December 2018 Breach Report


2018 was the year of the breach. Hundreds of companies were breached and your data may have been stolen from them. And those are the ones we know about. Most companies have no idea that hackers have breached their systems. Many companies have hackers in their systems for 1 to 2 years before they ever find out.

All this to say we can’t always trust that companies will protect your personal information.  This means that you have to do it yourself.  So every month I’m going to go over some of the worst breaches from the previous month.  I’ll tell you the main facts and what it means for you.  If you have an account with that company, then I’ll also tell you if there is anything you can do to protect yourself.

This month Marriott, Caribou Coffee, Bruegger’s Bagels, Dunkin Donuts, Warby Parker, Facebook, Quora, and 1-800-Flowers are among the victims of data breaches.


Marriott

It’s hard to say if Marriott is the worst breach of 2018, but it’s in direct competition with Equifax for that title. Over 500 million Marriott and Starwood customers had their accounts breached. Stolen data was encrypted, but experts are unsure if the hackers were able to steal the encryption password as well. Only a small subset of customers may have had their credit card information stolen. But it is very likely that usernames and passwords were stolen.

My suggestion would be to change your password if you have an account with Marriott. Remember that most credit cards do not hold you liable for fraudulent charges. If you are concerned, you could always request a new credit card number, but that may be unnecessary. You can read more about the Marriott breach here.

Caribou Coffee

Caribou Coffee announced that hackers breached their point of sale systems in 2018. This means that credit card data could have been stolen from several Caribou Coffee locations around the US. The notice they issued here listed the locations that were breached. If you used your credit card at any of these Caribou Coffee locations, be sure to watch your credit card statements. If you see fraudulent charges, immediately call your credit card company. You could also call your credit card company and get them to issue you a new number.

Bruegger’s Bagels

Bruegger’s Bagels is owned by the same company as Caribou Coffee, so this breach is the same as Caribou Coffee. Bruegger’s Bagels issued a statement here that shows the locations that were breached.  If you used your credit card at any of the Bruegger’s Bagels locations, make sure to check your credit card statements.  If you discover fraudulent charges, call your credit card company immediately.  You may also call them to request a new credit card number if you are concerned.

Dunkin Donuts

If you are like me, you are a fan of Dunkin Donuts.  They are yet another victim of a data breach in December.  According to their announcement, hackers were able to gain access to “first and last names, email address (username), and your 16 digit DD Perks account number and your DD Perks QR Code.”  Luckily, no credit card information seems to have been stolen here.  But, I would suggest changing your password if you have a DD Perks account.

Warby Parker

If you are a customer of the eyeglasses company Warby Parker, you may have been required to change your password recently.  Warby Parker announced that hackers were able to get into their systems and steal the usernames and passwords of 198,000 of their customers.  They did the right thing by forcing affected users to reset their passwords.  But, if you have an account I would suggest changing your password even if they didn’t force you to.


Facebook

Facebook announced in December that a flaw in their system allowed third-party developers to access users’ photos. I believed this was so bad that I wrote an entire blog post on it. You can read all about it there, but my suggestion is to check on the apps that have access to your Facebook account. I’ve outlined how to do that in my blog post on the subject.


Quora

The question and answer site Quora is yet another victim of a breach. If you have an account with Quora, your username and password might have been stolen by hackers. Quora announced that usernames, passwords, and data imported from Facebook and LinkedIn for 100 million of their users were stolen. If you have an account, you should change your password immediately.


1-800-Flowers

The parent company of 1-800-Flowers announced that their Canadian operations suffered a breach. Canadian customers who ordered from 1-800-Flowers could have had their credit card data stolen. The parent company says this breach did not affect any customers in the United States. As always, my suggestion is to watch your credit card statement and call your credit card company if you see any fraudulent charges.


It’s easy to look at these breaches and think there is no hope. But it’s important to remember that there are some simple steps you can take to protect yourself. With any breach that affects your username and password, make sure to change your password. If you use that same password on other sites, it’s also important to change your password there too. That’s why I recommend using a password manager. With a password manager, you can create a unique password for every site where you have an account. This way when a breach happens, you don’t have to worry about changing your password on several sites. I teach you how to do all this and much more in my course “A Hacker’s Guide to Internet Safety and Cybersecurity”.

About the Author Kyle

Kyle Slosek is a security practitioner with 10 years of experience in enterprise Information Technology environments. Throughout his career Kyle has performed everything from certification and accreditation to penetration testing and forensics. He holds a Bachelor of Science in Information Technology, a Master of Science in Information Assurance, as well as several industry certifications.