The scariest hacks and vulnerabilities of 2019

This year's biggest and scariest security incidents, data breaches, and vulnerabilities.
Written by Catalin Cimpanu, Contributor

Yes, this is one of those end-of-year summaries. And it's a long one, since 2019 has been a disaster in terms of cyber-security news, with one or more major stories breaking on a weekly basis.

Below is a summary for the past 10 months of security disasters, organized by month.


Severe vulnerability in Apple FaceTime - A bug in Apple's FaceTime app let attackers call and self-answer a FaceTime call without any user interaction from the callee, opening the door for secret surveillance.

North Korean hackers infiltrate Chile's ATM network after Skype job interview - the article's title is self-explanatory, and the story is worth your time to read.

Hackers breach and steal data from South Korea's Defense Ministry - Seoul government said hackers breached 30 computers and stole data from 10. The hacked computers stored data on weapons and munitions acquisition.

Someone hacked the PHP PEAR website - We still don't know what happened there, but some hacker breached the PHP PEAR repo and backdoored a version of the PHP PEAR package manager.

Security flaws found in 26 low-end cryptocurrencies - This report shows just how dangerous some low-end, no-name cryptocurrencies are, and how hackers could steal funds en-masse at any time.

Oklahoma gov data leak exposes FBI investigation records - An Oklahoma Department of Securities server allowed anyone to download government files, such as internal files, and even FBI investigations.

Iranian hackers suspected in worldwide DNS hijacking campaign - FireEye, and later Cisco Talos, disclosed a global campaign carried out by Iranian hackers who redirected traffic from companies all over their globe through their Iranian servers, recording company credentials for future attacks.To do this, they hacked DNS management accounts at domain name registrars, in order to execute DNS hijacking attacks. These same hackers also breached Greece's top-level domain registrar.

SCP implementations impacted by 36-years-old security flaws - All SCP (Secure Copy Protocol) implementations from the last 36 years, since 1983, were found to be vulnerable to four security bugs that allowed a malicious SCP server to make unauthorized changes to a client's (user's) system and hide malicious operations in the terminal.

Yearly LTE security flaws - Two sets of new LTE security flaws were discovered this year. One that impacted 3G, 4G, and 5G, and a second set of 36 vulnerabilities found found after a fuzzing project carried out by South Korean security researchers.

Websites can steal browser data via extensions APIs - Researcher finds nearly 200 Chrome, Firefox, and Opera extensions vulnerable to attacks from malicious sites.

WiFi firmware bug affects laptops, smartphones, routers, gaming devices - Major security flaw found in Marvell Avastar chipset. List of impacted devices includes PS4, Xbox One, Samsung Chromebooks, and Microsoft Surface devices.

Malware found preinstalled on Android devices - Happened twice in 2019. First, in January, when researchers found malware inside an Alcatel app preinstalled on Alcatel smartphones. Second, in June, when Germany's cyber-security agencies found a backdoor in four Chinese smartphone models.


Leaky DB exposes China's Muslim-tracking practices - Security researcher Victor Gevers found a leaky DB from a Chinese company that exposed its Muslim-tracking facial recognition software, inadvertently revealing China's Uyghur-tracking practices.

Major WinRAR bugs exposed - Check Point researchers found a WinrAR bug that impacted all the WinRAR versions releassed since 2000. Over 500 million WinRAR users were at risk. The bugs eventually become widely used by cyber-criminals and nation-state hackers at the same time.

New WinPot malware can make ATMs spit out cash - WinPot has been on sale on underground forums since March 2018.

Tor traffic from individual Android apps detected with 97% accuracy - New machine learning algorithm can detect when Tor users are using a specific app, such as YouTube, Instagram, Spotify, others, via Tor.

Hackers wipe US servers of email provider VFEmail - Hackers did not ask for a ransom. VFEmail described the incident as "attack and destroy."

Thunderclap vulnerability - The security flaw impacts how Windows, Mac, Linux handle Thunderbolt peripherals. They allow the creation of highly dangerous malicious peripherals that can steal data from OS memory.

PDF protocol attacks - A team of German academics found a way to fake signatures in PDF documents, and later this year, a way to break PDF encryption.

Hiding malware using the CPU - Academics have found ways to hide malware on a computer using speculative execution and Intel's SGX enclave system.


Hackers take tornado sirens offline before major storm - Yeah. That was just evil.

The ASUS supply-chain hack - Hackers hijacked the ASUS Live Update utility to deploy malware on users' systems. The hack took place in 2018, but was disclosed in March. Over one million PCs were believed to have been impacted.

Ring of GitHub accounts promoting 300+ backdoored apps - GitHub ring consisting of 89 accounts promoted 73 repos containing over 300 backdoored Windows, Mac, and Linux apps.

Bithumb cryptocurrency exchange hacked a third time in two years - Hackers believed to have made off with nearly $20 million in EOS and Ripple cryptocurrencies. At this point, Bithumb appears that they're not even trying anymore.

Chrome zero-day under active attacks - CVE-2019-5786, a bug in Chrome's FileReader API, was exploited in the wild to read content from a user's computer. Google said the bug was used together with a Windows 7 zero-day by a nation-state attacker.

New Intel CPU bug - Researchers find new Intel VISA (Visualization of Internal Signals Architecture) debugging technology.

Hacks at French gas stations- Criminal group steals 120,000 litres of fuel from Total gas stations around Paris after gas stations forgot to change gas station pump PINs.

Citrix data breach - Citrix learned of the hack from the FBI. Hackers stole business documents. A lot of Citrix customers' are government agencies and Fortune 500 companies.

Smartphone unlocking issues - We've had a few this year, but the first case was reported in March when a user found that Samsung Galaxy S10 facial recognition can be fooled by a video of the phone owner. A month later, a user found that he could unlock a Nokia 9 smartphone's fingerprint scanner with a pack of gum. Then in October, users found that you could unlock a Pixel 4's facial unlock technology while you had your eyes closed, and a couple found that they could unlock Samsung S10 devices using fingerprint protection with any user's finger if the device was protected by a silicon case. In fact, the issue with bypassing facial recognition is quite widespread. A study by a Dutch non-profit last year found that attackers could bypass face unlock-type features on 42 out of the 110 smartphones they tested.


United Airlines covers up seat cameras - The airline insists that the cameras have not been in active use; however, customers were still very disturbed and annoyed by the cameras' presence in the first place.

Researcher prints 'PWNED!' on hundreds of GPS watches' maps due to unfixed API - Over 20 GPS watch models allowed threat actors to track device owners, tinker with watch functions.

Tens of thousands of cars were left exposed to thieves due to a hardcoded password - Security updates that remove the hardcoded credentials have been made available for both the MyCar Android and iOS apps since mid-February.

The Weather Channel goes off the air for 90 minutes after ransomware infection - A similar attack on French TV station M6, in October, was unsuccesful.

Facebook admits to storing plaintext passwords for millions of Instagram users - Incident comes after a month earlier, Facebook admitted to storing plaintext passwords for Facebook accounts too.

Source code of Iranian cyber-espionage tools leaked on Telegram - Tools were made available for every-day malware developers, opening more users to attacks. A second and third leak of Iranian hacking tools occurred in May and June.

Indian govt agency left details of millions of pregnant women exposed online - More than 12.5 million medical records for pregnant women were left exposed. Records removed from leaky server after more than three weeks.

Over 13K iSCSI storage clusters left exposed online without a password - New attack vector opens backdoor inside enterprise disk storage arrays and people's NAS devices.

Gnosticplayers' hacks - A hacker known as Gnosticplayers has dumped over one billion user records online in the span of a few months.

Hacker group has been hijacking DNS traffic on D-Link routers for three months - Other router models have also been targeted, such as ARG, DSLink, Secutech, and TOTOLINK. The attacks are especially active cross Brazil.


A hacker wiped Git repositories and asked for a ransom - Thousands of repos were impacted, but almost all projects were recovered.

New MDS attacks on modern CPUs - Researchers, academics detail new Microarchitectural Data Sampling (MDS) attacks, such as Zombieload, Fallout, and RIDL.

Thrangrycat vulnerability - Thrangrycat flaw lets attackers plant persistent backdoors on Cisco gear. Most Cisco gear is believed to be impacted. No attacks detected in the wild.

BlueKeep vulnerability - In mid-May, Microsoft warned about a new "wormable" RDP vulnerability that later became known as BlueKeep. Two new wormable BlueKeep-like vulnerabilities (DejaBlue) were later disclosed in August. After months of eagerly waiting attacks, a proof-of-concept exploit was publicly published in September.

Unsecured server exposes data for 85% of all Panama citizens - The server contained patient data, but no medical records were exposed -- only personally identifiable information (PII).

Software update crashes police ankle monitors in the Netherlands - Borked update prevents ankle monitors from sending data back to police control rooms. Some suspects needed to be collected and sent back to jail as a result.

In a first, Israel responds to Hamas hackers with an air strike - Israel military said it bombed building housing Hamas cyber forces.

Google replaces faulty Titan security keys - Vulnerability in Bluetooth pairing protocol forces Google to replace Titan keys sold in the US. Microsoft was later forced to issue a special fix to address the issue.

Canva hack - One of Gnosticplayers' victims. Company was hacked for 139 million user records.

StackOverflow hack- Stack Overflow said hackers breached production systems, and the hackers went undetected for more than a week.

Flipboard hack - Extent of the hack is unknown, but Flipboard said hackers had access to its systems for almost nine months.

London Underground to begin tracking passengers through Wi-Fi hotspots - Transport for London (TfL) said it was planning to roll out a system to track commuters making use of public Wi-Fi hotspots across the London Underground in coming months.

Major Safe Browsing bug - Mobile Chrome, Safari, and Firefox failed to show phishing warnings for more than a year.


Hackers breached 10 telecom providers - Researchers at Cybereason said a nation-state-backed intelligence operation has compromised at least 10 global telco companies - to such an extent the attackers run a "de facto shadow IT department".

New Silex malware bricked thousands of IoT devices - Attack lasted for days, but the hacker eventually stopped and retired the Silex malware code.

NASA hacked because of unauthorized Raspberry Pi connected to its network - NASA described the hackers as an "advanced persistent threat," a term generally used for nation-state hacking groups, but didn't provide other details.

Popular Facebook grief support page hacked -  Facebok ignored the hack for weeks.

Google Nest cams could have allowed former owners to spy on the new owners - Google eventually pushed out an update.

Two Firefox zero-days - Mozilla fixed two Firefox zero-days [1, 2] that were used to attack Coinbase employees.

AMCA data breach - Healthcare billing vendor got hacked last year and hackers put patient data for sale online. The breach impacted multiple healthcare providers, and eventually went over the 20 million mark.

CBP says hackers stole license plate and travelers' photos - CBP said subcontractor stored photos on its internal servers without authorization, and then got hacked.

Major HSM vulnerabilities impact banks, cloud providers, governments - Two security researchers revealed vulnerabilities that can be exploited remotely to retrieve sensitive data stored inside special computer components known as HSMs (Hardware Security Modules).

Wave of SIM swapping attacks hit US cryptocurrency users - For a week in June, tens of US-based cryptocurrency users saw themselves victims of SIM swapping attacks.


Kazakhstan government intercepted all local HTTPS traffic - HTTPS interception efforts targeted Facebook, Google, Twitter, and others sites. Apple, Google, and Mozilla eventually intervened and banned the certificate used for HTTPS MitM attacks.

Hacker steals data of millions of Bulgarians - A hacker stole the personal details of millions of Bulgarians and emailed download links to the stolen data to local news publications. The date, stolen from the country's National Revenue Agency, eventually leaked online.

Hackers breach FSB contractor - Hackers have breached SyTech, a contractor for FSB, Russia's national intelligence service, from where they stole information about internal projects the company was working on behalf of the agency -- including one for deanonymizing Tor traffic.

iMessages could have bricked your iPhone - Bug patched before being exploited in the wild.

Urgent/11 security flaws- Major bugs in TCP library impacted routers, printers, SCADA, medical devices, and many IoT devices.

Apple's AWDL protocol plagued by security flaws - Apple patched a bug in May, but academics say the rest of the flaws require a redesign of some Apple services. Bugs would enable tracking and MitM attacks.

DHS warns about CAN bus vulnerabilities in small aircraft - DHS cyber-security agency CISA recommends that aircraft owners restrict access to planes "to the best of their abilities" to protect against vulnerabilities that could be used to sabotage airplanes.

Vulnerabilities found in GE anesthesia machines - GE recommended that device owners not connect vulnerable anesthesia machines to a hospital's main networks. The company also denied the bugs could lead to patient harm, but later recanted and admitted that the issues could be dangerous to human life.

Los Angeles police caught up in data breach - Personal record of 2,500+ of LA cops stolen in the hack. The hacker emailed the department directly and included a sample of the allegedly stolen information to back up their claims.

Louisiana governor declares state emergency after local ransomware outbreak - Yep. Ransomware got so bad. It then hit Texas, dentist offices, and managed services providers.

Bluetooth exploit can track and identify iOS, Microsoft mobile device users - The vulnerability can be used to spy on users despite native OS protections that are in place and impacts Bluetooth devices on Windows 10, iOS, and macOS machines. This includes iPhones, iPads, Apple Watch models, MacBooks, and Microsoft tablets & laptops.

7-Eleven Japanese customers lose $500,000 due to mobile app flaw - 7-Eleven eventually shut down the app.


SWAPGSAttack CPU flaw - Researchers detail hardware vulnerability that bypasses mitigations against Spectre and Meltdown CPU vulnerabilities on Windows systems - and impacts all systems using Intel processors manufactured since 2012.

New Dragonblood vulnerabilities - Earlier this year in April, two security researchers disclosed details about five vulnerabilities (collectively known as Dragonblood) in the WiFi Alliance's recently launched WPA3 WiFi security and authentication standard.

14 iOS zero-days - Google finds exploits for 14 iOS vulnerabilities, grouped in five exploit chains, deployed in the wild since September 2016. Attacks aimed at Chinese Uyghur users.

The VPN security flaws - Hackers mount attacks on Pulse Secure and Fortinet VPNs -- including nation-state actors.

Windows CTF flaw - Vulnerability in Microsoft CTF protocol goes back to Windows XP. Bug allows hackers to hijack any Windows app, escape sandboxes, get admin rights.

WS-Discovery protocol abused for DDoS attacks - Protocol adopted by DDoS-for-hire services, used in real-world attacks already.

Capitol One hack - A hacker breached Capitol One, from where she stole the records of 100 million users. She also hacked 30 other companies.

Hy-Vee card breach - Supermarket chain Hy-Vee admitted to a security breach on some of its point-of-sale (PoS) systems. The data was eventually put up for sale on hacking forums.

Employees connect nuclear plant to the internet so they can mine cryptocurrency - Employees at a Ukrainian nuclear plant take unncessary security risks just to mine Bitcoin. They were eventually arrested.

Moscow's blockchain voting system cracked a month before election - French researcher nets $15,000 prize for finding bugs in Moscow's Ethereum-based voting system.

US military purchased $32.8m worth of electronics with known security risks - List of vulnerable products purchased by the DoD includes Lexmark printers, GoPro cameras, and Lenovo computers.

AT&T employees took bribes to plant malware on the company's network - DOJ charges Pakistani man with bribing AT&T employees more than $1 million to install malware on the company's network, unlock more than 2 million devices.

Windows malware strain records users on adult sites - New Varenyky trojan records videos of users navigating adult sites. Currently targeting only French users.

TrickBot trojan gets capability to aid SIM swapping attacks - TrickBot trojan seen collecting credentials and PIN codes for Sprint, T-Mobile, and Verizon Wireless accounts.

Warshipping technique - Hackers could use packet delivery services to ship hacking devices right to your company's doorstep.

Instagram boots ad partner Hyp3r - Instagram catches ad partner collecting data on its users.


Simjacker attack - Security researchers detailed an SMS-based attack that can allow malicious actors to track users' devices by abusing little-known apps that are running on SIM cards. SIM cards in 29 countries were found to be impacted. A second attack named WIBAttack was also discovered.

Smart TV spying - Two academic papers found that smart TVs were collecting data on users' TV-viewing habits.

Checkm8 iOS jailbreak - New Checkm8 jailbreak released for all iOS devices running A5 to A11 chips, on iPhones 4S up to iPhone 8 and X. The first jailbreak exploit to work on the hardware level in the past nine years.

Database leaks data on most of Ecuador's citizens - Elasticsearch server leaks personal data on Ecuador's citizens, their family trees, and children, but also some users' financial records and car registration information. An arrest followed.

Limin PDF breach - The details of over 24.3 million Lumin PDF users were shared on a hacking forum in mid-September. The company acknowledged the breach a day later.

Heyyo dating app leak - They leaked almost everything except private messages.

vBulletin zero-day and subsequent hacks - An anonymous security researcher released a zero-day in the vBulletin forum software. The vulnerability was immediately used to hack a bunch of forums.

Massive wave of account hijacks hits YouTube creators - YouTube creators from the auto and car community were hit with spear-phishing attacks that could bypass 2FA, allowing hackers to take over Google and YouTube accounts.

Lilocked (Lilu) ransomware - Thousands of Linux servers were infected with the new Lilocked (Lilu) ransomware.

Over 47,000 Supermicro servers are exposing BMC ports on the internet - Researchers discovered a new remote attack vector on Supermicro servers that were found to be exposing their BMC port over the internet.

Ransomware incident to cost company a whopping $95 million - A ransomware incident at Demant, a Danish company that makes hearing aids, has created losses of nearly $95 million, one of the most expensive incidents to date.

Exim vulnerability (CVE-2019-15846) - Millions of Exim servers are vulnerable to a security bug that when exploited can grant attackers the ability to run malicious code with root privileges.


Avast hack - Czech antivirus maker discloses second attack aimed at compromising CCleaner releases, after the one suffered in 2017. Company said hacker compromised the company via a compromised VPN profile.

Android zero-day exploited in the wild - Google Project Zero researchers find Android zero-day exploited in the wild, impacting Pixel, Samsung, Huawei, Xiaomi devices.

Alexa and Google Home devices leveraged to phish and eavesdrop on users, again - Amazon, Google fail to address security loopholes in Alexa and Home devices more than a year after first reports.

Czech authorities dismantle alleged Russian cyber-espionage network - Czech officials said Russian operatives used local companies to launch cyber-attacks against foreign targets. Officials said operates had support from the FSB and financial help from the local embassy.

Johannesburg held for ransom by hacker gang - A group named "Shadow Kill Hackers" is asking local officials for 4 bitcoins or they'll release city data online. Second major attack against Johannesburg after they've been hit by ransomware in July, when some locals were left without electricity.

CPDoS attack - CloudFront, Cloudflare, Fastly, Akamai, and others impacted by new CPDoS web cache poisoning attack.

PHP7 RCE exploited in the wild - New PHP7 bug CVE-2019-11043 can allow even non-technical attackers to take over Nginx servers running the PHP-FPM module.

macOS systems abused in DDoS attacks - Up to 40,000 macOS systems expose a particular port online that can be abused for pretty big DDoS attacks.

Editorial standards