The week of December 28, 2014

The 10 biggest hacks of 2014

By Patrick Howell O'Neill

Chances are your personal information was hacked this year—even if you didn’t realize it.

2014 was a year of unprecedented security breaches, with attacks striking some of the world’s biggest corporations and most famous celebrities. We’ve reached the tipping point of cyberwar with North Korea over the Sony hacks spurred by the Seth Rogen/James Franco romp The Interview, and vulnerabilities in the very infrastructure of the Web have been exploited to potentially devastating effect.

When it comes to cybersecurity, the situation doesn’t appear to be improving at all.

We’ve gathered 10 of the biggest hacks of the year. All of them were extremely high-profile and should serve as one last reminder to change your damn passwords already.

10) Heartbleed (April 2014)

A catchy name, killer logo, and ubiquitous reports made Heartbleed one of the scariest hacks of 2014. Deemed “catastrophic,” the vulnerability affected the OpenSSL cryptographic software library used to encrypt Web traffic. It allows attackers to grab any and all manner of sensitive data from seemingly secure servers without leaving a trace.

“On the scale of 1 to 10, this is an 11,” cryptographer Bruce Schneier wrote.

Created during a late-night programming session that yielded a massive error, Heartbleed threw the world of network security into a maelstrom. The impact has been enormous—here’s a long but incomplete list of affected services—including many of the biggest websites and most widely used software in the world.

“Some might argue that [Heartbleed] is the worst vulnerability found (at least in terms of its potential impact) since commercial traffic began to flow on the Internet,” Forbes cybersecurity columnist Joseph Steinberg explained.

Heartbleed could continue to plague the Internet for years to come.

9) Shellshock (September 2014)

It took months for the Internet’s collective pulse to calm down after Heartbleed, just enough time for Shellshock to enter the world’s lexicon.

Heartbleed’s heir apparent, it allowed hackers to gain access to vulnerable systems on Mac OS X and Linux computers—exactly the type of machines that run the backend of countless major websites and services.

It took only a few hours before hackers were taking over machines to create enormous botnets of slave computers that launched millions of attacks on, among other targets, the U.S. Department of Defense.

8) CurrentC

Mobile payments are a literal gold mine; that’s why Walmart, Target, and Best Buy launched a product called CurrentC in a sharp counter to the creation of Apple Pay.

The problem came just a few days later, when users were told “that unauthorized third parties obtained the e-mail addresses of some of you.”

It was a poor start that earned CurrentC critical headlines the world over.

In fact, things might not have been quite as bad as the early reports suggested. Hackers reportedly only obtained customers’ email addresses, and the attack was far from the death knell for the service.

Millions are currently using CurrentC every week, despite the fact that the first hack hit at just the wrong time. That shows the power and determination of the product’s titan backers to overcome whatever obstacles it may encounter.

7) CyberVor (August 2014)

Either this was an enormous hack pulled off by Russian criminals or a big public relations hack by Hold Security.

Earlier this year, the New York Times reported that a Russian gang called CyberVor (“Vor” means thief in Russian) had amassed 1.2 billion username and password combinations, plus 500 million email addresses, making this “the largest known collection of stolen Internet credentials.”

The news went viral and the world wanted more details. Too bad, too, because there are no details. Hold Security, the firm that reported the theft to the Times, said it had nondisclosure agreements that wouldn’t allow the company to name the victims of the attacks. The newspaper reported that an independent security expert verified the authenticity of the credentials, however, and the report was published.

Here’s another way of looking at it. When security firms like Hold Security break news about major thefts, they get massive advertising from the reporters that cover the incident, and criticism tends to be limited because details are unavailable.

“[T]his is a pretty direct link between a panic and a pay-out for a security firm,” Forbes’ Kashmir Hill wrote, reporting that shortly after the news went up, Hold Security offered a $120 service to see if you were infected.

Meanwhile, the Times wrote (in the story’s 11th paragraph) that the stolen credentials hadn’t been sold and were only being used to spam social networks like Twitter. That doesn’t sound quite like what all the grandiose headlines promised.

6) Home Depot (September 2014)

Home Depot fell victim to a data breach resulting in the theft of 56 million credit and debit cards earlier this year. That’s notable on its own, but the hack only gets bigger once you examine the context.

Last year, Target was victim to a hack that led to the theft of 40 million credit and debit cards. That was a wake-up call to the world’s biggest retailers, including Home Depot, which reinforced security on its point-of-sale equipment.

However, Home Depot cybersecurity sources told reporters that the company had been ignoring their concerns for at least six years. The company reportedly responded to internal complaints and criticisms with the same sad refrain: “We sell hammers.”

Several cybersecurity experts resigned from the company as a result.

By the time Target jolted them awake, it was too late. Criminals were inside their systems, stealing information from millions of customers for months if not years. The fixes the company rolled out to respond to the Target hack were finished a month after their own hack was revealed.

5) JP Morgan Chase (August 2014)

The data breach that allowed hackers inside JPMorgan Chase is one of the biggest in history. Over 83 million households and small businesses—about 65 percent of all U.S. households—were affected, including previous account holders.

But for all its vastness, the data stolen doesn’t appear to have been all that sensitive. Passwords, account numbers, user IDs, birthdays, and Social Security numbers appeared to be safe, according to Chase, and no fraud has been reported since the attack occurred.

That’s good news—for now at least. An enormous haul like this isn’t going to go without use, and all types of fraud can be enabled here including phishing and cold-calling—two criminal arts that have been as strong as ever this holiday season.

4) Sony (November 2014)

The hack of the moment also has big implications for the future.

While hackers who targeted Home Depot and JPMorgan took more classical routes—using the breach to steal customer data—the Sony hackers are aiming squarely at the company itself.

The drama opened in November when the attackers demanded the company pay a ransom to keep a big cache of stolen data private. The Sony executives didn’t pay up, so a torrent of sensitive information from the company rushed into public view.

Unreleased films hit the Internet, financial information about executives was revealed, and secret marketing information and political plans hit the presses. Just when it looked like things couldn’t get any worse, Sony shelved The Interview, the comedy that spurred the altercation, in light of escalating threats. While the FBI has officially deemed North Korea responsible for the hacks, President Obama has said he believes it was a mistake to establish a pattern of intimidation.

3) Regin (November 2014)

Over the last few years, you’ve likely heard of countless cyberattacks against the West being linked to China. It’s gotten to the point where almost any attack is presumed to have originated in Beijing until proven otherwise—or at least that’s how the press reports it.

Here we have something different.

The United States and United Kingdom are reportedly responsible for creating and deploying Regin, a complex bit of malware behind an attack on the Belgian Internet company Belgacom’s computer systems and email servers.

Regin, which steals data and disguises itself as legitimate software, has also been found on European Union computers, where it reportedly stole data for months with direction from America’s National Security Agency. It’s been called a “top-tier espionage tool” and “among the most sophisticated ever discovered by researchers.”

2) South Korea (August 2014)

Over 70 percent of the adult population of South Korea was affected by a massive data breach that hit 27 million people and 220 million private records. There has never been a larger swath of a single country affected in one fell swoop of an attack.

Sixteen hackers were arrested in August for the scheme, which earned them a seemingly small $390,000 after they targeted Korea’s strong online gaming culture. Registration pages for gaming and gambling sites, as well as online ringtone downloads and movie ticket stores, were among the attackers’ targets.

The actual origin of the attacks is unknown. South Korean police say it came from China and was resold to “mortgage fraudsters and illegal gambling advertisers.” Damages are estimated to exceed $2 million.

1) Celebgate (August 2014)

This wasn’t about the money or the demands. Instead, it was about the targets.

Hundreds of images, including nude photos, from many of the world’s biggest female celebrities were posted online at the end of August as a result of a hack of Apple’s iCloud services that allowed attackers to steal passwords, usernames, and other data in a “very targeted” breach.

Millions of people looked at the stolen images, with some even sending bitcoins as payment to the hacker, sparking a wide debate about the ethics of posting or even looking at nude photographs stolen from a private citizen. When sites like Reddit eventually took steps to stop the spread of the photos—after they reaped the rewards of many millions of pageviews and a big pile of cash from their users—cries of censorship spread the debate over stolen photos even wider.

This year saw cybersecurity reach new heights in terms of public awareness. Names like Heartbleed and hacks like Sony’s have made more headlines than ever before. But it was Celebgate—also known as “The Fappening”—that topped them all.

Months later, it still does.


Screengrab via Google Trends

Illustration by J. Longo