23 of The Biggest Data Breaches of 2018

June 20, 2023

9 Mins Read

The personal information of millions of people around the world was compromised in 2018 due to a whopping 1,100+ data breaches. Every week, a new healthcare provider, social network, or retailer had to inform its customer base that their details were affected by a breach.

As such, 2018 will long be recalled as the most prolific year in data security – everything from passport numbers and bank account information to email addresses and names had been leaked! Some of the most high-profile victims include Quora, Google+, and Marriot.

Facebook also faced multiple incidents and breaches which affected over 100 million users and resulted in them paying fines worth millions of dollars! With that being said, let’s take a closer look at some of 2018’s most notable data breaches:

1. Aadhaar

How many records were exposed?

1.1 billion

What was stolen?

Indian residents’ personal information, including names, unique ID numbers, and bank details.

When did the incident take place?

It’s uncertain when the breach hit India’s national ID database, but it was unearthed in March 2018.

How it occurred?

The data leak stemmed from a state-owned utility company called Indane. They failed to secure the API used to access the database, allowing anyone to download private Aadhaar information.

2. Marriott Starwood

How many records were exposed?

500 million

What was stolen?

Guest details, including reservation dates, phone numbers, passport numbers, and email address. The stolen data also consisted of some payment card numbers as well as expiration dates.

When did the incident take place?

There had been unauthorized access to Marriott’s Starwood guest reservation database since 2014. It was discovered in September 2018.

How it occurred?

According to Marriot International, a Chinese spy agency allegedly “hacked health insurers and the security clearance files of millions more Americans” before gaining access to the Starwood guest database and copying and stealing information.

3. Exactis

How many records were exposed?

340 million

What was stolen?

In-depth information collected on millions of businesses and people, including addresses, phone numbers, personal characteristics and interests, and more.

When did the incident take place?

News of the data breach emerged in June 2018.

How it occurred?

A security researcher found that Exactis’ database was left exposed on a publicly accessible server, though it’s unclear whether the information was accessed by any hackers.

4. Twitter

How many records were exposed?

330 million.

What was stolen?

Users passwords.

When did the incident take place?

To this date, the exact time of the incident is unclear.

How it occurred?

Twitter found out a bug on its website which stored passwords exposed in an internal file. While it isn’t really a breach, it’s certainly exposing sensitive data which could prove to be harmful for the user and the company. As a result, Twitter asked all of its users to reset their passwords.

5. MyFitnessPal

How many records were exposed?

150 million

What was stolen?

Personal information including email addresses, encrypted passwords, and usernames.

When did the incident take place?

The data breach happened on February 2018, but it first came to light in March.

How it occurred?

Law enforcement agencies and security firms are still investigating the real identity of the “unauthorized party” behind the data breach.

6. Quora

How many records were exposed?

100 million

What was stolen?

Personally identifiable information, such as names, passwords, and email addresses. It also included data from linked networks and users’ public content like questions and answers.

When did the incident take place?

The data breach was uncovered in November 2018.

How it occurred?

One of Quora’s systems were hacked by “a malicious third party”, and the company is still looking into how it happened.

7. MyHeritage

How many records were exposed?

92 million

What was stolen?

Users’ email addresses and hashed passwords.

When did the incident take place?

According to the company, the data breach was carried out in October 2017. However, it was first spotted on June 2018.

How it occurred?

The details of MyHeritage users’ was found sitting on a private server belonging to an unrecognized party.

8. Facebook-Cambridge Analytica

How many records were exposed?

87 million

What was stolen?

Data identifying the interests and preferences of users.

When did the incident take place?

Facebook learned of Cambridge Analytica’s illicit harvesting of data in 2015 but didn’t inform users until 2018.

How it occurred?

An app called “thisisyourdigitallife”, which was developed by Cambridge University professor Aleksandr Kogan enabled Cambridge Analytica to improperly access user information and influence the presidential campaign in Trump’s favor.

270,000 or so users only installed it, but Facebook’s design at that time allowed the app to collect data on their millions of friends as well.

9. Google+

How many records were exposed?

Almost 53 million

What was stolen?

Private information on users’ profiles, including name, age, employer, job title, relationship status, birth date, and email address.

When did the incident take place?

The first data breach – which was announced by Google in October last year – happened between 2015 and March 2018, while the second one affected users between November 7 and November 13.

How it occurred?

Google announced its shutting down Google+ in August 2019 after a “security bug” gave third-party developers access to the profile data of 500,000 users. However, it moved the date to April 2019 due to a similar bug which exposed the information of 52.5 million users.

10. Chegg

How many records were exposed?

40 million

What was stolen?

Personal information, including shipping addresses, usernames, hashed passwords, and email addresses.

When did the incident take place?

The data breach happened in late April 2018, but it was only disclosed in September.

How it occurred?

Chegg reported the incident in an 8-K form filed with the SEC, and stated that “an unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company’s family of brands such as EasyBib.”

11. Panera Bread

panera-bread

How many records were exposed?

37 million.

What was stolen?

All the personal details including names, addresses, email addresses, phone numbers, dates of birth, and the last four digits of customer credit card numbers.

When did the incident take place?

The data breach took place from August 2^nd, 2017, to April 2^nd, 2018. While it was first discovered in August 2017, it was publically disclosed on April 2^nd, 2018.

How it occurred?

A database leak led to the plaintext exposure of customer records. Panera was notified on August 2, 2017, but ignored repeated requests by security researchers to fix the database leak. Eight months later, they secured the leak.

12. Facebook

How many records were exposed?

30 million

What was stolen?

Sensitive information, including recent searches, locations, relationship status, contact details, and devices used to access Facebook.

When did the incident take place?

The vulnerability was introduced on Facebook in July 2017 and uncovered in September 2018.

How it occurred?

The attackers successfully exploited vulnerabilities in the popular social network’s code to steal “access tokens” – digital keys that enable Facebook to keep people logged in – and the collected users’ data without their knowledge.

13. Ticketfly

How many records were exposed?

27 million

What was stolen?

Personal data, including phone numbers, names, email addresses, and physical addresses.

When did the incident take place?

Ticketfly fell victim to the “malicious cyberattack” in late May 2018.

How it occurred?

The data breach was carried out by a hacker known as IsHaKdZ. They gained access to Ticketfly’s “backstage” database – which contains client info for all the festivals, venues, and promoters that utilize their services – by compromising the site’s webmaster.

14. Timehop

How many records were exposed?

21 million

What was stolen?

Personal data was compromised, including names, date of births, phone numbers, and email addresses.

When did the incident take place?

Timehop faced a network intrusion in July 2018.

How it occurred?

The attacker used compromised admin credentials to access Timehop’s cloud computing environment and create a new account. Surprisingly, the initial account used to access the company’s cloud computing servers wasn’t secured with 2FA.

15. Sacramento Bee

Sacramento Bee

How many records were exposed?

19.5 million.

What was stolen?

All the personal details including names, addresses, email addresses, phone numbers, party affiliations, dates of birth, places of birth.

When did the incident take place?

Sacramento Bee suffered the data breach on January 2017. However, it wasn’t until February 7^th, 2018 that it was disclosed to the public.

How it occurred?

Hackers were able to seize a voter registration database the Bee had obtained from the state for reporting purposes and another of personal information of Bee subscribers.

16. Careem

How many records were exposed?

14 million

What was stolen?

Phone numbers, names, trip data, and email addresses.

When did the incident take place?

The data breach was carried out in January 2018 but wasn’t disclosed until April.

How it occurred?

Hackers gained access to a computer system which stored drive and customer account information.

17. Cathay Pacific Airways

How many records were exposed?

9.4 million

What was stolen?

Personal information, including names, home addresses, ID card numbers, email addresses, passport numbers, date of births, and credit card numbers.

When did the incident take place?

Suspicious activity was detected in March 2018.

How it occurred?

It’s still not clear who was behind the data breach and how they accessed passenger data “without authorization”.

18. SHEIN

How many records were exposed?

6.42 million

What was stolen?

Encrypted passwords and email addresses of customers.

When did the incident take place?

SIEN was breached sometime in June 2018, but it wasn’t until late August that they came to know about it.

How it occurred?

According to the fashion retailer, the hack was the result of a sophisticated cyberattack on their computer network.

19. Saks and Lord & Taylor

How many records were exposed?

5 million

What was stolen?

Data on credit and debit cards used at the stores in North America.

When did the incident take place?

The exact date of the breach hasn’t been shared.

How it occurred?

A hacking group known as JokerStash announced that it had put up the payment card information of Saks and Lord & Taylor customers for sale on the “dark web”.

20. myPersonality

How many records were exposed?

4 million

What was stolen?

Intimate details of Facebook users who used the rogue app, including psychological test results.

When did the incident take place?

Just months after the Facebook-Cambridge Analytica data scandal. The app was then banned from the social network in April 2018.

How it occurred?

The myPersonality app mishandled sensitive information by sharing it with researchers and companies.

21. T-Mobile

How many records were exposed?

About 2 million

What was stolen?

Email addresses, encrypted passwords, billing information, and account numbers.

When did the incident take place?

The company was hit by a data breach in August 2018.

How it occurred?

Hackers were able to gain access to T-Mobile’s servers by exploiting a vulnerability in an API.

22. Orbitz

Orbitz

How many records were exposed?

880,000.

What was stolen?

Card and personal information such as billing addresses, phone numbers, and emails.

When did the incident take place?

The data breach took place from January 1^st, 2016 to December 22^nd, 2017.

How it occurred?

Hackers were able to access travel bookings in the website’s system.

23. British Airways

british-airways

How many records were exposed?

380,000.

What was stolen?

Card payments which included names, home addresses, and email addresses.

When did the incident take place?

According to British Airways, the data breach was carried out from August 21^st, 2018 to September 5^th, 2018, and was first discovered on September 6^th, 2018. However, it was disclosed to the public on September 7^th, 2018.

How it occurred?

The hacking group injected malicious code on the unsecured webpage of British Airways’ website.

Wrapping Things Up

We’d recommend staying up-to-date with the latest happenings in terms of data breaches so that you can keep a check on everything that requires your immediate attention. Wishing everybody a safer 2019 from the team here at PureVPN – the world’s fastest VPN service!

Topics :

Haris Shahid

June 20, 2023

10 months ago

Haris Shahid has a genuine passion in covering the latest happenings in the cyber security, privacy, and digital landscape. He likes getting out and about, but mostly ends up spending too much of his time behind a computer keyboard. He tweets at @harisshahid01

Have Your Say!!

Cookie	Duration	Description
__stripe_mid	1 year	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
__stripe_sid	30 minutes	This cookie is set by Stripe payment gateway. This cookie is used to enable payment on the website without storing any patment information on a server.
Affiliate ID	3 months	Affiliate ID cookie
cookielawinfo-checbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
Data 1	3 months
Data 2	3 months	Data 2
JSESSIONID	session	Used by sites written in JSP. General purpose platform session cookies that are used to maintain users' state across page requests.
PHPSESSID	session	This cookie is native to PHP applications. The cookie is used to store and identify a users' unique session ID for the purpose of managing user session on the website. The cookie is a session cookies and is deleted when all the browser windows are closed.
woocommerce_cart_hash	session	This cookie is set by WooCommerce. The cookie helps WooCommerce determine when cart contents/data changes.
XSRF-TOKEN	session	The cookie is set by Wix website building platform on Wix website. The cookie is used for security purposes.

Cookie	Duration	Description
__lc_cid	2 years	This is an essential cookie for the website live chat box to function properly.
__lc_cst	2 years	This cookie is used for the website live chat box to function properly.
__lc2_cid	2 years	This cookie is used to enable the website live chat-box function. It is used to reconnect the customer with the last agent with whom the customer had chatted.
__lc2_cst	2 years	This cookie is necessary to enable the website live chat-box function. It is used to distinguish different users using live chat at different times that is to reconnect the last agent with whom the customer had chatted.
__oauth_redirect_detector		This cookie is used to recognize the visitors using live chat at different times inorder to optimize the chat-box functionality.
Affiliate ID	3 months	Affiliate ID cookie
Data 1	3 months
Data 2	3 months	Data 2
pll_language	1 year	This cookie is set by Polylang plugin for WordPress powered websites. The cookie stores the language code of the last browsed page.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_ga_J2RWQBT0P2	2 years	This cookie is installed by Google Analytics.
_gat_gtag_UA_12584548_1	1 minute	This cookie is set by Google and is used to distinguish users.
_gat_UA-12584548-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gcl_au	3 months	This cookie is used by Google Analytics to understand user interaction with the website.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	No description available.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description available.
_hjIncludedInSessionSample	2 minutes	No description available.
_hjTLDTest	session	No description available.
PAPVisitorId	1 year	This cookie is set by the Post Affiliate Pro.This cookie is used to store the visitor ID which helps in tracking the affiliate.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to deliver advertisement when they are on Facebook or a digital platform powered by Facebook advertising after visiting this website.
fr	3 months	The cookie is set by Facebook to show relevant advertisments to the users and measure and improve the advertisements. The cookie also tracks the behavior of the user across the web on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
NID	6 months	This cookie is used to a profile based on user's interest and display personalized ads to the users.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Cookie	Duration	Description
_app_session	1 month	No description available.
_dc_gtm_UA-12584548-1	1 minute	No description
_gfpc	session	No description available.
71cfb2288d832330cf35a9f9060f8d69	session	No description
cli_bypass	3 months	No description
CONSENT	16 years 6 months 13 days 18 hours	No description
gtm-session-start	2 hours	No description available.
isoCode	1 month	No description available.
L-k26wU	1 day	No description
L-KVHA4	1 day	No description
m	2 years	No description available.
newVisitorId	3 months	No description
owner_token	1 day	No description available.
PP-k26wU	1 hour	No description
PP-KVHA4	1 hour	No description
RL-k26wU	1 day	No description
RL-KVHA4	1 day	No description
wisepops	2 years	No description available.
wisepops_session	session	No description available.
wisepops_visits	2 years	No description available.
woocommerce_items_in_cart	session	No description available.
wp_woocommerce_session_1b44ba63fbc929b5c862fc58a81dbb22	2 days	No description
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

23 of The Biggest Data Breaches of 2018

1. Aadhaar

2. Marriott Starwood

3. Exactis

4. Twitter

5. MyFitnessPal

6. Quora

7. MyHeritage

8. Facebook-Cambridge Analytica

9. Google+

10. Chegg

11. Panera Bread

12. Facebook

13. Ticketfly

14. Timehop

15. Sacramento Bee

16. Careem

17. Cathay Pacific Airways

18. SHEIN

19. Saks and Lord & Taylor

20. myPersonality

21. T-Mobile

22. Orbitz

23. British Airways

Wrapping Things Up

Topics :

What is the Golden Ticket

How it works: