The world's biggest data breaches and hacks of 2013

From Facebook to Adobe, 2013 has been a tough year for companies looking to defend against cybercrime.
1 of 15 Charlie Osborne/ZDNet

Media Outlets: The New York Times, The Wall Street Journal

In January this year, The New York Times, having been the victim of persistent attacks, experienced a breach which lasted four months.

A sophisticated Chinese hacking team slipped past security systems in order to deploy 45 custom malware pieces and access the computers of 53 employees -- before moving on to a domain controller, breaching the system, and gaining the hashed password of every member of staff on The New York Times payroll. Eventually, once the breach was discovered, the hackers were dispelled. 

The newspaper said that it may have to do with an investigation carried out in October 2012 concerning a story which said the Chinese Prime Minister had accumulated funds through business dealings. The government official said this accusation was "groundless." However, the publication also pointed the finger at security firm Symantec for failing to protect it against the security breach. In response, the security firm said:

"Turning on only the signature-based anti-virus components of endpoint solutions alone are not enough in a world that is changing daily from attacks and threats. We encourage customers to be very aggressive in deploying solutions that offer a combined approach to security.

Anti-virus software alone is not enough."

The Wall Street Journal then came forward, stating that the U.S. publication too had been a victim of attacks designed to monitor reports concerning China, and cyberattacks spanned several years. The WSJ said that "journal sources on occasion have become hard to reach after information identifying them was included in emails," and suggested that information gained by the attackers has worked its way to Chinese authorities, who then took action to silence whistleblowers. 

Read also:  

2 of 15 Charlie Osborne/ZDNet

The U.S. Federal Reserve

In February this year, the Federal Reserve acknowledged that hacktivist collective Anonymous had broken in to a number of government websites as part of "Operation Last Resort" -- and managed to both steal and post the sensitive credentials of 4,600 banking executives.

The compromised and exposed database belongs to The St. Louis Federal Emergency Communications System, the communication system used by seventeen states in a time of crisis, allowing financial institutions and government officials to talk through two-way channels. 

The hacktivists posted both the login details and private information -- such as IP addresses and contact information -- in to a public dump, all the while demanding U.S. computer crime law reform. Just to further twist the knife, Anonymous used the government website itself to post the spreadsheet containing the stolen data. 

Read also: 

3 of 15 Charlie Osborne/ZDNet


In February this year, the world's largest social network suffered a sophisticated attack caused by a zero day vulnerability.

Facebook said there was "no evidence" that user data was compromised by the cyberattack, which was caused when a number of the social network's employees visited a mobile developer website infected with malicious code. Malware was then installed on these employee's laptops, and the Java-based zero day exploit was able to bypass security systems that keep applets away from system files. As a result, hackers may have been able to access the internal Facebook corporate network.

Law enforcement was notified and the hack investigation is ongoing. 

However, this wasn't the end for Facebook's year of being a cyberattack target. Facebook said in a blog post on June 21 that as part of its White Hat scheme -- which rewards notices of system vulnerabilities -- a bug that may have allowed some of a person's contact information (email or phone number) to be accessed by people who either had some contact information about that person or some connection to them. Approximately 6 million Facebook users had email addresses or telephone numbers shared without their consent before the bug was fixed.

Read also: 

4 of 15 Apple


In February, Apple experienced a breach on its corporate servers after employee computers were hit with malware, funnelled through a vulnerability in the Java Web plug-in. This attack took place only a week after Facebook was hit with a similar attack. 

On February 19,  the iPhone and iPad maker announced the company was working with law enforcement agencies to investigate the security breach, but there was "no evidence that any data left Apple." The tech giant said in a statement:

"Apple has identified malware which infected a limited number of Mac systems through a vulnerability in the Java plug-in for browsers. The malware was employed in an attack against Apple and other companies, and was spread through a website for software developers. We identified a small number of systems within Apple that were infected and isolated them from our network."

A Java malware removal tool was released the same day to prevent Mac users from being hit with the same cyberattack, and Oracle subsequently patched the exploit.

5 of 15 Charlie Osborne/ZDNet


Yet another attack in February took place, this time against popular microblogging platform Twitter. 

In a blog post, Twitter said "unusual access patterns" allowed the company to discover attacks on Twitter data. The subsequent investigation found that the usernames, email addresses, session tokens and encrypted versions of passwords for 250,000 users were potentially placed at risk.

The firm said that the cyberattack "was not the work of amateurs," and was unlikely to be an isolated scenario. 

As a result, Twitter reset passwords for these accounts, notifying those impacted via email. In addition, the social network suggested that Java be disabled on user browsers. 

Following the breach, Twitter rolled out support for two-factor authentication to bolster security. 

See also:

6 of 15 Charlie Osborne/ZDNet


In March this year, the popular note-taking platform's master website was hacked, and account information of its users accessed.

Evernote, known for its mobile device applications, detected the attack early on, but the hacker or group responsible were still able to access user information including names, email addresses and encrypted passwords -- the latter luckily both hashed and salted.

As a precaution, Evernote required all of its users to change their passwords.  

In a statement to sister site CNET, an Evernote representative said:

"At this time we believe we have blocked any unauthorized access, however security is Evernote's first priority. This is why, in an abundance of caution, we are requiring all users to reset their Evernote account passwords before their next Evernote account log-in. We are actively communicating to our users about this attack through our blog, direct e-mails, social media, and support. This simple step of users creating strong, new passwords will help ensure that user accounts remain secure." 

7 of 15 Charlie Osborne/ZDNet


In April this year, LivingSocial confirmed it was another major outlet to be the victim of cyberattack.

The daily deals website discovered its database systems were breached, while unknown hackers made off with the names, emails, birthdays and encrypted passwords of the vast majority of users -- roughly 50 million accounts in total out of 70 million worldwide. 

However, credit card and banking information was not accessed. 

The Washington, D.C.-based site is owned in part by online retailer Amazon, and has divisions internationally. Only Thailand, Korea, Indonesia and the Philippines were not affected, as their data systems are different. 

Read also: 

8 of 15 Charlie Osborne/ZDNet


In May this year, almost one million accounts were compromised and passwords were forced to be reset after hackers infiltrated Drupal.org's systems.

Drupal, which offers an open-source content management system (CMS) to power the back of websites, joins the ranks of Wordpress and Joomla as a popular option for millions of webmasters. However, on May 29, the security team wrote in a blog post that third-party software installed on Drupal.org servers allowed hackers to access the system. User account data on Drupal.org and groups.drupal.org were accessed, including usernames, email addresses and country information, as well as hashed passwords. The team said:

"Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability."

As a precaution, users of Drupal had to reset their login information. In addition, Drupal rebuilt its security systems, enhanced many servers with new security patches, and added antivirus to scanning routines. 

According to Drupal's website, 1,012,335 people in 229 countries currently use the system.

9 of 15 Charlie Osborne/ZDNet

Washington State Court System Breach

In May this year, Washington State Court systems were infiltrated by hackers, exposing up to 160,000 Social security numbers.

The agency found that the website of the Washington State Administrative Office of the Courts (AOC) was accessed unlawfully through third-party software installed on the network. Up to 160,000 social security numbers and the details of one million driver's licenses may have been downloaded and accessed, although only 94 Social security numbers were confirmed as stolen.

Mike Keeling, information technology operations and maintenance manager for the court system, told reporters on a conference call:

"The access occurred through a 'back door' part of a commercial software product we were using, and it is patched now. We found specific (hacker) footprints in the area where those 94 Social Security numbers were located, so that's why we're reasonably sure that the data was accessed."

Government officials said that Social security numbers and of those booked into a city or county jail in the state from September 2011 to December 2012, and those who received a DUI from 1989 to 2011 were potentially at risk.  

10 of 15 Charlie Osborne/ZDNet

Yahoo! Japan

In May, Yahoo! Japan detected unauthorized access in the administrative panel of the Yahoo! Japan web portal, and suspected up to 22 million user IDs may have been stolen as a result.

The access attempt, which took place at roughly 9pm on May 16 this year, did not include passwords or the data necessary to reset them. In a blog post apologizing for the breach, Yahoo! Japan said:

"We don't know if the file (of 22 million user IDs) was leaked or not, but we can't deny the possibility given the volume of traffic between our server and external" terminals."

Yahoo! has a 35 percent stake in the company.


11 of 15 Charlie Osborne/ZDNet

Homeland Security

May seemed to be a popular time for cyberattacks. The Department Of Homeland Security (DHS) found itself on the receiving end this year after third-party software used on its network contained vulnerabilities that were exploited, exposing a number of employees' personal data.

The DHS said that information include names, Social security numbers and dates of birth were potentially accessed. In a statement, the agency said:

" At the direction of DHS, the vulnerability was immediately addressed. While there is no evidence that any unauthorized user accessed any personally identifiable information, out of abundance of caution, DHS is alerting employees and individuals who received a DHS clearance, of the potential vulnerability and outlining ways that they can protect themselves."

Yahoo! has a 35 percent stake in the company.


12 of 15 Charlie Osborne/ZDNet


In June, the most high-profile data breach occured: catastrophic for the agency involved, and a catalyst for the subsequent media frenzy and outrage of the U.S. general public. Edward Snowden, a former contractor of the U.S. National Security Agency (NSA), leaked confidential documents to The Guardian and Washington Post, before going on the run and eventually entering Russian territory.

The contractor quietly, over time, saved copies of confidential documents that documented the NSA's monitoring and spying activities at home and abroad. Documents are still steadily being released in to the public sphere, and as a result, the debate over governmental reach has been brought into the spotlight. Not only this, but the NSA revelations have impacted on international relationships between the U.S. and other countries. 

Read also: 

13 of 15 Charlie Osborne/ZDNet

LinkedIn, Last.fm, eHarmony

In June, LinkedIn, Last.fm, and eHarmony were all subject to user passwords being leaked online, where a hacker posted the files on forums asking for help in cracking them.

The eight million hashed passwords posted appear to belong to the professional social network, music streaming site and dating service. 

All posted over several days, the biggest list of 6.46 million passwords was believed to belong to LinkedIn, and were not 'salted' -- which makes cracking hash lists faster and easier. In a blog post, LinkedIn later confirmed that some of the data did relate to user passwords -- and emails were then sent asking users to reset their details.  

EHarmony confirmed the data breach, saying that a 'small fraction' of its users were affected. Last.fm soon followed suit, conducting an investigation and suggesting that passwords by changed. 

14 of 15 Charlie Osborne/ZDNet


In October this year, Adobe admitted that 2.9 million user accounts were compromised in an attack which stole names, financial data and customer orders information.

Brad Arkin, senior director of security for Adobe products and services, explained in a blog post that "one of the unfortunate realities of doing business today" was cyberattacks, and unfortunately Adobe's security team discovered sophisticated attacks on the company's networks, although the culprits were not discovered.

In addition to the theft of customer data, Adobe said that illegal access to source code for products including Acrobat, ColdFusion, and the ColdFusion Builder was also discovered, although this was not a risk for customers. 

Arkin said that while sensitive data and encrypted credit or debit card numbers were taken, federal investigators did not believe unencrypted numbers were removed from servers. 

After the data breach, Adobe reset the passwords on breached Adobe customer IDs and notified customers if their financial details were exposed. In addition, the company offered these customers to enrol in complimentary credit monitoring services for a year. 

Read also: 


15 of 15 Charlie Osborne/ZDNet


In November this year, the MacRumors forum was breached by hackers who probably gained access to names, passwords and emails of its users.

In a blog post, administrators said that all of its 860,000 users were affected.

"In situations like this, it's best to assume that your MacRumors Forum username, email address and (hashed) password is now known," Editorial Director Arnold Kim said. "While the passwords are "hashed" (which is a one-way conversion from your actual password to a scrambled version), given computing power these days, if your password isn't very complex, they could brute force figure it out by trying lots of combinations."

The hack involved a hacker gaining control of a moderator account, who then boosted their privileges in order to steal the data. 

Read also: 

Related Galleries

Developer trends, zero-day risks, 5G speeds, and more: Tech research roundup
Person seated at a booth in a cafe looks at their phone and laptop.

Related Galleries

Developer trends, zero-day risks, 5G speeds, and more: Tech research roundup

10 Photos
Tech salaries, developer skills, cybersecurity, and more: ZDNet's research roundup

Related Galleries

Tech salaries, developer skills, cybersecurity, and more: ZDNet's research roundup

8 Photos
Yubikey Security Key C NFC
Security Key C NFC

Related Galleries

Yubikey Security Key C NFC

8 Photos
First look at the YubiKey Bio
YubiKey Bio

Related Galleries

First look at the YubiKey Bio

10 Photos
iVerify (version 17)
iVerify for iOS and iPadOS

Related Galleries

iVerify (version 17)

5 Photos
OnlyKey hardware security key

Related Galleries

OnlyKey hardware security key

19 Photos
SoloKeys Solo V2
Solo V2

Related Galleries

SoloKeys Solo V2

10 Photos