Analysis of top 8 recent data breaches

As much as data breaches have become a regular occurrence in today’s world, the damage that they cause is only getting worse.

Last year, from June 2020 to June 2021, was another wild privacy hazard ride. A total of 5.3 billion data points were leaked, affecting 1 billion users worldwide.

Key takeaways from the top 8 biggest privacy breaches of the past year:

  • The three biggest data sets leaked belonged to Facebook, Wattpad, and Raychat.
  • Facebook’s data leak affected the largest number of users (533 million). The company lost the biggest amount and the highest variance of data points.
  • Wattpad’s data breach had the densest record per user ratio loss (6 data points per user).
  • Two LinkedIn scrapes in April and July 2021 affected 500 million users each.

Data leaks take no prisoners – they mistreat everyone the same. Companies that got breached ranged from big to tech giant:

| Company | Breached users | Breached data points |
|---|---|---|
| Facebook | 533 million | 2.96 billion |
| Wattpad | 270 million | 1.7 billion |
| Raychat | 150 million | 495 million |
| Parkmobile | 21 million | 63 million |
| Pixlr | 1.9 million | 6 million |
| SuperVPN, GeckoVPN, ChatVPN | 21 million | 41 million |
| Bonobos | 7 million | 9.6 million |
| AnimalJam | 7 million | 31 million |

Individual breach analyses

Parkmobile.us, SuperVPN, GeckoVPN, ChatVPN, Pixlr.com, and Raychat.io are the most sensitive data breaches, as close to 100% of users lost their emails and password hashes. 90% of Facebook’s affected users lost all three: first names, last names, and phone numbers.

On the other hand, scraping has seen its fair share of (un)success in the past year as well. In April 2021, ~30% of scraped LinkedIn users got their last and first name, as well as phone numbers and physical addresses exposed.

Now that we’ve covered the basics, let’s take a closer look at each individual breach from June 2020 to summer 2021.

  1. Facebook.com data breach

In April 2021, Facebook revealed a huge data breach that affected 533 million users. According to the company, the leak happened due to a vulnerability that got patched in 2019.

Threat actors have allegedly used contact importer software to match phone numbers against user profiles to exploit this bug. Facebook denies that this was a breach and maintains that it’s a scraping method.

  • Affected users: 533 mln.
  • Method: Hacked.
  • Company type: Social networking site.
  • Date reported: April 2021
  • Data price: Free.
  • User data leaked: First name, last name, company name, relationship status, email, gender, phone number, location, locale, and others.
  • Leaked data statistics: 18 different data keys were leaked from relationship status to profession and phone number. 9 out of 10 users lost their first and last name, gender, phone number.

  2. Wattpad.com data breach

Wattpad, a host to user-generated books and other written material, was breached. The leak affected around 270 million users, exposing a large variety of data points. Neither the company nor the hacker has revealed how the breach happened.

  • Affected users: 270 mln.
  • Method: Hacked.
  • Company type: A website that allows members to publish user-generated stories on a variety of different topics.
  • Date reported: July 2020
  • Data price: Free.
  • User data leaked: Emails, usernames, password hashes, IP addresses, dates of birth, location, gender, bio, country of residence, Facebook profile.
  • Leaked data statistics: 7 out of 10 users got their usernames and passwords leaked. Emails, usernames, password hashes, IP addresses, and dates of birth make up 60% of total records.

  3. Raychat.io data breach

In May 2021, a data set from an entire Iranian messenger Raychat was leaked, affecting 150 million users. According to researchers, the breach occurred due to a misconfigured server containing more than 267 million accounts. Whether this was a new leak or an older one is currently unknown.

  • Affected users: 150 mln.
  • Method: Poor cloud security.
  • Company type: Messaging platform, a popular Iranian business and social messenger.
  • Date reported: May 2021.
  • Data price: Free.
  • User data leaked: IPs, e-mails, country, city, and password hashes.
  • Leaked data statistics: IPs, emails, and password hashes constituted more than 90% of total breached data.

  4. Parkmobile.us data breach

ParkMobile, the leading US parking service provider, suffered a breach in April 2021, affecting 21 million ParkMobile users. According to the Federal Trade Commission, the breach happened because the company has failed to implement “basic security procedures.”

  • Affected users: 21 mln.
  • Method: Poor cloud security.
  • Company type: A mobile parking app.
  • Date reported: April 2021
  • Data price: 125k USD.
  • User data leaked: First name, last name, password hashes, emails, phone numbers, usernames, and locations.
  • Leaked data statistics: Two-thirds of all leaked records were e-mail addresses and password hashes.

  5. Pixlr.com data breach

In January 2021, Pixlr, a photo editing application, suffered a data breach that affected 1.9 million users. The hackers claim they stole that data in a separate breach back in 2020.

  • Affected users: 1.9 mln.
  • Method: Poor cloud security
  • Company type: Pixlr is a very popular and free online photo editing application with many of the same features found in a professional desktop photo editor like Photoshop.
  • Date reported: January 2021.
  • Data price: Free.
  • User data leaked: Emails, names, password hashes, and country.
  • Leaked data statistics: 1.9 million emails and just below half a million password hashes. Overall, two-thirds of records were either email addresses or names.

  6. SuperVPN, GeckoVPN, and ChatVPN data breach

In February 2021, a cyber thief stole data that three VPN providers collected from their users. SuperVPN, GeckoVPN, and ChatVPN are all free Android VPN services with over 110 million downloads on Google Play.

  • Affected users: 21 mln.
  • Method: Poor cloud security.
  • Company type: VPNs for Android.
  • Date reported: February 2021.
  • Data price: 2k USD.
  • User data leaked: Email addresses, full names, countries, payment information, device IDs, and password hashes.
  • Leaked data statistics: Only 3% of all leaked records were not emails or hashed passwords.

  7. Bonobos.com data breach

In January 2021, Bonobos, a US men’s clothing retailer, reported a breach that affected around 7 million of its customers. The company claims that someone got access to its external cloud environment and backup files.

  • Affected users: 7 mln.
  • Method: Poor cloud security.
  • Company type: Retail, men’s clothing store.
  • Date reported: January 2021.
  • Data price: Free.
  • User data leaked: First names, last names, emails, IP addresses, partial numbers of 3.5 million payment cards, and password hashes.
  • Leaked data statistics: Besides just a few usernames, other leaked data points range from 20 to 30%.

  8. AnimalJam.com data breach

WildWorks, the game company that makes the popular kids’ game Animal Jam, confirmed a data breach in November 2020. Thirty-one million data points got leaked, affecting 7 million users.

The hacker has allegedly infiltrated the company’s communication channels and acquired access to its database.

  • Affected users: 7 mln.
  • Method: Hacked.
  • Company type: Kids games; belongs to WildWorks gaming company.
  • Date reported: November 2020.
  • Data price: 6k USD.
  • User data leaked: IP addresses, emails, usernames, password hashes, and country of residence.
  • Leaked data statistics: Data points besides IP addresses, emails, usernames, and countries amount to only 10% of leaked records. 

LinkedIn.com data scrapes

LinkedIn.com got scraped twice in 2021, once in April (500 million users) and a second time in June (500 million users). Each incident has affected more than 66% of the website’s total user base.

LinkedIn’s April scrape:

  • Affected users: 500 mln.
  • Method: Scraping.
  • Company type: Employment-oriented online service.
  • Date reported: April 2021.
  • Data price: Free.
  • User data leaked: First and last names, email, profession, phone number, address, country, zip code, city, and state.
  • Leaked data statistics: A third of affected users got their physical addresses exposed, and 40% of leaked records reveal users’ location.

LinkedIn June scrape:

  • Affected users: 500 mln.
  • Method: Potential scraping.
  • Company type: Employment-oriented online service.
  • Date reported: June 2021.
  • Data price: 5k USD.
  • User data leaked: Email addresses, first and last names, phone numbers, location, LinkedIn usernames and profile URL, professional and personal backgrounds, genders, usernames of other social media accounts.
  • Disclaimer: Recent data shows that 500 million users were affected instead of the 700 million previously stated in the media.

While scrapes are not technically data breaches (explained below), they still pose a large threat to everyone involved. Such information can lead to massive spam and phishing campaigns or identity theft.

What about the data points of last year’s breaches?

If we analyze the data from all eight breaches, we see that:

  • Email addresses are the most commonly leaked data points. They got leaked in all of our mentioned breaches, and 10% of total leaked records were emails.
  • Password hashes got leaked in 7 out of 8 breaches (in all cases except Facebook’s).
  • First and last names and IP addresses got leaked in half of the data breaches.
  • Phone numbers got leaked in 1 out of 4 data breaches.

How much is your data worth?

Personal data is a huge business among ad brokers and dark web regulars. Leaked data, however, is illegal to use for any legitimate business. That’s why hackers and other threat actors are the only ones that utilize such information.

Data costs vary depending on data types.

For instance, the ‘most personal’ data sets of 2020 (e.g., ParkMobile data that contains first and last names, addresses, phone numbers, passwords, and locations) go for about 0.6 USD cents per user. This doesn’t sound like much. But considering there were around 21 million affected users, the total cost of all leaked data amounts to around 125,000 USD.

Half of the analyzed datasets are given away for free (Facebook, Raychat, Bonobos, Pixlr). 

The difference between leaked and scraped data

Leaked data is confidential information that was made publicly available via a breach. On the other hand, scraped data is publicly available information gathered into a big data set, usually via a social media platform (e.g., Facebook, LinkedIn, etc.).

We often tend to think of breaches as the “scarier” of the two because they can contain more sensitive information. However, if we compare leaked data against scraped data, we see a different side of the story:

  • Most commonly breached data points (10% of total records each): emails, phone numbers, first and last names, gender.
  • Data points scraped from LinkedIn: emails, phone numbers, first and last names, physical addresses.

In other words, the lost information is strikingly similar between leaked and scraped data.

In comparison, more than 1 billion users lost their data due to data breaches over the last year, while 500 million got their LinkedIn profiles scraped during the first incident in April. In total, a quarter (2 bln) of total lost data points (7 bln) was scraped via LinkedIn.

We’re often afraid of being hacked or falling victim to phishing attacks without realizing how much information we reveal about ourselves on social media platforms. For example, in all 8 data breaches combined, physical addresses made up only 0.002%, while in April’s LinkedIn data scrape alone, 8.92% of data points were addresses.

The most concerning thing is that scraping is entirely legal. If you google “scraped LinkedIn data,” almost half of the search results promote tools and guides on scraping social media platforms.

What to do if your data was leaked?

We can expect spam email campaigns, vishing (voice call phishing), and other phishing attacks from the wide variety of leaked data points mentioned above.

To protect yourself from these, carefully examine emails and text messages for any phishing signs. Also, don’t open any untrustworthy or fishy links, especially if they come in urgent messages (e.g., “You have X amount of time to do Y”).

Also, people tend to reuse their passwords. Make sure to change them from any of the sites that had passwords leaked. 

We always advise you never to use the same password twice! To help yourself handle this, get a password manager and lock it behind a single difficult password.
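
An added example, not part of the original article: a short Python script that reads a password-manager export and lists which logins need a new password, either because the site is one of the breaches above that leaked password hashes or because the login reuses a password from such a site. The CSV column layout and the sample rows are assumptions constructed for illustration; the three VPN apps are left out because the article gives no domain for them.

```python
import csv
import hashlib
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Sites named in this article whose leaks included password hashes.
BREACHED = {"wattpad.com", "raychat.io", "parkmobile.us", "pixlr.com",
            "bonobos.com", "animaljam.com"}

# Constructed sample; the column layout is an assumed export format.
SAMPLE_EXPORT = """name,url,username,password
Wattpad,https://www.wattpad.com/login,reader1,Tr0ub4dor&3
Mail,https://mail.example.org/,reader1@example.org,Tr0ub4dor&3
Bank,https://bank.example.net/,reader1,correct-horse-battery
Pixlr,https://pixlr.com/,reader1@example.org,pix-only-pass
"""

def is_breached(host):
    """True if host is a breached domain or one of its subdomains."""
    return any(host == d or host.endswith("." + d) for d in BREACHED)

def rotation_plan(export_text):
    """Return {host: reason} for every login that should get a new password."""
    by_password = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        host = (urlsplit(row["url"]).hostname or "").lower()
        # Group by digest so the plaintext is never used as a key or printed.
        digest = hashlib.sha256(row["password"].encode()).hexdigest()
        by_password[digest].append(host)
    plan = {}
    for hosts in by_password.values():
        leaked = sorted(h for h in hosts if is_breached(h))
        for host in hosts:
            if is_breached(host):
                plan[host] = "password hash leaked"
            elif leaked:
                plan[host] = "reuses password from " + ", ".join(leaked)
    return plan

if __name__ == "__main__":
    for host, reason in sorted(rotation_plan(SAMPLE_EXPORT).items()):
        print(f"{host}: {reason}")
```

Run it locally against the export and delete the export file afterwards, since it holds every password in plaintext.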

Privacy data breaches going forward

Data breaches are becoming more frequent, and it’s no surprise. More and more companies collect data about their users, but few take adequate measures to protect it. This is painfully apparent since most of these breaches happen due to poor security. 

On another note, scraping is legal, and companies don’t consider these as breaches. Most websites that you use do not concern themselves with the integrity of your data unless the law says they should.

Data collection will not stop anytime soon, and neither will breaches. However, we can take measures to minimize their effects. Most importantly – be mindful of what information about yourself you put out on social media and other platforms.