2021 Data Breaches: A Full Timeline

Data breaches affected a number of companies in 2021, including the likes of Microsoft, Twitch, and Facebook. In this article, we’ll detail every data breach we tracked in 2021, in reverse chronological order.

To keep up with the latest breaches, see our article on the most recent data breaches.

December 2021: FlexBooker Breached, Compromising 3 Million Users

In December 2021, a hacker group identified as “Uawrongteam” broke into FlexBooker, an online booking platform, and made off with data on roughly three million users. After looting the data, they posted it for sale on various hacker forums.

The stolen data included drivers’ licenses and other personally identifying information, as well as password data. The data was apparently accessed by exploiting FlexBooker’s Amazon Web Services configuration.

November 2021: Panasonic Hacked, Exposing Data on Job Candidates & More

In November 2021, Panasonic announced that it was attacked by a hacker. Initially, the company believed that only business partner and specific proprietary data was accessed. However, after investigating further, the company stated in January 2022 that job candidate data, as well as information about interns, was also accessed.

Panasonic did not confirm how many individuals were impacted, though it said it reached out to notify those involved.

November 2021: Email Addresses for 5 Million Robinhood Users Exposed

In November 2021, Robinhood announced that an unauthorized person used a social engineering attack to obtain access to internal systems. The hacker accessed a list that contained the email addresses of 5 million users, the full names of 2 million users, and additional personal information on approximately 310. Around ten customers may have had an extensive amount of information compromised.

After collecting the data, the hacker demanded a payment to prevent the release of the information. Robinhood reach out to local authorities and began working with a security firm. Additionally, the company contacted all impacted account holders, as well as made a public announcement.

October 2021: Twitch Source Code & Other Data Hacked

In October 2021, source code for Twitch – which is owned by Amazon – and an unreleased Amazon Game Studios Steam competitor, along with Twitch creator payout data, began appearing online. A 125 GB torrent was posted on 4chan, with the user claiming it contained the entirety of Twitch. The poster stated they wanted to foster competition in the streaming space and cause disruption with the leak.

In the data cache, there was three years of data relating to Twitch creator payouts. Additionally, the full scope of twitch.tv, along with source code for Twitch clients, proprietary code, details on an unreleased Steam competitor, and more.

Twitch later confirmed that user data like passwords were not involved in the breach, asserting that internal data and creator payouts were the bulk of what’s present. The company also stated that only a small fraction of users were impacted at all and that the effect with minimal.

Later, Twitch stated that a server configuration error was potentially responsible, though it didn’t go into specifics. The company said it reset all stream keys and was continuing to examine the impact of the incident.

September 2021: Neiman Marcus Discovers 2020 Data Breach

In September 2021, Neiman Marcus discovered a data breach that had occurred in May 2020. The hack involved approximately 4.6 million online customer accounts and included data on their payment cards – including expiration dates – as well as other personal information.

Different customer accounts may have been impacted in ways. For example, some may have had their names and contact details compromised, while security questions and answers may have been collected from others.

August 2021: T-Mobile Data Breach Exposes Personal Information of Nearly 48 Million People

In August 2021, information about a data breach involving current and prospective T-Mobile customers began making headlines. The company confirmed that 40 million people who had previously applied for credit with the company were involved in the breach, as well as 7.8 million postpaid customers.

Hackers stole files relating to credit applications, impacting current and prospective users. The dataset contained sensitive information, including first and last names, Social Security numbers, dates of birth, and driver’s license and ID numbers. Phone numbers, account numbers, passwords, and PINs were not compromised.

For active prepaid customers, files containing names, phone numbers, and account PINs were compromised. Data from former prepaid customers was also accessed in the breach, though it isn’t clear how inactive accounts were impacted.

August 2021: 30 Million Records Across 47+ Organizations Exposed Due to Microsoft Power Apps Misconfiguration

In August 2021, news of a large-scale data leak involving misconfigured Microsoft Power Apps portals emerged. In total, the incident involved a minimum of 47 organizations, including companies like Ford Motor Co., the New York Metropolitan Transportation Authority, and American Airlines.

Overall, 38 million records were exposed, though the nature of the data varied depending on the organization. For example, in some cases, it was details from employee files. In others, data sets included COVID-19 testing and vaccine data, including personal information involving associated individuals. For other organizations, the data differed.

The misconfigurations weren’t the fault of Microsoft directly, as certain system changes initiated by users could cause data to become publicly accessible. However, the tech giant failed to include warning notifications in the systems to alert users that could occur, instead only addressing the possibility in technical documentation, leaving some feeling that the tech giant was at least partially to blame.

You can read more in our full timeline of Microsoft Data Breaches.

August 2021: Personal Data on 3+ Million Senior Citizens Exposed by SeniorAdvisor

In August 2021, a group of ethical hackers at WizCase found that SeniorAdvisor – a website – left the personal records of 3+ million senior citizens exposed in an improperly configured Amazon S3 bucket. The dataset included names, phone numbers, and email addresses, and had been collected for sales purposes. As a result, the data contained a mix of customer details and prospects, including individuals who had never had direct contact with the company.

August 2021: Databases and Account Details on Thousands of Microsoft Azure Customers Exposed

In August 2021, Wiz security professionals stated that they gained access to Microsoft Azure account details and customer databases due to a Cosmos DB vulnerability. The flaws created a form of loophole, giving users the ability to access other databases that weren’t theirs. A range of organizations was impacted by the issue, including several Fortune 500 companies.

It isn’t clear if anyone other than the security professionals accessed any information. However, anyone who did access the systems would have been able to download, delete, and alter records unobstructed.

July 2021: 1.6 Million Files Involving 80+ Municipalities by PeopleGIS Service

In July 2021, in another incident involving a misconfigured Amazon S3 bucket, WizCase found a vulnerability relating to MapsOnline, a PeopleGIS software service. Around 1.6 million files across 80+ municipalities were exposed, including personal data on area residents, building plans, and more information on properties in their respective areas.

June 2021: Data on 3.3 Million Audi Customers Exposed in Unsecured Database

In June 2021, Volkswagen revealed that customer data on 3.3 million Audi customers – including current and prospective buyers – was left publicly accessible online. The data cache involved sales and marketing details gathered between 2014 and 2019, including names, email addresses, and phone numbers, as well as specific vehicle-related data.

Around 90,000 of those affected also had more sensitive data stolen. That could include Social Security numbers and birth dates.

The company said that the data was exposed online at some time during the August 2019 to May 2021 timeframe. The company continued to investigate the incident to determine an exact timeline.

April 2021: 500 Million LinkedIn Users’ Data Scraped and Sold

In April 2021, personal data on over 500 million LinkedIn users was posted for sale on a hacker forum. A representative for LinkedIn reported to Business Insider that this data was scraped from publicly available data on the platform. The data included information such as email addresses and phone numbers – all the more reason to keep sensitive details from public profiles.

April 2021: 530 Million Facebook Users’ Data Leaked on Online Hacker Forum

In April 2021, data on more than 530 million Facebook users was posted publicly in an online hacking forum. While the data appears to have been scraped in 2019 – a process involving the use of software to collect details relating to accounts – it contained information gathered when a contact importer vulnerability left certain personal data unprotected. Along with phone numbers, email addresses were obtained on a limited number of users.

You can read more in our full timeline of Facebook breaches.

March 2021: Utah-Based COVID Testing Company Leaks Personal Data on Over 50,000 Customers

In March 2021, misconfigured Amazon S3 buckets left the personal data of over 50,000 customers of Premier Diagnostics, a Utah-based COVID testing company, exposed. The data cache included driver’s license, passport, and insurance card images, along with other data.

February 2021: LogicGate System Breached by Unauthorized Person

In February 2021, an unauthorized person breached LogicGate systems. It isn’t clear how many people were impacted or precisely what information was compromised.

February 2021: COMB Data Leak Exposes Details on 3.2 Billion Accounts

In February 2021, a massive data cache dubbed the Compilation of Many Breaches (COMB) was leaked on an online hacker forum. It contained login details for 3.2 billion accounts, including streaming services, email providers, and more.

The dataset wasn’t based on a single data breach and didn’t contain unique information. Instead, it was a large trove featuring information collected from multiple breaches conducted by various individuals and groups.

January 2021: Scraped Data on 214 Million Social Media Accounts Leaked

In January 2021, a large-scale data leak at SocialArks exposed data from 214 million social media accounts. A misconfigured database operated by the company made the information accessible without a password, and none of the data within was encrypted.

Along with easily viewable information like follower counts and bios, phone numbers and email addresses were in the store of data. The data was collected through a process called scraping, where a company uses software to retrieve publicly accessible information and combine datasets from several sources to learn more about individuals. While that’s not illegal, it is barred on most social media platforms.

January 2021: Microsoft Exchange Server Flaw Leads to 60,000+ Hacks

In January 2021, four zero-day vulnerabilities involving Microsoft Exchange Servers were discovered. Hackers had the ability to access systems, download emails, deploy malware, hijack servers, and take other actions within the systems.

While estimated suggest that 30,000 U.S. businesses and 60,000 companies worldwide were affected, the exact scope and impact aren’t clear. Mainly, this is because the flaw allowed multiple hacker groups to gain access to systems, so there wasn’t a singular event at the center, making it harder to track.

January 2021: 2.28 Million MeetMindful User Records Exposed by Hacker

In January 2021, data on MeetMindful users was released online in a hacker forum. There were approximately 2.28 million records in total, and the data cache contained highly sensitive information. Along with names, emails, and some address information, the dataset contained body details, birth dates, location data, IP addresses, Facebook user IDs, dating preferences, Facebook tokens, and more.

About the Author

Find Michael on LinkedIn

Michael X. Heiligenstein

Michael X. Heiligenstein is the founder and editor-in-chief of the Firewall Times. He has six years of experience in online publishing and marketing. Before founding the Firewall Times, he was Vice President of SEO at Fit Small Business, a website devoted to helping small business owners. He graduated from the University of Virginia with a degree in English and History.