The cybersecurity slog will no doubt continue in 2024, but to cap off the past 12 months, here's WIRED's look back at the year's worst breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored hacking campaigns.
One of the most impactful hacks of 2023 wasn't a single incident but a series of devastating breaches, beginning in May, caused by mass exploitation of a vulnerability in the popular file transfer software known as MOVEit.
The bug allowed hackers to steal data from a laundry list of international government entities and businesses, including the Louisiana Office of Motor Vehicles, Shell, British Airways, and the United States Department of Energy.
The gang is particularly known for finding and exploiting vulnerabilities in widely used software and equipment, with MOVEit being the latest example, to steal information from a large population of victims and conduct data extortion campaigns against them.
The company said at the time that about 1 percent of its 18,400 customers were impacted.
The company had to revise its assessment in November to acknowledge that actually all of its customer support users had had data stolen in the breach.
The original 1 percent estimate came from the company's investigation into activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for helping users troubleshoot.
As with a number of other incidents this year, part of the significance of the Okta incident comes from the fact that the company plays a critical role in providing security services for other companies, yet it suffered a previous high-profile breach in 2021.
Volt Typhoon's hacking, and that of other Beijing-backed hackers, is fueled in part by the Chinese government's stockpile of zero-day vulnerabilities, which can be weaponized and exploited.
In June, Microsoft said that a China-backed hacking group had stolen an immensely sensitive cryptographic key from the company's systems that allowed the attackers to access cloud-based Outlook email systems for 25 organizations, including multiple US government agencies.
Caesars Entertainment confirmed in a US regulatory filing in September that it had also suffered a data breach at the hands of Alphv, one in which many of its loyalty program members' Social Security numbers and driver's license numbers were stolen, along with other personal data.
The Wall Street Journal reported in September that Caesars paid roughly half of the $30 million the attackers demanded in exchange for a promise that they wouldn't release stolen customer data.
In December 2022, LastPass, maker of the popular password manager, said that an August 2022 breach it had disclosed at the end of November 2022 was worse than the company originally thought, and encrypted copies of some users' password vaults had been compromised in addition to other personal information.
It was a deeply concerning revelation given that LastPass has suffered other security incidents in the past, and users trust the company with the most sensitive pieces of their digital lives.
On top of this, the company disclosed a second incident in February 2023 that also began in August 2022.
Attackers compromised the home computer of one of the company's senior engineers, who had special access to LastPass' most sensitive systems, and stole authentication credentials.
In that initial disclosure, the company didn't say how many users were affected.
In the meantime, hackers began hawking data that appeared to be taken from a million or more 23andMe users.
In a US Securities and Exchange Commission filing at the beginning of December, the company said that the attacker had accessed 0.1 percent of user accounts, or roughly 14,000, based on a company estimate that it has about 14 million customers.
The wireless carrier T-Mobile has suffered a ludicrous number of data breaches in recent years and now has the dubious distinction of being a two-time winner of an honorable mention in WIRED's annual Worst Hacks roundups.
This Cyber News was published on www.wired.com. Publication date: Fri, 29 Dec 2023 13:13:05 +0000