# A list of exploits Computers, all the way down, are nothing but math. Therefore, *any* computer system with sufficient attention toward it (meaning sufficient motivation for someone to try) is going to get hacked. Efforts like [encrypting everything](encryption.md), [hardening](computers-cysec.md), and [enforced procedures](computers-cysec-compliance.md) are designed to do several things: 1. Mitigate the damage or propagation of secure information. 2. Make the hackers easier to catch while taking that information (or maybe even mislead them). 3. Inspire the hackers to attack *other*, less-secure computers instead. Here's a list of various exploits that have become public, which is by *no* means in any way exhaustive: - Some of them are *really* severe, and can lead to identity theft of potentially millions. - Others were discovered by [security researchers](computers-cysec-compliance.md) beforehand. - Some were simply a disgruntled employee with too many [permissions](computers-cysec-authentication.md). By the time you see it here, most of them have been fully patched. Governments - [2023-04](https://www.bleepingcomputer.com/news/security/irs-authorized-efilecom-tax-return-software-caught-serving-js-malware/) The IRS eFile.com tax return software was sending JavaScript malware. Acer (hardware company) - [2023-03](https://www.theregister.com/2023/03/08/acer_confirms_server_breach) 160 GB of internal company data for repair technicians was stolen from Acer. Activision (game company) - [2022-12](https://www.bleepingcomputer.com/news/security/activision-confirms-data-breach-exposing-employee-and-game-info/) Activision had sensitive workplace documents stolen from them. Booking.com (discount travel clearinghouse, owner of Priceline and KAYAK) - [2021-10](https://archive.is/20211111083353/https://www.nrc.nl/nieuws/2021/11/10/american-spy-hacked-bookingcom-company-stayed-silent-a4065086) An American spy was able to access Booking.com's database for thousands of Middle East hotel reservations. Bumble (dating app) - [2021-08](https://robertheaton.com/bumble-vulnerability/) Bumble has an exploit that leaks users' exact location. Clubhouse (hacker forum) - [2021-04](https://cybernews.com/security/clubhouse-data-leak-1-3-million-user-records-leaked-for-free-online/) 1.3 million user data records with social media information was stolen as a SQL database. - [2021-07](https://twitter.com/mruef/status/1418693478574346242) 3.8 billion phone numbers were stolen from the Clubhouse network, which includes many contacts for people who did *not* have a Clubhouse login. Experian (credit/personal information bureau) - [2022-07](https://krebsonsecurity.com/2022/07/experian-you-have-some-explaining-to-do/) People were having accounts hacked at Experian through the company authorizing changes from stolen personal information and updating emails that weren't theirs. - [2022-10](https://krebsonsecurity.com/2023/01/experian-glitch-exposing-credit-files-lasted-47-days/) Experian had a glitch for 7 weeks that allowed viewing *any* consumer's information with simply their name, address, date of birth, and social security number. Ferrari (auto company) - [2023-03](https://www.bleepingcomputer.com/news/security/ferrari-discloses-data-breach-after-receiving-ransom-demand/) After a ransom demand, Ferrari has disclosed that they've had a data breach of customers' personal contact information. Intel ([CPU](computers-cpu.md) company) - [2020-08](https://arstechnica.com/information-technology/2020/08/intel-is-investigating-the-leak-of-20gb-of-its-source-code-and-private-data/) 20 GB of internal Intel company data was leaked, likely from an employee. Meta: Facebook (social media company) - [2019-09](https://techcrunch.com/2019/09/04/facebook-phone-numbers-exposed/) 419 million phone numbers linked to Facebook were for sale online. - [2021-04](https://cybernews.com/news/leaker-says-they-are-offering-private-details-of-500-million-facebook-users/) 533 million user records were for sale elsewhere online, including telephone numbers. - [2022-11](https://www.privacyaffairs.com/facebook-data-sold-on-hacker-forum/) 1.5 billion Facebook users' data has been claimed to be for sale on a hacker forum. Meta: WhatsApp (message service) - [2022-09](https://nvd.nist.gov/vuln/detail/CVE-2022-36934) An integer overflow in WhatsApp can permit code to remotely execute. Microsoft (tech company) - [2020-09](https://www.zdnet.com/article/windows-xp-leak-confirmed-after-user-compiles-the-leaked-code-into-a-working-os/) Most of the Windows XP OS has been leaked. - [2020-11](https://web.archive.org/web/20201105011435/https://resynth1943.net/articles/github-source-code-leak/) GitHub's entire source code was publicly leaked. - [2022-03](https://www.bleepingcomputer.com/news/microsoft/lapsus-hackers-leak-37gb-of-microsofts-alleged-source-code/) 37 GB of source code for Cortana and Bing was taken by LAPSUS$ through a single compromised account. Microsoft: LinkedIn (social media company) - [2021-04](https://cybernews.com/news/stolen-data-of-500-million-linkedin-users-being-sold-online-2-million-leaked-as-proof-2/) 500 million user records were for sale, with 2 million provided for free as proof. - [2021-06](https://restoreprivacy.com/linkedin-data-leak-700-million-users/) 700 million user records were for sale, in a completely unrelated event to the 500 million record leak. Microsoft: Teams (video chat service) - [2020-12](https://github.com/oskarsve/ms-teams-rce) Microsoft Teams has a zero-click, wormable, cross-platform remote code execution. Microsoft: Twitch (streaming video service) - [2021-10](https://kotaku.com/report-twitch-is-hacked-and-its-source-code-is-in-the-1847808252) 125 GB, the entirety of Twitch's website (including streamers' private data) has been leaked in a [torrent](computers-torrent.md). Microsoft: [Windows](computers-os-windows.md) ([operating system](computers-os.md)) - [2021-11](https://www.bleepingcomputer.com/news/microsoft/new-windows-zero-day-with-public-exploit-lets-you-become-an-admin/) A new exploit allows users on Windows 10, Windows 11, and Windows Server to have administrator privileges. Nestlé (food and personal care) - [2022-03](https://www.thetechoutlook.com/news/technology/security/anonymous-released-10gb-database-of-nestle) The hacker group Anonymous released 10 GB of data from Nestlé to politically pressure them to leave Russia. NVIDIA ([graphics](engineering-graphics.md) CPU company) - [2022-01 NVIDIA's email systems and developer tools were taken offline by a cyberattack](https://www.protocol.com/bulletins/nvidia-cyberattack). A month later, [the hacker group LAPSUS$ leaked NVIDIA corporate information such as schematics and source code, with the demand that the company make their drivers open-source](https://thehackernews.com/2022/03/hackers-who-broke-into-nvidias-network.html). - Okta (authentication company) - [2022-12 Okta's source code was stolen from its GitHub repositories](https://www.bleepingcomputer.com/news/security/oktas-source-code-stolen-after-github-repositories-hacked/), and 2 months later [the company disclosed that the hacker group LAPSUS$ attempted to breach their main systems](https://www.okta.com/blog/2022/03/updated-okta-statement-on-lapsus/). - Parler (social media company) - [2021-01 70 TB of mostly public information was scraped from Parler right before the website was taken down](https://cybernews.com/news/70tb-of-parler-users-messages-videos-and-posts-leaked-by-security-researchers/). - Robinhood ([investing](money-investing.md) platform) - [2021-11 5 million customer emails and 2 million customer names were taken from Robinhood](https://www.theverge.com/2021/11/8/22770861/robinhood-7-million-customers-hacker-breach-extortion-security). - Slack (messaging/chat service) - [2020-01 It's possible to perform remote code execution on any Slack app](https://hackerone.com/reports/783877). - T-Mobile (cell phone service company) - [2021-08 Over 100 million T-Mobile records were hacked and sold online](https://www.vice.com/en/article/y3d4dw/t-mobile-confirms-it-was-hacked). - [2023-02 Three different cybercriminal groups have claimed they've hacked T-Mobile more than 100 times in 2022](https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/). - Tesla (auto company) - [2023-05 100 GB of 1,000 Tesla accident reports about phantom braking and unintended acceleration have been reported to a German news site](https://jalopnik.com/whistleblower-drops-100-gigabytes-of-tesla-secrets-to-g-1850476542). - Twitter (social media company) - [2020-07 Multiple famous Twitter accounts were compromised, starting with cryptocurrency brand accounts, which all advertised a Bitcoin offer during the breach](https://www.coindesk.com/business/2020/07/15/everything-we-know-about-the-bitcoin-scam-rocking-twitters-most-prominent-accounts/). - [2022-08 5.4 million Twitter accounts' contact details were for sale on a hacking forum](https://9to5mac.com/2022/08/08/twitter-data-breach/). - Uber (ridesharing company) - [2022-09 A teenager hacked into Uber and announced it on their internal Slack channel](https://www.theverge.com/2022/9/16/23356213/uber-hack-teen-slack-google-cloud-credentials-powershell). - Western Digital ([hard drive](computers-memory.md) company) - [2021-06 WD My Book devices have had information randomly deleted from their drives](https://arstechnica.com/gadgets/2021/06/mass-data-wipe-in-my-book-devices-prompts-warning-from-western-digital/), and [this zero-day exploit also sits on Western Digital MyCloud devices that don't upgrade their OS](https://krebsonsecurity.com/2021/07/another-0-day-looms-for-many-western-digital-users/). - Wikipedia (not-for-profit public wiki) - [2019-09 Wikipedia was attacked constantly, and taken offline for intermittent periods](https://wikimediafoundation.org/news/2019/09/07/malicious-attack-on-wikipedia-what-we-know-and-what-were-doing/). - Zoom (videoconference service) - [2021-04 Hackers who found a zero-day exploit were rewarded $200,000 by the company](https://www.malwarebytes.com/blog/news/2021/04/zoom-zero-day-discovery-makes-calls-safer-hackers-200000-richer). ## Vast multi-organization exploits Cisco ([networking hardware](networks-computer.md) company) - [2023-04](https://thehackernews.com/2023/04/us-and-uk-warn-of-russian-hackers.html) The US and UK are warning that Russian hackers are exploiting flaws in Cisco routers. Kaseya (networking company) - [2021-07](https://www.reuters.com/technology/hackers-demand-70-million-liberate-data-held-by-companies-hit-mass-cyberattack-2021-07-05/) Up to 1,500 businesses have been affected by a ransomware attack through Kaseya. Let's Encrypt ([certificate authority](computers-cysec-authentication.md)) - [2021-03](https://letsencrypt.status.io/pages/incident/55957a99e800baa4470002da/6044830be2838505358d3108) Let's Encrypt had reduced performance due to a DDoS attack. Microsoft (tech company) - [2021-03](https://krebsonsecurity.com/2021/03/at-least-30000-u-s-organizations-newly-hacked-via-holes-in-microsofts-email-software/) At least 30,000 US organizations have been affected by a Chinese espionage unit through four new flaws in Microsoft's Exchange Server email software. Tesla ([auto](autos.md) company) - [2021-05](https://www.securityweek.com/tesla-car-hacked-remotely-drone-zero-click-exploit/) Security researchers have found a zero-day exploit that allows them to hack Tesla cars (among potentially others) from a drone as near as 100 yards. ## Pure incompetence Sometimes, it's not a clever hack, and it was simply people failing at keeping everything [safely compliant](computers-cysec-compliance.md). Government - [2022-06](https://web.archive.org/web/20220624102603/https://www3.nhk.or.jp/nhkworld/en/news/20220624_27/) A USB stick was lost that had the personal data of 460,000 residents, though it was found later by the person who lost it.