
The worst hacks of 2024

Every year has its own mix of digital security disasters, from the absurd to the sinister, but 2024 was particularly marked by cybercriminals and state-sponsored espionage groups repeatedly exploiting the same weakness or type of target to fuel their frenzy. For attackers, the approach is ruthlessly effective; for the compromised institutions, and the people they serve, these attacks have had very real consequences for privacy, safety and security.

As political and social unrest intensifies around the world, 2025 will be a complicated, and potentially explosive, year in cyberspace. But first, here’s WIRED’s look back at this year’s worst breaches, leaks, state-sponsored hacking campaigns, ransomware attacks and digital extortion cases. Stay alert and be safe out there.

Espionage operations are a fact of life, and China’s relentless campaigns have been a constant in cyberspace for years. But the China-linked spy group Salt Typhoon conducted a particularly notable operation this year, infiltrating a host of US telecoms, including Verizon and AT&T (plus others around the world), for months. US officials told reporters earlier this month that many victim companies are still actively trying to remove the hackers from their networks.

The attackers surveilled a small group of people, fewer than 150 by the current count, but they include individuals who were already subject to US wiretapping orders, as well as State Department officials and members of the Trump and Harris presidential campaigns. In addition, texts and calls from anyone who interacted with Salt Typhoon’s targets were inevitably swept up in the spying scheme.

Over the summer, attackers went on a tear, breaching major companies and organizations that were all customers of the cloud data storage company Snowflake. It barely qualifies as hacking, since the cybercriminals simply used stolen passwords to log into Snowflake accounts that didn’t have two-factor authentication enabled. The end result, however, was an extraordinary amount of data stolen from victims including Ticketmaster, Santander Bank and Neiman Marcus. Another prominent victim, the telecommunications giant AT&T, said in July that “virtually all” records of its customers’ calls and text messages from a seven-month period in 2022 were stolen in a Snowflake-related break-in. Security firm Mandiant, which is owned by Google, said in June that the rampage affected approximately 165 victims.

In July, Snowflake added a feature so account admins could make two-factor authentication mandatory for all their users. In November, the suspect Alexander “Connor” Moucka was arrested by Canadian law enforcement for allegedly leading the hacking spree. He has been indicted by the US Department of Justice over the Snowflake rampage and faces extradition to the US. John Erin Binns, who was arrested in Turkey on an indictment related to a 2021 breach of T-Mobile, was also indicted on charges related to the Snowflake customer breaches.

In late February, the medical payment and insurance processing company Change Healthcare was hit by a ransomware attack that disrupted hospitals, doctors’ offices, pharmacies and other healthcare facilities across the US. The attack is one of the largest medical data breaches of all time, impacting more than 100 million people. The company, which is owned by UnitedHealth, is a dominant medical billing processor in the US. It said days after the attack began that it believed ALPHV/BlackCat, a notorious Russian-speaking ransomware gang, was behind the attack.

Personal data stolen during the attack included patients’ phone numbers, addresses, banking and other financial information, and medical records, including diagnoses, prescriptions and treatment details. The company paid a $22 million ransom to ALPHV/BlackCat in early March in an attempt to contain the situation. The payment apparently encouraged attackers to hit healthcare targets at an even higher rate than usual. With notifications underway to more than 100 million victims, and more still to be discovered, lawsuits and other fallout have mounted. This month, for example, the state of Nebraska sued Change Healthcare, claiming that its “failure to implement basic security protections” made the attack much worse than it should have been.

Microsoft said in January that it was breached by Russian “Midnight Blizzard” hackers in an incident that compromised the email accounts of company executives. The group is linked to the Kremlin’s SVR foreign intelligence agency and is specifically identified as SVR’s APT 29, also known as Cozy Bear. After an initial intrusion in November 2023, the attackers targeted and compromised legacy Microsoft test accounts, which then allowed them to access what the company said were “a very small percentage of Microsoft’s corporate email accounts, including members of our senior management team and employees of our cybersecurity, legal and other functions.” From there, the group exfiltrated “some emails and attached documents.” Microsoft said the attackers appeared to be looking for information about what the company knew about them; in other words, Midnight Blizzard was doing reconnaissance on Microsoft’s research into the group. Hewlett Packard Enterprise (HPE) also said in January that it had suffered a corporate email breach attributed to Midnight Blizzard.

The background check company National Public Data suffered a breach in December 2023, and data from the incident began being sold on cybercrime forums in April 2024. Different configurations of the data surfaced again and again over the summer, culminating in the company publicly confirming the breach in August. The stolen data included names, Social Security numbers, phone numbers, addresses and dates of birth. Because National Public Data did not confirm the breach until August, speculation about the situation grew for months and included theories that the data contained tens or even hundreds of millions of Social Security numbers. While the breach was significant, the actual number of people affected appears to be thankfully much lower: in a filing with officials in Maine, the company reported that the breach affected 1.3 million people. In October, National Public Data’s parent company, Jerico Pictures, filed for Chapter 11 bankruptcy reorganization in the Southern District of Florida, citing state and federal investigations into the breach, as well as a number of lawsuits the company faces related to the incident.

Honorable mention: North Korean cryptocurrency theft

A lot of people steal a lot of cryptocurrency every year, including North Korean cybercriminals who have a mandate to help finance the hermit kingdom. A report from the cryptocurrency tracking firm Chainalysis released this month, however, underscores just how aggressive Pyongyang-backed hackers have become. Researchers found that in 2023, hackers affiliated with North Korea stole more than $660 million in 20 attacks. This year, they stole an estimated $1.34 billion in 47 incidents. The 2024 figures represent 20% of the total incidents tracked by Chainalysis for the year and 61% of the total funds stolen by all actors.

The sheer dominance is striking, but researchers emphasize the seriousness of the crimes. “U.S. and international officials have assessed that Pyongyang is using the cryptocurrency it steals to fund its weapons of mass destruction and ballistic missile programs, endangering international security,” Chainalysis wrote.