23 Most Notorious Hacks in History that Fall Under the OWASP Top 10

securityboulevard.com – 2023-03-28 08:23:09 – Source link

Hacks and data leaks have affected many major players in recent years, including an AT&T vendor (9 million accounts), T-Mobile (37 million accounts), JD Sports (10 million), MyDeal (2.2 million), Dropbox (nearly 69 million accounts), Flagstar Bank (1.5 million) and eBay (145 million).

Those were bad, but not the worst. Which are the most notorious hacks in history? The answer is open to debate, but the 23 incidents below, grouped by the OWASP Top 10 category they best fit, are strong candidates for the title.

Broken Access Control


1. Microsoft Exchange Server Vulnerability (2021)

In early 2021, Microsoft Exchange Server, the on-premises email and collaboration system used by many organizations, was targeted by a hacking campaign that Microsoft attributed to HAFNIUM, a state-sponsored group operating from China. The entry point, later known as ProxyLogon, was not a BOLA flaw in the API sense but a pre-authentication server-side request forgery (CVE-2021-26855) that let an unauthenticated attacker impersonate the Exchange server to its own backend and pass its access checks, which is why it sits under broken access control.

Once past that check, the attackers chained further flaws, including a post-authentication arbitrary file write, to drop web shells on the servers. The web shells gave them arbitrary code execution and persistent access, and from there they could read mailbox contents and harvest credentials from the compromised hosts.

The scope of the attack was significant, with tens of thousands of organizations reportedly affected worldwide. Microsoft issued emergency patches for the affected Exchange servers, but many organizations were slow to apply them, leaving their systems vulnerable to attack.

The attack was highly sophisticated and well-coordinated, and it is believed to have been carried out to steal sensitive data for espionage purposes.

2. First American Financial Corp Data Leak (2019)

The US-based mortgage settlement and real estate financial services company First American Financial Corp suffered one of the biggest data exposures in history in 2019. Ben Shoval, a real estate developer, found that roughly 885 million documents containing sensitive customer data dating back to 2003 (bank account numbers, Social Security numbers, wire transaction receipts, mortgage and tax records) were freely accessible on the company's website. He notified the company, and the exposure was then publicised by journalist Brian Krebs.

This was not an intrusion but a design flaw in the company's own document-sharing application. First American's security staff had already identified an Insecure Direct Object Reference (IDOR) in it during a manual penetration test in January of that year, but the finding was not remediated. Each document was served from a URL containing a sequential numeric record ID, and the application never checked that the requester was entitled to that record, so anyone holding one valid link could read other customers' documents simply by changing the number, with no authentication at all.
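The flaw pattern described above, as an added example (not First American's code): a handler that trusts the record ID in the URL beside one that enforces object-level authorization, plus the enumeration loop an attacker runs against the first. The in-memory document table, the `Request` type and the `Forbidden` exception are stand-ins for a real web stack.

```python
"""Insecure direct object reference (IDOR), the flaw class behind the First
American exposure: a handler that trusts the record ID in the URL, beside a
version that enforces object-level authorization.

Added example, not First American's code. The in-memory DOCUMENTS table,
Request type and Forbidden exception are stand-ins for a real web stack."""
import secrets
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Request:
    user_id: Optional[str]   # None means an unauthenticated visitor
    doc_id: str              # the value taken straight from the URL


# Constructed sample store. Sequential IDs are what makes enumeration trivial.
DOCUMENTS = {
    "1001": {"owner": "alice", "body": "closing statement for alice"},
    "1002": {"owner": "bob", "body": "wire instructions for bob"},
    "1003": {"owner": "carol", "body": "title report for carol"},
}


class Forbidden(Exception):
    """Raised for both 'no such record' and 'not your record'."""


def get_document_vulnerable(req: Request) -> str:
    """Looks the record up by the ID in the URL and returns it to whoever asked.
    No authentication, no ownership check: the URL is the only 'credential'."""
    return DOCUMENTS[req.doc_id]["body"]


def get_document_hardened(req: Request) -> str:
    """Object-level authorization: the caller must be authenticated and must own
    the record. A missing record and someone else's record raise the same error
    with the same message, so the endpoint cannot be used to probe which IDs exist."""
    if req.user_id is None:
        raise Forbidden("not found")
    doc = DOCUMENTS.get(req.doc_id)
    if doc is None or doc["owner"] != req.user_id:
        raise Forbidden("not found")
    return doc["body"]


def enumerate_sequential(handler: Callable[[Request], str], start: int,
                         count: int, user_id: Optional[str] = None) -> List[str]:
    """The 'change the number in the URL' attack, in code: walk a range of IDs
    and keep whatever the handler hands back."""
    leaked = []
    for n in range(start, start + count):
        try:
            leaked.append(handler(Request(user_id, str(n))))
        except (KeyError, Forbidden):
            continue
    return leaked


def new_document_id() -> str:
    """Defence in depth: unguessable identifiers, so an attacker cannot simply
    increment. This complements the ownership check; it never replaces it."""
    return secrets.token_urlsafe(16)
```

Run `enumerate_sequential(get_document_vulnerable, 1000, 10)` and every document comes back with no credentials at all; the hardened handler returns nothing to an anonymous caller and only Bob's own record to Bob. Random IDs raise the cost of guessing, but the ownership check is the actual fix: an attacker who obtains a random ID through a shared link must still be its owner.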

3. Quora Data Breach (2018)

Roughly 100 million Quora users, about half of the user base at the time, had their data exposed in one of the biggest incidents of 2018 after a malicious third party gained unauthorized access to one of Quora's systems.

The breach was discovered on November 30, 2018, and Quora publicly announced the incident on December 3, 2018.

According to Quora, the information that was compromised included:

  • Account information, such as usernames and email addresses
  • Passwords, stored salted and hashed (Quora described them as "encrypted")
  • Data imported from linked networks, such as Facebook and Twitter

Quora said it had taken immediate action to investigate the incident and notified law enforcement authorities. The company also said that it had reset the passwords of affected users and had logged them out of their accounts.

The Quora data breach highlights the importance of strong password hygiene and the need for users to use unique passwords for each online account. It also underscores the need for companies to implement robust security measures to protect their users’ personal information.

4. Cambridge Analytica Scandal (2018)

In 2018 it emerged that political consulting firm Cambridge Analytica had obtained personal data on tens of millions of Facebook users (Facebook's own estimate was up to 87 million) without their consent. No bug was exploited. A personality-quiz app, installed by roughly 270,000 users, used the permissions that Facebook's Graph API granted third-party apps at the time to pull profile data not only from those users but from their friends, who had never interacted with the app. The access-control failure was in the platform's design, which let one user consent to the release of other people's data.

The scandal brought to light the issue of data privacy and the need for stricter access control measures to protect user data. Facebook faced widespread criticism for its role in the breach and was fined $5 billion by the U.S. Federal Trade Commission for violating users’ privacy.

5. The University of California, Los Angeles (UCLA) Data Breach (2014)

In 2014, attackers gained access to the network of UCLA Health, the university's health system; UCLA disclosed in 2015 that they had reached parts of the network holding personal information on approximately 4.5 million individuals. Suspicious activity was detected in October 2014, but it was not until May 2015 that investigators determined the attackers could have accessed the patient database.

The data compromised in the breach included names, Social Security numbers, dates of birth, addresses, and medical information of patients and staff associated with the university’s health system.

6. Target Data Breach (2013)

In late 2013, Target suffered a breach that exposed the credit and debit card data of approximately 40 million customers and the personal details of up to 70 million more. The attackers got in with credentials stolen from a heating and ventilation contractor, Fazio Mechanical Services, and Target's network was not segmented tightly enough to keep a vendor login away from the payment systems.

Target's network was supposed to segregate vendor-facing systems from the point-of-sale environment, but that segregation was not properly implemented or monitored. The stolen vendor credentials gave access to a billing and project-management portal; from there the attackers moved laterally into the POS network and installed memory-scraping malware on registers that collected card data before it was encrypted. Target's own security tooling raised alerts during the intrusion that were not acted on in time.

Cryptographic Failures / Sensitive Data Exposure


7. Twitter Breach (2022)

Twitter's API was a classic case of excessive data exposure in 2022. A flaw introduced in a June 2021 code change and reported through Twitter's bug bounty program in January 2022 had already been exploited by the time it was fixed; in July 2022 a dataset on 5.4 million accounts built with it was offered for sale on a hacking forum. Larger datasets assembled the same way, one advertised as covering 400 million accounts in December 2022 and a deduplicated set of roughly 200 million records released in January 2023, circulated afterwards.

The flaw was an account-lookup endpoint that, given an email address or phone number, returned the Twitter ID of any account linked to it. Anyone holding a list of emails or phone numbers could therefore map them to handles in bulk, including for accounts that had chosen not to be discoverable. That left users, among them celebrities, politicians and activists running pseudonymous accounts, exposed to deanonymisation, social engineering, targeted phishing and identity theft.
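An added example (not Twitter's code) of the oracle described above, beside a lookup that does not leak membership: the hardened version answers identically whether or not the contact is registered, does its real work out of band, and rate limits each caller. The account table, the rate-limit window and the injected clock are constructed stand-ins.

```python
"""An account-lookup endpoint of the kind abused in the 2022 Twitter scrape
(take an email or phone number, tell the caller which account it belongs to),
beside a version that does not act as an oracle.

Added example, not Twitter's code. ACCOUNTS is a constructed directory; the
rate-limit window, the outbox and the injected clock are illustrative stand-ins."""
import time
from collections import defaultdict, deque
from typing import Callable, Dict, List, Optional, Tuple


# Constructed sample directory: contact detail -> account id.
ACCOUNTS: Dict[str, str] = {
    "alice@example.com": "u_1001",
    "+15550100": "u_1002",
}


def lookup_vulnerable(contact: str) -> Optional[str]:
    """Returns the linked account id, or None if nothing matches.
    Run over a list of leaked emails and phone numbers, this maps them to
    handles in bulk, including for accounts that opted out of discoverability."""
    return ACCOUNTS.get(contact)


class ContactLookup:
    """Hardened lookup: the caller gets the same answer whether or not the
    contact is registered, any real action (e.g. a recovery message) goes to
    the contact itself rather than back to the caller, and each caller is
    rate limited so bulk probing stalls and stands out in logs."""

    NEUTRAL = "if that contact is registered, a message has been sent to it"
    THROTTLED = "too many requests"

    def __init__(self, max_per_window: int = 5, window_s: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic):
        self.max_per_window = max_per_window
        self.window_s = window_s
        self.clock = clock
        self.calls: Dict[str, deque] = defaultdict(deque)  # caller -> timestamps
        self.outbox: List[Tuple[str, str]] = []            # side channel, never returned

    def _allowed(self, caller: str) -> bool:
        now = self.clock()
        recent = self.calls[caller]
        while recent and now - recent[0] > self.window_s:
            recent.popleft()
        if len(recent) >= self.max_per_window:
            return False
        recent.append(now)
        return True

    def lookup(self, caller: str, contact: str) -> str:
        if not self._allowed(caller):
            return self.THROTTLED
        if contact in ACCOUNTS:
            # The work happens out of band; the response below is identical
            # either way, so the caller learns nothing about membership.
            self.outbox.append((contact, "account recovery message"))
        return self.NEUTRAL
```

The neutral response closes the content channel; the remaining risk is timing, so anything expensive done for registered contacts should be queued asynchronously rather than performed inline. Keying the limiter on the caller (IP, session or API key) rather than on the contact is deliberate: limiting per contact would let one attacker probe millions of different addresses once each.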

8. Exactis (2018)

The Exactis exposure of 2018 is another of the biggest data leaks in history, and no hacking was needed. Exactis is a marketing and data aggregation company that profiles consumers across hundreds of attributes for ad targeting.

It had left nearly 2 TB of data on an Elasticsearch server reachable from the internet without a password. Records on about 340 million people and businesses, each with up to 400 attributes describing personal characteristics, were exposed to anyone who found the server.

9. Facebook Data Breach (2019)

In 2019, data on more than 533 million Facebook users was scraped from the platform; the full dataset (phone numbers, Facebook IDs, names, locations, birthdates and some email addresses) was dumped for free on a hacking forum in April 2021. The scrapers abused the contact-importer feature, which let them upload large lists of phone numbers and learn which accounts matched, until Facebook changed the feature in August 2019.

Separately, in March 2019 Facebook disclosed that it had been logging hundreds of millions of user passwords in plaintext on internal servers, readable by thousands of employees, instead of storing only salted hashes. That, not the scraping, is the cryptographic failure here: plaintext storage means one leaked log or one malicious insider yields every password directly, with no cracking required.
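An added example (not Facebook's or Quora's code) of what "storing only salted hashes" means in practice, using nothing beyond the Python standard library: PBKDF2-HMAC-SHA256 with a fresh per-user salt, constant-time verification, and a hook for upgrading old records. The iteration count is a policy assumption taken from current OWASP guidance.

```python
"""Password storage done wrong and done right, for the plaintext-logging
failure described above. Added example; it is not Facebook's or Quora's code.
Uses only the standard library: PBKDF2-HMAC-SHA256 with a per-user random salt."""
import base64
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # current OWASP guidance for PBKDF2-HMAC-SHA256 (assumed policy)


def store_plaintext(password: str) -> str:
    """What a plaintext store amounts to: whoever reads the record (or the log
    it leaked into) has the password. Shown only as the 'before'."""
    return password


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS) -> str:
    """Returns a self-describing record: algorithm, cost, salt and derived key.
    A fresh 16-byte salt per password means equal passwords get different records
    and an attacker cannot precompute one table for the whole user base."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGO,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recomputes the key with the stored salt and cost and compares in constant
    time, so response timing does not leak how many leading bytes matched."""
    algo, iterations, salt_b64, key_b64 = record.split("$")
    if algo != ALGO:
        raise ValueError(f"unsupported record type: {algo}")
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(key_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record was made with a lower cost than current policy; call
    hash_password again on the next successful login to upgrade it in place."""
    algo, stored_iterations, _salt, _key = record.split("$")
    return algo != ALGO or int(stored_iterations) < iterations
```

Where a third-party library is acceptable, Argon2id or bcrypt are preferable to PBKDF2 because they are memory-hard and resist GPU cracking better; the record format and the rehash-on-login pattern stay the same. The logging side of Facebook's failure is a separate control: passwords must be scrubbed from request logs and crash dumps, since a perfect hash in the database is undone by a plaintext copy in the logs.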

Injection Attacks


10. Kaseya Ransomware Attack (2021)

Kaseya sells IT management software to managed service providers (MSPs) and enterprises. Over the US Independence Day weekend in 2021 its VSA remote-monitoring product was turned into a ransomware delivery channel; the REvil group claimed responsibility. Around 60 MSPs were hit directly and an estimated 800 to 1,500 downstream businesses had systems encrypted.

Attackers chained zero-day flaws in on-premises VSA servers (an authentication bypass, an arbitrary file upload and an injection flaw that gave code execution) and then used VSA's own agent-management channel to push a malicious "update" that dropped the ransomware onto every endpoint the affected MSPs managed. Not the biggest attack by size, but notorious for how one product's flaws fanned out through a supply chain.

11. WooCommerce Leak (2021)

WooCommerce is the most widely used e-commerce plugin for the WordPress CMS. In July 2021 a SQL injection flaw was reported through WooCommerce's bug bounty program in the core plugin and the WooCommerce Blocks feature plugin; because it was reachable without authentication, WooCommerce pushed forced updates to as many sites as it could. Roughly 5 million sites ran affected versions, and unpatched sites were left with the contents of their databases readable by anyone who could reach the site.
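An added example (not Kaseya's or WooCommerce's code) of the injection pattern behind this whole section: a list of record IDs taken from a request and pasted into a query, beside the validated, parameterised version, run against an in-memory SQLite database. The schema, rows and the UNION payload are constructed.

```python
"""SQL injection through a list of record IDs taken from a request, the general
shape of many web-app SQLi flaws including those found in e-commerce plugins,
shown against an in-memory SQLite database.

Added example, not Kaseya's or WooCommerce's code. The schema and rows are
constructed; the attack string is a generic UNION-based payload."""
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample schema: a public products table and a users table
    that should never be readable through the product search."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
        CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password_hash TEXT);
        INSERT INTO products VALUES (1, 'mug', 9.5), (2, 'shirt', 19.0), (3, 'hat', 12.0);
        INSERT INTO users VALUES (1, 'admin@example.com', 'pbkdf2_sha256$600000$c2FsdA==$aGFzaA==');
    """)
    return conn


def products_by_ids_vulnerable(conn: sqlite3.Connection, ids_csv: str) -> List[Tuple]:
    """The request parameter is pasted into the statement. Whatever the caller
    puts in ids_csv reaches the SQL parser as code, not data."""
    sql = f"SELECT name, price FROM products WHERE id IN ({ids_csv})"
    return conn.execute(sql).fetchall()


def products_by_ids_hardened(conn: sqlite3.Connection, ids_csv: str) -> List[Tuple]:
    """Validate the shape first (every element must be an integer), then bind each
    value as a parameter so the driver, not string concatenation, separates code
    from data. A UNION payload now fails at int() before it gets near the database."""
    ids = [int(part.strip()) for part in ids_csv.split(",")]
    placeholders = ",".join("?" for _ in ids)
    sql = f"SELECT name, price FROM products WHERE id IN ({placeholders})"
    return conn.execute(sql, ids).fetchall()


# Generic UNION-based payload: closes the IN (...) list, appends a second SELECT
# that pulls rows from another table, and comments out the trailing parenthesis.
UNION_PAYLOAD = "1) UNION SELECT email, password_hash FROM users --"
```

Against the vulnerable function the payload returns the admin's email and password hash alongside the mug; against the hardened one it raises `ValueError` before any SQL is built. The placeholder list is the one place where an f-string is still used, and it is built from the validated count of integers, never from request content.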

12. The Heartland Payment Systems Hack (2008)

Heartland Payment Systems, one of the world's largest credit card processors, handled about 100 million transactions a month for Visa, Mastercard, American Express and Discover.

Its system was compromised in 2008, and an estimated 130 Million customer accounts were accessed, making it one of the largest credit card hacks in history.

The intrusion began with a SQL injection attack on a web application on Heartland's corporate network. From there Albert Gonzalez and two Russian accomplices worked their way into the payment processing segment and planted sniffer programs that intercepted card data in transit and relayed it back to them.

The sniffers remained undetected for six months. Gonzalez was already in police custody for two other hacks (Dave & Buster’s and TJX) when the sniffer programs were discovered, and the Heartland investigation began.

He was found guilty in 2010 and sentenced to an unprecedented 20 years in prison.

What makes his crime even more incredible is that Gonzalez had been cooperating with government officials – including the Secret Service – as an informant since 2003.

He hacked and stole over 180 million credit and debit card accounts right under the noses of those authorities tasked with preventing cybercrime.

Security Misconfiguration


13. Capital One Breach (2019)

The Capital One breach of 2019 exposed customers’ sensitive personal, banking, and financial information, including Canadian social insurance and US social security numbers, loan applications, credit scores, credit limits, account balances, etc. This hack affected 100 million US and 6 million Canadian consumers, making it a major recent breach in history.

The attacker, a former Amazon Web Services (AWS) software engineer, stole about 140,000 US Social Security numbers, 80,000 linked bank account numbers and roughly one million Canadian social insurance numbers, alongside the broader application data.

She had left AWS some three years before the attack in March 2019, which relied on a scanning tool of her own that looked for AWS-hosted systems with a particular misconfiguration. Capital One's entry point was a web application firewall running on an EC2 instance that was vulnerable to server-side request forgery: the attacker could make it request the instance metadata service, obtain the temporary credentials of the instance's IAM role, and then use those over-privileged credentials to list and copy data from more than 700 S3 buckets. A misconfigured firewall plus an over-permissioned role, not a break-in through the perimeter.

The company was fined USD 80 million by the US Office of the Comptroller of the Currency (OCC) owing to the breach and paid USD 190 million in settling customer lawsuits.
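An added example (not Capital One's or AWS's code) of the control that closes the SSRF-to-metadata path described above: a guard that any user-driven fetch or proxy feature should call before connecting. The resolver is injected so the check runs offline; the hostname table it consults is constructed.

```python
"""Outbound-request guard against the SSRF-to-metadata path used in the Capital
One breach: a proxy/fetch feature must refuse to reach the cloud instance
metadata service (169.254.169.254 on AWS) or anything else internal.

Added example, not Capital One's or AWS's code. The resolver is injected so the
check runs offline; in production pass a function backed by socket.getaddrinfo
and connect to the IP you checked, not to the hostname, to avoid DNS rebinding."""
import ipaddress
from typing import Callable, List, Union
from urllib.parse import urlparse

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hostnames that alias metadata endpoints on common clouds (assumed list; extend per provider).
BLOCKED_HOSTNAMES = {"metadata.google.internal", "metadata", "instance-data"}


def is_internal(ip: IPAddress) -> bool:
    """Anything not globally routable is off limits for a user-supplied fetch."""
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def fetch_target_allowed(url: str, resolve: Callable[[str], List[str]]) -> bool:
    """True only if every address the host could resolve to is public.
    Rejects non-http(s) schemes, userinfo tricks, blocked hostnames, literal
    internal IPs (v4 and v6) and hostnames that resolve to internal IPs.
    A host the resolver cannot answer for is rejected too (fail closed)."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host or host.lower() in BLOCKED_HOSTNAMES:
        return False
    try:
        ips: List[IPAddress] = [ipaddress.ip_address(host)]   # literal IPv4/IPv6 address
    except ValueError:
        # Not a dotted/colon literal. Exotic spellings such as the decimal form
        # 2852039166 or octal octets are left to the resolver, which is why the
        # resolved addresses are checked rather than the spelling.
        ips = [ipaddress.ip_address(a) for a in resolve(host)]
    if not ips:
        return False
    return not any(is_internal(ip) for ip in ips)


def constructed_resolver(host: str) -> List[str]:
    """Constructed DNS table for offline use; a real deployment uses getaddrinfo."""
    table = {
        "example.com": ["93.184.216.34"],
        "rebind.attacker.test": ["93.184.216.34", "169.254.169.254"],  # split answer
        "2852039166": ["169.254.169.254"],  # what inet_aton makes of the decimal form
    }
    return table.get(host, [])
```

Two caveats a practitioner would add. First, the guard is necessary but not sufficient: the follow-on defence is to make the metadata service itself harder to reach, which on AWS means requiring IMDSv2 (a session token obtained with a PUT request and a hop limit of 1), since a GET-based SSRF through a proxy cannot complete that handshake. Second, the IAM role attached to a WAF instance should not have been able to list and read hundreds of buckets; least privilege on the role bounds the blast radius even when the SSRF succeeds.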

14. The Yahoo Hacks (2013 & 2014)

Poor Yahoo. Once the leading web portal, it has fallen on hard times, with users leaving for Google, Bing and others. Its cause was not helped when, in 2016, it revealed major breaches that had occurred years before.

The 2013 breach was initially disclosed as affecting one billion accounts; in 2017 Yahoo revised that to all three billion accounts that existed at the time. The data included names, dates of birth, security questions and answers, contact details and passwords hashed with the obsolete MD5 algorithm.

A separate intrusion in 2014 hit a further 500 million accounts. How many overlap with the 2013 set is unknown, so the number of distinct people affected is unclear. But it's a lot.

It’s the largest hack of a single entity in the history of the internet. That’s not a great claim to fame for a company trying to woo users back to its flock.

And although Yahoo is much less relevant than it used to be, the tendency of people to reuse passwords and security questions has serious implications. If you had a Yahoo email account in 2009 but switched to Gmail with the same password, the hack means someone could access your current email account.

Perhaps you even used the same password or security questions for your online banking or e-commerce accounts or while paying your taxes online. See the problem?

In 2017 the US Department of Justice charged two officers of Russia's FSB and two criminal hackers over the 2014 breach; the 2013 breach has not been publicly attributed.

“My message for companies that think they haven’t been attacked is: ‘You’re not looking hard enough.’”

– James Snook, Deputy Director of OCSIA

Vulnerable and Outdated Components

15. Colonial Pipeline Ransomware Attack (2021)

Colonial Pipeline operates the largest fuel pipeline system in the US, supplying much of the East Coast. On 7 May 2021, the Friday before the Mother's Day weekend, the DarkSide ransomware group encrypted the company's IT systems.

The company shut the pipeline down itself as a precaution, because it could not quickly establish whether the attack had reached its operational technology, and operations were suspended for about six days. The ransomware had hit the corporate IT side, including billing, while the pumping systems themselves were not known to be infected.

Without billing, and with that uncertainty over the OT network, fuel could not be moved. The shutdown caused shortages along the East Coast, panic buying at the pumps and flight rescheduling by airlines.

The attackers had also stolen about 100 GB of data and demanded a ransom of 75 bitcoin (roughly USD 4.4 million at the time) for the decryption tool. The company paid; the US Department of Justice later recovered 63.7 bitcoin of it.

The root cause was not an unpatched vulnerability but a credential failure. The attackers logged in through a legacy VPN account that was no longer in active use but had never been disabled, using a password that had surfaced in an earlier, unrelated credential dump, and the account had no multi-factor authentication. That login gave them a foothold on the network from which to deploy the ransomware. The outdated component in this story is the VPN profile that should have been decommissioned.

The incident also exposed gaps in preparedness. Colonial had to halt its entire operation because it could not quickly tell which systems were affected, and the decryptor it paid for proved so slow that the company fell back on its own backups to restore. The disruption to the fuel supply in the southeastern United States caused shortages and price increases at the pumps.

16. JBS Ransomware Attack (2021)

In another holiday-weekend attack, global meat processor JBS was hit over the 2021 Memorial Day weekend by REvil ransomware, one of the most disruptive attacks ever to hit food production. The attackers got into JBS's network, encrypted systems and demanded a cryptocurrency ransom.

The attack halted beef and pork plants in North America and Australia for several days. JBS paid a ransom of USD 11 million in bitcoin to resume operations and limit the fallout.

17. Equifax Data Breach (2017)

The Equifax breach of 2017 is one of the largest in history. Equifax, a credit reporting agency, suffered a series of security lapses that let attackers take names, Social Security numbers, dates of birth, addresses and, for some people, driver's license numbers for about 143 million US consumers (a figure later revised to about 147 million).

The attackers were inside for 76 days before they were discovered. Equifax has put the cost of the breach at around USD 1.4 billion.

Equifax's consumer dispute portal was built on Apache Struts, a Java web framework used by many Fortune 100 companies. The initial entry was through CVE-2017-5638, a remote code execution flaw in the way Struts parsed the Content-Type header of file-upload requests (an OGNL expression injection, not an XXE). Apache published the fix on 6 March 2017; Equifax's internal patching process failed to apply it, and the attackers exploited the still-unpatched portal on 13 May.

From the portal the attackers moved into other systems because the network was not properly segmented, and they found a file share holding unencrypted usernames and passwords that let them query dozens of further databases without having to defeat any authentication.

The attackers pulled data out in small encrypted chunks to blend in with normal traffic. Equifax had a device for inspecting encrypted traffic, but the certificate it needed had expired about ten months earlier, so the whole time it had been passing encrypted traffic through uninspected. When the certificate was finally renewed on 29 July 2017, the suspicious traffic became visible at once and the breach was discovered.
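An added example (not Equifax's tooling) of the check its patching process failed to act on: matching a component inventory against advisory version ranges. The advisory entry reproduces the ranges from the Struts S2-045 advisory for CVE-2017-5638 (affected 2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1); the inventory lines are constructed.

```python
"""Matching an inventory of components against advisory version ranges, the
check Equifax's patching process failed to act on. Added example, not Equifax's
tooling. The advisory entry reproduces the Struts S2-045 ranges (affected
2.3.5 to 2.3.31 and 2.5 to 2.5.10, fixed in 2.3.32 and 2.5.10.1); the
inventory lines are constructed."""
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'2.5.10.1' -> (2, 5, 10, 1). Tuples compare element-wise, so a missing
    trailing component sorts before a present one: (2, 5, 10) < (2, 5, 10, 1)."""
    return tuple(int(part) for part in text.strip().split("."))


# Each range is [introduced, fixed): affected if introduced <= v < fixed.
ADVISORIES = [
    {
        "id": "CVE-2017-5638",
        "component": "struts2-core",
        "ranges": [("2.3.5", "2.3.32"), ("2.5", "2.5.10.1")],
    },
]


def is_affected(component: str, version: str, advisory: dict) -> bool:
    if advisory["component"] != component:
        return False
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in advisory["ranges"])


def scan_inventory(lines: List[str], advisories=ADVISORIES) -> Dict[str, List[str]]:
    """Takes 'name==version' lines (blank lines and '#' comments ignored) and
    returns {line: [advisory ids]} for every vulnerable entry."""
    findings: Dict[str, List[str]] = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, version = line.split("==", 1)
        hits = [adv["id"] for adv in advisories if is_affected(name.strip(), version, adv)]
        if hits:
            findings[line] = hits
    return findings


# Constructed inventory for a run.
SAMPLE_INVENTORY = [
    "# dispute-portal dependencies (constructed)",
    "struts2-core==2.3.31",
    "struts2-core==2.3.32",
    "struts2-core==2.5.10",
    "commons-io==2.6",
]
```

Real version strings carry qualifiers (`-rc1`, `.Final`) that `int()` will not accept; for anything beyond a demonstration, use a proper version parser and pull the ranges from a machine-readable advisory feed rather than typing them in. The point the Equifax timeline makes is that the scan is only half the control: the finding has to reach the team that owns the portal, and someone has to confirm the patch actually landed.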

18. Strava API Breach (2018)

Not a hack at all, but a textbook case of a data product exposing more than intended: in November 2017 Strava, a fitness-tracking app popular with military personnel, published a global "heatmap" aggregating its users' activity, and in January 2018 analysts noticed it traced the running routes and perimeters of military bases and outposts, including some whose locations had not been disclosed.

The heatmap was built from about 3 trillion GPS points across 1 billion activities recorded between January 2015 and September 2017. No attacker was needed. The data was public by default, the opt-out was buried in the privacy settings, and aggregation did not anonymise patterns in sparsely populated areas, where a handful of users tracing the same perimeter was enough to outline a facility.

19. The Nasdaq Hacks (2010)

In late 2010 Nasdaq's systems were penetrated in an attack that US investigators attributed to Russia. The FBI noticed first, and its monitoring pointed to malware running on Nasdaq's own servers, including the Directors Desk system used by corporate boards to share documents.

No one had previously been known to compromise such a target. An NSA analysis of the malware concluded it was likely designed and run by a foreign intelligence service, not by an individual with too much time on their hands.

Investigators linked the malware to tooling associated with Russian intelligence and judged that, beyond espionage, it had the capability to disrupt or damage the systems it sat on. Reporting on the investigation also found that Nasdaq had been running outdated software with unpatched vulnerabilities, which is why the incident belongs in this category.

No visible damage was done, but the case highlighted how exposed exchanges and other financial infrastructure were.

Identification and Authentication Failures

20. LinkedIn API Breach (2021)

One of the largest recent incidents is the LinkedIn scrape of 2021. Records on over 700 million users, about 92% of the user base, were put up for sale on a hacker forum. LinkedIn's position was that this was scraping of public profile data rather than a breach of its systems; the seller said the records were pulled in bulk through a LinkedIn API, combined with data from other sources, with neither authentication nor rate limiting standing in the way.

Because the records combined users' personal and professional details, an advisory warned that the risk of identity theft, targeted phishing and impersonation was high, and users were told to remain vigilant.

21. The iCloud Celebrity Hacks (2014)

In 2014 the iCloud accounts of dozens of people, including A-list celebrities such as Jennifer Lawrence and Kate Upton, were accessed and private photos were leaked.

Apple found no breach of iCloud itself; the attackers used phishing and guessed passwords and security answers against individual accounts. They sent official-looking emails instructing the targets to log in and reset their security credentials, and anyone who did handed over the password and security answers needed to log in and download the account's backups.

Several (seemingly) unconnected individuals were investigated over the next few months. At least two were found guilty and sentenced to between 9-18 months in late 2016 and early 2017 for crimes related to the hack.

Security Logging and Monitoring Failures


22. SolarWinds Supply Chain Attack (2020)

SolarWinds makes Orion, a network-monitoring platform used by US government agencies, including the Pentagon and national laboratories, and by many Fortune 500 companies. In 2020 the company was the vehicle for one of the most consequential supply chain attacks on record.

Attackers later attributed by the US government to Russia's foreign intelligence service (SVR) compromised SolarWinds' software build environment and inserted malicious code into Orion. The tainted code shipped inside legitimately signed Orion updates between March and June 2020, and as many as 18,000 customers installed them.

The implanted code, named SUNBURST, acted as a backdoor: after a dormancy period of up to two weeks it contacted attacker infrastructure over DNS and could then fetch further payloads. Because the update was signed by SolarWinds and delivered through the normal channel, the chain of trust between vendor and customer was itself the attack vector, and the attackers picked follow-on targets from among the thousands of infected networks.

How the attackers first got into SolarWinds has not been conclusively established; SolarWinds said the candidates included password spraying, spear-phishing and a zero-day in a third-party application. What is known is that they placed a tool (SUNSPOT) in the build system that swapped in the backdoored source file during compilation, so the Orion software itself did not need a vulnerability.

The implant went unnoticed for about nine months, until FireEye found it in December 2020 while investigating the theft of its own red-team tools. It was built to evade detection: it beaconed over DNS to a domain that looked like a cloud service, with victim information encoded in random-looking subdomains, paused when it saw security tooling, and mimicked Orion's own traffic. Few customers logged and reviewed outbound DNS closely enough to notice.
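An added example (not any vendor's rule or SolarWinds' code) of the monitoring that was missing: a check over DNS logs for the beaconing shape described above, many hosts each querying a distinct, long, random-looking subdomain under one parent domain. The log lines and the domain `update-svc.test` are constructed, and the thresholds are starting points to tune per environment.

```python
"""Detection over DNS logs for the beaconing pattern SUNBURST used: many hosts
querying long, random-looking, never-repeated subdomains under one parent
domain that looks like a cloud service. Added example, not any vendor's rule
or SolarWinds' code. The log lines and the domain update-svc.test are
constructed; thresholds are starting points to tune per environment."""
import math
from collections import defaultdict
from typing import Dict

# Constructed log: timestamp, source host, record type, queried name.
SAMPLE_DNS_LOG = """\
2020-06-12T03:14:07Z host-17 A 3mu76044hgf7shjf.appsync-api.eu-west-1.update-svc.test
2020-06-12T03:14:09Z host-17 A www.example.com
2020-06-12T03:21:40Z host-22 A r1q4nd8b6z0ktp3x.appsync-api.us-east-2.update-svc.test
2020-06-12T03:22:01Z host-22 A cdn.example.com
2020-06-12T03:33:15Z host-09 A k5w9e2v7m0a1c3h8.appsync-api.us-west-2.update-svc.test
2020-06-12T03:40:58Z host-31 A 0yt6jd2p9a7qrf4n.appsync-api.eu-west-1.update-svc.test
2020-06-12T03:41:03Z host-31 A www.example.com
2020-06-12T03:45:20Z host-09 A mail.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits per character; random alphanumerics score around 3.5 to 4, real words lower."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(name: str) -> str:
    """Simplification: last two labels. Use a public-suffix list in production."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])


def find_beacon_domains(log_text: str, min_hosts: int = 3, min_label_len: int = 12,
                        min_entropy: float = 3.0) -> Dict[str, dict]:
    """Groups queries by registered domain and flags domains where at least
    min_hosts distinct sources each queried a distinct, long, high-entropy
    leftmost label. Returns {domain: stats} for flagged domains only."""
    per_domain = defaultdict(lambda: {"hosts": set(), "labels": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, host, _rtype, qname = line.split()
        leftmost = qname.split(".")[0]
        if len(leftmost) >= min_label_len and shannon_entropy(leftmost) >= min_entropy:
            bucket = per_domain[registered_domain(qname)]
            bucket["hosts"].add(host)
            bucket["labels"].add(leftmost)
    flagged = {}
    for domain, b in per_domain.items():
        if len(b["hosts"]) >= min_hosts and len(b["labels"]) >= min_hosts:
            flagged[domain] = {"hosts": sorted(b["hosts"]), "unique_labels": len(b["labels"])}
    return flagged
```

Legitimate CDNs and cloud APIs also use long hashed hostnames, so this rule is a triage signal, not a verdict: the follow-up is to check the flagged parent domain's age and registrar, whether the querying hosts share a software inventory (here, they would all be running the same monitoring agent), and whether the names ever resolve to addresses that then receive traffic. The precondition for any of this is that outbound DNS from servers is logged at all and kept long enough to look back over months, which in 2020 was the gap.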

23. Marriott International (2018)

The Marriott International breach disclosed in 2018 is one of the largest in history. It exposed guest records initially estimated at 500 million and later revised to about 339 million, including passport numbers, payment card data, arrival and departure dates and other personal details.

The intrusion had begun in 2014 in the network of Starwood Hotels, which Marriott acquired in 2016 without discovering the compromise. The attackers had placed a remote access trojan and credential-dumping tools on Starwood's systems, and their target was the guest reservation database running on Starwood's legacy infrastructure. The UK's Information Commissioner's Office (ICO) fined Marriott GBP 18.4 million for GDPR failings, citing in particular inadequate due diligence on Starwood's systems at acquisition and gaps in monitoring.

The attackers roamed undetected for about four years. The breach only came to light in September 2018, when a security tool flagged an unusual query against the reservation database.

Don’t become another statistic.

The dreaded hack. It can happen to anyone, anywhere, anytime. When will the next “most notorious hacks” happen? Probably sooner than you think.

Phishing schemes. DDoS attacks. Brute-force attacks.

Don’t make an appearance in the next edition of hacker history. Be smart. Be proactive. Be safe and secure.

Stay tuned for more relevant and interesting security updates. Follow Indusface on Facebook, Twitter, and LinkedIn


The post 23 Most Notorious Hacks History that Fall Under OWASP Top 10 appeared first on Indusface.

*** This is a Security Bloggers Network syndicated blog from Indusface authored by Venkatesh Sundar. Read the original post at: https://www.indusface.com/blog/notorious-hacks-history/
