 2.9 million accounts were stolen (logins, passwords, names, credit card numbers and expiration dates). Another file discovered on the internet later brought the number of accounts affected by the attack to 150 million (only 38 million active accounts) . To get those information the hackers took advantage of the security breach of the publisher. Indeed, it did not respect certain practices of security of the passwords. The stolen passwords had been encrypted instead of being chopped as recommended. If the banking data were stolen, however they were unusable because of a high quality encryption of Adobe.
The company was attacked not only for its customer information but also for its product data. Indeed, the most worrying problem for Adobe was the theft of over 40GB of source code. For instance, the entire source code for the ColdFusion product was stolen as well as parts of the sources Reader and Photoshop. If other attacks were to be feared, they did not finally take place.
7. Panic among Sony
In April 2011, the PlayStation Network, the multiplayer gaming service, online gaming purchasing and live content distribution of the Japanese brand was attacked. The personal data of 77 million users leaked. The banking details of tens of thousands of players were also compromised. After the intrusion discovery, the PSN as well as Sony Online Entertainment and Qriocity had been closed for a month. To calm the anger of users, Sony has to pay 15 million dollars in compensation plus a few other millions for the court fees and the refund of the people whose bank accounts have been illegally used. This cyber attack could have been largely avoided. Indeed, hackers have used a well-known network vulnerability that Sony did not pay attention to. The data was not encrypted and could easily be hijacked thanks to a very simple SQL injection.
Unfortunately, in November 2014…
… the subsidiary Sony Pictures Entertainment was attacked by a malware, and more precisely by a computer worm. The “Guardians of Peace” had stolen 100 terabytes of data including a lot of confidential information. Had been stolen for example, the future James Bond scenario, the personal data of 47,000 employees (names, addresses, e-mails, social insurance numbers, salaries…), or compromising emails. Amy Pascal had been ejected from her position because of the shocking content of her emails (judged insulting to then-President Barack Obama). In addition, the company canceled the broadcast of several movies and paid the equivalent of 8 million dollars in compensation to its employees and former employees. The cyber attack could have been once again avoided because SonyPictures had carried out an audit of its security system a few months before the incident. This last had revealed serious failures in the infrastructure management, including a firewall and several hundred terminals (routers and servers) that were not managed by the competent teams.
6. Equifax : a tricky crisis management
A few days ago, Equifax, an American credit company, revealed that it suffered a cyber attack last July. The personal data (names, birthdates, social insurance numbers, driving license) of 143 million American, Canadian and British customers are affected as well as 200,000 credit card numbers. Complaints against the company as well as suspicions of insider dealing are accumulating. Indeed, on the one hand, the vulnerability of Apache Struts used by the hackers was well known (article Cyber-attack of Equifax = SMEs you are vulnerable as well!) and on the other hand, several executives of the company sold strongly actions a few days before the security breach was made public.
5. The South Korean nightmare
The South Koreans learned in January 2014 that data of 100 million credit cards have been stolen for several years. In addition 20 million bank accounts have been also hacked. For fear of having their bank accounts emptied, more than 2 million South Koreans had their credit cards blocked or replaced. The data stealer was actually an employee of the Korea Credit Bureau (KCB), a solvency company. He stole personal information from customers of credit card companies when he worked for them as a consultant. He had simply copied the data to an external hard drive. Then he resold to a few people including a credit trader and telemarketing companies.
4. Target targeted
Target, the second-largest US discount retail chain, was victim of a large-scale cyber attack in December 2013. Data from 110 million customers were hijacked between November 27 and December 15. If the banking data of 40 million customers were stolen on the one hand, the personal data of another 70 million customers were stolen on the other hand (names, postal addresses, telephone numbers and email addresses).
And it was not Target which discovered the attack. The American secret services had detected abnormal bank movements and warned the brand. According to several US security services, the hacker group was located in Eastern Europe. It had installed malware in cash registers to read information from the credit card terminals. This technique is known as RAM Scraping. Once the data had been hijacked, the attackers had been resold them on the black market. Two Mexican were arrested in January 2014 in Texas for using the stolen data.
3. Adult Friend Finder exposed
In 2015, the dating libertines site was attacked for the first time. The information (pseudonyms, dates of birth, postal codes, IP addresses and sexual preferences) of 4 million accounts were made public on a forum only accessible on Tor. Recovered by malicious people, the data could have been used for spam campaigns, identity theft or blackmail. However, no banking data had been hijacked.
But the following year…
…Adult Friend Finder faced a new attack, much more violent than the first one. This time it was not 4 million accounts pirated but more than 400 million. The stolen information was less sensitive but in total, 20 years of personal data were stolen. Attackers used a LFI (Local File Inclusion) breach, a technique that consists of introducing a local or remote file into an online resource. In addition, some former users had the unpleasant surprise to learn their personal information had not been deleted despite their accounts cancellations. This hacking record had largely dethroned the AshleyMadison site cyberattack (number 9).
2. Theft of more than one billion passwords
In August 2014, the IT security company Hold Security revealed that Russian hackers had stolen 1.2 billion logins and passwords on 420,000 websites around the world. And this would have allowed the group of hackers “CyberVor” to access 500 million email accounts. Hackers used programmed botnets to visit sites and perform vulnerability tests. In order to exploit SQL injection vulnerabilities and access databases. If the attack is notifiable on a large scale, it has ultimately had no major consequences. According to the FBI, the information has only been used in a large spam campaign on social networks for instance but this hacking record remains a mystery for the organization.
1. Yahoo! : hackers favourite target?
Last year, Yahoo! announced it had suffered a cyber attack in 2014 that affected 500 million user accounts. It had constituted the largest massive hacking of individual data directed against a single company. Names, dates of birth, telephone numbers and passwords were stolen. If the company had assured that the banking data had not been affected, it recommended its users to be careful.
Before that, in 2012, the hacker “Peace” had sold 200 million dollars of usernames and passwords for $1900.
Because bad things always come in threes…
… in March, Yahoo! has confessed being hacked once again. This time, “only” 32 million accounts had been affected. This cyberattack relaunched the investigation of the 2014 hack, as the attackers used a stolen tool that year. So they created malicious cookies allowing them to log in without the passwords. As a result for Yahoo!, the firm was bought by Verizon in 2017 for $ 4.5 million instead of the $ 4.8 million announced in 2016.
Update: Finally, Yahoo has just admitted that all the 3 billion user accounts had been hacked in 2013. This cyber-attack is the most important in the Internet history.
Will you be the next?
While the previous cyber attacks are impressive, many more are taking place every day in different business sector or through different means. This summer the ransomware Wannacry and NotPetya have made a lot of talk. More recently, HBO lost 1.5 terabytes of data, TV show episodes, scripts, manager emails and some actors phone numbers of the flagship Game of Thrones. Finally, on another sector, dozens of US energy suppliers have been attacked and hackers can cut electricity anywhere in the United States at any time.
How to protect against cyber attacks? Updating IT systems is a first step, but the best is to permanently detect vulnerabilities and fix them quickly to avoid attacks. This is why our solutions were developed: to allow our customers to better manage their vulnerabilities and give them the keys to improve the security of their systems. We offer you the vulnerability analysis of one of your IP addresses in order to allow you to know your cyber risk exposure and to be able to solve it before it is too late.