The Worst Hacks of 2015

This year proved that nothing, and no one, is really safe from hackers.

Dec 23 2015, 12:00pm

Image: Ventura/Shutterstock

Last year we witnessed some of the most shocking cyberattacks ever, from North Korea allegedly hacking Sony over the release of a dumb comedy movie to unknown hackers spilling the private nude pictures of dozens of celebrities. For some, it was the year hacking truly became the norm.

But somehow, 2015 was worse. Hacking and data breaches weren't just the norm, but they reached far and wide, hitting victims of all kinds, from regular consumers, to government employees, and even children and cheaters. It seemed like no one was spared.

We've decided to look back at 2015 and revisit not only the worst data breaches, but those that pushed the boundaries and redefined the world of information security. In no particular order, here's our list.

Israel Government Allegedly Hacks Kaspersky Lab
In the last few years, the Russian security firm Kaspersky Lab has helped uncover some of the most secretive and high-profile government-led cyberattacks and espionage operations ever, from the landmark Stuxnet to Flame, Red October, and those of the Equation Group. This year, the tables turned when Kaspersky Lab announced it had been hacked by a group of government-sponsored hackers, likely from Israel (though the firm avoided pointing fingers, the malware used was attributed to Israel in the past). The attack on Kaspersky didn't spill a lot of confidential data, but it was a sign of things to come: a future where malware hunters are targeted by the very spies they're trying to uncover, using more than just intimidation tactics.

The Massive Breach at OPM, The Hack That Keeps on Giving
In May, the agency that handles practically all US government employees' data revealed it had been the victim of a monthlong intrusion, and that hackers had taken the personal data of around 4 million people. That was bad enough, but it turned out the breach was much, much worse than OPM let on.

For starters, hackers (likely Chinese) actually stole the personal information of at least 20 million people, including the fingerprints of 5.6 million people. But we later also learned that the personal data stolen wasn't just stuff such as dates of birth and names, but the intimate personal details of millions of government workers, including those holding security clearances. The stolen data included information on their sex lives, drug abuse, and debt—all information that could be used to blackmail them and even blow their cover. Oh, the OPM hack even involved White House correspondents.

Vigilante Hacker Hits Italian Spyware Vendor Hacking Team
In early July, the usually quiet Twitter account of the controversial surveillance tech vendor Hacking Team got its name changed to "Hacked Team," and started tweeting screenshots of internal emails, as well as a link to more than 400 gigabytes of data.

"Since we have nothing to hide, we're publishing all our emails, files, and source code," read the tweet.

As it turned out, the company had been hacked by a hacker only known as PhineasFisher, the same mysterious vigilante who hacked Hacking Team's competitor Gamma International in 2014. The files exposed Hacking Team's shady customers, including Sudan and Bahrain. Thanks to the cache of internal emails and files, among many things, we also found out how someone stole the company's equipment in Panama, how its software targeted porn sites' visitors, and how the company could turn off customers' spyware infrastructure thanks to a backdoor.

Think of the Children: Toymaker Gets Hacked, Loses Parents' and Kids' Personal Data
An anonymous hacker found a way into the servers of the multinational toy company VTech, which makes internet-connected toys. The hacker was able to access the personal data of almost 5 million parents and 6.3 million children, including their names, home addresses, passwords, and even selfies and chat logs. The data, however, was never published online. The hacker told Motherboard that all he wanted was to expose and denounce VTech's poor security practices. As a result of the hack, the company had to take down its online services, two US senators called into question VTech's security and privacy protections, and a 21-year-old was arrested in the UK.

Hackers Steal Social Security Numbers of 15 Million T-Mobile Customers
T-Mobile revealed in October that hackers had gained access to a server of the giant data broker Experian, getting their hands on around 15 million Social Security numbers. The third-most popular mobile phone carrier in the US tried to deflect the blame onto the data broker, which was the one actually hit with the breach. But as Motherboard managing editor (and data breach victim) Adrianne Jeffries argued, "If T-Mobile can't guarantee my Social Security number's safety, it shouldn't ask for it."

Hackers Dox Cheaters And Embarrass Infidelity Giant Ashley Madison
A mysterious group of hackers calling itself the Impact Team broke into Ashley Madison, a successful and infamous website that promised discreet affairs for married men and women. A few weeks later, the hackers released a large data trove revealing all the names of the site's users, as well as internal emails. The hack exposed the service's many lies, from the faulty paid service to "full delete" an account, to its alleged army of fake women accounts. The hackers claimed it was an easy hack, saying "nobody was watching" despite the fact that emails showed the site administrators knew it was a target for cybercriminals. Most of all, the hack exposed its users' secret lives, leaving some of them in despair over what to do. At least three users committed suicide, countless users got blackmailed, and some were publicly outed and doxed. Months earlier, hackers also stole data from hookup website AdultFriendFinder, exposing almost 4 million users and their sexual preferences.

The Massive Healthcare Data Spillage
2015 was the year of the healthcare breach, with 55 recorded ones and a whopping 100 million records stolen. The biggest one was the one suffered by the provider Anthem, which lost almost 79 million records. But there were other attacks against other big providers such as Premera and BlueCross Blue Shield.