The Worst Hacks of 2023


With political polarization, unrest, and violence escalating in many regions of the world, 2023 was fraught with uncertainty and tragedy. In digital security, though, the year felt more like a Groundhog Day of incidents caused by classic types of attacks, like phishing and ransomware, rather than a roller coaster of offensive hacking innovation.

The cybersecurity slog will no doubt continue in 2024, but to cap off the past 12 months, here’s WIRED’s look back at the year’s worst breaches, leaks, ransomware attacks, digital extortion cases, and state-sponsored hacking campaigns. Stay alert, and stay safe out there.

One of the most impactful hacks of 2023 wasn’t a single incident but a series of devastating breaches, beginning in May, caused by mass exploitation of a vulnerability in the popular file transfer software known as MOVEit. The bug allowed hackers to steal data from a laundry list of international government entities and businesses, including the Louisiana Office of Motor Vehicles, Shell, British Airways, and the United States Department of Energy. Progress Software, which develops MOVEit, patched the flaw at the end of May, and broad adoption of the fix eventually stopped the spree. But the “Cl0p” data extortion gang had already gone on a disastrous joy ride, exploiting the vulnerability against as many victims as possible. Organizations are still coming forward to disclose MOVEit-related incidents, and researchers told WIRED that this trickle of updates will almost certainly continue in 2024 and possibly beyond.

Based in Russia, Cl0p emerged in 2018 and functioned as a standard ransomware actor for a few years. But the gang is particularly known for finding and exploiting vulnerabilities in widely used software and equipment, with MOVEit being the latest example, to steal information from a large population of victims and conduct data extortion campaigns against them.

The identity management platform Okta disclosed a breach of its customer support system in October. The company said at the time that about 1 percent of its 18,400 customers were impacted. But the company had to revise its assessment in November to acknowledge that actually all of its customer support users had had data stolen in the breach.

The original 1 percent estimate came from the company’s investigation into activity in which attackers used stolen login credentials to take over an Okta support account that had some customer system access for helping users troubleshoot. But that assessment had missed other malicious activity in which the attacker ran an automated query of a database that contained names and email addresses of “all Okta customer support system users” and some Okta employees. As with a number of other incidents this year, part of the significance of the Okta incident comes from the fact that the company plays a critical role in providing security services for other companies, yet it had already suffered a previous high-profile breach in early 2022.

The US National Security Agency and its allied intelligence services around the world have been warning since May that a Beijing-sponsored group known as Volt Typhoon has been targeting US critical infrastructure networks, including power grids, as part of its activity. Officials have continued to reinforce that network defenders need to be on the lookout for suspicious activity that could indicate a clandestine operation. Volt Typhoon’s hacking, and that of other Beijing-backed hackers, is fueled in part by the Chinese government’s stockpile of zero-day vulnerabilities, which can be weaponized and exploited. Beijing collects these bugs through research, and some may also come as the result of a 2021 law that requires newly discovered vulnerabilities to be reported to the government.

Meanwhile, in July, Microsoft said that a China-backed hacking group had stolen an immensely sensitive signing key from the company’s systems that allowed the attackers to forge authentication tokens and access cloud-based Outlook email systems for 25 organizations, including multiple US government agencies. In a postmortem published in September, Microsoft explained that improper access to the key should have been extremely improbable, but occurred in this case because of a unique chain of errors. The incident was a reminder, though, that Chinese state-backed hackers conduct a massive quantity of espionage operations each year and are often lurking undetected in networks, waiting for the opportune moment to capitalize on any flaw or mistake.

MGM casinos in Las Vegas and other MGM properties around the world suffered massive and disruptive system outages in September after a cyberattack by an affiliate of the notorious Alphv ransomware group. The attack caused chaos for travelers and gamblers alike, and took the hospitality group days—in some cases, even weeks—to recover, as ATMs went down, hotel keycards stopped working, and slot machines went dark.

Meanwhile, Caesars Entertainment confirmed in a US regulatory filing in September that it had also suffered a…

Read More: The Worst Hacks of 2023
