This story is over 5 years old.


The Worst Hacks of 2016

Once again, this year proved that nothing, and no one, is really safe from hackers.
Image: Che Saitta-Zelterman/Motherboard

It's that time of the year again, where we recap the worst or biggest hacks of the previous 365 days, and try to convince you that, yes, this was the worst year for security ever.

It's not quite like that. Plus, every year has been called the worst year, or the year of data breaches, for at least five years now. Perhaps the reality is that we will always have data breaches and hacks. 2016 was no different, but it's fair to say it actually had some of the most shocking cyberattacks we've ever seen.


Read more: The Motherboard Guide to Not Getting Hacked

Here's a handy list to remind you of all the things that got badly pwned this year. (Sorry, Johnny Cockring, but hacking billboards to put Rubio porn memes on them didn't make the list)


Undeniably the hack of the year, or at least the one that was talked about the most. Over the last year, hackers believed to be working for the Russian government penetrated the networks of the Democratic National Committee, the Democratic Congressional Campaign Committee, the Gmail account of Hillary Clinton's campaign chairman John Podesta, and many more.

The hackers didn't just steal documents and data, but then went one extra step, setting up cover personas, such as the mysterious Guccifer 2.0—the Romanian hacker who can't speak Romanian—to leak the data publicly. These efforts, according to security experts and eventually the US government, were all part of a Russian campaign to influence the US presidential election.


These hacks didn't happen in 2016, but we didn't know about them (or at least their full extent) until this year. 2016 will be remembered as the year old data breaches surfaced all of a sudden, for no apparent reason.

In May 18, we found out that the 2012 LinkedIn breach, which at the time had only hit around 6 million people, actually affected practically all LinkedIn users—around 117 million. Then hackers revealed someone had broken into MySpace, stealing the passwords of 427 million users. Then we found out about Tumblr, which lost the passwords of 65 million people. Then, it was VK and DropBox.


We don't know exactly who the hacker, or group of hackers, behind all these breaches are. But a mysterious character nicknamed Tessa88 seemed to be at the center of it all somehow.

There were also two (from the same company!) old mega breaches, apparently unrelated to these ones, which all dated back to 2012. Yahoo revealed that someone, perhaps a nation-state, had broken into its servers and stole 500 million credentials in 2014. And that someone else (nobody knows who), had stolen as many as 1 billion records in 2013.

All these hacks had unintended consequences, such as low-level hackers breaking into celebrities' social media accounts taking advantage of the fact that some used the same passwords across different accounts. That forced some companies—which had not been breached—to proactively reset users' passwords. Overall this was another great reminder to never reuse passwords.

Of course, there were also plenty of new fresh breaches, including a new hack of Adult Friend Finder, exposing more than 400 million users.


Here at Motherboard we've been warning you that the Internet of Things can be an unmitigated disaster for cybersecurity for around a year now. We also warned you that cybercriminals would soon turn your internet connected stuff into zombie armies.

And then it happened.

In September, unknown attackers forced the website of security journalist Brian Krebs to go offline after a record-breaking distributed denial of service powered by a drove of hacked cameras and DVRs. The attack was powered by a new type of self-spreading malware called Mirai that targets Internet of Things devices and turns them into a botnet. Weeks later, a hacker released the code for Mirai on a hacking forum, unleashing a new wave of attacks.


The worst one targeted Dyn, an internet infrastructure company. The attack took down Twitter, Reddit, Spotify and many more as collateral damage. As hackers launched a turf war to control the botnet, the attacks continued, and might go on for a while.


Over a seemingly weekend just like any other, a mysterious hacking group calling themselves the Shadow Brokers released a series of hacking tools they claimed belonged to Equation Group, an security industry term to refer to the NSA. As it turned out, those tools really were indeed stolen, somehow, from the American spy agency.

To this day, we don't know who The Shadow Brokers are, or why they really released the files. Theories range from blaming Russia, to a rogue NSA insider. After weeks of silence, The Shadow Brokers released even more files—and then disappeared again.


On a summer morning, a famous Middle Eastern human rights activist received a weird text message on his iPhone. Instead of clicking on the link inside of it, he forwarded it to a cybersecurity researcher. The researcher, who's studied government spyware for a long time, immediately knew this was yet another sophisticated attempt to hack the activist, who had already been targeted with two different types of commercial/government spyware.

As it turned out, someone, presumably the UAE government, was trying to hack into the activist's iPhone using an unknown hacking tool developed by a shadowy Israeli hacking contractor. This was the first time anyone had caught a remote jailbreak—the technical term for taking control of an iPhone remotely—in the wild. In other words, it was a rare and extremely dangerous catch (Apple quickly released an update that patched the vulnerability).


Researchers estimated that the exploit that the hackers tried with the activist could've cost one million dollars, given that a startup offered that kind of reward (now they offer $1.5 million) for anyone that comes out with a similar hacking technique.


All year long, unknown cybercriminals have been abusing the international cross-border payments messaging system SWIFT, which is used by most major banks in the world, to steal millions of dollars.

The first major known cyber heist was in February against the Bangladesh Bank, which lost $81 million in just a few hours. The hackers could've stolen $1 billion if it hadn't been for a typo in one of their money transfer requests, which alerted the Federal Reserve Bank in New York, stopping part of the attack.

That was just the beginning. In the following months, more banks reported similar attacks, and international banks, as well as Swift, are now working on a way to stop them.

Get six of our favorite Motherboard stories every day by signing up for our newsletter.