These are the worst hacks, cyberattacks, and data breaches of 2018

Millions of records were lost, services were disrupted, and credit card data was stolen as hackers ran amok over the year.
1 of 24 Charlie Osborne/ZDNet

UK government website cryptojacking

February: Over 4,000 websites, including UK government, US, and Australian services, all experienced the same security issue at once due to a vulnerable third-party plugin used for website accessibility. Countless website visitors became victims of cryptojacking, in which their CPU power was used without consent to mine for cryptocurrency.

February -- June: Third-party code on Ticketmaster's web domain was compromised, leading to the implant of credit card skimming malware on the domain. Up to 40,000 UK and international customers are believed to have been affected, with information including names, addresses, email addresses, telephone numbers, payment details, and Ticketmaster login details involved in the breach.

Researchers later connected the cyberattack to the Magecart campaign.

Under Armour

March: Under Armour, a seller of fitness apparel, revealed that the firm's MyFitnessPal mobile app had been hacked, leading to the compromise of 150 million accounts. Usernames, email addresses, and hashed passwords were stolen, and while financial data was not affected, users were required to immediately change their passwords.

March: Aadhaar, India's national ID database, contains the information of at least 1.1 billion Indian citizens. A data leak which originated from a state-owned utility company allowed anyone to download information belonging to all Aadhaar holders, including their private data and financial details.

Facebook, Cambridge Analytica

March: The Facebook -- Cambridge Analytica scandal was one of the largest this year with severe consequences that are still being felt by the companies and regulators alike.

In total, information belonging to up to 87 million users was improperly shared by a developer with Cambridge Analytica for the purpose of voter profiling. It has been suggested that this may have been used to spread propaganda and help elect US President Trump.

British Airways

April -- July: British Airways leaked data belonging to hundreds of thousands of customers who used a credit card to make reward bookings between April and July. The compromised information included names, billing addresses, email addresses, and payment information including card numbers, expiry dates, and CVV security codes.

The leak was uncovered following the Ticketmaster breach. It is believed the hack was the work of Magecart, which has also claimed victims including Newegg, Feedify, and broadcaster ABS-CBN.

Rail Europe

May: Rail Europe, a company which sells tickets for trips around the bloc, suffered a three-month-long data breach caused by credit-card skimming malware. Credit card numbers, expiration dates, and CVV card verification codes were all stolen during the covert campaign, and while the company did not reveal exactly how many customers were involved, Rail Europe accounted for five million customers last year.

May: TeenSafe, a mobile app which touts itself as a "secure" monitoring app for iOS and Android aimed at parents, was responsible for two servers which were publicly exposed, leaking parental email addresses, child Apple IDs, device names, and device identifiers.

Dixons Carphone

June: Dixons Carphone uncovered a data breach which at first appeared small, despite going undetected for roughly a month. The company thought that 1.2 million customers had been affected but this number was later revised to 10 million. Personal and payment card information was stolen.

June: Ticketfly pulled its website offline on the basis that the event seller believed there had been a cyberattack -- a premise which turned out to be correct. The company said that information had been leaked which belonged to roughly 27 million customer accounts and included names, email addresses, physical addresses, and phone numbers.

A hacker believed to be responsible attempted to blackmail Ticketfly for a single Bitcoin to keep the data from spreading.

June: MyHeritage revealed the discovery of a file containing 92.2 million account records, including email addresses and scrambled passwords, which had been made public and published online. The data related to all user accounts up to and including October 26, 2017, but the hack was not uncovered until much later.

June: You would be forgiven for not knowing of Exactis, a marketing and data aggregation company, but the firm's name became somewhat well-known following a data breach which exposed 340 million records on a publicly accessible server.

Close to two terabytes of information were available in the public domain, including a range of data on US citizens and businesses.

July: Singapore suffered the "most serious" data breach in the country's history this year when healthcare institutions group SingHealth's networks were compromised.

In total, over 1.5 million healthcare patient records, including one belonging to Prime Minister Lee Hsien Loong, were stolen. Data including patient names, national identification numbers, addresses, genders, and dates of birth were compromised.

Hackers go old school

July, give or take a decade: Yale University disclosed a security breach which impacted 119,000 members of Yale, alumni, faculty members, and staff -- but the incident took place between 2008 and 2009. Names, Social Security numbers, physical addresses, and dates of birth were all exposed.

July: Timehop, a platform that displays past social media content, revealed a security breach which exposed information in a database belonging to 21 million users. In total, 4.7 million phone numbers were breached, alongside usernames and email addresses.

Polar Flow

July: Polar Flow, a popular fitness application, contained a security flaw which permitted anyone to improperly query a developer API. It was later discovered that this security hole could be used to track military personnel who made use of the mobile app.

Student medical records

August: A data breach deemed "appalling" affected students at a Melbourne high school, in which their confidential medical and behavioral records were published online. Over 300 records were leaked, and in some cases, contained descriptions of medical conditions, medication, and learning difficulties.

Air Canada

August: Air Canada experienced a security problem with its mobile app, in which an unauthorized threat actor was able to compromise the system. As a result, information belonging to roughly 20,000 customers was exposed -- and this included passport numbers.

August: T-Mobile detected unauthorized entry into the carrier's network, and although the intruder was quickly booted out, this was not before the attacker was able to access customer data. Roughly three percent of its 77 million customers -- or approximately 2 - 2.5 million customers -- were impacted, with information including customer names, billing ZIP codes, phone numbers, email addresses, account numbers, and account types exposed.

Facebook's network breach

September: If dealing with the aftermath of Cambridge Analytica was not enough, a vulnerability in Facebook's code permitted attackers to steal authentication tokens. Information including names, contact details, cities, device types, places of work, and more was also stolen from some users.

Original estimates pegged the theft as impacting 50 million users; this figure was later revised to 30 million.

ISP, web traffic hijacks

October -- November: During these months, a spate of ISP and Internet infrastructure attacks emerged. Researchers claim that China has been hacking the backbone of the Western Internet for years, Cambodian ISPs were struck with some of the largest Distributed Denial-of-Service (DDoS) attacks in the country's history, Google traffic was hijacked by a small ISP in Nigeria, and Telegram traffic was attacked in Iran.

Canada Post

November: Information relating to roughly 4,500 customers of the Ontario Cannabis Store (OCS) was improperly shared and leaked, including the names or initials of nominated signatories, postcodes, dates of delivery, reference numbers, Canada Post tracking numbers, and OCS corporate names and business addresses.

While the breach was small, the sensitive subject matter -- and the recent decision to make recreational cannabis legal in Ontario, Canada -- made the incident stand out. It may now be legal, but that does not mean smokers would be happy with others knowing about their recreational use.

November: As is often the case with the most well-known companies, if a security incident occurs, they will often give out information which is necessary -- but no more. Amazon followed this pattern, admitting that a "technical error" had exposed the names and email addresses of some customers, but did not go any further into detail.

Despite a lack of concrete information, when a company such as Amazon has a security lapse, it is certainly of note.

In late December, Google revealed a fresh bug in the Google+ API which had the potential to permit attackers to steal private data belonging to close to 52.5 million users. This discovery pushed the Google+ closure date forward from August to April 2019.
