2012: Looking back at the major hacks, leaks and data breaches

During 2012, almost every industry -- from banking to insurance, government departments and even security companies that help to protect against such attacks -- were hacked or breached and vast amounts of data siphoned off from company networks.

Many of the successful attacks came from those part of or connected with hacking collective Anonymous, but not all. From Social Security record breaches to a year of poor company policies on password and user details protection, along with massive hacking attacks that gave the ordinary citizen an insight into the shady private intelligence world, here's a look back at some of the major hacks, leaks and breaches of the year. 

• Read more:  A year in cybersecurity and cybercrime: 2012 review
• Tech blunders, catastrophes and epic fails of 2012: review

In January, hackers breached a network belonging to the Indian intelligence service and acquired a vast amount of Symantec's Norton anti-virus source code. It was subsequently posted on Pastebin, often used by hackers to post leak data and source code anonymously.

Symantec was quick to state that the source code does not reflect the firm's current work. By analyzing the anti-malware source code, malware writers would be able to find weaknesses in order to bypass the software and hijack machines for malicious purposes. It's understood that the Indian authorities intended to inspect the source code, which was stolen from an insecure network.

• Read more: Symantec confirms hacker theft of Norton anti-virus source code

Online retail store Zappos suffered a significant data breach that exposed the accounts of about 24 million. Security experts thought it was the largest consumer data breach of 2012.

Amazon.com-owned Zappos said hackers attacked an internal corporate network through a Kentucky-based server, and swiped customer account information, including email addresses, the last four-digits of credit card details, and cryptographically scrambled passwords. 

• Read more: Zappos hacked, 24 million affected
• Zappos breach highlights fragile password, personal data security

Loose-knitted hacking collective Anonymous successfully attacked Stratfor, a private U.S. intelligence firm, and swiped around five million emails . The data was then handed to Wikileaks for later publication. The email cache included invoices and details of sources connected to news media outlets, and employees of governments located around the world.

Once the full email cache was released, a controversy began when a number of Western Allied governments were accused of using TrapWire surveillance software . It was an overblown fear, not quite the 'global network of cameras' as suggested by a number of media outlets, but was nonetheless a potentially liberty-infringing network. 

• Read more: Stratfor's 5m emails spilled by Wikileaks
• Wikileaks uncovers TrapWire surveillance: FAQ

MasterCard and Visa customers were warned after a massive data breach that affected more than 1.5 million credit and debit card owners. While a hacker initially claimed responsibility for the data breach, it was quickly debunked by a source within the banking industry speaking to ZDNet.

Global Payments, the company that was hit by the data breach, explained that only credit card numbers -- not names, addresses, or Social Security numbers -- but would ultimately cost the card processing firm around $84 million to clean up. 

• Read more: Warning over 'massive' MasterCard, Visa security breach
• Hacker claims mass bank breach; releases Visa, Mastercard data
• Data breach to cost $84m for Global Payments

A hacker associated with hacktivist collective Anonymous posted thousands of internal documents claimed to be associated with the Chinese government, most notably defense contracts signed by the country.

By hacking the Beijing-based China National Import & Export Corp. (CEIEC), the hacker was able to acquire and publish a range of contracts and business memos linked to the U.S. military, including many relating to the U.S.-led war effort in Afghanistan. The CEIEC denied the claims and called them "groundless" and "defamatory." 

• Read more: CNET News: Anonymous hacks hundreds of Web sites in China

A U.K. government department was found snooping on citizen data and many civil servants were reprimanded for looking at medical records, National Insurance numbers, (the U.K. version of 'Social Security') and even criminal records, according to a series of Freedom of Information requests.

Ultimately, it was found that there were 150 'breaches' of data security by staff at the U.K. Department for Work and Pensions, and the National Health Service (NHS)-running U.K. Department of Health over a 13-month period. 

While the secure and confidential data may not have ended up in the hands of criminals or anyone outside of the department, it was a gross invasion of citizen privacy nonetheless. 

• Read more: U.K. government staff caught snooping on citizen data

A Russian forum user claimed to have downloaded 6.46 million passwords belonging to LinkedIn users, though the stolen passwords were cryptographically hashed. However, many of those passwords weren't salted, meaning it was relatively easy to convert the simpler passwords into a readable format.

LinkedIn shortly confirmed the data breach but did not explain how the passwords were accessed. Affected accounts were disabled and password reset emails were sent out. The later cleanup effort cost the professional social networking company around $1 million , and another $2-3 million in forensic work and security upgrades.

• Read more: 6.46 million LinkedIn passwords leaked online
• Breach clean-up cost LinkedIn nearly $1 million, another $2-3 million in upgrades

Next in line to suffer a security breach in June was Last.fm, which after claims of a similar attack on the online music social network. (ZDNet and Last.fm are both owned by CBS).

It became quickly apparent that the incidents were linked, but led to further widespread criticism of the password encryption standards and security features offered by Web services. In the aftermath, many Web sites and services bolstered their security to prevent such breaches occurring again.

• Read more: Last.fm investigating 'security issue', passwords leaked

Yahoo, beleaguered by corporate failures and a revolving door of CEOs, came under fire once again after hackers were able to attack the firm's networks by exploiting a flaw and downloading 450,000 plain-text login credentials .

While the breach was not as large as others, such as LinkedIn or Global Payments, but details of the breach were soon reported and it became quickly apparent how easy it was to acquire the vast cache of data. Using a union-based SQL injection attack, it showed just how insecure Yahoo's security was.

Yahoo was subsequently sued for negligence shortly after the hack in a San Jose, California court. The hackers said in a blog post: "We hope that the parties responsible for managing the security of this subdomain will take this as a wake-up call, and not as a threat." A week later, the former Web portal giant gave the all clear and resumed its operations.

• Read more: 450,000 user passwords leaked in Yahoo breach
• Yahoo sued over stolen usernames and passwords

Graphics unit maker Nvidia suffered a relatively minor security breach that affected the firm's developer forums. Coming only a few weeks after the LinkedIn, eHarmony, and Last.fm password debacles, by comparison the breach was not as bad as those who suffered breaches earlier.

The firm said that it had secured the hashed passwords with "random salt values" making it slightly more difficult for the passwords to be decrypted, but Nvidia still sent all of its forum users a temporary password that must be changed on first use.

• Read more: Nvidia suffers data breach; investigation under way

Formspring was also next on the list of companies to be attacked and passwords stolen. As soon as the firm realized there had been a security breach , Formspring sent out an email to those affected asking them to change their password. 

Around 420,000 password hashes were posted to a security forum, but username and other data were not submitted, making it almost impossible to do anything with. However, the form-based question firm used the SHA-256 algorithm to secure its user's accounts and passwords were hashed with random salts. Formspring now uses bcrypt in order to secure accounts even further.

• Read more: Formspring resets millions of passwords amid breach

One of the world's most used cloud-storage services was attacked by hackers -- and not for the first time -- which led to spam messages being sent to email accounts used in some cases exclusively for Dropbox. The security community was quick to claim there had been a data breach, but Dropbox held off with any definitive answers for some days.

Eventually, the firm said that usernames and passwords stolen from other sites, such as LinkedIn, eHarmony, and Last.fm, were used to gain access to some Dropbox accounts. Along with this, a stolen password was also used to access a Dropbox employee's account with passwords as part of an internal project.

The firm then put in place additional security measures and has since implemented two-factor authentication, requiring two proofs of identity, such as those sent to your mobile device.

• Read more: Dropbox gets hacked... again
• CNET: Dropbox confirms it was hacked, offers users help

With the rollout of iOS 6 imminent, a wave of unique iOS-powered device codes (UDIDs) were stolen by Anonymous, allegedly from the FBI, and were uploaded to the Web. UDID codes are used by developers for analytics, but could also be used to personally identify users. There was enough suspicion to suggest either Apple had passed on the device codes for FBI surveillance, or the iPhone and iPad maker was forced to. It blew up a privacy brouhaha for close to a fortnight.

Apple said, in a rare public statement , that the data had not been requested by the FBI or provided it to any organization. Eventually, after both Apple and the FBI denied any knowledge or involvement, a small company in Florida admitted to a data breach , which led to the UDID codes leaking to the Web. Apple's iOS 6 mobile operating system was rolled out only a few weeks later, which removed UDIDs from iOS-powered devices. 

• Read more: AntiSec claims to have snatched 12M Apple device IDs from FBI
• Apple: We didn't pass iPhone, iPad device IDs to FBI
• Apple UDIDs leaked by Anonymous came from Florida firm, not FBI

Records from a number of prominent universities were made public after a Ghostshell hacker obtained more than 120,000 records and sets of data . Most of the data was SQL-related content.

The leaked data contained more than 36,600 email addresses were identified and tens of thousands of university student, faculty, and staff names were disclosed. While the details of only one bank account were disclosed, much of the data included ethnic, nationality and other personally identifiable information, as well as a whole range of passwords.

The Ghostshell group is known for its higher education agenda, with focus not limited to tuition fees and troubles in the post-graduation job market. 

• Read more: GhostShell university hack: By the numbers

The state of South Carolina suffered a massive data loss of more than 3.6 million Social Security records , after government servers were breached. With a population of 4.6 million, this breach represented about 78 percent of the state's population. 16,000 credit card details were also stolen without encryption.

The figure also included 670,000 businesses  affected by the data breach. It took close to three weeks before the hack came to light after U.S. Secret Service first received information regarding an incident on October 10, 2012.

• Read more: South Carolina suffers theft of 3.6M social security numbers
• Up to 657,000 businesses hit in South Carolina hack

Barnes & Noble had 63 stores hit -- including its flagship "world's largest bookstore" in New York City, after hackers stole vast amounts of credit card data from around the United States. The data was stolen from the credit card machines part of the 63 store's cash registers . A public letter said the book giant had disabled its 7,000 keypads in hundreds of its stores, despite only one store being hit in the successful hacking attack. 

The hack was kept quiet for more than five weeks for the U.S. Justice Dept. and the FBI to investigate. Barnes & Noble said it was "working with banks, payment card brands and issuers" to identify any accounts that may have been compromised.

• Read more: Hackers steal Barnes & Noble credit card numbers: 63 stores hit

More from Anonymous, as hackers associated with the collective leaked the VMware ESX Server's kernel source code to the Web. The 2MB file (compressed) was small in size but the independently verified source code was out in the open.

Because kernel source code doesn't change much , "some core functionality still stays the same," the hacker said, indicating that users of the bare bones operating system-independent virtualization server could be at risk for future hacks. VMware said in a public statement that "more related files will be posted in the future," as the virtualization giant scrambled to update its platform to ensure its customers are secure.

• Read more: Hacker leaks VMware ESX kernel source code online

And last but not least, insurance giant Nationwide Mutual suffered a hack that affected 1.1 million Americans , according to North Carolina Attorney General. It's thought that the hackers may have been from overseas, and may not have been on U.S. soil.

Customers' names, Social Security numbers, and driver's license details were all pilfered by the hackers, and the possibility of date of birth and marital status, gender and their employers name could not be ruled out. The extent of the hack may not be realized until the early part of 2013. The insurance company prepared a statement and said it was "very sorry," but was not aware of "any misuse of customers' information."

• Read more: Nationwide Mutual hack affected '1.1 million Americans'