Lessons Learned From Data Breaches

Each new data breach casts doubt on whether personal data can ever truly be kept private. Despite increased efforts to improve security and prevent hacking, major sites continue to become the targets of global hackers. What do these breaches teach businesses and users about modern cybersecurity, and what can be done to minimize future risks?

Millions of Users Compromised on Instagram

In March 2019, Facebook announced in a blog post that tens of thousands of Instagram users’ passwords had been “accidentally” stored in a format readable by third parties, although the social site claimed none of the passwords were “internally abused or improperly accessed.” By April, the number of affected users had increased to the millions, suggesting the breach was much more extensive than was first believed.

All affected users should have been notified by Facebook, but despite the apparent lack of malicious activity, the full impact of any vulnerability may not always be known. With no indication of who might have had access to the passwords or how the data might be exploited, it’s possible information associated with the accounts could have been compromised.

Instagram was in the spotlight again about a month later when information on 49 million users, including celebrities and popular influencers, was discovered in a database belonging to Chtrbox, an influencer marketing site. Information was reported to include profile pictures, likes, shares, follower counts, locations, phone numbers and email addresses.

Chtrbox claimed only 350,000 records were in the database, all compiled from publicly available information and not Instagram itself. If any of the data did actually come from Instagram, it’s possible a flaw in the website, which may have existed since October of prior year, could be to blame. The database was “inadvertently left unsecured for approximately 72 hours” before being fixed. 

Canva Design Tool Attacked and Breached

Other sites are equally vulnerable even when they don’t contain the same level of personal data found on social media platforms. A breach of the Australian design tool Canva highlights this unsettling reality. Canva allows users to create custom images for social media posts and profiles, email marketing, blogs and print advertising and was recently breached by an opportunistic hacker going by the name “GnosticPlayers.”

The hacker claimed to have stolen data on 932 million users from 44 sites across the web, including Canva which closed its database server after detecting the breach in mid-May 2019, but it was too late to prevent 139 million records from being compromised. Seventy-eight million of the affected users sign into Canva through Google accounts, which could put additional information outside of the design platform at risk.

Canva assures its users no login credentials were compromised because all passwords for the site and third-party login options are encrypted and impossible to decode. However, it continued to advise users to change passwords for Canva accounts as a precaution. 

How Should Users Respond?

The smartest thing for individuals to do after a data breach is to change passwords for the affected sites and any sites where the same email address and password combination are used. Those signing in through a third party, such as Google, may also want to consider updating those passwords, as well. Even though affected users receive notification from companies that experience a data breach, a password reset is always a good precautionary measure following data compromise.

Creating stronger passwords, eliminating duplicates and managing password information more carefully reduces the risk of multiple accounts being compromised. Adopting the highest security settings and adding firewalls, anti-spyware and anti-malware programs to all devices can provide another layer of protection during daily work and web browsing. 

How Should Businesses Respond?

Companies handling any kind of personal information need to implement more sophisticated security measures and take advantage of solutions incorporating artificial intelligence and machine learning to monitor network use and detect anomalies suggestive of possible malicious activity. Early detection is key in preventing extensive breaches, and technology is continuously being updated to handle new threats.

IT professionals trained in disciplines relevant to breach prevention can help business owners develop and deploy improved cybersecurity plans and educate both employees and customers in better password management practices. Some companies are dealing with increased threat risks by phasing out passwords completely and introducing more secure login options.

It’s unlikely breaches will ever stop completely, but businesses and users are responsible for taking proactive steps to reduce risks as much as possible. For IT professionals, massive breaches like those affecting Instagram and Canva highlight the growing need businesses have for better access control and cybersecurity protocols. Individuals with knowledge and experience in identity risk management and identity theft prevention can provide the guidance required to identify potential vulnerabilities and thwart hackers before millions of records are compromised.