The Biggest Data Breaches of 2020

2020 has not been a typical year for anything by any means. But one thing that has been reliable is unfortunately the continued rise of data breaches. While fewer data breaches were reported in the first half of 2020, the number of records exposed are turning out to be the biggest data breaches ever.

Earlier in the year, we took a cybersecurity snapshot of what trends looked like in early 2020.

In the first six months of 2020 alone, we saw 12 billion more records compromised than all of 2019. Unfortunately, 2020 is on pace to be a record year in terms of cybersecurity incidents—especially in the US. In the first six months of 2019, 28.7% of data breaches occurred in the US but in 2020, that number has nearly doubled at 50.5%.

In this list, we’ve compiled the biggest data breaches of 2020, so far, by the number of records that were exposed. All told, these eight breaches exposed over 27 billion records in 2020. And these are only the largest ones. A few breaches that didn’t make this list include Marriott’s 5.2 million compromised records, Nintendo’s leak of 160,000 credentials, the security frenzy that was 500,000 Zoom passwords for sale, and the now-infamous Twitter hack (that one only impacted 45 accounts but resulted in a $121,000 payday for the singular hacker).

There are also plenty of data breaches that occurred in 2020 where the number of records compromised is completely unknown. These companies include Canadian telecom giant Rogers, Princess Cruises, the US Defense Agency, ExecuPharm, and plenty of others.

My point is: There have been a lot of data breaches in 2020 and we don’t have the time to list them all.

Cam4 – 10.88 billion records

2020’s biggest data breach of the year was the live-streaming adult website Cam4, totaling over 10 billion stolen records. That’s one reason to block adult content on your work computers.

The records contained personal information including:

• First and last names
• Email addresses and passwords
• Location and device information
• Sexual orientation and chat transcripts
• Payment logs

The users most affected by the breach lived in the US, Brazil, and Italy. The data breach was discovered in May, roughly two months after the credentials were originally posted online.

AIS – 8.3 billion records

AIS is Thailand’s largest cellphone network. Security researcher Justin Paine discovered an ElasticSearch database that included DNS query logs and NetFlow logs of customers as well as their unique source IP addresses. After the discovery, he reached out to AIS to help make sure that database was secured.

The database was exposed for approximately three weeks and was over 4 terabytes in size, growing by 200 million new data rows every single day.

As Paine points out, this network traffic data can tell you a lot about end users. And if that data falls into the wrong hands, and those people are able to pair it with more data, a lot of harm can be done. As a DNS resolver, we are very familiar with that. That’s why we take privacy so seriously.

Keepnet Labs – 5 billion records

This is a lesson about not taking shortcuts. Keepnet Labs hired a third-party IT service provider to migrate a data breach database (i.e., a list of emails and passwords that had previously been exposed now housed in a database). To speed up the process, the engineer performing the migration decided this process should be a little faster, so they disabled the firewall for 10 minutes.

As that was happening, the database was indexed. In total, 5 billion records that had already been compromised between 2012 and 2019 were made available online again.

Talk about deja vu.

BlueKai – 2 billion records

Oracle purchased BlueKai, a digital tracking service, in 2014. This technology is used in Ad Tech, and the data collected can be incredibly detailed. According to one estimate, BlueKai tracks 1.2% of all internet traffic.

And for a portion of time this year, that very detailed (an accurate) information was available online for anyone to find.

Data leaked includes:

• Home addresses
• Emails
• First and last names
• Web browsing activity

It’s still unclear how this data was leaked.

Estee Lauder – 440 million records

No amount of perfume can cover this up. In early 2020, it was discovered that over 440 million records, some of which included customer and employee email addresses, were available online. The leaked database contained “production, audit, error, CMS, and middleware logs,” which could have further compromised other applications as it opened up the path for malware.

In a statement made by Estee Lauder, they said that none of the information leaked included consumer data and there was no evidence of unauthorized use of the data despite temporary access to it.

Microsoft – 250 million records

In January of this year, the security research team at Comparitech found five Microsoft servers exposed. Each server was identical and contained 250 million customer service records dating back to 2005. Anyone could have accessed this information if they knew where to look.

These records included:

• Email addresses
• Geographical locations
• Support cases, including case numbers, notes, and resolution
• IP addresses (remember that AIS attack? Some hackers would love to look for overlap between web interests and Microsoft complaints)

This is another case where because the databases were available online, they were simply indexed. The total exposure was under 30 days. 24 hours after discovery, the records were removed. Microsoft says they found no evidence of malicious use of the database.

Technically this data breach was remediated on December 31, 2019, but the details weren’t made public until January of 2020.

Unknown – 200 million records

Comparitech comes to the rescue again. In January 2020, there was another case of an exposed server that resulted in that server getting indexed. The server in question was a Google Cloud server containing 200 million records comprised of demographic data about US homeowners, their credit ratings, net worth, income, and plenty of other details.

While Comparitech was unable to identify the owner of this database after they worked to get it offline, however much of the data seems to have come from the US Census Bureau.

MGM Resorts – 142 million records

In February, the MGM Grand revealed that the data of over 10 million customers were pasted to a hacker forum. However, it seems that breach is actually further-reaching than previously thought. Researchers found 142 million records from MGM Resorts guests by July of 2020.

The information was posted for sale on a forum for $2,900 and linked this breach to the original data leak announced in February.

It just goes to show you that if you are the customer of a company that has been the victim of a cyberattack, you should take action to secure your personal accounts even if they assure you that nothing was exposed. You never know.

I’m done scaring you with data breach numbers. But if you want to add another layer of protection to your organization, get a free trial of DNSFilter for better endpoint and off-network protection.

Interested in earlier breaches? Check out the biggest security breaches from 2018.