nordpass logo

Data Breach: What It Is and Why It Happens

Lukas Grigas
Cybersecurity Content Writer

Data breaches may seem menacing: they make headlines every day and leave us in a constant state of anxiety. But the culprit isn’t always a big scary data monster out to get us — sometimes the fault is in our own weak passwords. In fact, 80% of data breaches are caused by compromised, weak, and reused passwords.

On the one hand, news like this can make us all feel a bit silly. On the other, it’s hugely empowering to know we can always stay one step ahead of cybercriminals – even if our only weapon is a good password.

In this series of data protection posts, we’ve covered some crucial areas of cybersecurity from password protection and browser security to advice on keeping your online information safe. The threat of being involved in a data breach is a constant worry, which is why we’re here to show you how easy it is to avoid.

In this article, we’ll be discussing:

  • What a data breach actually is.

  • Recent data breaches.

  • How and why data breaches happen.

  • What you can do to prevent them.

What is a data breach?

A data breach is an incident in which confidential and protected information is exposed, copied, used, or taken without authorization. An example could be the theft of your credit card details or Social Security number. On a larger scale, giant corporations may unintentionally expose millions of user passwords to cybercriminals. Once data is leaked, there is no way to control its spread and use.

From hospitals to gaming forums, your information is stored in various places. While we trust these institutions to protect our data, things often go wrong. Hackers will always try to be one step ahead when it comes to the security of devices and corporations. iPhone’s FaceID can be hacked in less than 120 seconds, a weaker password can be cracked in milli-seconds, and even your baby monitor is at risk.

Major data breaches of 2019

  • Fortnite. An unsecured web page left over 200 million users vulnerable to attack.

  • Verifications.io. The marketing agency had no security measures in place to protect their gigantic database of consumer information. Security expert Bob Diachenko reported the incident, which led to the database being taken down. It included users’ names, birthdates, and home addresses.

  • Facebook. 540 million user IDs, account names, likes, and comments exposed on a publicly accessible server by a third-party app.

  • Capital One. According to The New York Times, an employee managed to steal 80,000 bank account numbers, 140,000 Social Security numbers, and millions of credit card applications. The result: she racked up a $300 million debt for one of the world’s most trusted banks.

Major data breaches of 2020

  • Marriott International. Hackers gained access to a third-party app used to provide guest services by using login details of two employees and so exposed private information of 5.2 million Marriott guests. The exposed data included guest names, email addresses, phone numbers, birth dates, and more.

  • Drizly. The online alcohol delivery startup Drizzly reported a breach, which affected personal details of more than 2.5 million Drizly accounts. The information exposed included hashed passwords, email addresses, and dates of birth.

  • Microsoft. A customer support database with over 280 million Microsoft customer records was left unprotected on the web. The breached database comprised user IP addresses, email addresses, and support case details.

  • T-Mobile. An unknown number of customers’ sensitive data was accessed through a T‑Mobile employee email account after a supply-chain attack and exposed. The private data included names, addresses, Social Security numbers, financial account information, and government identification numbers as well as phone numbers.

Major data breaches of 2021

  • Facebook. Personal information of over 533 million Facebook users from 106 countries was posted online for free in a low-level hacking forum. The scraped data included phone numbers, names, location, email address, and biographical information.

  • Reverb. The database of a popular online marketplace for music gear was breached and then leaked into the dark web. The affected database contained personal details of more than 5.6 million users and included the users’ names, phone numbers, PayPal account information, and IP addresses.

  • MeetMindful. The dating platform was hacked by an infamous hacker and had its users’ account details and personal information exposed. The breached information included details of more than 2.28 million users, which contained names, emails, dating preferences, marital status, birth dates, IP addresses, Facebook user IDs, and Facebook authentication tokens.

  • Twitch. The popular live streaming platform suffered a massive breach. More than 100GB of leaked data was posted online on 4chan. Among the data hackers obtained and leaked was Twitch's source code, internal security protocols, and earning records of many popular streamers.

Major data breaches of 2022

  • Crypto.com. On January 17, 2022, the cryptocurrency exchange site suffered an attack that targeted almost 500 users’ wallets. The hackers behind the attack were able to steal $18 million of Bitcoin and $15 million of Ethereum.

  • Okta. Back in March, the authentication company fell victim to a breach carried out by an infamous hacker group known as Lapsus$. Okta reported the breach and in the statement said that about 2.5% of its customers have been exposed in the breach.

  • Red Cross. The International Committee of the Red Cross reported a cyberattack that targeted its servers and was successful in gaining unauthorized access to large quantities of personal data. The attackers were able to get their hands on information such as names, locations, and contact details of over 515,000 people.

What causes data breaches?

  1. Weak passwords and stolen credentials. The easiest and most common way to steal your data is by guessing your passwords.

  2. Backdoors left open in apps and software in general. Poorly written apps can be riddled with security holes, which make the perfect entrance for hackers. Once they’re in, your data is theirs for the taking.

  3. Malware. This is software downloaded without intention through phishing emails or by visiting illegitimate websites.

  4. Insider jobs. Similar to the Capital One breach, employees are among the biggest threats to data security. Imagine 50,000 employees having direct access to millions of user details every day. Eventually, a bad egg crops up, and the consequences for the company and its customers can be disastrous.

What should you expect from a company that has been breached?

If any of the online platforms or service providers that you use are ever breached, there are a few things that you should expect them to do in order to minimize the risks associated with your personal data falling into the wrong hands.

First, the affected organization should come forward with news of a breach and disclose all the relevant information: date of breach, systems that have been affected, users that have been affected, the type of data breached.

You should also know how the affected entity will handle the situation. One of the first steps that you should expect is the full containment of the breach and the addition of extra security measures. Often, breached organizations provide official statements laying out what to expect. So keep an eye out for any official statements.

The good news with a pinch of salt

There aren’t many occasions where the term “silver lining” is met with great enthusiasm. But believe us when we say there most certainly is one. Data breaches on this scale create massive public awareness and, if channeled positively, can prompt huge changes in data law. Organizations will start to tighten their security belts, and people like you and I will empower ourselves to take our security seriously. In fact, the future of cybersecurity is booming. With cybersecurity vacancies up by 74% over the past five years and expenditure set to reach $1 trillion by 2024, it’s hard not to stay optimistic.

Hundreds of apps and tools have been designed to protect you online, not to mention available tips you can use if you get in trouble. If you think you’ve suffered a data breach, here’s what to do:

Your data breach response plan – a quick checklist

  1. Confirm the breach. Sites like Haveibeenpwned.com check your email address to see if you’ve been a part of any data breaches. You can also call or email the company to confirm whether your information was involved.

  2. Find out what information was breached. While stolen credit cards and account details can be replaced and changed, a new Social Security number is harder to obtain. Knowing what was compromised puts you on a hacker’s trail. For instance, if your card details were compromised, you know the same applies for your associated email account.

  3. Use a password generator for maximum security. Random passwords like MUK7GDj<Hax~nM8E are notoriously hard to hack and would take millennia for those willing to try.

  4. Use a password manager. A password manager does two crucial things:

    • It remembers all of your passwords for you, so you’re free to create long, complex, hacker-proof passwords.

    • It keeps your passwords encrypted in a separate location. This means that your passwords will never be exposed in your browser, device, or apps.

    • Securing your passwords is one of the easiest ways to boost your online safety because it’s generally the first point of attack for cybercriminals.

The takeaway

Taking cybersecurity into your own hands needn’t be a daunting task. Since nearly every area of our lives has an online dimension, isn’t it wise to think about security for ourselves? Especially before it’s too late.

The reality is that cybersecurity can often take a back seat in large and busy organizations. When a data breach does occur, the usual plan of action is to restore confidence in their users — and determine the cause of the breach. Sometimes a breach isn’t even detected or reported until months later.

It’s unfortunate, but the damage is usually left to the user to clear up, which is why it’s imperative to iron-proof your passwords. While newer, more powerful encryption technologies are surfacing, it’s not worth the risk to assume everyone cares about your security as much as you do. In conclusion, you hold the ultimate power for your safety online, and we merely exist to help you get there. Which is why we created NordPass – a simple, convenient password manager that puts online security back into the hands of everyday people.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.