
Over 5.3 billion data records exposed in April 2024

The number of data records breached in April 2024 hit over five billion, a staggering year-on-year increase

Over 5.3 billion data records are known to have been breached in a total of 652 publicly disclosed cyber security incidents in April 2024, a staggering increase of over 122,000% on April 2023, and over 1,600% higher than in March 2024, according to figures revealed by risk and privacy management specialist IT Governance.

Taken with January’s so-called “mother of all breaches” – which saw 26 billion records exposed via an open instance, likely compiled by an initial access broker – this means that over 35 billion data records have been leaked so far this year.

IT Governance’s founder and executive chairman, Alan Calder, said the number of leaked records in April was high largely due to two outlier events. In the first of these, an illicit data-scraping website known as Spy.pet offered 4,186,879,104 Discord messages for sale.

In the second, a series of critical vulnerabilities in nine pinyin mobile apps used to input Chinese characters affected up to a billion people.

“The spike in data breached this month is really concerning,” said Calder. “It’s a reminder of the persistent challenges we face in safeguarding sensitive information. Organisations need to be one step ahead in protecting our privacy and implement tighter security measures to prevent these kinds of breaches.

“Boards need to lead the charge in prioritising cyber security, weaving it into every aspect of their business strategies,” he said. “This commitment goes beyond protecting against cyber threats; it’s about compliance, safeguarding corporate assets and ensuring directors fulfil their responsibilities to uphold organisational integrity.

“Investing in robust security measures is a must,” said Calder. “We need to allocate resources, train staff and stay up to date on the latest threats. When it comes to cyber security, an ounce of prevention is worth a pound of cure.”

Major breaches

The Spy.pet Discord breach comprised information that had been extracted automatically from the service and compiled into a larger database over a period of about five months. The administrators of the service offered the information for sale to anybody interested, which may have led, and may yet lead, to increased targeting of Discord by cyber criminals.

Scraping Discord’s services is in violation of both the organisation’s terms of service and its community guidelines, and it reacted by banning accounts affiliated with Spy.pet and having the service taken down.

The pinyin app breach, uncovered by Canada’s Citizen Lab, which also worked on the Pegasus spyware scandal, was linked to the discovery of vulnerabilities in software developed by some of Asia’s biggest tech giants, including Baidu, Honor, Huawei, iFlytek, Oppo, Samsung, Tencent, Vivo and Xiaomi, that exposed user keystrokes to network adversaries.

The keyboard apps studied by Citizen Lab collectively account for 95% of the third-party input method editor market, and the three smartphone manufacturers that were found to have pre-installed and by default used vulnerable keyboard apps comprised just under 50% of China’s vast smartphone market – a gift for government snoopers and a potential danger to political activists, dissidents and journalists who oppose Xi Jinping’s increasingly hardline rule.

According to Citizen Lab, there is also strong evidence to suggest that agencies operating on behalf of the informal Five Eyes intelligence alliance – the UK, Australia, Canada, New Zealand and the US – have previously taken an interest in exploiting pinyin apps.

Some of the other high-volume breaches in April include a breach of the iSharing mobile phone tracking app, which exposed the personal data of 35 million people, and a breach at Mobile Guardian, a UK-based mobile app designed to let parents manage their children’s device usage.

In this incident, the email addresses and names of 89,000 parents and teachers from 122 secondary and five primary schools in Singapore were exposed. This breach is known to have arisen via an admin account on Mobile Guardian’s management portal that had allowed unauthorised access to its systems.
