Anatomy of a Breach

Anatomy of a Breach: 2012 Year in Review — The Year of Credential Mega-Breaches and Destructive Attacks

> series: anatomy_of_a_breach —— part: 048 —— year: 2012 —— verdict: credentials_burned_infrastructure_destroyed_

Hedgehog Security 31 December 2012 14 min read

2012: credentials burned, infrastructure destroyed.

2012 was defined by two parallel trends: the industrial-scale theft of credentials and the emergence of destructive nation-state attacks. LinkedIn's 117 million accounts (6.5 million hashes surfaced in 2012; the full scale only became public in 2016), the credential dump summer (Last.fm, eHarmony, Yahoo Voices), and the continuation of sophisticated phishing campaigns demonstrated that the internet's credential infrastructure was comprehensively broken, a trend the Verizon DBIR confirmed. Simultaneously, Shamoon's destruction of 30,000 Saudi Aramco workstations and Flame's revelation as a 20MB espionage platform confirmed that nation-state cyber capabilities had matured from Stuxnet's surgical precision into both comprehensive surveillance and mass destruction.

In the UK, the ICO continued its enforcement trajectory — fining NHS trusts, police forces, and councils for the same basic failures that have appeared in every year of this series. And in a corporate boardroom in Canada, the decade-long Nortel Networks espionage was finally revealed by the Wall Street Journal, proving that nation-state intrusions can persist for longer than the company itself survives.



Twelve months. The scale keeps growing.

| # | Breach | Key Lesson |
|---|---|---|
| 037 | Zappos | 24M accounts — but bcrypt passwords, segregated cards, and a transparent response showed how to do it right. |
| 038 | Nortel Networks | A decade of Chinese espionage. Discovered in 2004, ignored by management, persisted until bankruptcy. |
| 039 | Global Payments | 1.5M cards, Visa delisting. Third payment processor breached in this series. PCI compliance did not prevent it. |
| 040 | Anonymous vs UK Gov | Home Office, Downing Street, MoJ taken offline. UK government web infrastructure lacked DDoS resilience. |
| 041 | Flame | 20MB espionage platform. Audio surveillance, Bluetooth theft, forged Windows Update certs. Nation-state tools evolved. |
| 042 | LinkedIn | 117 million accounts with unsalted SHA-1. The credential mega-breach that fuelled years of credential stuffing. |
| 043 | Credential Dump Summer | Last.fm (43M), eHarmony (1.5M), Yahoo Voices (plaintext). 160M+ credentials exposed in weeks. |
| 044 | Saudi Aramco / Shamoon | 30,000 workstations wiped. First major destructive wiper. Nation-states can and will destroy infrastructure. |
| 045 | GMP Memory Stick | 1,075 serious crime records on an unencrypted USB. Five years after HMRC, the same failure persists. |
| 046 | South Carolina DOR | 3.6M SSNs, unencrypted. 'Not legally required' is not a security strategy. |
| 047 | UK ICO Enforcement | £4M+ in fines. NHS, police, councils. The same four failure categories, year after year. |
| 048 | 2012 Year in Review | Credentials burned, infrastructure destroyed. The scale keeps growing. The basics still matter. |

What 2012 cemented.

Credential Security Is the Defining Challenge
160 million+ credentials exposed in a single summer. The <a href="/blog/anatomy-of-a-breach-linkedin">LinkedIn</a>, <a href="/blog/anatomy-of-a-breach-credential-dump-summer">Last.fm, eHarmony, and Yahoo Voices</a> breaches proved that the internet's credential infrastructure was systemically broken: unsalted or plaintext storage meant one cracked dump was reusable against every other site where the same password had been typed. Against stolen and reused passwords the defence that holds is MFA, now mandated by <a href="/cyber-essentials">Cyber Essentials Danzell</a> as an auto-fail criterion.
Destructive Attacks Are Real
<a href="/blog/anatomy-of-a-breach-saudi-aramco-shamoon">Shamoon</a> proved that nation-states will deploy wiper malware to destroy infrastructure at scale. This threat requires resilience — immutable backups, tested recovery, and continuous monitoring — not just prevention.
Dwell Times Can Be Measured in Decades
<a href="/blog/anatomy-of-a-breach-nortel-networks">Nortel's</a> decade-long compromise and <a href="/blog/anatomy-of-a-breach-linkedin">LinkedIn's</a> four-year gap between breach and full disclosure prove that some breaches are discovered years too late, if at all. Reducing dwell time from years to hours requires continuous monitoring of the environment, which is what <a href="https://www.socinabox.co.uk">SOC in a Box</a> provides.
UK Enforcement Escalates
The ICO's <a href="/blog/anatomy-of-a-breach-uk-ico-enforcement-2012">£4 million+ in fines</a> by end-2012 was just the beginning. With GDPR on the horizon, the penalties would increase by orders of magnitude. The time to implement <a href="/cyber-essentials">Cyber Essentials</a> baseline controls was before the regulator came knocking — not after.
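The credential point above rests on one technical detail from the LinkedIn row in the table: unsalted SHA-1 lets an attacker build a single hash-to-password table and look up every account in the dump at once, while a per-user salt plus a stretched hash forces the work to be repeated per account. The following is an added example (not code from the original post or from any of the companies named in it) that demonstrates the difference on a constructed three-user table and a five-word attacker wordlist. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 stands in for it as the salted, stretched alternative; the user names, passwords and wordlist are invented for the demonstration.

```python
import hashlib
import secrets

# Constructed sample data: three users of a 2012-era site and the attacker's
# small wordlist. Carol has chosen the same password as Alice.
USERS = {
    "alice": "password1",
    "bob": "linkedin2012",
    "carol": "password1",
}
WORDLIST = ["123456", "password", "password1", "linkedin2012", "letmein"]


def unsalted_sha1(password):
    """How LinkedIn stored passwords in 2012: bare SHA-1, no salt, no stretching."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_unsalted_dump(users):
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(dump, wordlist):
    """One precomputed hash->word table serves every user in the dump.
    Returns (cracked accounts, number of hashes the attacker computed).
    The work is len(wordlist) however many accounts are in the dump, and
    everyone sharing a password falls with a single guess."""
    table = {unsalted_sha1(word): word for word in wordlist}
    cracked = {user: table[h] for user, h in dump.items() if h in table}
    return cracked, len(table)


def salted_hash(password, salt, iterations):
    """Stand-in for bcrypt (not in the standard library): PBKDF2-HMAC-SHA256
    with a per-user random salt and a configurable work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_salted_dump(users, iterations=100_000):
    dump = {}
    for user, pw in users.items():
        salt = secrets.token_bytes(16)  # unique per user, stored beside the hash
        dump[user] = (salt, salted_hash(pw, salt, iterations))
    return dump


def crack_salted(dump, wordlist, iterations=100_000):
    """No shared table is possible: the attacker must rerun the stretched hash
    for every (user, guess) pair, so the work grows with the number of users
    and with the work factor. Returns (cracked accounts, hashes computed)."""
    cracked = {}
    work = 0
    for user, (salt, target) in dump.items():
        for word in wordlist:
            work += 1
            if salted_hash(word, salt, iterations) == target:
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    unsalted = build_unsalted_dump(USERS)
    print("alice and carol share a hash:", unsalted["alice"] == unsalted["carol"])
    print("unsalted SHA-1 (cracked, hashes computed):", crack_unsalted(unsalted, WORDLIST))
    salted = build_salted_dump(USERS)
    print("salted PBKDF2 (cracked, hashes computed):", crack_salted(salted, WORDLIST))
```

Both dumps fall to this toy wordlist because the passwords are weak; the point is the cost. The unsalted dump is cracked with five cheap SHA-1 calls regardless of how many million rows it has, and the two accounts sharing "password1" fall together. The salted dump costs ten stretched hashes for three users, and that cost scales with the user count and the work factor, which is exactly the property that made the Zappos bcrypt hashes far less useful to attackers than the LinkedIn SHA-1 ones.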

2009 to 2012: the foundations of modern cyber security.

With 48 articles spanning four years, this series has documented the evolution of the cyber threat landscape from HMRC's lost CDs to Saudi Aramco's wiped workstations, from a cracked WEP wireless network at a single Marshalls store to the systematic theft of 160 million credentials in a single summer. The threats have scaled. The techniques have evolved. But the root causes (unpatched systems, weak passwords, absent encryption, missing segmentation, inadequate monitoring, and the persistent gap between security policy and security practice) have remained stubbornly consistent.

The organisations that have survived this escalation are the ones that implemented the basics: tested their defences, certified their baseline controls, monitored their environments continuously, and maintained an incident response capability for when prevention failed. The Anatomy of a Breach series continues into 2013, a year that will bring Adobe (153 million accounts), Target (110 million customers), and the Snowden revelations. The scale keeps growing. The basics still matter.


48 breaches. One consistent truth: the organisations that test survive. The rest become headlines.

<a href="/penetration-testing">Penetration testing</a>. <a href="/cyber-essentials">Cyber Essentials</a>. <a href="https://www.socinabox.co.uk">SOC in a Box</a>. <a href="https://www.cyber-defence.io">Incident response</a>. Four years of evidence. One conclusion. Start now.

Next Step

Not sure where to start?

We'll scope your test for free and tell you exactly what you need. No obligation, no hard sell.

Free Scoping Call
