Facebook revealed that malicious actors could have abused its search and account recovery capabilities to scrape public profile information from most of its more than 2 billion users. The social networking platform discovered that bad actors could submit phone numbers and email addresses to locate users' public profiles and harvest personal information from them. As Facebook's CTO Mike Schroepfer explained at the time, "Given the scale and sophistication of the activity we've seen, we believe most people on Facebook [over 2 billion users] could have had their public profile scraped in this way." The tech giant responded by disabling the feature and changing its account recovery process to reduce the risk of scraping.
Score: 9.1 340,000,000 Records
Florida-based marketing and data aggregation firm Exactis left a database containing 340 million individual records unprotected on the web. Security researcher Vinny Troia discovered in June 2018 that Exactis had left the database exposed on a publicly accessible server. The database contained two terabytes of information that included the personal details of hundreds of millions of Americans and businesses including consumers' email addresses, physical addresses, phone numbers and other extremely sensitive information like the names and genders of their children. It's unknown how many U.S. individuals the breach exposed, but 340 million individual records were stored within the database at the time of discovery.
Score: 9.1 150,000,000 Records
An attacker gained unauthorized access to software owned by Under Armour and in so doing compromised as many as 150 million people's account information. On March 25th, the American apparel manufacturer learned that someone had gained unauthorized access to MyFitnessPal, its platform which tracks users' diet and exercise. According to CNBC, those responsible accessed individuals' usernames, email addresses and hashed passwords. They did not expose users' payment information, as Under Armour processes this data separately. Nor did the unauthorized individual(s) compromise users' Social Security Numbers or driver's license numbers, as Under Armour clarified that it doesn't collect those or any other government identifiers.
Score: 9.0 336,000,000 Records
Twitter urged all its more than 330 million users to change their passwords after a software glitch exposed their credentials in plaintext. The glitch involved the failure of Twitter's hashing process to scramble users' passwords prior to writing them to an internal computer log, causing them to be recorded in readable text. According to Reuters' reporting on May 3, the social networking service launched an internal investigation after discussing the issue, an exposure which one source said had persisted for "several months" prior to discovery. This analysis revealed that no passwords had been stolen or abused, but out of an abundance of caution, Twitter still cautioned all 336 million users to change their passwords.
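The Twitter incident comes down to ordering: a plaintext password reached a log line before the hashing step ran. The following is an added example (not Twitter's code, and with constructed sample data and assumed field names) that shows the defective ordering next to two defences a service can apply: hash first and log only a redacted copy of the request, and install a logging filter that scrubs sensitive fields from every record so a stray log call cannot leak them even if a developer gets the ordering wrong.

```python
"""Plaintext-password-in-logs failure mode and two mitigations.
Added example with constructed data; not code from any of the companies above."""
import hashlib
import io
import logging
import os
from typing import Optional

# Field names treated as secrets (an assumption for this example).
SENSITIVE_KEYS = {"password", "passwd", "new_password", "old_password", "token"}
REDACTED = "[REDACTED]"


def redact(obj):
    """Return a copy of obj with values of sensitive keys masked, recursing
    into nested dicts and lists so a secret inside a sub-object is caught too."""
    if isinstance(obj, dict):
        return {k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


class RedactingFilter(logging.Filter):
    """Last line of defence at the logging layer: scrub sensitive fields from a
    record's arguments before the message is formatted and written."""
    def filter(self, record):
        if isinstance(record.args, dict):          # single mapping argument
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):       # positional arguments
            record.args = tuple(redact(a) for a in record.args)
        return True


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256: the only form in which a password should be kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return f"{salt.hex()}${digest.hex()}"


def handle_login_leaky(request: dict, log: logging.Logger) -> str:
    """Defective ordering: the raw request is logged before it is hashed."""
    log.info("login request: %s", request)      # plaintext password hits the log
    return hash_password(request["password"])


def handle_login_safe(request: dict, log: logging.Logger) -> str:
    """Hash first and log only a redacted copy of the request."""
    hashed = hash_password(request["password"])
    log.info("login request: %s", redact(request))
    return hashed


def capture_logs(handler_fn, request: dict, use_filter: bool) -> str:
    """Run handler_fn with a logger writing into a string buffer and return what
    was written, so a leak (or its absence) can be checked programmatically."""
    buf = io.StringIO()
    log = logging.getLogger(f"demo.{handler_fn.__name__}.{use_filter}")
    log.handlers.clear()
    log.filters.clear()
    log.propagate = False
    log.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(message)s"))
    log.addHandler(handler)
    if use_filter:
        log.addFilter(RedactingFilter())
    handler_fn(request, log)
    handler.flush()
    return buf.getvalue()


# Constructed sample login request; the password value is deliberately recognisable.
SAMPLE_REQUEST = {"username": "alice", "password": "correct-horse-battery"}

if __name__ == "__main__":
    print("leaky, no filter:  ", capture_logs(handle_login_leaky, SAMPLE_REQUEST, False).strip())
    print("leaky, with filter:", capture_logs(handle_login_leaky, SAMPLE_REQUEST, True).strip())
    print("safe, no filter:   ", capture_logs(handle_login_safe, SAMPLE_REQUEST, False).strip())
```

The filter is attached to the logger rather than a single handler so it runs before any handler sees the record; a review of the code paths that log request objects is still needed, because the filter only knows the key names it was told about.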