The aftermath: An analysis of recent security breaches
Every cybersecurity professional, no matter their role, knows that the worst-case security scenario for their employer is a security breach. However, with attacks and threats becoming more advanced and evolving, even experienced professionals at some of the world’s most successful organizations can fall victim to a cybersecurity breach.
Seeing new breaches in the headlines can seem a little discouraging at first, but learning more about the extent of these attacks, how they occurred and how some of the most successful security practitioners in the business deal with the aftermath can give you valuable insights for your education or career.
Security breach meaning
While a security breach may sound like a catch-all term for any successful attack, the term has some important implications. Not every cyber incident is a breach. A cyber breach is the next step beyond an intrusion. The MITRE ATT&CK framework does a good job of highlighting all the steps that can occur after "Initial Access."
A breach is the confirmed sensitive data or information disclosure of a system, network or application to an unauthorized third party. Often, this is followed by the manipulation or theft of that data or information.
To learn more, read our article, What are cybersecurity breaches?
Recent cybersecurity breaches
1. Twitter zero-day vulnerability
- Date of breach: December 2021
- Type of breach: Data breach caused by API vulnerability
- Total users affected: 5,485,635
Due to a zero-day vulnerability that was exploited by a threat actor, over 5.4 million global Twitter users had their profile information illegally acquired, which was then sold to two other threat actors. The vulnerability was patched in January 2022, but by then, the email accounts and phone numbers of those users had already been exposed.
Though no specific instances were noted, the phone numbers and email addresses of those users were left open to spear-phishing attacks, and those using pseudonyms or trying to remain anonymous on the social media platform had their real identities exposed. Any high-profile or celebrity users affected in the zero-day security breach also had their private information exposed.
Twitter, now called X, had a limited response to the incident and didn’t acknowledge the breach until several months after it released the patch. News of the breach was followed by a former executive-turned-whistleblower decrying the company’s “negligent” cybersecurity practices.
2. Trygg-Hansa data breach
- Date of breach: October 2018 – February 2021
- Type of breach: Data exposure by backend database vulnerability
- Total users affected: 650,000
While, by definition, data was breached in this case, this wasn’t the result of an attack or threat but of an oversight that left the door wide open. As an insurer, Swedish firm Trygg-Hansa kept a large amount of highly sensitive customer information in its backend database. However, one of its customers eventually pointed out to the Swedish Authority for Privacy Protection that private customer information could be accessed through a vulnerability in the client portal.
Trygg-Hansa sent quotation pages with a URL for specific client portal login pages that used that client’s member ID number. Since member ID numbers were sequential, changing a number in that one part of the URL gave anyone unauthorized access to a different client’s profile.
Among the information exposed were customer insurance details, social security numbers, financial information, personal data and health information. With such a long exposure period before Trygg-Hansa fixed the vulnerability, it’s hard to tell how many customers had their information illegally accessed; however, the Swedish Authority for Privacy Protection confirmed over 200 instances of this. In response to this cyber breach, they fined Trygg-Hansa $3 million.
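The sequential-ID flaw described above is a missing object-level authorization check: the portal trusted the member ID in the URL instead of tying it to the logged-in customer. The following is an added example, not Trygg-Hansa's code; the record store, session object and access log are constructed for illustration. It shows the vulnerable lookup beside a hardened one and a simple detector for the enumeration pattern such a flaw invites.

```python
"""Added example (not from the article): sequential-ID lookup without and
with object-level authorization, plus enumeration detection over a log."""
from collections import defaultdict
from dataclasses import dataclass

# Constructed customer records keyed by sequential member ID.
CUSTOMERS = {
    100201: {"name": "Customer A", "ssn": "XXXXXX-0001", "policy": "home"},
    100202: {"name": "Customer B", "ssn": "XXXXXX-0002", "policy": "car"},
    100203: {"name": "Customer C", "ssn": "XXXXXX-0003", "policy": "life"},
}


@dataclass
class Session:
    """Hypothetical authenticated portal session."""
    session_id: str
    member_id: int  # the identity the portal actually authenticated


def profile_vulnerable(session, requested_member_id):
    """Insecure: returns whatever record the URL names. The session is never
    consulted, so any logged-in user can walk the sequential ID space.
    Returns an (http_status, record) pair."""
    record = CUSTOMERS.get(requested_member_id)
    if record is None:
        return 404, None
    return 200, record


def profile_hardened(session, requested_member_id):
    """Object-level authorization: the requested ID must be the one bound to
    the authenticated session. Authorization is checked before the lookup so
    the response does not reveal which other IDs exist."""
    if session is None or requested_member_id != session.member_id:
        return 403, None
    record = CUSTOMERS.get(requested_member_id)
    if record is None:
        return 404, None
    return 200, record


def sessions_enumerating(access_log, threshold=3):
    """Detection for the legacy endpoint: one session requesting many distinct
    member IDs is the signature of ID enumeration. access_log is a list of
    (session_id, requested_member_id) tuples; returns the flagged sessions."""
    seen = defaultdict(set)
    for session_id, member_id in access_log:
        seen[session_id].add(member_id)
    return sorted(s for s, ids in seen.items() if len(ids) >= threshold)


# Constructed access log: one normal session, one walking the ID range.
ACCESS_LOG = [
    ("sess-legit", 100201),
    ("sess-legit", 100201),
    ("sess-scan", 100201),
    ("sess-scan", 100202),
    ("sess-scan", 100203),
]

if __name__ == "__main__":
    attacker = Session("sess-scan", member_id=100201)
    print("vulnerable:", profile_vulnerable(attacker, 100202))
    print("hardened:  ", profile_hardened(attacker, 100202))
    print("flagged:   ", sessions_enumerating(ACCESS_LOG))
```

The hardened handler returns the same 403 whether the requested ID belongs to someone else or is unassigned, so the endpoint cannot be used to map the valid ID range. Moving to non-sequential, unguessable identifiers reduces exposure further but does not replace the authorization check.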
3. Microsoft Azure SSRF vulnerabilities
- Date of breach: October 8 – December 2, 2022
- Type of breach: Server Side Request Forgery
- Affected: Potential security breach
Luckily, the vulnerabilities in four of Microsoft’s Azure services were discovered before a real security breach could occur. However, it’s a good example of how even the world’s leading tech giants are susceptible to potential cybersecurity breaches. While doing regular research, Orca Security found that Azure Machine Learning, Azure Functions, Azure API Management and Azure Digital Twins were vulnerable to SSRF attacks. What’s worse, two of those vulnerabilities didn’t even require authentication to exploit. If an actual attack had been carried out, attackers could have accessed user data and code for these cloud services. The saving grace was Microsoft’s SSRF mitigations, which prevented access to the IMDS endpoint.
Orca reported these vulnerabilities to Microsoft, and the tech company patched them within weeks. No data was breached, but the cyber incident highlighted the need for frequent vulnerability testing.
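The mitigation credited above, preventing a server-side fetch from reaching the instance metadata (IMDS) endpoint, is the kind of check any service that fetches user-supplied URLs should make before issuing the request. The block below is an added example and not Orca's or Microsoft's code; the allowlisted hostnames and the pluggable resolver are assumptions so that it runs offline. It rejects non-HTTP schemes, hosts outside an allowlist, and any host whose resolved addresses fall in link-local (which includes 169.254.169.254), loopback, private or otherwise non-global ranges.

```python
"""Added example (not from the article or the vendors named in it): an
outbound-URL check of the kind an SSRF mitigation layer performs before a
service fetches a user-supplied URL."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Constructed allowlist of hosts the service legitimately talks to.
ALLOWED_HOSTS = {"api.example.com", "storage.example.internal"}


def default_resolver(host):
    """Return every address the host maps to. Checking only the first answer
    lets an attacker-controlled DNS name hide a non-global address among
    several records."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_blocked_address(addr):
    """True for any address a server-side fetch must never reach: link-local
    (the 169.254.169.254 metadata endpoint lives here), loopback, RFC 1918 and
    other private ranges, multicast, reserved and unspecified addresses."""
    ip = ipaddress.ip_address(addr)
    return (
        ip.is_link_local
        or ip.is_loopback
        or ip.is_private
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
        or not ip.is_global
    )


def validate_outbound_url(url, resolver=default_resolver, allowed_hosts=ALLOWED_HOSTS):
    """Return (ok, reason). The decision is made on the resolved addresses,
    not only on the hostname string, so a DNS name pointing at an internal
    address is caught. Pass allowed_hosts=None to skip the allowlist and rely
    on the address check alone."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    if allowed_hosts is not None and host not in allowed_hosts:
        return False, f"host {host!r} not on allowlist"
    try:
        addrs = {host} if _is_ip_literal(host) else resolver(host)
    except OSError as exc:
        return False, f"resolution failed: {exc}"
    for addr in addrs:
        if is_blocked_address(addr):
            return False, f"{host} resolves to blocked address {addr}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed resolver so the demonstration needs no network.
    fake_dns = {"api.example.com": {"93.184.216.34"},
                "evil.example.net": {"93.184.216.34", "10.0.0.5"}}
    for url in ("http://169.254.169.254/metadata/instance",
                "https://api.example.com/v1/items",
                "https://evil.example.net/",
                "file:///etc/passwd"):
        print(url, "->", validate_outbound_url(url, fake_dns.get, allowed_hosts=None))
```

Note that the address check is a second line of defence behind the allowlist: when the allowlist is in force, a request for the metadata address fails before any resolution happens. The check also has to be repeated on every hop if redirects are followed, since a permitted host can redirect to an internal one.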
4. Slack’s GitHub account hack
- Date of breach: December 29, 2022
- Type of breach: Cyber attack resulting in code breach
- Affected: Slack employee tokens
In this security breach, a threat actor was able to compromise Slack’s GitHub account and download a subset of its private code. They did this by stealing Slack employee tokens used to access GitHub, but luckily, no primary code or user data was accessed in this hack. In response, Slack invalidated all of its employees’ GitHub tokens and reissued new ones.
Slack’s response to the hack was relatively quiet, as it came on the heels of an incident in August of the same year in which the company accidentally leaked password hashes.
5. Deezer data breach
- Date of breach: 2019
- Type of breach: Third-party cyberattack resulting in user data breach
- Total users affected: 228,000,000
The European streaming music service Deezer used a third-party service provider that suffered a breach in which a snapshot of user data was stolen. Among the data stolen were personal information, location data, email addresses, user IDs and registration dates.
Despite not working with the third-party provider since 2020, Deezer stated the snapshot was stolen in 2019 and undiscovered until the data appeared for sale on a breach forum on November 6, 2022. While Deezer is based in Europe, user data from around the world was breached.
In response, Deezer assured its users that, despite the third-party hack, its own systems and databases remained secure. It informed customers of the type of data leaked in the breach and recommended that they change their passwords to increase account security, even though no leaked passwords were reported.
They also reassured users and regulators that they did their due diligence when working with the unnamed third party, including vetting ISO 27001 and SOC 2 certifications, engaging in GDPR-compliant data protection agreements and obtaining certificates of data destruction. The security breach was never reported to Deezer by the third-party provider.
Common themes and lessons learned
These are just a small sample of recent breaches, but they highlight the various ways an organization can be breached — from zero-day exploits to insecure databases to third-party partners. Strengthening your organization’s network and information security is vital but ultimately not very useful if third-party service providers with access to your data don’t have a secure information security model in place. Auditing the security of companies you share data with can help you make informed decisions about whom to keep working with.
Another theme is the awareness and response each of these organizations had. The majority weren’t aware of a breach or vulnerability until it was brought to their attention by a user, a cybersecurity firm or the threat actor themselves. Creating a path for researchers and others to report issues can ensure those issues get addressed — before they become a messy breach.
Cybersecurity breaches often lead to significant issues, including legal and compliance issues, downtime, loss of customer trust, monetary fines and reputational damage. Creating response plans for various breach scenarios so you can be proactive rather than reactive can help shape public perception of the incident.
What should you learn next?
If you want to explore more breaches, check out the articles linked below.
More breach cases to study
- Forever 21 data breach and Android BadBazaar espionage
- Massive AT&T data breach and fake jobs targeting security researchers
- U.S. Marshals service breach and TPM 2.0 security flaws
- Discord.io data breach and Ivanti Avalanche vulnerabilities
- Airlines disclose pilot data breach and the Microsoft Teams bug