The Year’s Biggest Data Breaches — And What To Do About Them

The databases at Marriott, Facebook, and more were breached this year. Here’s how to secure your account and protect yourself from identity theft.

Millions of people were affected by data breaches this year. The list of companies that were attacked or that inadvertently exposed customers’ data in 2018 is a long one. For consumers, the best way to protect yourself is to assume the worst. Change your passwords often, revoke third-party app access, and turn on app-based two-factor authentication to get ahead of hackers.

Here’s how this year’s biggest breaches happened — and more on what you can do to secure your accounts.

The Mega Marriott Data Breach

In November, hotel chain Marriott disclosed a historic data breach affecting up to 500 million people — topped only by Yahoo’s breach of 3 billion users. Hackers stole information from the company’s reservation database, dating back to 2014, and anyone who made a reservation at a Starwood property (including Sheraton, Westin, W, and St. Regis hotels) on or before Sept. 10, 2018, may have been affected.

What May Have Been Stolen: The most sensitive information procured included names, passport numbers, mailing addresses, phone numbers, emails, dates of birth, and genders. Starwood Preferred Guest account information, arrival and departure information, and reservation dates were also included.

What to Do: The exposed data puts customers at risk of identity theft, spam, and phishing attacks. Marriott is offering potentially affected customers free enrollment to a data monitoring site called WebWatcher.

If you’ve stayed at a Starwood hotel in recent memory, enroll in WebWatcher. You should also be wary of any emails from Marriott or Starwood hotels that look legitimate (even if they include your Starwood account number), as they are likely phishing attempts.

As a precaution, because the breach was so comprehensive, order a free credit report from the three main reporting agencies through, and see if there are any unauthorized accounts opened in your name. Then, review your credit and debit card account activity. If there’s anything you don’t recognize, go to to report the crime, report the fraudulent account or activity with the credit card issuer, and freeze your credit reports so that no one can open a credit account without a PIN number you create.

The Facebook–Cambridge Analytica Scandal

In April, after reports published by the New York Times and the Observer, Facebook said that the political analytics firm Cambridge Analytica had accessed the personal data of up to 87 million people without their consent. Cambridge Analytica was hired by Donald Trump’s presidential campaign to develop “psychographic” profiles of users and create advertisements based on those profiles.

Cambridge Analytica purchased this data thanks to a Facebook personality quiz called “This Is Your Digital Life” that psychology researcher Aleksandr Kogan created in June 2014. The quiz app harvested information from quiz takers and their friends, even if those friends didn’t agree to share their data with the app.

What May Have Been Accessed: Between 2010 and 2014, Facebook gave developers the ability to access extensive user data, including their notes, religion, relationship status, and political views, as well as that of their friends.

What to Do: Review which third-party apps have access to your Facebook account. Facebook created a page that shows whether or not banned apps had access to your information. Even if no apps are identified to have misused your data, you should check your Apps and Websites settings and remove applications you no longer use. While you’re at it, check the apps you’ve authorized to access your Google and Twitter accounts, too.

The Attacks on Reddit, Yahoo, and Gmail Two-Factor Authentication

Adding two-factor authentication (2FA) adds an extra layer of security to your accounts by requiring a code, in addition to your password, at login. But that second factor can be compromised if the code is delivered via text message. In June, a hacker broke into Reddit’s systems by bypassing employees’ SMS-based 2FA for the company’s cloud hosting accounts.

In December, researchers at Certfa Lab also discovered that Google and Yahoo email addresses with SMS verification enabled were compromised by an Iranian hacking group.

What Was Stolen: In Reddit’s case, users who signed up between 2005 and 2007 may have had data including usernames, emails, and private messages accessed. In Google and Yahoo’s case, the attack was limited to only 77 accounts owned by high-level individuals like US government officials.

While that information should have never ended up in hackers’ hands, the real lesson from these attacks is that SMS-based authentication is less secure than app-based authentication.

What to Do (part 1): Enable two-factor authentication on every account, and use an authenticator app — not SMS — where you can. Instead of receiving a text message, you’ll use login codes generated by an app, which are available even when your phone doesn’t have service.

For online accounts where you can enable two-factor authentication via app (Google Authenticator and Authy are great), opt for the app. Instagram, Amazon, Google, PayPal, Facebook, Twitter, and a bunch of other websites support app-based 2FA.

Not all accounts allow authenticator apps. But any two-factor authentication, even by text, is better than none at all. Hackers can read your texts by taking over your phone number through your mobile carrier, so protect your carrier account by adding a PIN to prevent your phone number from getting hijacked.

And remember: If you turn on two-factor authentication, don’t forget to print out your backup codes and keep them in a safe place.

What to Do (part 2): Before inputting your password and login code on any site, look closely at the URL to make sure it’s legitimate, especially if you’ve clicked on a link sent by text or email.

In some of the attacks on Google and Yahoo email addresses, hackers designed websites that looked just like those companies’ login pages. When users input their login code on the fake page, hackers could quickly use that code to access the genuine accounts.

Hacks of MyFitnessPal, Quora, MyHeritage, Chegg, and T-Mobile Accounts

The app MyFitnessPal (affecting 150 million users), Quora (100 million users), DNA testing site MyHeritage (92 million users), education tech site Chegg (40 million users), and T-Mobile (2 million users) all experienced hacks this year, and all these breaches included users’ passwords. In some cases, the stolen passwords were encrypted and the companies could not determine if the hackers could decrypt them.

What Was Stolen: Hackers accessed a variety of information — but, most importantly, what links these attacks is that usernames and passwords were among the data stolen. If you reuse the same password on multiple sites, more than one of your accounts may be exposed.

What to Do: The best way to secure your account is to change your password. First, download a password manager that you can use to generate and store strong passwords. LastPass and Dashlane have good free versions, and 1Password costs $3 per month. You will need to remember one strong master password, which unlocks access to your password manager. You should also change this password every few months.

Get the manager’s browser extension and mobile app to make your life easier. In your phone’s settings, you can also turn on the ability to auto-fill login credentials from your password manager.

Once your password manager is set up, start generating strong passwords for all of your accounts. Don’t forget to turn on two-factor authentication via app, too!
