Tech

The 14 scariest hacks of 2015

Cadie Thompson

2015-12-13T23:07:00Z

Nothing was safe from hackers this year.

From cars and gas stations to phones and hospital equipment, hackers got very creative finding new vulnerabilities to exploit.

And, even worse, they managed to get their hands on more intimate data than in past years.

This year wasn't just hackers accessing emails, passwords, and social security information, but they also stole new kinds of personal data including fingerprints and pictures.

Here's a look at the most frightening hacks that happened this year.

The US Office of Personnel Management was breached and hackers made off with tons of personal data, including fingerprints.

In June, hackers managed to get their hands on lots of highly sensitive information after breaching the US Office of Personnel Management.

Some 20 million people had their name, home address, and Social Security number stolen. But in addition to that there were some 5.6 million fingerprints that were also taken as part of the attack.

As if that wasn't bad enough, as many as 1 million people affected by the breach weren't able to be notified by the government agency that their data was compromised because their mailing address had changed.

Hackers figured out how to remotely take control of Jeep Cherokee.

The 2014 Jeep Grand Cherokee is introduced at the North American International Auto Show in Detroit, Michigan January 14, 2013. REUTERS/James Fassinger — The 2014 Jeep Grand Cherokee is introduced at the North American International Auto Show in Detroit Thomson Reuters

Fiat Chrysler recalled some 1.4 million cars after hackers exposed a major security vulnerability in the UConnect feature, which enables phone calls, controls entertainment and navigation, and powers a Wi-Fi hotspot.

Hackers used Uconnect's cellular connection to find out the car's IP address and were able to gain control the car from anywhere in the country.

When the hackers accessed the chip that controls the entertainment system, they were also able to rewrite the car's firmware and implant code that allowed them to take over things like the engine and brakes.

A billion Android devices were compromised by a vulnerability in the operating system.

A nasty Android vulnerability called "Stagefright" went public in July. The exploit would let hackers take over the operating system of any Android phone without the user even knowing.

With almost 1 billion Android devices affected, security researchers were quick to call it one of the biggest smartphone security flaws ever. The vulnerability was discovered by the security company Zimperium, so we don't know if any hackers ever actually used it.

Google rolled out a patch, but because hardware manufacturers must first implement it before it can go to consumers, there's a good chance that millions of devices are still exposed.

Ashley Madison hack left millions of cheaters exposed.

ashley madison s korea — In this June 10, 2015 photo, Ashley Madison's Korean web site is shown on a computer screen in Seoul, South Korea. Lee Jin-man/AP

This was not a good year for cheaters.

In July, it was revealed that the infidelity website Ashley Madison was breached and some 32 million users had their email addresses and partial credit card information posted to the internet.

Because the sole purpose of Ashley Madison is to help married people have an affair, just having names exposed was a huge deal.

Ashley Madison, though, claims that since the hack it has actually seen increased growth. Users whose information was exposed, though, haven't been so lucky.

Hospital pumps were recalled after a big security flaw was discovered.

For the first time, the Food and Drug Administration warned healthcare facilities to stop using a computerized medical device because of concerns surrounding its vulnerability to hacking.

The device was Hospira's Symbiq medication infusion pump, which is a computerized pump designed to deliver drugs to patients automatically. Since the pump is connected to the hospital's network, a hacker would be able to access it remotely and change its medication settings. Luckily, there are no known cases of this actually happening.

Hospitals and other healthcare facilities received the warning this summer.

FireFox revealed a massive security hole in its software.

A man is seen next to a Firefox logo at a Mozilla stand during the Mobile World Congress in Barcelona Thomson Reuters

During the first week of August, Mozilla warned users about a FireFox exploit in an advertisement on a Russian news site.

The vulnerability allowed hackers to search for and steal files from computers without the owner ever knowing. There are no details about how the hack may have been used or who was affected.

Mozilla said the exploit only affected desktop versions of the browser, and it urged users to update their software. The company rolled out a fix as soon as they were notified of the bug.

A serious zero-day vulnerability was found in Mac OS X.

Even Apple, who is known for having some of the most secure devices, was hit with a major security headache when it was revealed hackers were exploiting a vulnerability called DYLD.

DYLD is known as a "zero-day exploit" because it's a security hole that the software creator doesn't even know exists. Once these are discovered by the company, they are usually fixed pretty quickly.

The exploit let hackers install malicious applications on a victim's computer by taking advantage of a security hole in Apple's latest error-logging feature in the Mac OS X 10.10.

Apple reportedly worked quickly to fix the bug.

A hacker cracked GM’s OnStar system using a homemade gadget.

The 29-year-old hacker Samy Kamkar built a device that could take over GM cars that have the OnStar system.

Kamkar built the device, which he dubbed the "OwnStar" system, for about $100.

The gadget enabled Kamkar to do basically everything that an OnStar system does, including locate, unlock, and start the car using the gadget. All he had to do was attach it to the car he wanted to target and it out hijack the system.

A GM spokesperson told Tech Insider it has since fixed the issue by updating their OnStar RemoteLink app.

A hacker built a $30 gadget that can open car locks.

Using parts purchased online for about $30, Kamkar also built a device that can break into just about any car or garage that uses keyless entry.

All a hacker has to do is place the wallet-size device on the targeted car to extract the necessary data to open the unlock the car anytime.

The vulnerability is a well-known flaw that lies in the chips used for the keyless entry system, Kamkar told Tech Insider this summer. At least one chipmaker has implemented a fix for the issue, he said.

Gas pumps were found to be wide open to hackers.

Two security researchers from Trend Micro revealed that gas stations are increasingly becoming a target of cybercrime.

The researchers conducted an experiment to track hackers targeting gas pumps around the world and found that the US gas stations were most at risk.

They learned computerized systems at gas pumps can be breached to extract all sorts of data about the pump. In some cases, hackers could manipulate the pump data to possibly cause an explosion.

Researchers took control of a Corvette's brakes via text message.

Car hack metromile car dongle — Security researchers found vulnerabilities in car dongles can be used to breach vehicles. YouTube

A scary vulnerability in cellular-capable car dongles enables hackers to take control over certain functions in cars, including car brakes and the windshield wipers.

The dongle is question is a USB-like device that plug into a vehicle's on-board diagnostics port under the dashboard. A lot of car owners these days are using dongles to make their cars smarter.

Security researchers used a Corvette to demo how to exploit the vulnerability, but they said that the exploit could work on almost any car with a dongle.

The car dongle the researchers used was one produced by Mobile Devices and distributed by Metromile. Metromile has since disabled the cellular capabilities in its devices.

15 million T-Mobile customers had their data stolen after a third-party breach.

In October, T-Mobile revealed that some 15 million customers who applied for T-Mobile services or for device financing between September 1, 2013 to September 16, 2015 had sensitive data stolen.

However, the data wasn't stolen directly from T-Mobile.

The hackers managed to get the information from servers belonging to Experian, which processes credit checks for T-Mobile.

While no payment or banking information was obtained, hackers did manage to get the names, addresses, Social Security numbers, and identification numbers like those found on a driver license or passport of all those affected.

Dell computers were left wide open to hackers.

A huge security flaw was found in Dell computers in November.

The vulnerability existed in a security certificate found in new Dell computers shipped since August. The flaw left customers wide open to man-in-the-middle attacks, which are when a hacker discretely alters the communication between two parties without them knowing.

The hackers were able to show users fake versions of websites when they were using a public connection. Any information entered into those fake websites — like passwords and other sensitive information — could then be stolen.

Dell has since rolled out multiple ways for users to check if they have been affected and to fix the issue if they are. You can read more about how to check your computer here.

Millions of children had their personal information and pictures stolen.

In November, the Chinese toymaker VTech was breached and millions of parents and their children were affected.

Some 4.9 million parent accounts and 6.7 million kid's profiles were affected.

Stolen information included names, email addresses, encrypted passwords, IP addresses, and other sensitive information. But the most startling revelation was that pictures of children were also taken as part of the breach.

It's worth noting, though, that the hacker who claimed responsibility for the breach said he had no plans to do anything with the data.