Security News

Biggest Data Breaches of 2020

Cyber security attacks are on the rise and the arrival of COVID-19 has done nothing to slow the onslaught. In fact, it has given attackers a whole new ballpark in which they can play. As 2020 draws to a close, here are some of the biggest breaches this year (so far):

1) Cosmetics giant Estée Lauder suffered a data breach that saw over 440 million records compromised, including the exposure of internal company emails and non-consumer email addresses.

2) Microsoft announced a breach of one of its customer databases, housing 250 million records containing logs of conversations between Microsoft support agents and customers from all over the world over a 14-year period.

3) More than 200 million records containing a wide range of property-related information of US residents were left exposed on a database that was accessible on the web without requiring any password or authentication.

4) A hacker leaked the details of 20 million users - part of a larger batch of 39 million records - of Aptoide, a third-party app store for Android applications.

5) Over 265 million records of Facebook users were sold on a hacker forum for US$600.

6) The information of nine million customers of budget airline easyJet was exposed, including over 2,200 credit card records, following a cyberattack.

7) International hotel chain Marriott announced that a data breach had impacted nearly 5.2 million hotel guests, making it the second security incident to hit the company in recent years.

8) A hacker leaked the usernames and passwords of nearly 23 million players of the online children's game, Webkinz World.

9) Security researchers discovered that the database of the exercise app, Kinomap, was "lying around", completely unsecured and unencrypted, potentially leaving the data of 42 million users open to 'whoever'.

10) A hacker sold a database containing the information of 91 million Tokopedia accounts on a dark web market for as little as $5,000, while other threat actors were cracking passwords and sharing them online.

11) Details of 115 million Pakistani mobile subscribers surfaced online after a hacker tried to sell the package for 300 bitcoins (US$2.1 million).

12) A hacker group claimed to have breached ten companies, selling their respective user databases, totalling more than 73 million user records, for around $18,000 each on a dark web marketplace.

13) More than 192 million records were leaked when a server belonging to Brazilian cosmetic giant Natura was exposed to the public for two weeks.

14) A hacker breached the 'image comparing' app Wishbone and leaked 40 million user records containing a treasure trove of information that could be used for phishing campaigns, account takeovers, and credential stuffing attacks.

15) A 2019 data breach that targeted MGM Resorts, in which it was thought over 10 million customers were affected, turned out to be far greater when, in July this year, a hacker posted an ad selling the data of over 142 million MGM customers for US$2,900.

16) Around 271 million user records of the 'user-generated story' platform, Wattpad, were made available for free on an English- and Russian-speaking hacker forum, after initially being offered for ten Bitcoin.

17) Over 386 million user records, stolen from eighteen companies during data breaches, were placed on a hacker forum for free by a threat actor.

18) A hacker sold the details of three million Dickey's Barbecue Pit customer credit cards on a dark web marketplace.

19) The data of 20 million users of India's biggest online supermarket, BigBasket, was discovered for sale on the dark web after a hacker breached the company's cyber defences.

20) WeLeakInfo sold itself as "the most extensive private database search engine". Alas, it was anything but this and offered 12 billion usernames and passwords from over 10,000 data breaches for sale.

Cyber criminals are always looking for new ways to ply their trade. However, in most cases, basic cybersecurity practices can go a long way towards preventing attacks. These include strong passwords, two-factor authentication (2FA) and being alert to suspicious emails and links that could be 'phishing expeditions'.

Another way to stay cyber-secure is by keeping track of vulnerabilities affecting your software. Patching and updating software is essential. Doing this ensures that your software - and, in many cases, your business and its assets - is safe from cyber attack.

Keeping track of vulnerabilities can be a time-consuming process. SecAlerts makes this task easier by matching vulnerability alerts to your software stack. Join our 1,500+ global users - including GitLab, Lonely Planet, and Deloitte (UK) - and try our free (weekly) service.

+ + +

Thanks for visiting SecAlerts and reading this story. We offer a free weekly CVE alert service, or an hourly service from $US20/mth, both of which include software updates and news relating to your software stack. Join more than 1,500 other users and sign up.
