It's the annual data breach round-up!

It's December: the leaves have fallen, the temperature is way down, lights are being put up, and depending on where you live, you might even be looking at snow.

But our favorite December tradition isn't chestnuts roasting on an open fire or kissing beneath the mistletoe. No, our favorite winter activity is reviewing the best, most severe security breaches and disclosures of the last year.

Yes, we know we're weird.

Like pretty much all the years before it, 2018 had some really juicy breaches. But what we think sets it apart is the incredibly well-known brands that suffered big, serious breaches.

With that in mind, let's take a look at our favorites, from least severe to most:

7. Panera Bread (37 million users potentially affected)

Panera is a popular chain of bakeries/sandwich shops/eateries that, like many brick-and-mortar stores, has worked hard to build an online component to their business. They let people order food for delivery or pickup through their website, saving customers the hassle of waiting in line.

Unfortunately, they also accidentally left up the records of millions of users in plain text on their website for anyone with an internet connection to see. This included names, email addresses, and the last 4 digits of credit cards. Not great.

While Panera claims only 10,000 people were affected, the number of records left up was over 37 million.

6. Facebook (50 million users affected)

Facebook doesn't need any introduction, so we can just skip that part.

This breach, reported back in September, was a good old-fashioned hack—exploiting three different parts of Facebook's code to take control of millions of accounts. Up to 50 million people were affected.

The most intriguing bit of this breach? Facebook poobahs Mark Zuckerberg and Sheryl Sandberg's accounts were among those hit.

5. Google (50 million users affected)

Remember Google+? Google's failed answer to Facebook is still around, sort of, and is exposing your data.

According to the Guardian, a "privacy flaw" leaked the names, ages, and email addresses of over 50 million Google+ users.

While we're shocked that 50 million people are using Google+, this is still not a good look, so much so that Google has accelerated plans to shutter the service in 2019.

4. Quora (100 million users affected)

Quora is a very helpful question and answer site. We've used it countless times over the years, from "How does air conditioning work?" to "Is it okay for a cat to eat tomatoes?"

Most recently we went on Quora to try and remove a grain of rice that got stuck in an iPhone speaker/jack. Miraculously, there was an answer there! It turns out, if you have a question, chances are, someone else has it too.

Because the site doesn't collect credit card information, the breach shouldn't be too serious, but the sheer number is staggering.

3. Under Armour/MyFitnessPal (150 million users affected)

MyFitnessPal, owned by Under Armour, is a popular app/website that helps users with their diet and exercise. It lets people log cardio and workouts, calculates calories from food, and sets goals for people trying to lose weight.

Needless to say, there's a lot of personal information on the app's servers, but most troubling about this breach was that it included hashed passwords. While not the actual passwords themselves, the hashed passwords are still breadcrumbs that could result in stolen passwords down the line, which is why MyFitnessPal asked users to change them.

2. Exactis (340 million users affected)

Exactis is a data broker, meaning they collect and sell information to people who want it, mostly marketers, advertisers, and the like. This also means they have incredibly personal information way beyond your typical email and name.

According to Wired, they collect information on your hobbies, your health habits, your family, your religion, and more.

That's why people are understandably freaked out that these records—data on hundreds of millions of people—were just sitting out in the open available for the taking.

1. Starwood (500 million users affected)

Starwood is the largest hotel group in the world, owning such properties as the W Hotels, the Sheraton, The Westin, and more.

For the past four years, hundreds of millions of people stayed at their hotels, giving the hotel chain names, arrival and departure information, passport numbers, contact information, date of birth, and more.

Now, all of that has been compromised. According to TechCrunch, the breach occurred as long ago as 2014, but wasn't detected until this year, which is one of the reasons so many records were taken.

It's one of the biggest breaches ever, not just for the number of accounts, but what was in them.

Wrapping up

Oh, the weather outside is frightful, and so are these data breaches. We hope you enjoyed our end-of-year roundup, and we look forward to seeing you back here for a hopefully safer 2019!