The 12 Biggest Data Breaches of 2022

In 2022, a whopping 83% of organizations surveyed by IBM reported experiencing more than one data breach. Having multiple breaches per year is incredibly expensive, especially considering the global average cost of a data breach hit a record-breaking high of $4.35 million in 2022.

Data breaches affected companies across the board, contributing to major cleanups and PR nightmares. At Nira, we document these breaches weekly, to learn from their patterns, and understand how to better protect customer and company data. The breaches we included this year affected some of the largest companies in technology, entertainment, and even cybersecurity itself.

Here are the 12 biggest data breaches of 2022:

1. Okta dealt with multiple data breaches and ‘bumpy disclosures’

On Jan. 21, 2022, authentication platform Okta was breached by the criminal hacking group Lapsus$. The threat actors were able to infiltrate the company’s systems by gaining remote access to a machine that belonged to an employee of Sitel, a subcontractor that provided customer services for Okta.

Okta dealt with another data breach in December 2022, when the company confirmed that its private GitHub repositories were hacked earlier in the month. The December security incident involved threat actors stealing Okta’s source code, according to Bleeping Computer.

Details at a glance:

Two months after the initial hack in January, a member of Lapsus$ shared screenshots showing Okta’s internal systems in a Telegram channel.
In the December hack, BleepingComputer obtained a ‘confidential’ security incident notification that Okta has been emailing to its ‘security contacts.’ Earlier in December, GitHub alerted Okta of suspicious access to Okta’s code repositories, according to the notification.
“Upon investigation, we have concluded that such access was used to copy Okta code repositories,” wrote David Bradbury, the company’s Chief Security Officer (CSO) in the email.

Read more here.

2. Uber allegedly compromised by teenage threat actor

On Sept. 15, 2022, Uber’s cybersecurity incident was first reported. A threat actor, who is allegedly a teenager, was able to compromise the ride-sharing company’s systems and gain access to confidential user data.

The threat actor’s motivations are unconfirmed, however, they posted a message announcing the breach on the company’s Slack, which claimed that the company underpaid their drivers.

Details at a glance:

The threat actor convinced a contractor to accept an MFA prompt that let the attacker register their own device.
The attacker claims they then found an internal network share containing PowerShell scripts with privileged admin credentials. This allowed them to gain access to Uber’s AWS, Slack, Google Cloud Platform, OneLogin, and SentinelOne incident response portal.
Uber confirmed the threat actor “downloaded some internal Slack messages, as well as accessed or downloaded information from an internal tool our finance team uses to manage some invoices.”

Learn more here.

3. Uber suffered a new breach after attack on vendor

Uber suffered another data breach in December 2022 after a threat actor leaked employee email addresses, corporate reports, and IT asset information stolen from a third-party vendor.

Details at a glance:

In December, a criminal hacker called ‘UberLeaks’ started leaking information that they claimed was stolen from Uber and Uber Eats on a popular hacking forum.
According to Uber, this incident was unrelated to the September hack on the company and the files were “related to an incident at a third-party vendor.”
The company later confirmed that the attackers stole its data in a recent breach on Teqtivity, a vendor that Uber uses for asset management and tracking services.
Uber also claimed the Lapsus$ hacking group that breached Uber in September was not involved in this breach.

Read more here.

4. A personal Google account led to Cisco’s May breach

On May 24, Cisco discovered that an employee’s credentials were compromised after an attacker gained control of the employee’s personal Google account.

Credentials for a Cisco account were stored in the browser and synchronized to the employee’s personal account. Through sophisticated voice phishing attacks, the threat actor was able to bypass 2FA and gain access to the employee’s passwords, including their Cisco VPN credentials.

Details at a glance:

The employee’s personal account—not their Cisco work account—was storing Cisco passwords, creating a secondary risk vector.
Threat actors used voice phishing attacks where they pretended to be trusted organizations to gain access to the MFA push notifications.
The attackers were successful in their attempts and were eventually able to get past MFA, which gave them access to the VPN for that user. They were then able to breach Cisco’s networks.

Find more details here.

5. Twitter faced multiple breaches as 5.4 million users’ data was leaked

Twitter faced multiple breaches in 2022, including incidents in July, September, and on Nov. 24. An even larger potential data breach of Twitter records was also disclosed by a security researcher.

Details at a glance:

Last July, a threat actor started selling the private data of over 5.4 million Twitter users for $30,000, according to Bleeping Computer.
A good chunk of the data was public information such as Twitter IDs and locations, but there was also private information including email addresses and phone numbers.
In September, and later on Nov. 24, the 5.4 million Twitter records— the same data from the previous breach—was shared for free on a hacking forum.
An allegedly even larger data dump of tens of millions of Twitter records was also disclosed by security researcher Chad Loder.

Learn more here.

6. Rockstar Games admitted to Grand Theft Auto leak

On Sept. 19, Rockstar Games confirmed on Twitter that a third party had accessed and downloaded some data from their systems⁠—allegedly using Slack—and published it online.

The leak included footage from Grand Theft Auto 6, a project users have been waiting for as early as 2014. The company said although they were “extremely disappointed” that game details were revealed in this way, the project would not be delayed.

Details at a glance:

The same threat actor who gained access to Uber’s systems also claims to be behind the GTA hack.
Like the Uber attack, it’s possible the threat actor used social engineering to gain access to the company’s Slack channel used for talking about the game, where they then downloaded the videos. They’ve threatened to release more of the footage online.
The threat actor claims they pretended to be an IT person from Rockstar Games and convinced an employee to share their login credentials, a common tactic used in social engineering attacks.

Learn what happened here.

7. Microsoft leak exposed customer data and emails

On Sept. 24, security researchers alerted Microsoft that some of its customer data was exposed by a misconfigured server that was accessible over the internet.

In a blog, the security researchers at SOCRadar claimed they could link the leaked information to over 65,000 entities from 111 countries stored in files from 2017 to August 2022.

Details at a glance:

Microsoft says the issue was the result of an “unintentional misconfiguration on an endpoint that is not in use across the Microsoft ecosystem” and not because of a security vulnerability.
Exposed customer data included “names, email addresses, email content, company name, and phone numbers, as well as files linked to business between affected customers and Microsoft,” according to Microsoft.
SOCRadar created a data leak search portal called BlueBleed which allows companies to see if their sensitive information was exposed. Microsoft said they were “disappointed” that SOCRadar released this tool as it “is not in the best interest of ensuring customer privacy or security.”

Read more here.

8. Dropbox phishing attack led to 130 stolen GitHub repositories

On Oct. 14, Dropbox learned that threat actors breached one of its GitHub accounts, stealing 130 code repositories. According to the company, the code contained “some credentials—primarily, API keys—used by Dropbox developers” as well as several thousand names and emails “belonging to Dropbox employees, current and past customers, sales leads, and vendors.”

Details at a glance:

The breach happened after a phishing attack targeted several Dropbox employees using emails impersonating the CircleCI continuous integration and delivery platform.
Employees were redirected to a phishing landing page where they entered their GitHub username and password.
In September, other GitHub users had been targeted in a similar attack impersonating the CircleCI platform. “While GitHub itself was not affected, the campaign has impacted many victim organizations,” said the company.

Learn more here.

9. Twilio admitted to second data breach from 0ktapus hacking group

In October, cloud communications company Twilio admitted to being breached twice over the summer by the hacking group 0ktapus. The first attack in June involved voice phishing (vishing) while the second breach was caused by SMS phishing (smishing) through text messages.

Details at a glance:

In August, Twilio confirmed that a threat actor tricked employees into sharing their login credentials through a smishing attack.
The company has now admitted to an earlier attack that happened in June. The same hacking group conducted fake phone calls pretending to be Twilio’s IT department and convinced employees to give them confidential information.
The attacks were part of a larger campaign by 0ktapus, a group that has compromised more than 130 organizations, usually targeting companies that use Okta for identity access and management.

Read more here.

10. LastPass breached twice in 2022

Password manager company LastPass was breached twice in 2022, with the first incident happening in August. In November 2022, LastPass confirmed that threat actors had accessed its cloud storage using data stolen from its first August breach.

According to the company, some customer data had been exposed. However, “customers’ passwords have not been compromised and remain safely encrypted due to LastPass’s Zero Knowledge architecture.”

Details at a glance:

The first data breach in August occurred when threat actors compromised a developer account.
In the August breach, the attackers maintained access to company systems for four days until they were forced out.
In the second breach, LastPass hired security firm Mandiant to investigate the attack and also notified law enforcement.
In an updated blog post on Dec. 22, LastPass confirmed that threat actors stole its customers’ encrypted password vaults.
LastPass warned customers that the threat actors “may attempt to use brute force to guess your master password and decrypt the copies of vault data they took.”

Learn more here.

11. Threat actor breached Fast Company, sent offensive Apple notifications

On Sept. 25, Fast Company was breached by a threat actor who replaced headlines on the company’s website with obscene, racist language. Two days later, they sent out Apple News notifications from Fast Company with similar messages.

In an unverified post on a hacker forum, the threat actor provided an explanation of how they conducted the breach.

Details at a glance:

The threat actor claims they easily bypassed the company’s security protocols, including a widely-used default password of “pizza123.”
They collected emails, usernames, and IP addresses from multiple employees as well as created their own account in the company’s CMS with new credentials.
Fast Company reported that “no customer or advertiser information was disclosed in connection with the CMS attack, and that we have taken steps to safeguard against further attacks.”

Read more here.

12. Ex-employee at Booz Allen Hamilton downloaded confidential data improperly stored in SharePoint

U.S. government contractor Booz Allen Hamilton has disclosed it was breached on April 14, 2022. During the incident, a now-former employee downloaded an internal report that was improperly stored on an internal Microsoft SharePoint site.

The report contained the personal information of possibly tens of thousands of employees, many of whom are contracted with U.S. intelligence and governmental agencies and hold high-security clearances.

Details at a glance:

Although the data was accessed in April, Booz Allen Hamilton said the company didn’t learn of the incident until Oct. 5.
The company admitted that the personal data in the report included sensitive information such as “name, Social Security number, compensation, gender, race, ethnicity, date of birth, and U.S. Government security clearance eligibility and status as of March 29, 2021.”
The act was believed to not be malicious, and it’s unclear whether the former employee has been charged with any criminal offenses.

Learn more here.

It’s been a busy year for security professionals and researchers as data breaches and incidents have affected hundreds of millions of users and cost companies millions in damages.

We’ve found that the majority of data breaches are not due to employees with malicious intentions, but happen because of common mistakes and misconfigurations that could happen to anyone.

However, accidental errors still cause massive amounts of harm, and it’s vital to understand the risks to your company and customer data. You can learn more about protecting company and customer data here.