10 Cybersecurity Horror Stories That Will Keep You Up at Night
Are we sitting comfortably?
’Twas a dark and stormy night, and the cybersecurity team huddled in their Scrum meeting. “Tell us a tale,” the CISO commanded. One hand rose, and a story began to unfold…
1. An Artist’s Tale
Our first story is one of careless exposure, affecting illustrators, graphic designers, filmmakers, web developers, and hobbyists alike.
In 2019, nearly 7.5 million user records from a well-known multimedia software company were left exposed on the open web. Private and business accounts alike – complete with emails, countries, and subscribed products – were freely accessible. The cause? A misconfigured prototype server. This trove of information made spear-phishing attacks frighteningly easy.
Even more severe was their 2013 breach: a leaked 3.8GB file contained 152 million usernames, passwords, and encrypted payment details. Alarmingly, the company used a single encryption key for all passwords, revealing a careless disregard for basic security.
2. Terror in Numbers
Volume and probability can be terrifying. In 2022, Imperva’s data scientists faced a DDoS attack of epic proportions: 10 million requests per second from just 12,000 IPs, peaking at 25.3 billion requests.
DDoS attacks aren’t just getting bigger—they’re relentless. Q2 of 2022 saw serious attacks increase 287%, with 91% of network-layer attacks re-targeting victims within 24 hours. The monsters are growing, and the stories are far from over.
3. The Safest Way to Travel?
Air travel frightens millions, but nothing compares to a £183 million data breach suffered by a major European airline in 2018. Over 380,000 travelers’ card details and personal data were stolen during the holiday season.
The fallout? A PR disaster, financial penalties, and near bankruptcy. Even the fines were slashed from £488 million to £20 million. A chilling reminder: trust in travel can be exploited as easily as passwords.
4. Nightmare on Web Services Provider Street
In 2016, a famous web services provider revealed breaches affecting 500 million accounts from 2014 and 3 billion accounts from 2013.
Delayed disclosure, multiple lawsuits, and lost acquisitions followed. The moral: even the most trusted platforms can harbor silent horrors for years.
5. The Hotel of Horrors
Imagine acquiring a hotel group only to inherit a pre-hacked reservation system exposing 500,000 guests’ personal and travel details.
The caretakers made redundancies, unaware of the digital albatross they now bore. Mergers without data diligence are nightmares waiting to happen.
6. Hot Wind and Hellfire
In 2020, SolarWinds’ Orion platform became a delivery mechanism for the largest global software supply chain attack in history.
Unprotected updates installed malware across US government agencies and Fortune 500 companies, giving attackers surveillance over critical systems. Investigators pointed to Russia’s SVR as the likely perpetrator. A chilling reminder: trust in software updates can be deadly.
7. Social Stigma
In 2016, a major multimedia company disclosed a breach of 360 million user accounts, originally compromised in 2013.
Password reuse made these accounts a treasure trove for automated attacks, proving that old breaches can haunt users for years.
8. Know Your Enemy
In 2014, the Syrian Electronic Army gained access to 145 million accounts of a multinational e-commerce company using only three employee credentials.
Monitoring, least privilege, and access control might have helped—but without insight into who does what with your data, even small oversights are catastrophic.
9. Dread in the Heartlands
In 2008–2009, a major payment processor lost 130 million accounts to malware and SQL exploits, enabling counterfeit cards worldwide.
The consequences? Massive PR backlash, regulatory fines exceeding $140 million, and lessons that still echo across the financial world.
10. Do You Hear a Scraping Sound?
In 2022, over 700 million LinkedIn profiles were scraped from the platform, including salaries, geolocation, phone numbers, and other sensitive data.
No passwords or financial info were involved—but it was ripe for phishing and smishing attacks, harvested simply via API abuse. The hacker admitted it was a hobby. Sometimes, curiosity itself is terrifying.
