Top 10 Application Security Breaches of 2018

Read Time8 Minute, 23 Second

The most disastrous web and mobile application security breaches and security incidents of 2018 (so far).

Application security is one of the most crucial areas of data security, especially as more businesses move to cloud-based computing and make web applications a core focus of their functionality. Web applications are increasingly being used to process and store customer data in the cloud, so weak application security is a very attractive target to attackers. Here are ten of 2018’s biggest, most damaging or highest-profile application security data breaches:

10. Sears, Delta Airlines, Kmart and Best Buy (via [24]7.ai)

When: September 2017-April 2018

The damage: over 100,000 payment card records

The vector: an attack on a third-party online chat service provided by [24]7.ai

On April 4th, SaaS-provider [24]7.ai issued a press statement disclosing a prior cybersecurity attack “potentially affecting the online customer payment information of a small number of our client companies”. The complete list of affected companies is not known, but includes at least Sears, Delta Airlines, Best Buy and Kmart. Technically, the underlying incident occurred over September-October 2017, but [24]7.ai left the incident undisclosed for 5 months. Under article 33 of the GDPR, any company trading in Europe must disclose a personal data breach within 72 hours of becoming aware of it. Had the incident itself occurred after 25 May 2018 (when GDPR came into force), such a delay would likely be treated harshly by EU regulators.

9. British Airways’ breach caused by credit card skimming malware

When: August-October 2018

The damage: 244,000-565,000 customers’ credit card details

The vector: malware injected onto British Airways’ site

In September, British Airways discovered an ongoing malicious attack on their website which had begun towards the end of August. The attack resulted in the personal and payment information of affected customers being compromised.

British Airways did not reveal details on the nature of the attack, but security researchers later discovered that it was caused by credit card skimming malware injected onto the website, targeting the airline’s payment web-app. Initial estimates were that 380,000 records were caught in the breach, but British Airways later lowered this to 244,000. However, it later emerged that a further 185,000 customers were potentially at risk.

Security firm RiskIQ claims that the MageCart hacking group – which specializes in stealing bank card details – compromised and altered the Modernizr JavaScript library that was loaded from the baggage claim information page of the British Airways website.

8. Google+ suffers from years-old API bug When: 2015-October 2018

The damage: up to 500,000 users’ sensitive data and Google+ itself

The vector: a years-old API bug

In March, Google found a bug in an API used in its Google+ social media platform which would allow third-party developers to freely access the personal details of Google+ members. Google left this vulnerability undisclosed until October, saying that the damage from the bug did not pass public disclosure thresholds. However, the Wall Street Journal revealed that the lack of disclosure was at least partially motivated by a desire to avoid negative publicity in the wake of the Cambridge Analytica scandal.

While the potential damage from this bug extends to 500,000 users, Google claims to have found ‘no evidence’ the data was misused or accessed maliciously. In security, absence of evidence is definitely not evidence of absence, and however much or little data was accessed, it was exposed for years and then covered up for months. Google+ as a consumer platform is now due to shut down in August 2019.

7. T-Mobile breach hits 2 million When: August 2018

The damage: roughly 2 million customers’ personal data

The vector: insecure API

In an attack carried out against T-Mobile, hackers were able to gain access to servers holding customer information including names, email and physical addresses and phone numbers. T-Mobile did not disclose the exact number of affected customers, but stated that it was ‘about’ or ‘slightly less than’ 3% of its userbase of 77 million. This attack was possible thanks to an unspecified backend API.

T-Mobile’s official statement said that ‘no passwords were compromised’, but it later emerged that password information was included in the breached data. T-Mobile didn’t count them as compromised because ‘they were encrypted’.

6. Organizations using TypeForm When: June 2018

The damage: an unknown number projected to be multiple millions of individuals’ personal data

The vector: malicious access to Typeform’s servers

Another example of how poorly-secured SaaS-providers can create the widest-reaching data risks, TypeForm’s fast response still left a long list of companies affected after an attacker gained access to a data backup from June. Despite being able to cut off the attacker’s access within 30 minutes of the breach’s discovery, a long line of organizations came forward to disclose that the breach may have affected their customers.

5. Cathay Pacific Airways is the largest airline hack ever When: March-October 2018

The damage: 9.4 million customer records

The vector: possible security holes left by migration from legacy to cloud systems

In what is being called the worst ever airline data hack, Hong Kong-based airline Cathay Pacific Airways was subjected to a persistent, long-term attack beginning in March 2018. In October, the airline released a statement that they had contained the breach, but there is still the possibility of new attacks being mounted.

Fortnum and Mason, Monzo, Birdseye, the UK Liberal Democrat party, Travelodge and the Australian Republican Movement are just a few examples of the organizations who came forward. It’s estimated that thousands of clients were affected by the breach, each one of which may have had data from tens of thousands of users processed by TypeForm’s service. One of TypeForm’s clients, OceanProtocol, came forward to claim that the data lost in the breach had been stored unencrypted.

4. GovPayNet sees 14 million receipts exposed When: September 2018

The damage: a minimum of 14 million receipts containing personal data

The vector: Broken access control allowing anyone to access any user’s receipt

GovPayNet provides services across 35 US states allowing citizens to pay government-related fees or fines. It provides its users access to online receipts, which include names, addresses, phone numbers and the final four digits of payment card numbers. In September, security researcher Brian Krebs notified GovPayNet that their web application would allow anyone to bypass access control and view any receipt.

Although access control was implemented for customers wishing to view their receipt, manually changing the URL would allow for this control to be bypassed. The exposed records were stored in sequential order, numbering at least 14 million and dating back to 2012.

3. Timehop breach started back in December 2017 When: July 2018

The damage: 21 million users’ personal details

The vector: Compromised admin credentials

An attacker was able to gain access to Timehop’s cloud computing environment using compromised admin credentials. While Timehop successfully stopped the attack while in progress, data was still lost. In the process, API keys that allowed Timehop’s app access to users’ social media content were also compromised, but these were reset by Timehop in the breach’s aftermath.

Timehop’s official statement has shown a great deal of transparency, offering a full breakdown of the breached records (including the number it considers to be subject to GDPR) and a timeline of the attack. It became apparent that malicious probing and reconnaissance for the attack had begun in December 2017, highlighting a need for stronger internal access control.

2. Panera Bread customer information to easy to access When: August 2017-April 2018

The damage: up to 37 million customers’ personal details

The vector: customer data stored in plaintext on a publicly available webpage

In August last year, security researcher Dylan Houlihan discovered a severe security issue in Panera Bread’s website: the names, contact details and even partial payment card information of registered users were freely accessible in unencrypted plaintext. If the correct URL was used – which could charitably be called a forced browsing attack – anyone would be able to access Panera Bread’s customers’ data. Houlihan reported the issue immediately, but Panera made no fix until April this year.

Panera claimed that under 10,000 customers had been affected by the data leak, but with customers’ personal data so freely accessible, it would be impossible to know exactly who has accessed it and how much has been stolen. Security blogger Brian Krebs demonstrated that the damage could potentially extend up to 37 million users.

1. Facebook suffers from web-app insecurity When: September 2018

The damage: 30-90 million user accounts

The vector: a bug in the web-app’s features

The timing of this breach was especially unfortunate for Facebook on the heels of the Cambridge Analytica scandal (for which it was fined £500,000 by the UK’s GDPR regulator), but the sheer number of users affected makes it the biggest breach of 2018. A bug in the web-app’s ‘view as’ feature allowed attackers to steal users’ access tokens. A textbook example of a session hijacking attack, this gave attackers access to the victims’ Facebook accounts, and all the personal data held therein.

Facebook’s initial statement was that 50 million accounts were compromised, but later reduced this estimate to 30 million. However, Facebook asked 40 million additional users to log out and reset their access tokens as a precaution, bringing the maximum potential reach of the security issue to 90 million users.

That was our version of the top 10 application security breaches of 2018. We purposefully omitted cryptocurrency incidents that will probably be compiled in a dedicated post. If you know about other significant breaches not mentioned in this article, leave your comment below.