Blockpass Data Breach Intelligence Report - April 2019

May 2019
Over the course of April, the Blockpass Research Team analyzed 7 data breach events, chosen for their scale, their significant impact on consumers, or their global implications. This month, the largest single data breach was in social media, whilst two of the events still have unknown elements regarding their scale or identity.

News of massive data leaks has, unfortunately, become all too commonplace. Just a few weeks after the biggest security breach ever discovered, April turned out to be a catastrophic month for cybersecurity as well. Of the 7 events analysed this month, two breaches each affected more than 200 million individuals, with approximately 10% of the world's population being affected overall. A common theme between the breaches is data being put on unprotected or unsecured databases without the users’ knowledge. Interestingly, the data in these two breaches dates back quite some time. Hopefully we will see, in a few years, that new data protection regulations like the EU’s GDPR have made a difference.

Since November, the Blockpass team has analysed six months' worth of data and found that, statistically, 50% of the world's population has been the victim of a data breach. Extrapolating from this, we can predict that over the course of a year most people will be the victim of a hack or leak. Blockpass is working towards a future in which these kinds of statistics are eliminated, by empowering users to be in full control of their data and eventually eliminating the need for centralised data stores.

# of Events Analyzed: 7
# of Identities Lost: > 751,000,000
% of World Population: > 9.9%
Industry Hardest Hit: Social Media

This report, for the month of April, is the sixth of our Data Breach Intelligence Reports. We encourage the Blockpass community and anyone who might be otherwise interested to let us know what kinds of information they would like to see provided in future reports by contacting us at [email protected] under the subject line “Suggestions for the blog.”


Facebook | Social Media | Up to 540,000,000
According to a report by cybersecurity research firm UpGuard, the personal information of as many as 540 million Facebook users has been available in an unprotected database on Amazon’s cloud computing service. The data appears to have been posted to the server by two third-party Facebook app developers.

UpGuard has named Mexican media company Cultura Colectiva as the main culprit. The company uploaded around 146 gigabytes of user data that had been collected on Facebook. Exposed data includes users’ names, IDs, comments, and reactions.

Another culprit is an app called At the Pool. The app was meant to provide a way to help people meet up for offline activities, although the service ended in 2014. Data leaked from this app includes Facebook user IDs, friends, photos, location check-ins, and some passwords.



Unknown | Unknown | 202,400,000
The perpetrators of this month’s second biggest case of data negligence, which was only revealed on the 30th of April, have yet to be identified. Microsoft’s cloud services division has confirmed that the personal details of 80 million US households had been left on a database it hosted, for anyone online to see.

The average American household consists of 2.53 individuals, so it can be calculated that over 200 million individuals have been affected. The data within the database, including home addresses, full names, marital statuses, income brackets, ages, and birthdates, could be extremely valuable to fraudsters.

Health and Fitness | Up to 7,000,000
A hugely popular online community and store for bodybuilders and fitness enthusiasts disclosed in mid-April that some percentage of its seven million users may have had their data exposed to hackers following a phishing attack that occurred in February. The attack has been linked to an email that had been opened by an employee.

While the data has certainly been exposed, website staff are unsure whether or not it has in fact been accessed. Exposed data includes names, email addresses, billing and shipping addresses, phone numbers, and order histories. Staff have said that they have reset all user passwords.



Georgia Tech | University | 1,300,000
The Georgia Institute of Technology revealed on April 4th that the personal data of as many as 1.3 million current and former students and employees had been leaked. The university has said that the security breach occurred as a result of a vulnerable web application.

There is fear that far-reaching user data such as names, addresses, social security numbers, and dates of birth may have been exposed. The breach is currently under investigation by the US Department of Education and the University System of Georgia.



Docker Hub | Image Repository | 190,000
On April 26th, it was reported that the account information of about 190,000 Docker Hub users had been compromised. Docker Hub is an online repository of ready-to-run Docker application images and is a go-to source in the development community. Docker Hub has stated that the breach affected about five percent of its users.

Docker Hub did act quickly on the breach, which was discovered on April 25th, announcing the issue to its community on the following day. Leaked data includes usernames and hashed passwords, as well as GitHub and Bitbucket tokens, which can be used for Docker autobuilds.



University of Alaska | University | Tens of thousands
On the 28th of April, administrators at the University of Alaska (UA) announced in a press release that some student records had been leaked through compromised email login names and passwords. The exact number of accounts that had been breached has not been publicly released, but it can be presumed to be in the tens of thousands given the university’s size.

The university began finding traces of unauthorized access to UAOnline reports as early as February 2018. Following an investigation that was carried out in March 2018, the university determined that student accounts had been accessed between January and February of that year. The university did not see the need to warn of the breach until now, more than one year later.

Leaked data varies depending on the type of information stored on the account; however, in extreme cases the leaked data may include students' names, government-issued identification numbers (in many cases social security numbers), dates of birth, driver’s license numbers, health and health insurance information, passport numbers, and UA student ID numbers.



Microsoft | Communications | Undisclosed
Only months after January’s big reveal that 773 million Microsoft email addresses, and tens of millions of addresses, had been exposed to the public, Microsoft informed users in early April that a “limited” number of additional addresses had been leaked between January 1st and March 28th of this year.

As reported by TechCrunch, any user of an or could be at risk of having had some of their personal information leaked. Microsoft says that it has closed the vulnerability, but that for a certain amount of time hackers were able to see affected users’ email addresses, folder names, subject lines and contact email addresses. No email contents or login details seem to have been affected.