Top 18 cyber-security breaches in 2018

5 min read

Top 18 cyber security breaches of 2018

Nowadays, our entire lives seem to be online. From the name to phone number to credit card data and even social security numbers. So You can only imagine how a cyber-security breach can make us all re-evaluate how much we put online.

This blog post is not to scare you out of using the internet and crawling into a cave or a remote village with no electricity. Rather, it’s more about understanding where we are at when it comes to cyber-security and how we can make the web a safer place for all of us

So, without further ado, here are the top 18 cyber-security breaches of 2018;

Facebook logo for worst hack in Facebook's 14 years history in 2018.


Also describes as the worst hack in Facebook’s 14 years history. The hackers were able to exploit vulnerabilities in Facebook’s code to get their hands on “access tokens” — essentially digital keys that give them full access to compromised users’ accounts — and then scraped users’ data.

This data consists of locations, contact details, relationship status, and recent searches — highly sensitive data that could be used to facilitate identity theft.

Facebook released a statement explaining the whole issue

“the attackers exploited a vulnerability in Facebook’s code that existed between July 2017 and September 2018. The vulnerability was the result of a complex interaction of three distinct software bugs and it impacted “View As,” a feature that lets people see what their own profile looks like to someone else.”


Now, this is a brand that has always been on top of its security game and has always shown constant respect to its users.

On December 10th of 2018, Google announced that it would be shutting down Google+ earlier than planned. This is because they discovered a bug that affected users’ data.

Although this was not the doing of a third party. The bug allowed data to be viewed even if the user chose to make them private.


Careem, one of the region’s most prominent startups, was hit earlier last year with a cyber-attack that put the users’ data at risk on January 14, when access was gained to a computer system that stored customer and driver account information.

Names, email addresses, phone numbers and trip data were stolen, though there was no evidence that passwords or credit card information – held on external third-party servers – were compromised


Chegg is a US-based tutoring and textbook rental service. this is considered to be the first big attack since it was founded in 2005.

An unauthorized party gained access to a Company database that hosts user data for and certain of the Company’s family of brands such as EasyBib,” said Chegg in its SEC filing.

Chegg said the hacker(s) ‘may have’ gained access to user data such as names, email addresses, shipping addresses, usernames, and passwords.

The ed tech company said it plans to reset passwords and notify its user base, estimated at over 40 million in order to deal with such attack.

5-British Airways

British Airways suffered a breach of “criminal nature”. This breach affected the financial and personal data of hundreds of thousands of clients that booked online between August 21 and September 5.

The airways contacted clients who were affected and encourage those who believe might have been affected to contact their bank.


It appears that a computer belonging to SingHealth, one of the state’s two major government healthcare groups, was infected with malware through which the hackers gained access to the database.

Hackers have stolen personal data in Singapore belonging to some 1.5 million people, or about a quarter of the population, officials say.

Data includes names and addresses but, thankfully, not medical records other than the drugs dispensed.


The BIGGEST data breach on the list, affecting 1.1 BILLION.

A data leak on a system run by a state-owned utility company Indane allowed anyone to download private information on all Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and information about services they are connected to, such as their bank details and other private information.

Although, initially this was labelled as fake news. However,  it is now a case in the supreme court.


This one is kinda related to the Cambridge Analytica scandal which we’ll talk about later on.

myPersonality is an app that was brought to Facebook’s attention after they failed to agree to the audit. Facebook investigated the incident and they banned myPersonality.

In a blog post by Facebook, They stated that the app was clearly sharing user information with researchers and that they “mishandled” information.

Facebook notified people affected but not their friends, as there is no reason to believe their data was involved.

“Given we currently have no evidence that myPersonality accessed any friends’ information, we will not be notifying these people’s Facebook friends. Should that change, we will notify them.”

In September of last year, SHEIN announced a security breach that affected around 6.42 million of its customer base. The company says the breach occurred over the summer, sometime in June, when hackers carried out “a sophisticated criminal cyberattack on its computer network.”

SHEIN did not say how the breach happened but said the intruders gained access to the email address and encrypted passwords of users.


A hacker called “IsHaKdZ” compromised the site’s webmaster and “gained access to a database titled ‘backstage,’ which contains client information for all the venues, promoters, and festivals that utilize Ticketfly’s services.”

“In consultation with third-party forensic cybersecurity experts, we can now confirm that credit and debit card information was not accessed. However, information including names, addresses, email addresses and phone numbers connected to approximately 27 million Ticketfly accounts was accessed.”

Ticketfly is an event ticketing company based in the US.


A security researcher informed DNA testing and genealogy website MyHeritage that a file with 92 million user email addresses and scrambled passwords were found on a server outside of the company.

more sensitive information, such as credit card information, family trees, and DNA data, are stored in a different place than email addresses and passwords, and MyHeritage believes that information was never compromised.

MyHeritage is rolling out two-factor authentication, which lets users log in using a code sent to a mobile device in addition to a password.


I think we all noticed how we suddenly were logged out of Quora for no apparent reason. Well, here is the reason. A third party gained access to quora servers and compromised Account information, including name, email address, encrypted password and data imported from linked networks when authorized by users.

About 100 million users of Quora were affected by unauthorized access to one of its systems by a “malicious third party,”


Earlier last year,  An “unauthorized party” gained access to data from user accounts on MyFitnessPal, an Under Armour-owned fitness app.

The investigation indicates that the affected information included usernames, email addresses, and hashed passwords — the majority with the hashing function called bcrypt used to secure passwords.

In a statement by Under Armour.

14-Saks and Lord & Taylor

The well known high-end store was put under fire march of last year when they discovered customer data was stolen by a hacking group.

New York-based security firm Gemini Advisory LLC says that a hacking group called JokerStash announced that it had put up for sale more than 5 million stolen credit and debit cards, and that the compromised records came from Saks and Lord & Taylor customers.

15-Cambridge Analytica

We have all heard of this on the news. We have all seen Mark with his poker face and robot voice, sweating in front of a court full of judges. Let me spill the peas.

A personality prediction app called “thisisyourdigital life,” developed by a University of Cambridge professor, improperly passed on user information to third parties that included Cambridge Analytica, a data analytics firm that assisted President Trump’s presidential campaign by creating targeted ads using millions of people’s voter data.

Only 270,000 Facebook users actually installed the app, but due to Facebook’s data sharing policies at the time, the app was able to gather data on millions of their friends.


Exactis is not very known and you’ve probably never heard of it. Yet, it gained a lot of publicity after it left the data of almost every single American citizen exposed on the web.

Security researcher Vinny Troia discovered that Exactis, a data broker based in Palm Coast, Florida, had exposed a database that contained close to 340 million individual records on a publicly accessible server.

Exactis is a marketing and data aggregation firm based in Palm Coast, Florida.

Although they didin’t state how it happened, the data of about 2 million users were compromised last year. In a statement, they said:

None of your financial data (including credit card information) or social security numbers were involved, and no passwords were compromised. However, you should know that some of your personal information may have been exposed, which may have included one or more of the following: name, billing zip code, phone number, email address, account number, account type (prepaid or postpaid), and/or date of birth.

However, Later on in a blog post by motherboard, The writer claims that passwords were indeed compromised and the reason they didn’t mention in was because the passwords were “encrypted”.


Oh, I LOVE this one! You might not know much about BJ.58 but let me tell you about it. This is a job search website just like WUZZUF and similar to LinkedIn. So, 854 GB of data that belongs to MILLIONS (202,730,434 individuals to be exact) was open for anyone to find. No password in the way. No login authentication. No protection whatsoever.

You can read all about it in this blog post

Well, believe it or not, our list is over but cyber-attacks are definitely far from finished. Cyber-security is so essential for your business. So make sure you keep yourself, and your business safe.

You can also follow us on facebook, twitter, linkedIn, and GitHub.