
Ten biggest data breaches in 2020

Courtesy: NordVPN

Hackers were as active as ever in 2020, taking advantage of users’ vulnerabilities and the economic disruption amid the global COVID-19 pandemic. The number of cyberattacks is rising every year, and 2020 saw a great peak in cybercrime. According to the Risk Based Security report, 2,953 data breaches were publicly reported in the first three quarters of 2020 alone, bringing the number of exposed records to a staggering 36 billion. In 2019, there were 15.1 billion records breached.

“The still ongoing pandemic has drastically altered the way people work, shop, communicate and entertain themselves,” said Daniel Markuson, a digital privacy expert at NordVPN. “Our lives had to move online, making us leave more digital footprint, which has been attracting all types of scammers, fraudsters and hackers who look for security vulnerabilities to exploit.”

Ten biggest data breaches in 2020

Out of the enormous number of data breaches that happened in 2020, NordVPN experts picked the top 10 biggest leaks in terms of the data volume. The list includes leaky databases that were not necessarily breached per se but exposed sensitive data to the public. Some of the data breaches outlined below might have happened some years ago but surfaced only in 2020.

10. Unknown (201 million). In January, security researchers found a database of more than 200 million sensitive personal records exposed online. The leaky database with an undetermined owner was hosted on a Google Cloud server and consisted of highly sensitive personal and demographic data about U.S. residents and their properties with names, addresses, email addresses, credit ratings, income, net worth, property market value, investment preferences and other explicit details. It remains unknown if any unauthorized parties accessed the dataset, which was considered to be a gold mine for cybercriminals. Google was alerted about the case, and, after more than a month, the exposed server was taken offline.

9. Microsoft (250 million). In January 2020, Microsoft disclosed a data breach on its servers storing customer support analytics. The breach took place in December of 2019. 250 million entries, including email addresses, IP addresses and support case details, were accidentally exposed online without password protection. The leaky database consisted of five Elasticsearch servers, which are used to simplify search operations. Misconfigured security rules were blamed for the accidental server exposure, which Microsoft swiftly fixed.

8. Wattpad (268 million). In June 2020, a database of more than 268 million records belonging to Wattpad, a Canada-based website and app for writers to publish new user-generated stories, was breached. The malicious actors compromised Wattpad’s SQL database containing user account credentials, email addresses, IP addresses and other sensitive data. After the incident, the company reset its users’ passwords.

7. Broadvoice (350 million). In October 2020, news surfaced that Broadvoice, a U.S. VoIP provider for businesses, exposed more than 350 million customer records, such as names, phone numbers and call transcripts, including voicemails left with medical outlets and financial services firms. Ten databases belonging to the company were easily accessible to security researchers due to a configuration error that left them open without any authentication required for access. Broadvoice patched the security flaw and notified the relevant legal authorities about the incident.

6. Estée Lauder (440 million). In January 2020, U.S. cosmetics giant Estée Lauder had its unprotected database, containing 440 million internal records, exposed online. Researchers say the exposed information included email addresses, internal documents, IP addresses and other information belonging to the company-owned education platform. The company closed the database off once they were made aware of the issue.

5. Sina Weibo (538 million). In March 2020, it was reported that Weibo, the biggest Chinese social media platform, was breached, and personal details of more than 538 million users were up for sale on the dark web and other places online. The exact timing of the data breach is unclear, but there’s speculation it might date back to 2019. The hacker claimed the sensitive data, including 172 million users’ real names, gender, location and even phone numbers, was obtained from a structured query language (SQL) database dump.

4. Whisper (900 million). In March 2020, news broke that Whisper, a popular secret-sharing app, left 900 million user records exposed online. Anonymous personal confessions and all the metadata related to those posts, including the location coordinates and other sensitive information, were publicly viewable on a non-password-protected database, which, if accessed by hackers, could result in user identification and blackmail. Access to the data was removed once the company was informed.

3. Keepnet Labs (5 billion). In March 2020, Keepnet Labs, a UK-based cybersecurity firm, experienced a cyber incident during which a contractor temporarily exposed a database containing 5 billion email addresses and passwords from previous data breaches. According to the threat intelligence company, which collects historic breach data to notify its business customers in case their data was compromised, it was migrating the Elasticsearch database and disabled the firewall for about 10 minutes to speed up the process. The risky decision enabled security researchers to access the data without a password via an unprotected port.

2. Advanced Info Service (8.3 billion). In May 2020, Advanced Info Service, Thailand’s largest GSM mobile phone operator, had to take down one of its databases following an alleged data breach. A security researcher found an open Elasticsearch database online containing 4 TB of internet usage data, or 8.3 billion records. The information left in the open, such as domain name system (DNS) queries and NetFlow data, could be used to map a user’s internet activity. The database is secure now.

1. CAM4 (10.88 billion). In March 2020, researchers found an unprotected Elasticsearch server of the adult video streaming website CAM4, which was leaking 7 TB of data, or nearly 11 billion records. The exposed records included sensitive user information, such as full names, email addresses, sexual orientation, chat and email correspondence transcripts, password hashes, IP addresses and payment logs. The database error was fixed; however, it remains unknown if any hackers accessed the highly sensitive information of members of the adult site, who usually prefer to stay anonymous.

