Pages

2 January 2024

The Worst Hacks of 2023

Lily Hay Newman

With political polarization, unrest, and violence escalating in many regions of the world, 2023 was fraught with uncertainty and tragedy. In digital security, though, the year felt more like a Groundhog Day of incidents caused by classic types of attacks, like phishing and ransomware, rather than a roller coaster of offensive hacking innovation.

The cybersecurity slog will no doubt continue in 2024, but to cap off the past 12 months, here's WIRED's look back at the year's worst breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored hacking campaigns. Stay alert, and stay safe out there.


One of the most impactful hacks of 2023 wasn’t a single incident but a series of devastating breaches, beginning in May, caused by mass exploitation of a vulnerability in the popular file transfer software known as MOVEit. The bug allowed hackers to steal data from a laundry list of international government entities and businesses, including the Louisiana Office of Motor Vehicles, Shell, British Airways, and the United States Department of Energy. Progress Software, which develops MOVEit, patched the flaw at the end of May, and broad adoption of the fix eventually stopped the spree. But the “Cl0p” data extortion gang had already gone on a disastrous joy ride, exploiting the vulnerability against as many victims as possible. Organizations are still coming forward to disclose MOVEit-related incidents, and researchers told WIRED that this trickle of updates will almost certainly continue in 2024 and possibly beyond.

Based in Russia, Cl0p emerged in 2018 and functioned as a standard ransomware actor for a few years. But the gang is particularly known for finding and exploiting vulnerabilities in widely used software and equipment, with MOVEit being the latest example, to steal information from a large population of victims and conduct data extortion campaigns against them.

The identity management platform Okta disclosed a breach of its customer support system in October. The company said at the time that about 1 percent of its 18,400 customers were impacted. But the company had to revise its assessment in November to acknowledge that actually all of its customer support users had had data stolen in the breach.

The original 1 percent estimate came from the company’s investigation into activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for helping users troubleshoot. But that assessment had missed other malicious activity in which the attacker ran an automated query of a database that contained names and email addresses of “all Okta customer support system users” and some Okta employees. As with a number of other incidents this year, part of the significance of the Okta incident comes from the fact that the company plays a critical role in providing security services for other companies, yet it suffered a previous high-profile breach in 2021.


The US National Security Agency and its allied intelligence services around the world have been warning since May that a Beijing-sponsored group known as Volt Typhoon has been targeting US critical infrastructure networks, including power grids, as part of its activity. Officials have continued to reinforce that network defenders need to be on the lookout for suspicious activity that could indicate a clandestine operation. Volt Typhoon's hacking, and that of other Beijing-backed hackers, is fueled in part by the Chinese government's stockpile of zero-day vulnerabilities, which can be weaponized and exploited. Beijing collects these bugs through research, and some may also come as the result of a law that requires vulnerability disclosure.

Meanwhile, in June, Microsoft said that a China-backed hacking group had stolen an immensely sensitive cryptographic key from the company's systems that allowed the attackers to access cloud-based Outlook email systems for 25 organizations, including multiple US government agencies. In a postmortem published in September, Microsoft explained that improper access to the key was incredibly improbable, but occurred in this case because of a unique comedy of errors. The incident was a reminder, though, that Chinese state-backed hackers conduct a massive quantity of espionage operations each year and are often lurking undetected in networks, waiting for the opportune moment to capitalize on any flaw or mistake.


MGM casinos in Las Vegas and other MGM properties around the world suffered massive and disruptive system outages in September after a cyberattack by an affiliate of the notorious Alphv ransomware group. The attack caused chaos for travelers and gamblers alike, and took the hospitality group days—in some cases, even weeks—to recover, as ATMs went down, hotel keycards stopped working, and slot machines went dark.

Meanwhile, Caesars Entertainment confirmed in a US regulatory filing in September that it had also suffered a data breach at the hands of Alphv, one in which many of its loyalty program members' Social Security numbers and driver's license numbers were stolen, along with other personal data. The Wall Street Journal reported in September that Caesars paid roughly half of the $30 million the attackers demanded in exchange for a promise that they wouldn't release stolen customer data. MGM reportedly did not pay the ransom.


In December 2022, LastPass, maker of the popular password manager, said that an August 2022 breach it had disclosed at the end of November 2022 was worse than the company originally thought, and encrypted copies of some users’ password vaults had been compromised in addition to other personal information. It was a deeply concerning revelation given that LastPass has suffered other security incidents in the past, and users trust the company with the most sensitive pieces of their digital lives.

On top of this, though, the company disclosed a second incident in February 2023 that also began in August 2022. Attackers compromised the home computer of one of the company's senior engineers—who had special access to LastPass' most sensitive systems—and stole authentication credentials. These, in turn, allowed them to access an Amazon S3 cloud storage environment and ultimately “LastPass production backups, other cloud-based storage resources, and some related critical database backups,” the company wrote in March—a devastating breach for a password manager company.


23andMe disclosed at the beginning of October that attackers had successfully compromised some of its users' accounts and parlayed that access to scrape the personal data of a larger number of users through the company's “DNA Relatives” opt-in social-sharing service. In that initial disclosure, the company didn't say how many users were affected. In the meantime, hackers began hawking data that appeared to be taken from a million or more 23andMe users. Then, in a US Securities and Exchange Commission filing at the beginning of December, the company said that the attacker had accessed 0.1 percent of user accounts, or roughly 14,000 per a company estimate that it has about 14 million customers. The SEC filing didn't include a larger number of those impacted by the DNA Relatives scraping, but 23andMe ultimately confirmed to TechCrunch that the hackers collected data from 5.5 million people who had opted in to DNA Relatives, plus information from an additional 1.4 million DNA Relatives users who “had their Family Tree profile information accessed." Some of the stolen data included classifications like describing subsets of users as being “Ashkenazi Jews,” “broadly Arabian,” or of Chinese descent, potentially exposing them to specific targeting.

While troubling, the data theft didn't include raw genetic information and typically wouldn't qualify as a “worst hack” in and of itself. But the situation was an important reminder of the stakes when dealing with information related to genetics and ancestry, and the possible unintended consequences of adding social sharing mechanisms to sensitive services, even when user participation is voluntary.

Honorable Mention: T-Mobile. Twice.

The wireless carrier T-Mobile has suffered a ludicrous number of data breaches in recent years and now has the dubious distinction of being a two-time winner of an honorable mention in WIRED's annual Worst Hacks roundups. This year, the company disclosed two breaches. One began in November 2022 and ended in January, impacting 37 million current customers on both prepaid and postpay accounts. Attackers stole customers' names, email addresses, phone numbers, billing addresses, dates of birth, account numbers, and service plan details. The second breach, which occurred between February and March and was disclosed in April, was small, impacting less than 900 customers. It is significant, though, because the stolen data included full names, dates of birth, addresses, contact information, government ID information, Social Security numbers, and T-Mobile account pins—in other words, the crown jewels for hundreds of people.

No comments:

Post a Comment