September 26, 2016


Recent Data Breach Roundup: September 2016

As many students went back to school in September and families adjusted to new schedules, identity thieves remained hard at work — because they never take summer vacations. This month, they’ve continued to try their hardest to hack into systems at companies around the country and steal all the personal data and information they can find.

Here are the recent data breaches that were making headlines in September 2016:


Yahoo

Rumors of a large-scale data breach at Yahoo surfaced back in August, but confirmation — along with the true scope of the breach — came to light in September. Yahoo announced that personal information from a minimum of 500 million accounts had been stolen in late 2014. In what could be the most expansive data breach of all time, Yahoo revealed that the hacker took e-mail addresses, passwords, full user names, dates of birth, telephone numbers, and in some cases, security questions and answers. The company believes the responsible party is an individual working on behalf of a foreign government.

Yahoo is currently working with law enforcement and the FBI to investigate this breach further. All Yahoo users were encouraged to change passwords and security questions immediately and to review their accounts for any suspicious activity.


Dropbox

Dropbox didn’t suffer a new data breach in September, but they made headlines when new details from their 2012 breach were released. Originally, the company had reported that a small number of usernames were stolen, but that those users had been contacted and their accounts were secured. However, in September, the tech website Motherboard said it had obtained files that contained approximately 68 million e-mail addresses and hashed/salted passwords from the 2012 breach.

Currently, Dropbox does not believe any accounts were accessed by hackers. The only customers affected by the new revelations are those that were customers in 2012 and have not changed their passwords since then.


ClixSense

ClixSense, a pay-to-click ad service, was hijacked by hackers on September 4. The company regained control over Labor Day weekend, but the damage had already been done — and over 6 million ClixSense users had their sensitive information stolen. Some hackers breach systems just to make a point, but the ClixSense hackers are brazen and clear about their intentions. In a post on PasteBin, they said that they are planning to sell the user information they stole and proceeded to post data for over 2.2 million customers as a sample of what they possess. The post has since been taken down, but it is obvious that they are serious.

Troy Hunt, who operates the breach website Have I Been Pwned?, told Ars Technica he reviewed the dumped files and said they contained e-mail addresses, unhashed and hashed passwords, dates of birth, sex, first and last names, home addresses, IP addresses, account balances, and payment histories.

Active Network

Active Network, an event and activity management software company, suffered a breach that affected 6.5 million individuals seeking online fishing and hunting licenses in Idaho, Oregon, Kentucky, and Washington. The hacker, who calls himself “Mr. High,” took credit for the breach immediately afterward and said he stole “over six million pieces of personal information.” He also said that he contacted each state’s Department of Fish and Wildlife/Game to let them know that he found a security flaw so they could fix it. It does not appear that the stolen information has been used or sold.

In a press release, Active Network said it had a cybersecurity firm conduct a review, and that the incident was isolated to Idaho, Oregon, and Washington — no mention of Kentucky, even though the hacker claimed responsibility for that state as well. Individuals affected in Washington created accounts prior to 2006, and in Idaho and Oregon, those affected in the breach made accounts before July 2007. The company began sending out letters to those affected on September 19, 2016. They are offering two years of free identity theft protection services.

Check back next month to stay up to date on the most recent data breaches.


Heidi Daitch

Director, Strategic Programs at IdentityForce
Heidi is a busy working mom who juggles many of the same responsibilities and challenges at home and at work - a long list of things to do and not enough time to do everything. With so little time, Heidi tries hard to find simple, but effective strategies to save time for what’s really important – spending time with her family.
