2018’s Top hacks and data breaches

The year 2018 is now a thing of the past yet it has established a memory that will haunt victims of biggest data breaches and hacking incidents for years. Today, we will be discussing some of the biggest data breaches and hacking incidents of 2018 which took users by storm.

“2018 not only shocked the world by highlighting systemic cybersecurity issues. Multiple governments adopted new rules and laws, which are making a global impact now and will echo for years to come,” says Daniel Markuson, Digital Privacy Expert at NordVPN. “Still, 2019 can bring some hope for the future – but only if governments and corporations understand the importance of digital privacy and security.”

Marriott (500 million)

On November 30th, Marriott announced that it suffered a massive data breach in which personal and financial data of over 500 million customers was stolen. The stolen data included names, addresses, email addresses, phone numbers, passport numbers, gender, traveling information and payment card data, etc. In an update on January 4th, 2019, Marriott said that cyberattack was smaller and hit 5.25 million passports.

MyFitnessPal (150 million)

On March 30th, Under Armour Inc., announced that it was hit by a large-scale data breach in which hackers stole personal data from 150 million MyFitnessPal user accounts late February 2018. The stolen data included usernames, email addresses, passwords stored as bcrypt hashes.

Quora (100 million)

On December 4th, Quora, a question-and-answer website announced that it suffered a data breach in which personal data of 100 million registered users was stolen. The stolen data included names, email addresses, hashed passwords, direct messages, details about users’ questions, answers, upvotes, comments, and “data imported from linked networks when authorized by users.

MyHeritage (92 million)

On June 5th, Israeli DNA and genealogy website MyHeritage said that it suffered a massive data breach in which email accounts and hashed passwords of 92 million users (92,283,889) who signed up to the service up to October 26, 2017, were stolen. The company claimed that no DNA data was stolen as “family trees and DNA data are stored by MyHeritage on segregated systems, separate from those that store the email addresses, and they include added layers of security.”

Ticket Fly (27 million)

On June 1st, Eventbrite-owned ticket distribution service Ticketfly’s website was hacked and defaced by unknown hackers. As a result, personal data of 27 million customers was stolen. The hacker also uploaded links to files which contained the stolen data including names, residential addresses, email addresses and contact numbers of Ticketfly’s employees and acquaintances at different venues.

Facebook (50 million – 30 million)

On September 28th, the social media giant Facebook announced that hackers exploited a critical vulnerability in its “View As” feature and stole personal data and access tokens of 50 million users. In an update, the company claimed that data of 30 million users was stolen including their names, email address, date of birth, phone numbers device types, location, searches, contact details, education, relationship status, working-related data, places they checked in, pages they like and people they follow.

Timehop (21 million)

On July 10th, Timehop, a smartphone app for Android and iOS users developed to collect collecting old posts and photos of social media users suffered a massive cyber attack in which personal data of over 21 million users was stolen. The stolen data included names, email addresses, phone numbers and keys that let the app go through and display social media posts.

Sacramento Bee (19.4 million)

On June 7th, The Sacramento Bee, a daily newspaper published in Sacramento, California was targeted by unknown hackers who managed to hack personal data of millions of people. The stolen data included personal information of 53,000 subscribers and 19.4 million California voters.


On July 17th, Spanish telecom operator Telefonica revealed that it has become a victim of a data breach after hackers stole private data of millions of Telefonica customers by exploiting a vulnerability in its cyber infrastructure. The stolen data included cell and landline numbers, residential addresses, national ID numbers, names, banks, billing records, and call history, etc. 

Cathay Pacific Airways (9.4 million)

On October 25th, Cathay Pacific Airways suffered a data breach in which personal data of 9.4 million customers was stolen by hackers. The stolen data included name, nationality, emails, date of birth, phone numbers, physical addresses, frequent flyer programme membership number, ID card numbers of 245,000 Hong Kong citizens and credit card information.

T-Mobile (2 million)

On August 25th, the telecom giant T-Mobile said that it suffered a data breach in which personal data of 2 million customers was stolen. The stolen data included names, phone numbers, email addresses, encrypted passwords, billing zip code, account number and account type both post and prepaid.

Adidas (“A few million”)

On July 1st, one of the world’s largest sportswear manufacturer Adidas said that hackers targeted its US website and as a result, personal details of millions of Adidas US customers was stolen. The stolen data included usernames, encrypted passwords, and contact details. The company also claimed that customers’ health and fitness or credit card related information was not compromised.

Careem (14 million)

On April 3rd, the UAE based ride-hailing giant and Uber’s rival in the region Careem was hacked which allowed hackers to steal personal data of over 14 million customers and drivers. The stolen data included name, phone numbers, email addresses, and ride data. Careem claimed that there was no evidence that passwords or credit card numbers were accessed by hackers yet it urged users to change their passwords.

Dixons Carphone (5.9 million)

On June 13th, Dixons Carphone, prominent United Kingdom-based retailer suffered a data breach in which personal and financial data of millions of customers was compromised. The company said that hackers were able to access 1.2 million personal data records and 5.9 million payment cards from the processing systems of its Currys PC World and Dixons Travel stores.

Coincheck ($534 million)

On January 26th, the cryptocurrency exchange Coincheck said it was hacked. As a result, hackers stole 58 billion Yen of the virtual currency “NEM (Nemu)” ($534 million – €429 million) from its digital wallets. Coincheck hack was the biggest hack in the history of cryptocurrency business at that time.

SingHealth (1.5 million)

On July 21st, Singapore’s largest healthcare institution SingHealth suffered a data breach in which records of over 1.5 million patients including the Prime Minister of Singapore Lee Hsien Loong were stolen. The stolen data included names, addresses, date of birth, race, gender, and National Registration Identity Card numbers.

Flightradar24 (230,000)

On June 22nd, Flightradar24, one of the largest flight tracking services known for showing real-time airplane locations on the map suffered a data breach in which emails and encrypted passwords of over 230,000 users were stolen.

Orbitz (800,000)

On March 20th, popular travel website Orbitz said it suffered a data breach in which personal and financial data of 800,000 customers was stolen. The stolen data included names, email addresses, phone numbers, gender, date of birth, zip code, physical address and banking details such as card information.

British Airways (380,000)

On September 7th, British Airways became a victim of a data breach in which financial and personal data of about 380,000 of the airlines’ customers was stolen.

SIM swap attack ($5 million)

On August 1st, it was reported that authorities in Californian arrested and charged a 20-year old college student Joel Ortiz for being part of a mobile phone hijacking group who hacked SIM cards using SIM swapping technique. According to reports Ortiz managed to hijack over 40 phone numbers and stole $5 million as well from high-profile targets including cryptocurrency investors.


In October, Google revealed that a bug was present in the API for the consumer version of Google Plus (Google+) that allowed third-party developers to access data of not just over 500,000 users but also of their contacts and friends. As a result, the search engine giant planned to shut down Google+ by August 2019.

However, on December 10th, Google+ said it was hit by another bug which exposed personal information of 52.5 million (both consumer users and enterprise customers) to third-party app developers even when set to not-public.

San Diego Unified School District breach

On December 27th, it was revealed that the San Diego Unified School District, California suffered a cyber attack in which unknown hackers managed to steal a trove of personal data belonging to over 500,000 staff and students. The stolen data included student ID numbers, full names, dates of birth, home addresses, mailing addresses, phone numbers, and social security numbers, etc.

There were several other data breaches and hacking incidents which took place in different parts of the world however what’s shocking is that more than 1 billion people had their data compromised in 2018. Another shocking truth is that people are still using weak passwords for instance, according to the list of 25 worst passwords of 2018 people are still using “123456 and password” as their password on the Internet.

Let’s see what will happen in 2019 – Be vigilant and happy browsing.

Related Posts