Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124

Every year has its own mix of digital security disasters, from the absurd to the sinister, but 2024 was particularly marked by a hacking spree where cybercriminals and state-sponsored espionage groups repeatedly exploited the same vulnerabilities or target patterns to fuel their frenzy. For the attackers, the approach was brutally effective, but for the compromised institutions—and the people they serve—the malicious rampage had very real consequences for people’s privacy, safety, and security.
With political and social unrest intensifying around the world, 2025 will be a complex—and potentially explosive—year in cyberspace. But first, here’s WIRED’s look back at this year’s worst breaches, leaks, state-sponsored hacking campaigns, ransomware attacks and digital extortion incidents. Be careful, and be safe out there.
Espionage operations are a fact of life, and relentless Chinese campaigns have been a constant in cyberspace for years. But China-linked espionage group Salt Typhoon ran a particularly notable operation this year, hacking several US telecoms, including Verizon and AT&T (plus others around the world), over several months. And U.S. officials told reporters earlier this month that many of the affected companies are still actively trying to remove hackers from their networks.
The attackers targeted a small group – fewer than 150 by current count – but they included people already under US wiretap orders, as well as State Department officials and members of both the Trump and Harris presidential campaigns. In addition, texts and calls from other people communicating with Salt Typhoon targets were naturally intercepted in the spying scheme as well.
Throughout the summer, attackers were on the prowl, breaching prominent companies and organizations that were all customers of cloud data storage company Snowflake. The spree barely qualifies as hacking, since cybercriminals were using stolen passwords to log into Snowflake accounts that didn’t have two-factor authentication turned on. The end result, however, was an extraordinary amount of data stolen from victims including Ticketmaster, Santander Bank and Neiman Marcus. Another prominent victim, telecom giant AT&T, said in July that “almost all” of the records related to calls and texts from its customers over a seven-month stretch in 2022 were stolen in a Snowflake-related intrusion. Security firm Mandiant, which is owned by Google, said in June that the rampage affected around 165 victims.
In July, Snowflake added a feature that allows account administrators to mandate two-factor authentication for all their users. In November, suspect Alexander “Connor” Moucka was arrested by Canadian law enforcement, accused of leading the hacking spree. He was indicted by the US Department of Justice for the Snowflake tear and faces extradition to the US. John Erin Binns, who was arrested in Turkey on a charge related to telecom T-Mobile’s 2021 breach, was also charged in connection with the Snowflake customer breaches.
In late February, medical billing and insurance processing company Change Healthcare was hit by a ransomware attack that disrupted hospitals, doctor’s offices, pharmacies and other healthcare facilities around the United States. The attack is one of the largest breaches of medical data ever, affecting more than 100 million people. The UnitedHealth-owned company is a dominant medical billing processor in the United States. Days after the attack began, the company said it believed ALPHV/BlackCat, a notorious Russian-speaking ransomware gang, was behind the attack.
Personal information stolen in the attack included patient phone numbers, addresses, banking and other financial information, and health records including diagnoses, prescriptions and treatment details. The company paid ALPHV/BlackCat a $22 million ransom in early March in an attempt to contain the situation. The payment apparently emboldened attackers to hit healthcare targets at a higher rate than usual. Amid ongoing, rolling notices to more than 100 million victims, with many more yet to be discovered, lawsuits and other blowback are mounting. This month, for example, the state of Nebraska sued Change Healthcare, alleging that “failure to implement basic security safeguards” made the attack far worse than it should have been.
Microsoft said in January that it had been breached by Russia’s “Midnight Blizzard” hackers in an incident that compromised company executives’ email accounts. The group is linked to the Kremlin’s SVR foreign intelligence agency and is specifically linked to the SVR’s APT 29, also known as Cozy Bear. After an initial intrusion in November 2023, attackers targeted and compromised historic Microsoft system test accounts that then allowed them access to what the company said was “a very small percentage of Microsoft corporate email accounts, which included members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” From there, the group exfiltrated “certain emails and attached documents.” Microsoft said the attackers appeared to be looking for information about what the company knew about them — in other words, monitoring Microsoft’s research into the Midnight Blizzard group. Hewlett Packard Enterprise (HPE) also said in January that it had suffered a corporate email breach attributed to Midnight Blizzard.
Background check company National Public Data suffered a breach in December 2023, and data from the incident began appearing for sale on cybercrime forums in April 2024. Various configurations of data cropped up repeatedly over the summer, culminating in public confirmation of the breach by the company in August. Stolen information included names, Social Security numbers, phone numbers, addresses and dates of birth. Because National Public Data did not confirm the breach until August, speculation about the situation grew for months and included theories that the data included tens or even hundreds of millions of Social Security numbers. Although the breach was significant, the actual number of people affected appears, mercifully, to be much lower. A company filing with officials in Maine said the breach affected 1.3 million people. In October, National Public Data’s parent company, Jericho Pictures, filed for Chapter 11 bankruptcy reorganization in the Southern District of Florida, citing state and federal investigations into the breach as well as several lawsuits the company has faced.
Many people steal a lot of cryptocurrency every year, including North Korean cybercriminals who have a mandate to help fund the hermit kingdom. A report from cryptocurrency tracing firm Chainalysis, published this month, however, underscores just how aggressive Pyongyang-backed hackers have become. Researchers found that in 2023, hackers linked to North Korea stole more than $660 million in 20 attacks. This year, they stole about $1.34 billion across 47 incidents. The figures for 2024 represent 20 percent of the total incidents tracked by Chainalysis for the year and 61 percent of the total funds stolen by all actors.
The sheer dominance is impressive, but researchers stress the seriousness of the crime. “U.S. and international officials have assessed that Pyongyang uses stolen crypto to finance its weapons of mass destruction and ballistic missile programs, which endangers international security,” Chainalysis wrote.