2012: Looking back at the major hacks, leaks and data breaches

ZDNet looks back at the year, on a month-by-month basis, at some of the most publicized hacks, leaks and data breaches of 2012.
1 of 20 Zack Whittaker/ZDNet

Dozens of data breaches, millions affected

During 2012, almost every industry -- from banking to insurance, government departments and even security companies that help to protect against such attacks -- was hacked or breached, and vast amounts of data were siphoned off from company networks.

Many of the successful attacks came from those who were part of or connected with hacking collective Anonymous, but not all. From Social Security record breaches to a year of poor company policies on password and user details protection, along with massive hacking attacks that gave the ordinary citizen an insight into the shady private intelligence world, here's a look back at some of the major hacks, leaks and breaches of the year.

January: Symantec Norton source code theft

In January, hackers breached a network belonging to the Indian intelligence service and acquired a vast amount of Symantec's Norton anti-virus source code. It was subsequently posted on Pastebin, a site often used by hackers to post leaked data and source code anonymously.

Symantec was quick to state that the source code does not reflect the firm's current work. By analyzing the anti-malware source code, malware writers would be able to find weaknesses in order to bypass the software and hijack machines for malicious purposes. It's understood that the Indian authorities intended to inspect the source code, which was stolen from an insecure network.

24 million affected by Zappos hack

Online retail store Zappos suffered a significant data breach that exposed the accounts of about 24 million customers. Security experts thought it was the largest consumer data breach of 2012.

Amazon.com-owned Zappos said hackers attacked an internal corporate network through a Kentucky-based server, and swiped customer account information, including email addresses, the last four digits of credit card details, and cryptographically scrambled passwords.

February: Stratfor hacked, Anonymous hands emails to Wikileaks

Loosely knit hacking collective Anonymous successfully attacked Stratfor, a private U.S. intelligence firm, and swiped around five million emails. The data was then handed to Wikileaks for later publication. The email cache included invoices and details of sources connected to news media outlets, and employees of governments located around the world.

Once the full email cache was released, a controversy began when a number of Western Allied governments were accused of using TrapWire surveillance software. It was an overblown fear, not quite the 'global network of cameras' as suggested by a number of media outlets, but was nonetheless a potentially liberty-infringing network. 

March: Global Payments hacked; MasterCard, Visa customers affected

MasterCard and Visa customers were warned after a massive data breach that affected more than 1.5 million credit and debit card owners. While a hacker initially claimed responsibility for the data breach, the claim was quickly debunked by a source within the banking industry speaking to ZDNet.

Global Payments, the company that was hit by the data breach, explained that only credit card numbers -- not names, addresses, or Social Security numbers -- were taken, but the breach would ultimately cost the card processing firm around $84 million to clean up.

April: Anonymous attack Chinese Web sites, defense contracts stolen

A hacker associated with hacktivist collective Anonymous posted thousands of internal documents claimed to be associated with the Chinese government, most notably defense contracts signed by the country.

By hacking the Beijing-based China National Import & Export Corp. (CEIEC), the hacker was able to acquire and publish a range of contracts and business memos linked to the U.S. military, including many relating to the U.S.-led war effort in Afghanistan. The CEIEC denied the claims and called them "groundless" and "defamatory." 

May: U.K. government caught snooping on citizen data

A U.K. government department was found snooping on citizen data and many civil servants were reprimanded for looking at medical records, National Insurance numbers (the U.K. version of 'Social Security') and even criminal records, according to a series of Freedom of Information requests.

Ultimately, it was found that there were 150 'breaches' of data security by staff at the U.K. Department for Work and Pensions, and the National Health Service (NHS)-running U.K. Department of Health over a 13-month period. 

While the secure and confidential data may not have ended up in the hands of criminals or anyone outside of the department, it was a gross invasion of citizen privacy nonetheless. 

June: LinkedIn password breach affects 6.46 million users

A Russian forum user claimed to have downloaded 6.46 million passwords belonging to LinkedIn users, though the stolen passwords were cryptographically hashed. However, many of those passwords weren't salted, meaning it was relatively easy to convert the simpler passwords into a readable format.

LinkedIn soon confirmed the data breach but did not explain how the passwords were accessed. Affected accounts were disabled and password reset emails were sent out. The later cleanup effort cost the professional social networking company around $1 million, and another $2-3 million in forensic work and security upgrades.

Password breach hits 1.5 million eHarmony users

Only a few days after the LinkedIn breach, dating Web site eHarmony was hit with a similar attack that led to the exposure of 1.5 million hashed passwords. The firm's security practices were not as strong. Its security systems only saved the user's password -- despite some users owning multi-case passwords -- in upper-case characters only, further weakening the system.

Last.fm next in line to suffer massive password breach

Next in line to suffer a security breach in June was Last.fm, after claims of a similar attack on the online music social network. (ZDNet and Last.fm are both owned by CBS).

It quickly became apparent that the incidents were linked, but they led to further widespread criticism of the password encryption standards and security features offered by Web services. In the aftermath, many Web sites and services bolstered their security to prevent such breaches occurring again.

July: Yahoo password breach exposes 450,000 user logins

Yahoo, beleaguered by corporate failures and a revolving door of CEOs, came under fire once again after hackers were able to attack the firm's networks by exploiting a flaw and downloading 450,000 plain-text login credentials.

While the breach was not as large as others, such as LinkedIn or Global Payments, details of the breach were soon reported and it quickly became apparent how easy it was to acquire the vast cache of data. The attackers used a union-based SQL injection attack, which showed just how insecure Yahoo's security was.

Yahoo was subsequently sued for negligence shortly after the hack in a San Jose, California court. The hackers said in a blog post: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat." A week later, the former Web portal giant gave the all clear and resumed its operations.

Nvidia developer forums hacked, company investigates

Graphics unit maker Nvidia suffered a relatively minor security breach that affected the firm's developer forums. Coming only a few weeks after the LinkedIn, eHarmony, and Last.fm password debacles, the breach was, by comparison, not as bad as those suffered earlier.

The firm said that it had secured the hashed passwords with "random salt values" making it slightly more difficult for the passwords to be decrypted, but Nvidia still sent all of its forum users a temporary password that must be changed on first use.

Formspring password breach, mass password reset follows

Formspring was also next on the list of companies to be attacked and have passwords stolen. As soon as the firm realized there had been a security breach, Formspring sent out an email to those affected asking them to change their password.

Around 420,000 password hashes were posted to a security forum, but usernames and other data were not submitted, making it almost impossible to do anything with them. However, the form-based question firm used the SHA-256 algorithm to secure its users' accounts and passwords were hashed with random salts. Formspring now uses bcrypt in order to secure accounts even further.

August: Dropbox hacked (again…)

One of the world's most used cloud-storage services was attacked by hackers -- and not for the first time -- which led to spam messages being sent to email accounts used in some cases exclusively for Dropbox. The security community was quick to claim there had been a data breach, but Dropbox held off with any definitive answers for some days.

Eventually, the firm said that usernames and passwords stolen from other sites, such as LinkedIn, eHarmony, and Last.fm, were used to gain access to some Dropbox accounts. Along with this, a stolen password was also used to access a Dropbox employee's account with passwords as part of an internal project.

The firm then put in place additional security measures and has since implemented two-factor authentication, requiring two proofs of identity, such as those sent to your mobile device.

September: Apple's UDID leaks linked to Florida data breach, not FBI

With the rollout of iOS 6 imminent, a wave of unique iOS-powered device codes (UDIDs) were stolen by Anonymous, allegedly from the FBI, and were uploaded to the Web. UDID codes are used by developers for analytics, but could also be used to personally identify users. There was enough suspicion to suggest either Apple had passed on the device codes for FBI surveillance, or the iPhone and iPad maker was forced to. It blew up a privacy brouhaha for close to a fortnight.

Apple said, in a rare public statement, that the data had not been requested by the FBI and that it had not provided it to any organization. Eventually, after both Apple and the FBI denied any knowledge or involvement, a small company in Florida admitted to a data breach, which led to the UDID codes leaking to the Web. Apple's iOS 6 mobile operating system was rolled out only a few weeks later, which removed UDIDs from iOS-powered devices.

October: Ghostshell hacks universities, massive data breach

Records from a number of prominent universities were made public after a Ghostshell hacker obtained more than 120,000 records and sets of data. Most of the data was SQL-related content.

In the leaked data, more than 36,600 email addresses were identified and tens of thousands of university student, faculty, and staff names were disclosed. While the details of only one bank account were disclosed, much of the data included ethnic, nationality and other personally identifiable information, as well as a whole range of passwords.

The Ghostshell group is known for its higher education agenda, with focus not limited to tuition fees and troubles in the post-graduation job market. 

South Carolina suffers huge Social Security records theft

The state of South Carolina suffered a massive data loss of more than 3.6 million Social Security records, after government servers were breached. With a population of 4.6 million, this breach represented about 78 percent of the state's population. 16,000 credit card details were also stolen without encryption.

The figure also included 670,000 businesses affected by the data breach. It took close to three weeks before the hack came to light after the U.S. Secret Service first received information regarding an incident on October 10, 2012.

Barnes & Noble credit card machines breached, card data stolen

Barnes & Noble had 63 stores hit -- including its flagship "world's largest bookstore" in New York City -- after hackers stole vast amounts of credit card data from around the United States. The data was stolen from the credit card machines that were part of the 63 stores' cash registers. A public letter said the book giant had disabled its 7,000 keypads in hundreds of its stores, despite only one store being hit in the successful hacking attack.

The hack was kept quiet for more than five weeks for the U.S. Justice Dept. and the FBI to investigate. Barnes & Noble said it was "working with banks, payment card brands and issuers" to identify any accounts that may have been compromised.

November: Hacker leaks VMware ESX kernel source code to the Web

More from Anonymous, as hackers associated with the collective leaked the VMware ESX Server's kernel source code to the Web. The 2MB file (compressed) was small in size but the independently verified source code was out in the open.

Because kernel source code doesn't change much, "some core functionality still stays the same," the hacker said, indicating that users of the bare bones operating system-independent virtualization server could be at risk for future hacks. VMware said in a public statement that "more related files will be posted in the future," as the virtualization giant scrambled to update its platform to ensure its customers are secure.

December: Nationwide Mutual hacked, 1.1 million Americans affected

And last but not least, insurance giant Nationwide Mutual suffered a hack that affected 1.1 million Americans, according to the North Carolina Attorney General. It's thought that the hackers may have been from overseas, and may not have been on U.S. soil.

Customers' names, Social Security numbers, and driver's license details were all pilfered by the hackers, and the possibility that date of birth, marital status, gender and their employer's name were also taken could not be ruled out. The extent of the hack may not be realized until the early part of 2013. The insurance company prepared a statement and said it was "very sorry," but was not aware of "any misuse of customers' information."
