10 biggest hacks of user data in 2016

And how to protect yourself from similar breaches in 2017

10 biggest hacks of user data in 2016

You take great pains to come up with a strong password when registering for an account on a website—only to see your efforts go for naught when that site gets hacked. Several sites had their databases of user accounts not only breached but stolen this year, which include the necessary information for logins (i.e. username, password). The following sites are ranked starting at the fewest number of user accounts with passwords that were taken.

Also, these hacks were reported to have been executed during 2016. So this list does not feature Myspace (427 million user accounts stolen) or Yahoo! (a cool billion). Both were hacked supposedly before 2016, but were only reported this year. This list also does not include reports of user records that were exposed due to poor security, but where there is no evidence they were actually stolen.

10. i-Dressup: 2.2 million

This social site for teenage girls was found to have a vulnerability when a hacker in June extracted user account passwords and emails from it. He said it took him three weeks to download the information for 2.2 million accounts, but that there were 3.3 million more still open for the taking. The passwords weren’t protected with encryption.

Lesson: Don’t sign onto a site that doesn’t provide strong encryption

9. DLH.Net: 3.3 million

The registered users of DLH.Net, a gaming site, had their full names, usernames, passwords, email addresses, dates of birth, and other data taken on July 31. Eighty-four percent of the passwords were easily decrypted because they had been protected with weak algorithms. Facebook access tokens were also stolen from those who had signed in to DLH.Net using their account with this social network.

This website was hacked by the same unknown perpetrator who on July 10 breached the official forum for the game Dota 2, swiping nearly 2 million forum member usernames, passwords, email addresses, and IP addresses. These passwords were protected with weak encryption, too; over 80 percent of them were cracked. And this hacker also exploited security vulnerability in the site’s forum software.

Lesson: Don’t sign into a site using your Facebook credentials, unless it’s Facebook.

8. Leet: 5 million

Leet is a cloud service letting you set up servers on your Android smartphone or iPhone to host games for the mobile version of Minecraft. In a hack that possibly took place in early February, someone stole account usernames, passwords, email addresses, and IP addresses. Initially, 2 million records of user information were released in September, soon followed by another 3 million.

Lesson: Make absolutely sure that you don’t use the same password for more than one site.

7. ClixSense: 6.6 million

2.4 million people who signed up for this site, which paid them to fill online surveys and watch ads, had their full names, email addresses, passwords, dates of birth, gender, home addresses, and IP addresses dumped onto the internet for all to see. The hackers offered for sale the same personal details for another 4.2 million who had signed up with ClixSense. The information contained in this data stolen in early September was current as of mid-August, and was stored with no encryption.

Lesson: Don’t divulge personal information like home address or date of birth under any circumstances.

6. Lifeboat: 7 million

Here’s another Minecraft-related site hack. Somehow the usernames and passwords for all members of this community who play the mobile version of Minecraft together online were leaked onto the internet. The company admitted that they had been aware of this theft since early January, and decided to force users to change their passwords. But the press reporting this contacted three registered members of Lifeboat who all claimed they never got a notice to reset their passwords.

Lesson: Change you passwords frequently, even when you’re not prompted to.

5. Dailymotion: 18 million

This video streaming site—not as popular as YouTube but still heavily visited—had its user database stolen on Oct. 20 by an unknown hacker through unknown means. Over 85 million usernames and email addresses were taken, of which one out of every five of them had passwords associated with these accounts. These passwords were protected with a strong encryption that makes them difficult to crack.

Lesson: Think about creating multiple email accounts, one for your personal business, another for online entertainment, gaming, etc.

4. Mail.ru: 25 million

Yet another major hack tied to gaming communities and insecure message forums: in July and August, hackers attacked three gaming forums hosted by this Russian internet company. Among the records lifted were usernames, passwords, email addresses, and birth dates. Some of these forums also exposed the IP addresses and phone numbers of users. About half of the passwords were easily cracked due to their weak encryption.

Mail.ru downplayed this hack, saying these attacked forums contained “old passwords.” They assured that the stolen user account data were not connected to email accounts and other services provided by their company.

Lesson: Don’t give out your phone number.

3. Weebly: 43 million

Weebly is a web hosting platform that lets you easily put together a personal site or simple online store. Usernames, passwords and IP addresses for more than 43 million accounts were stolen in a hack that happened in February. Fortunately, the passwords were secured with strong encryption, and the company said that they did not believe any customer’s account had been improperly accessed. They also sent emails to customers requiring that they reset their passwords.

Lesson: When you get an email from a west hosting platform telling you to reset your password, do it.

2. VerticalScope: 45 million

If there’s a single lesson that everyone should conclude from the hacks of user account databases in 2016, it’s to be extra careful when signing up for an account on a message forum. In February, a hacker stole member information for over 1,000 message forums that covered auto, sports and tech communities hosted by the company VerticalScope. This haul contained usernames, passwords and IP addresses—the passwords had weak encryption. And many of these forums were running an old version of software with known security vulnerabilities that hackers can easily breach by using attack tools.

Lesson: Beware of message forums.

1. FriendFinder Networks: 412 million

Back in May 2015, the FriendFinder Networks company’s AdultFriendFinder dating site was hacked, resulting in the personal information of 3.5 million members being stolen: usernames, passwords, email addresses, birth dates, ZIP codes, and sexual preferences.

That was nothing compared to 2016.

Leaping to No. 1, this company, known for their adult-oriented websites, had 20 years worth of user account information stolen in October. The massive, pilfered trove exposed usernames, passwords and email addresses. The passwords for five of their sites (which include AdultFriendFinder and Penthouse.com) were in plaintext or secured with weak encryption—so weak that 99% of them had been cracked.

There was also evidence of accounts that may have been marked for deletion. Yet this breach revealed the existence of these accounts anyway.

Lesson: No words.

This story, "10 biggest hacks of user data in 2016" was originally published by Network World.

Copyright © 2016 IDG Communications, Inc.