Data breaches persist like parasites within big tech companies and government agencies despite numerous measures to protect personal documentation. Despite efforts to halt the rising threat to organisational security, the reported number of data breaches remains consistent with or exceeds that of the previous year.
Several major data breaches have impacted millions of individuals and organisations globally in 2023. Here are some of the most significant breaches that have occurred so far this year.
X (Twitter)
(January 4, 2023)
Twitter has been accused of data breaches for several years. The website underwent a similar case this year, too. For only $2, one could purchase a dark web database with the email addresses of around 200 million users.
The breach was attributed to a flaw in X’s application programming interface (API), which allowed attackers to exploit the system, obtaining email addresses linked to X accounts from June 2021 to January 2022. The data is still being shared with threat actors even after the vulnerability that caused the breach was fixed in January 2022.
(February 5, 2023)
Reddit fell victim to a phishing attack on February 5, 2023, leading to a data breach that resulted in the exploitation of the compromised credentials to access internal documents, source code, employee data, and limited information about the company’s advertisers.
The breach was contained in specific internal systems, with Reddit reassuring users that their primary production systems, which store the majority of user data, remained secure. Reddit took swift action to address the breach, securing its systems and notifying affected individuals.
ChatGPT
(March 24, 2023)
ChatGPT has gained a lot in the field of AI with its contemporary chatbot system. It also introduced a lot of new API updates to users this year, including GPT 4 Turbo, GPT 4 Vision, and GPT 4 Plus, along with new features like voice recognition. Yet, a glitch in ChatGPT’s open-source library led to the inadvertent exposure of customer data, including partial credit card details and chat titles.
OpenAI promptly addressed the issue by taking ChatGPT offline. During the vulnerable period, users could view specific personal details of others, such as names, email addresses, payment addresses, and partial credit card information. However, OpenAI assured users that full credit card numbers remained secure throughout the incident.
MSI
(April 6, 2023)
The popular computer vendor, MSI, was victimised by a ransomware attack that resulted in financial losses and claimed to have exfiltrated 1.5TB of data from MSI’s systems, including sensitive information such as source code, private keys, and firmware. They demanded a ransom of $4 million, threatening to release the stolen data to the public if their demands were not met.
T-mobile
(May 1, 2023)
Prior to the data breach that happened in January, which affected 38 million customers, T-Mobile again underwent a similar threat that affected 800 customers, caused by unauthorised access to PIN-protected accounts, and the attackers were able to steal customer contact details, ID cards, and social security numbers. The company faced threats in 2021 and 2022 as well.
T-Mobile notified its affected customers of the breach and also took steps to secure its systems to prevent future breaches. The company also offered free identity theft protection services to affected customers.
MOVEit
(June 2023)
One of the significant data breaches that happened in 2023, the MOVEit file transfer tool, affected 200 organisations globally, leading to the exposure of personal information of up to 17.5 million individuals.
The vulnerability, identified as CVE-2023-34362, enabled unauthorised access to MOVEit servers, compromising sensitive data in versions 11.2 through 12.5 of MOVEit Transfer and MOVEit Cloud. Organisations had to invest in data recovery and remediation efforts to restore their systems and protect against further breaches.
ROBLOX
(July 2023)
The company underwent a tragic breach that revealed the personal information of nearly 4,000 Roblox developers. The leaked data, which included phone numbers, email addresses, and birth dates, was obtained from attendees of Roblox developer conferences held between 2017 and 2020. The attackers gained access to Roblox’s systems in 2021, leading to the unauthorized acquisition of developer conference attendee data.
Duolingo
(August, 2023)
Around 2.6 million Duolingo users were affected by the data breach that occurred in August, revealing personal information on the dark web’s breach forums. The incident raised concerns about the exposure of names, email addresses, phone numbers, social media profiles, and users’ chosen languages.
It was attributed to a vulnerability in Duolingo’s application programming interface (API), enabling attackers to exploit the system and access user profiles, compromising the exposed data. The issue was solved by asking the users to be alert about future phishing attacks and recommending two-factor authentication on their accounts.
SONY
(September, 2023)
Sony was attacked by a ransomware group, which resulted in the theft of over 6,000 files, including build logs and Java files, that can be used to develop exploits for Sony systems. The attackers threatened to auction off the pilfered data unless met with their ransom demands. Although the specifics of the breach’s beginning are unknown, it was revealed that the attackers used a security hole in Sony.
