Gaining the tools necessary to pull off a massive hack is getting easier and easier. When you add the inexplicable resistance some companies have shown to upgrading their security infrastructure, it’s no wonder 2014 saw the staggering amount of high-profile hacks that it did.
Between the international political drama surrounding the Sony Pictures attack and the sheer audacity of “The Fappening” celebrity leaks, there were a host of other hacks that you’ve probably forgotten about. Even if they weren’t as memorable, they still had widespread ramifications for the companies involved, not to mention their customers.
Here is our list of the worst hacks of the year.
1. Sony Pictures: You know the story: Sony Pictures’ computers froze up, and a now-infamous ‘90s skull image along with thinly veiled threats appeared across every computer on the network. Before long, huge caches of information from Sony’s hard drives started to hit the web, including private e-mails between executives Scott Rudin and Amy Pascal, the personal information and Social Security numbers of a host of celebrities and early versions of Sony movies like Fury.
The massive fallout is still playing out. Journalists combed through the leaked documents to find a variety of tidbits that prompted both fascination and outrage -- from Channing Tatum’s emails that resembled those of a drunken frat boy, to racist comments shared between executives regarding President Obama.
Had things stopped there, it would have been egg on Sony’s face and nothing more. However, the Guardians of Peace — the hacking group that claimed responsibility for the attack — escalated the situation by threatening terrorist attacks on theaters showing the Seth Rogen/James Franco film “The Interview.”
The fact that this film, which revolves around killing North Korea’s Kim Jong-un, was expressly targeted led many, including the FBI, to believe that North Korea was responsible. That idea has since been called into question by many independent analysts.
2. JPMorgan Chase: One of the largest intrusions ever, this hack put 76 million households at risk of having their names, phone numbers and email addresses exposed. JPMorgan insists there is no evidence that anything more sensitive was taken, however.
Amazingly, the hackers didn’t take the opportunity to loot any JPMorgan accounts, prompting some security officials to suggest that the hack had been pulled off for political reasons. Many experts suggested that the hackers were Russian or were sponsored by parts of the Russian government.
Wherever they came from, one of the most disturbing elements of the attack was how mundane it was. JPMorgan uses two-factor authentication, meaning one password won’t gain someone access to the system. Unfortunately, one of the bank’s servers didn’t have that higher level of security. As The New York Times reported, the hack “might have been thwarted if the bank had installed a simple security fix to an overlooked server in its vast network.” Ouch.
3. Bitcoin/Mt. Gox: If you’re a fan of BitCoin, and that JPMorgan story had you crowing something to the effect of, “Oh, that’s what they get for using a corporate bank! That kind of thing would never have happened with a decentralized cryptocurrency like Bitcoin,” now would be a good time to check your words.
Back in March, the primary Bitcoin exchange, known as Mt. Gox, was hit by a series of hacks that ultimately cost $460 million in Bitcoins and set the cryptocurrency’s economy spiraling. Even now, Bitcoin is still feeling the residual effects of the devastating hack.
Mt. Gox, of course, fell into bankruptcy after the hack, with CEO Mark Karpeles being subpoenaed by the Treasury Department in April to provide testimony on the matter. He declined to appear.
4. DarkHotel: This super-effective series of hacks targeted executives in luxury hotel suites in what Wired called “surgical strikes.” After getting comfortable in his hotel room, an executive would open up his laptop, connect to the hotel WiFi and be greeted with an innocuous-looking prompt to update his Adobe software. However, rather than helping the hapless exec read his .pdf files, the “update” would install a sophisticated keylogger in the bowels of his system and set about seeing what personal information it could glean, including passwords, bank account information, and private emails. The extremely targeted nature of these hacks distinguished them from so many others this year.
5. Heartbleed and Shellshock
This wasn’t so much a directed hack but rather the discovery of a systems vulnerability that could redefine the way we approach network security for a long time. Heartbleed was a vulnerability in a Windows security library that allowed for more data to be read than would typically be allowed to a user. This results in potential hackers having wide access to system output and database queries that also could hide personal information and passwords. The webcomic XKCD illustrated how it works far better than I could put it into words. While a patch has since been released, it could still take a while for every administrator to get things up to speed. Until that happens, everyone is at risk.
Shellshock was a similar vulnerability that instead lurked inside a small piece of software called the BASH terminal. BASH is a fundamental part of the operating system for many computers — more specifically, those running certain versions of Linux or Mac OSX. It’s the terminal in which commands essential for the operation of the machine are run. Shellshock allowed a potentially malicious actor to execute his own commands on almost any system — essentially giving them top-tier access. The vulnerability has since been patched, but as with Heartbleed, it might take a while to get everyone up to speed.
6. The Silk Road
It wasn’t just the “legitimate” side of Bitcoin (“legitimate” being a very, very subjective term) that was hacked this year. After the initial version of The Silk Road, the notorious underground black market website that sold everything from herbs to hit men, was taken down by the U.S. government, a new version sprung up, titling itself “The Silk Road 2.0.” This new version of the website quickly found itself to be a target, as hackers used a newly found bug in the Bitcoin protocol to bankrupt the site, draining it of $2.6 million in Bitcoin from its escrow account.
“I am sweating as I write this… I must utter words all too familiar to this scarred community: We have been hacked,” wrote Defcon, the site’s administrator, following the hack. “Our initial investigations indicate that a vendor exploited a recently discovered vulnerability in the Bitcoin protocol known as ‘transaction malleability’ to repeatedly withdraw coins from our system until it was completely empty.”
7. The Fappening
We all remember this. Leaked personal photographs were stolen from celebrities’ phones and iCloud accounts. Nude photos and videos of prominent actors like Jennifer Lawrence, Kate Upton and Aubrey Plaza were leaked, along with those of hundreds of less-famous TV and movie stars.
While it’s not been absolutely proven, most of the blame has been pointed at a website called Anon-IB. This website allegedly housed a secretive group that traded and shared celebrity nude pictures, and “The Fappening” was a case of the images being shared more widely. Others still blame vulnerabilities in Apple’s iCloud service for the intrusions. Whatever the case may be, many women were hurt by the leak. Jennifer Lawrence decried the hack as a “sex crime,” and similar accusations have been leveled at the perpetrators by other victims, too.
8. The Snapchat Hack
Right on the heels of The Fappening came “The Snappening.” Snapchat, the social media application that has found itself to be the center of many a sexting scandal, has always prided itself on its relative anonymity and privacy. As the very purpose of the app is to only display photos for a short period of time, not keep them on any servers, and to not allow screenshots, Snapchat seemed about as private as users could get.
However, hackers find a way, and even the most secure application has its weak link. In this case, the weak link was a third-party app called SnapSaved, which integrated into Snapchat, allowing users to save photos and videos. SnapSaved was slightly less dedicated to privacy than the Snapchat team; it stored all of the saved photos on its own web server. This web server was hacked, leading to leaks of 98,000 photos and videos, most of them pornographic.
As an aside: In case this entry has piqued your curiosity to go hunting down these pictures, it would be prudent of me to advise you not to. Bear in mind that at least half of Snapchat’s users are minors and, as such, downloading a trove of stolen Snapchat pictures has a strong chance of landing you in prison. Plus, it’s just super, super skeevy.
9. ‘Lizard Squad’ and the raids on PSN and Xbox Live
The Lizard Squad hacking group’s Grinch-like attempts to ruin Christmas for millions of new game console owners garnered widespread media attention. The hackers performed widespread DDoS (distributed denial of service) attacks on the PlayStation Network and Xbox Live online gaming services.
Timing their attacks over Christmas Day with the obvious goal of making hundreds of thousands of newly unwrapped PlayStation 4s and Xbox Ones unusable, the group hit these services with an attack of unprecedented proportions, three times that of the last record.
Things got a little more ludicrous when Kim Dotcom, the billionaire owner of the Mega.co.nz file hosting site (formerly MegaUpload, the site that was taken down by the U.S. in a highly publicized raid), offered the hackers millions of dollars of vouchers for VIP access to Mega.co.nz. The hackers accepted, temporarily halting the barrage, but started hitting the services again a short while later.
10. The Rise of Ransomware
Ransomware’s been around for a while, but 2014 saw the appearance of a few particularly malicious strains. For ages, spyware and malware makers have been trying to extort users out of their money. One of their favorite tactics has been a fake “virus scan” that promises to clean a user’s system...for a price. Ransomware ratcheted things up a few steps, locking up a user’s hard drive, encrypting their files and threatening deletion until they paid. Mostly trafficking in Bitcoins, these bad actors made an untold amount of money — several billion, at the last count. To their credit, the people behind the virus at least kept to their word, unlocking the majority of hard drives belonging to people that paid up.
Top Reads from The Fiscal Times: