As the famous idiom goes: “Nothing is certain but death and taxes.” Now, in our digital age, we can add one more certainty: data breaches.

This year we’ve already seen quite a long list of data breaches from all around the world. While most of the focus usually falls on financial data breaches, many hackers are now going after softer targets, such as healthcare and social services. In fact, 2019 has already seen multiple data breaches related to the healthcare field.

The number one danger of data breaches is identity theft. With just a few details, like your date of birth, social security number, etc., scammers can use your information to take out loans, get credit cards, or use it for more sophisticated phishing attempts.

Beyond that, they can also access the account that was hacked, collecting private messages, videos and images. In general, what hackers can do with your data is limited only by how creative they are. To keep yourself safe, you not only have to practice good security habits yourself, but also need to know whether your data is out there right now, in some hacker’s hands or being traded on hacker forums.

Our list below is ordered from the newest to the oldest data breaches for 2019.

July 1 – Orvibo Smart Home’s wide-open database

  • Affected users: likely 1 million
  • Industry or type: IoT/smart devices
  • Cause of breach: unsecured database

Independent security researchers recently discovered an open database that was linked to the popular IoT maker, Orvibo Smart Home. The database was said to contain more than 2 billion logs, although Orvibo claims to only have around 1 million users.

These users include both private individuals with connected homes, as well as hotels or other businesses that incorporate these smart devices. The exposed data includes:

  • email addresses and passwords
  • usernames
  • account reset codes
  • geolocation and IP addresses
  • family name and ID
  • much more

Orvibo is a Chinese company based in Shenzhen. Weak security on IoT devices is a continuing problem, and more data breaches related to smart devices are predicted.

June 3 – Quest Diagnostics’ massive data breach

  • Affected users: almost 12 million
  • Industry or type: healthcare
  • Cause of breach: hack

Quest Diagnostics, a major US clinical laboratory, reported that the billing collections provider that works with them – American Medical Collection Agency (AMCA) – had suffered a major data breach. An unauthorized user had gained access to AMCA systems, allowing them ample opportunity to steal patient data. The hacker had access from August 1, 2018, to March 30, 2019.

The exposed data included:

  • Names and biographical data
  • Medical information
  • Social Security numbers
  • Financial data

Besides Quest Diagnostics, the breach also impacted LabCorp, Carecentrix, BioReference Laboratories, and Sunrise Laboratories.

May 31 – Flipboard’s major breach

  • Affected users: possibly 1 billion+
  • Industry or type: news aggregation app and site
  • Cause of breach: hack

The most popular news aggregation site and app, Flipboard, has just revealed a major data breach. It is currently unknown how many users have been affected, but seeing as Flipboard has more than 1 billion downloads from Google Play alone (and that it’s pre-installed on many phones), it is most likely major.

The data stolen in the data breach includes:

  • names
  • usernames
  • email addresses
  • protected passwords (salted and hashed with bcrypt)

Users (not logged in on their phones) have since had their passwords reset and will have to change them. Smartphone users will have to log out by themselves.

May 28 – UK’s Investment Week breach

  • Affected users: 330,000+
  • Industry or type: online publication
  • Cause of breach: unsecured server

One of the UK’s largest online business publications, Investment Week, has leaked the data of 330,000+ users. Independent security researchers first contacted them on April 29, but after only a muted response, posted a Reddit thread on May 28.

They then contacted VPNpro for an exclusive on what the leak contained, and why Investment Week’s parent company, Incisive Media, gave a subpar response.

The leaked data includes:

  • phone numbers
  • names and email addresses
  • subscription information
  • city and country
  • company information

May 24 – Canva data breach

  • Affected users: 139 million
  • Industry or type: online graphic design service
  • Cause of breach: hack

The popular graphic design online tool, Canva, reported that user data was compromised in a cyber attack. Canva, which now also owns popular image sharing sites Pexels and Pixabay, reports that the following information was accessed:

  • usernames
  • email addresses
  • demographic information
  • protected passwords (salted and hashed with bcrypt)
  • partial credit card and payment data

Users have been urged to change their passwords.

May 20 – Instagram data scraping

  • Affected users: 49 million+
  • Industry or type: social media
  • Cause of breach: unsecured database

Millions of Instagram influencers had their personal data scraped and stored on an unsecured database by a Mumbai-based marketing firm. Many high-profile influencers were included in the database, including celebrities, food bloggers, and other popular personalities.

The personal data includes the following:

  • bio
  • profile information
  • personal phone number
  • personal email addresses

Facebook, which owns Instagram, disputes that users’ personal contact information could have been scraped.

May 15 – WhatsApp hack affects 1.5 billion users

  • Affected users: 1.5 billion
  • Industry or type: messaging app
  • Cause of breach: hack

In a sophisticated breach, WhatsApp, the popular messaging app owned by Facebook, reported a huge vulnerability in its systems. This breach could allow hackers to completely access users’ phones by simply calling the victim on WhatsApp.

The victim wouldn’t even need to answer it: the malicious code would be implanted by simply making a call. A WhatsApp spokesperson hinted that the malicious code could be from a private Israeli cyber company called NSO Group.

However, they have denied the allegations. It is unclear how many users have been affected so far.

May 1 – Failed Citycomp blackmail turned data breach

  • Affected users: unknown (more than 516 GB of data)
  • Industry or type: IT services
  • Cause of breach: hack

After failing to blackmail the German IT company Citycomp, which provides crucial IT services to many enterprise companies, a hacking group published a large set of data of some of its customers, including very well known enterprises.

Citycomp has more than 70,000 services and storage systems for its customers, including cash register systems and printers. The cyberattack happened in early April, and Citycomp was able to fight off the attack with the help of the German police. However, some of their customers’ data was stolen nonetheless.

The financial and private information of some popular clients was stolen, including:

  • Ericsson
  • MAN
  • Toshiba
  • UniCredit
  • British Telecom
  • VAG
  • Leica
  • Hugo Boss
  • Porsche
  • many others

April 29 – Unknown Microsoft Cloud server breach

  • Affected users: 80 million
  • Industry or type: online service
  • Cause of breach: unsecured database

Security researchers discovered an unsecured database that is hosted on a Microsoft cloud server. At the moment, the owner of this data is not known.

Nonetheless, the database contains the data of more than 80 million US households. This information includes:

  • names
  • addresses
  • age
  • dates of birth
  • geographic location

Other demographic information was also included. Hackers can use this information (in combination with other data stolen in various breaches) to steal money, do social hacking, or engage in other malicious activities.

April 25 – Atlanta Hawks ecommerce hack

  • Affected users: unknown
  • Industry or type: online store
  • Cause of breach: malicious code

The Atlanta Hawks’ online shop was compromised by hackers, who implemented credit card skimming code on the football team’s ecommerce site. The hackers were able to steal data from any purchases made on or after April 20, 2019. The code was identified by security researchers a few days later.

The data that was stolen includes:

  • customer name
  • customer address
  • credit card details

April 22 – Bodybuilding.com data breach

  • Affected users: 30 million
  • Industry or type: online store and forum
  • Cause of breach: phishing scam

The internet’s biggest online forum and ecommerce shop for bodybuilders and fitness enthusiasts, Bodybuilding.com, fell victim to a phishing attack that possibly ended up with more than 30 million of its monthly users’ data exposed.

The company wasn’t sure whether any of its customers’ or users’ data was stolen, but decided to notify its users anyway. The hack came from a successful phishing email received in July 2018. The hackers first gained access in February 2019 and Bodybuilding.com finished its investigation on April 12.

The data that could have been stolen includes:

  • name and email address
  • billing and shipping addresses
  • phone number
  • order history
  • biographical data
  • Bodybuilding.com communications

April 15 – Microsoft Email Services breach

  • Affected users: unknown
  • Industry or type: online service
  • Cause of breach: hack

According to a Microsoft email, a “limited” number of people using Microsoft’s web email services – including those with @msn.com or @hotmail.com – had their accounts hacked. The breach, which occurred between January 1 and March 28, has since been solved. But in that time, hackers were able to view users’:

  • email address
  • folder names
  • email subject lines
  • email contacts

The hackers were luckily unable to read any of the users’ email addresses, however. Nonetheless, the company is recommending that affected users should change their passwords.

April 4 – Facebook’s massive breach (again)

  • Affected users: 540 million
  • Industry or type: social media
  • Cause of breach: unsecured server (via third-party developers)

Deja vu in the modern era: Facebook (yes, them again) revealed that the records of 540 million of its users had been publicly exposed on Amazon’s cloud computing service. The breach was discovered by the UpGuard Cyber Risk team, who reported that multiple third-party Facebook apps had posted the records in plain sight.

The leaked data includes:

  • user IDs
  • friends data
  • photos
  • location data
  • check-ins, etc.

April 4 – Georgia Tech data breach

  • Affected users: 1.3 million
  • Industry or type: university
  • Cause of breach: vulnerable web application

The world-renowned Georgia Institute of Technology (commonly referred to as “Georgia Tech”) revealed in early April that 1.3 million students and employees had their information exposed in a data breach.

The fault has been placed on a vulnerability in a web application. A hacker was able to access the database connected to the web app. The stolen information includes:

  • first and last names
  • Social Security numbers
  • addresses
  • dates of birth

April 3 – Toyota’s multiple breaches

  • Affected users: 3.1 million
  • Industry or type: automotive
  • Cause of breach: hack

Within the span of 5 weeks, the popular Japanese car company Toyota suffered two major data breaches. Toyota reports that hackers were able to breach its IT systems and thereby access information that belongs to some of its sales subsidiaries. The previous hack affected 1.3 million Toyota car buyers.

It isn’t clear what kind of information was stolen, although Toyota promises that no financial information was exposed.

March 31 – Earl Enterprise credit card leak

  • Affected users: 2.15 million
  • Industry or type: restaurant
  • Cause of breach: malware on POS systems

Earl Enterprise, the parent company for popular restaurants including Planet Hollywood, Mixology and Buca di Beppo, revealed that more than 2 million of their customers’ credit card numbers had been stolen. Security researchers at KrebsOnSecurity discovered that those numbers were being sold online. It is believed that malware was installed on the restaurants’ point-of-sale systems.

The stolen data includes:

  • credit card numbers
  • debit card numbers
  • expiration dates
  • some cardholder names

March 21 – Facebook password leak

  • Affected users: 100 million+
  • Industry or type: social media
  • Cause of breach: unencrypted passwords

On March 21, Facebook admitted that the passwords of hundreds of millions of its users had been stored in plain text on the company’s internal servers. While they claimed that their systems were supposed to encrypt passwords, more than 2,000 Facebook engineers and developers had easy access to hundreds of millions of users’ passwords.

The company said that it hadn’t found any evidence that this was abused by its employees. However, given the struggling social media giant’s years-long problems with transparency and truth, it’s best to assume that if yours is one of those exposed passwords, you should probably change it just to be safe.

March 14 – Gearbest (Chinese shopping giant)

  • Affected users: 1.5 million+
  • Industry or type: online shopping
  • Cause of breach: unsecured server

The Chinese online shopping giant, Gearbest, has apparently been storing user data on an unsecured server. Cybersecurity researcher Noam Rotem found an Elasticsearch server (the same as ones from above) that was leaking millions of users’ data each week.

Some of the leaked information includes:

  • purchased products
  • shipping address
  • customer information (name, email, phone number)
  • payment information
  • order numbers
  • account passwords
  • national IDs and passport information

Since being contacted about the unsecured server, however, Gearbest hasn’t responded or secured their server yet. This means that the true number of affected users is likely much more than 1.5 million.

March 7 – Verifications.io’s email marketing leak

  • Affected users: 809 million
  • Industry or type: financial
  • Cause of breach: unsecured server

Security researchers Bob Diachenko and Vinny Troia found an unprotected database that contained 809 million users’ personal information. The 150 gigabytes’ worth of data comes from an email marketing company called Verifications.io, which helps companies verify the email addresses they need for their email marketing campaigns. The data is a mix of individual customer and business intelligence information.

Leaked data ranges from standard user information (like usernames, email addresses, names, genders, etc.) to company names, revenue figures, and so on.

March 1 – Dow Jones Watchlist possible leak

  • Affected users: 2.4 million
  • Industry or type: financial
  • Cause of breach: unsecured server

The Dow Jones Watchlist that lists PEPs – “politically exposed persons,” or prominent individuals that have a higher financial risk for embezzlement, bribery or money laundering – was recently discovered to be hosted on an unsecured server. Security researcher Bob Diachenko found the sensitive information on a database that was available to anyone able to use an IoT search engine.

2.4 million records were contained in the database. Data included their connections, linked companies, national and government sanctions lists, related or connected crimes, and citations from federal institutions or law enforcement agencies.

February 22 – UConn Health

  • Affected users: 326,000
  • Industry or type: healthcare
  • Cause of breach: phishing

The University of Connecticut’s UConn Health fell victim to a data breach, when it was discovered that 326,000 users’ information was leaked. The breach was discovered on Christmas Eve. The leaked data includes names, birthdates, addresses, and some medical information as well as billing and appointment information.

1,500 users’ social security numbers were also leaked. UConn Health is also offering free identity theft protection for affected patients.

February 20 – UW Medicine

  • Affected users: 1 million
  • Industry or type: healthcare
  • Cause of breach: unknown (generic hack)

More health patients had their data stolen in 2019 – this time in a breach at University of Washington Medicine. In total, nearly 1 million (974,000) patients had their medical record numbers and other information leaked. Luckily, this healthcare-related breach wasn’t as severe as the others on this list: no medical records, financial information or social security numbers were included in the leak.

February 20 – Coinmama

  • Affected users: 450,000
  • Industry or type: cryptocurrency
  • Cause of breach: unknown (generic hack)

The Israel-based crypto exchange platform Coinmama informed their users in February of a larger hack that began in August 2017. (Yes, this is also part of the larger, 30-company hack.) 450,000 users’ names, emails and hashed (protected) passwords were stolen as part of the breach.

The hack, however, impacts only those users that signed up before August 5, 2017. No credit card details were included in the hack, since Coinmama doesn’t store those financial details.

February 20 – Advent Health Medical Group

  • Affected users: 42,000
  • Industry or type: healthcare
  • Cause of breach: unknown (hack)

Yet another data breach affecting a medical group. This time, the Advent Health Medical Group had 42,000 users’ sensitive personal medical data exposed in a 16-month breach that started in August 2017. Personal data that was leaked includes social security numbers, medical data, names, phone numbers and email addresses.

To help alleviate the possibility of identity theft, AdventHealth gave a year of free identity monitoring services.

February 15 – 500px

  • Affected users: 14.8 million
  • Industry or type: photo-sharing website
  • Cause of breach: hack

500px, a popular photo-sharing site, reported in February that someone had hacked their servers in July 2018. Nearly every account on the 500px service was affected, totaling 14.8 million accounts. The breach included the users’ first and last names, usernames, email addresses, and the following optional information: birth date, location, and gender.

Fortunately, no payment information or photos were included in the hack, since they aren’t stored on 500px servers. This hack is part of the larger hack affecting users from 30 companies.

February 14 – Coffee Meets Bagel

  • Affected users: 6 million
  • Industry or type: dating app
  • Cause of breach: unknown/hack

The popular dating app Coffee Meets Bagel had 6 million of its users impacted by a data breach. Apparently, the breach was part of a larger one that affected 841 million users of 30 websites or apps (many of whom are on this list).

Luckily, while the breach is large in terms of how many users were affected, only the names and email addresses were leaked. Coffee Meets Bagel reports that they don’t store financial information or passwords.

January 23 – Alaska DHSS

  • Affected users: 100,000
  • Industry or type: healthcare
  • Cause of breach: malware

Alaska’s Department of Health and Social Services (DHSS) revealed in January that more than 100,000 Alaskans had their personal data stolen in an April 2018 cyberattack. This is one of the many instances in which users’ data was stolen due to weak medical/healthcare security.

The stolen information includes health information, benefit information, income, dates of birth, social security numbers, names and much more.

January 17 – Collection #1

  • Affected users: 773 million
  • Industry or type: multiple sources
  • Cause of breach: unknown

Considered one of the largest data breaches of all time, the Collection #1 data breach affected nearly 773 million users. Have I Been Pwned’s Troy Hunt first informed the world about the mega data breach. What’s worst about it is that some of the more than 22 million unique passwords had been “dehashed,” meaning they had been decrypted and converted back to regular, plain text.

January 11 – Managed Health Services of Indiana

  • Affected users: 865
  • Industry or type: healthcare
  • Cause of breach: phishing

More than 30,000 Indiana patients had their protected health data compromised after a third-party contractor fell victim to a phishing attack. The employee worked at LCP Transportation, which is a partner for Managed Health Services (MHS) of Indiana.

Having gained access to LCP email accounts, the hackers were able to see MHS patient data, which included email addresses, names, insurance ID numbers, addresses, medical condition information, and dates of birth.

January 3 – German government breach

  • Affected users: 865
  • Industry or type: government officials
  • Cause of breach: weak passwords

One of the highest-reaching data breaches affected Germany in the first few days of 2019. Victims of the hack include German Chancellor Angela Merkel herself, whose fax number and email addresses had been leaked. The leak also impacted more than 860 politicians, most of whom are from Merkel’s party.

The hacker, who was later arrested, said that the passwords made his job much easier. Passwords included “ILoveYou,” “1,2,3,” etc.

January 3 – Town of Salem

  • Affected users: 7.6 million
  • Industry or type: browser-based gaming
  • Cause of breach: unsecured server/weak admin password

The browser-based game Town of Salem by BlankMediaGames (BMG) revealed that 7.6 million users’ personal details had been stolen. According to a Reddit post, one of the hackers stated that it was pretty easy to get into the server by exploiting a weakness in a server, as well as one of the admins reusing an already exposed username and password.

The stolen information includes usernames, email addresses, passwords, IP addresses, game activity, and premium features (without payment information).

January 2 – Blur

  • Affected users: 2.4 million
  • Industry or type: cybersecurity
  • Cause of breach: unsecured file or server

Blur, the password manager that’s supposed to help keep your data safe and secure, had 2.4 million users’ information leaked. Users affected were those who registered with Blur before January 6, 2018. The exposed information includes email addresses, names, password hints, IP addresses, and encrypted passwords.

Users have been urged to change their passwords and enable two-factor authentication.

January 1 – Australian government gets phished

  • Affected users: 30,000
  • Industry or type: government
  • Cause of breach: phishing

Less than one day after the New Year began, it was reported that approximately 30,000 Australian government officials had their information stolen. A government employee in the Australian state of Victoria was the victim of a phishing attack, leading to a directory being downloaded by a hacker.

The data that was stolen includes work emails, phone numbers, and job titles. Luckily, the directory didn’t have any financial information. Therefore, the severity level is low.