Data breaches are among the biggest banes of the internet age.
Personal data becomes more and more valuable, as the numbers clearly show. And while hacking affects big and small businesses alike, the 15 biggest data breaches inevitably hit some of the most recognizable names online, such as Facebook, Marriott International, and Equifax.
Here’s an idea of some of the mind-blowing facts and figures involved:
- Over 14,717,618,286 records have been lost or stolen since 2013 due to data breaches.
- 3,353,178,708 records were compromised in the first half of 2018.
- In 2017, 86% of all breaches worldwide occurred in North America.
- One year later, 45.9% of data breaches in the US were in the business sector.
- In January 2015, a Russian hacker calling himself “Peace” stole 117 million LinkedIn email and password combinations.
- Crafty cybercriminals managed to collect the personal data of over 500 million guests of the Marriott International hotel chain between 2014 and 2018.
- In September 2018, a successful attack on Facebook compromised 50 million user accounts.
Intrigued? Would you like to find out more about the most important recent data breaches? Then read on.
And as a bonus, Hosting Tribunal created this visual narrative to go alongside our exploration of the most audacious data thefts in recent history.
Table of Contents
1. AOL (America Online)
Back in the early-to-mid-noughties, AOL was among the leading web portals and online service providers in the world. Then, almost at the peak of its powers, it was rocked by one of the most famous data breaches of the last fifteen years.
Here’s what happened:
In 2003, 24 year-old AOL software engineer Jason Smathers used a colleague’s code to access the company’s screen name list. He stole the details of 92 million customer accounts.
These included sensitive personal information like emails, ZIP codes, and credit card types (though no actual credit card numbers). This made AOL one of the most prominent companies hacked up to that point.
Smathers sold an updated version of the list to the 21 year-old Las Vegas-based online marketer Sean Dunaway for $100,000 in 2004. In turn, Dunaway offered the list to spammers for $52,000 a pop. It all kicked off from there, and the compromised email accounts received up to a staggering 7 billion spam messages over the following months.
The authorities were soon on to the scam and arrested Smathers and Dunaway. The two cyber crime pioneers were put on trial in June 2004. Smathers got 15 months in prison in August 2005. Smathers wrote to Assistant US Attorney David Siegal, expressing his regret for he had done.
The bottom line:
This massive early data breach cost AOL anywhere between $400,000 and several million dollars in damages.
Yahoo may have been one of the early internet trailblazers in the 1990s, but its fortunes were on the wane when it got hit by what is by far the biggest of the biggest data breaches of all time in 2013-2014.
Here’s how things unfolded:
In August 2013, an unidentified cybercriminal organization successfully hacked all of Yahoo’s 3 billion accounts. As a result, it gained access to a wealth of information, including names, email addresses, passwords, dates of birth, phone numbers, and security questions and answers.
It gets worse.
More recent data breaches followed the original one over the course of the following year. By August 2015, dark web sellers were offering lists containing 1 billion user account details for as much as $300,000.
Then, an investigation by a security firm, led by noted cyber-security researcher Andrew Komarov, discovered that these lists included the names of 150,000 US government and military employees, as well as additional accounts related to the European Union, Canadian, British, and Australian governments.
The plot thickens.
In fact, the full extent of the Yahoo data breach was not made public until 2017, over three and a half years after the initial incident! How about that for trying to hush things up?
When we consider that the breach compromised secret government data as well as the personal details of billions of individuals, the fact that it also knocked around $350 million off Yahoo’s sale prices shouldn’t come as much of a surprise.
Retail chains can be just as susceptible to information security breaches as tech giants, as the example of Target, the eighth-largest retailer in the US, clearly shows.
On November 27, 2013, the attackers entered Target’s corporate network by taking the long route. They targeted (ahem!) a third-party vendor, refrigeration contractor Fazio Mechanical, with a spear phishing attack.
Having gained control of Target’s servers, they used malware to steal data from the company’s point of sale systems over the course of the next two weeks. By December 15, 2013, Target had hired an external forensic team, which mitigated the attack.
You’re probably wondering:
“What was the extent of the damage?”
Well, the cybercriminals cleverly chose the time of the year – around Black Friday and the lead-up to Christmas. This is when sales are at their peak. Naturally, they hit the jackpot.
According to Target’s official estimate, the personal and financial information of about 110 million credit/debit-card carrying customers had been compromised by one of the biggest data breaches in recent years.
That’s a massive 11GB of data! Not quite the Black Friday bargain or Christmas gift a third of Americans had in mind.
In the wake of this disastrous data breach, Target tried to improve security by installing an application whitelisting POS systems, implementing POS management tools, and improving firewall rules and policies, among others.
(Source: Business Insider)
While we’re on the subject of cyber attacks on major retailers, we need to talk about the infamous eBay data breach.
This is what happened:
In early 2014, a hacker group by the name of Syrian Electronic Army raided eBay’s network using the stolen credentials of three corporate employees. Once in, the attackers entered the user database and got access to a wealth of information. This included the names, email addresses, phone numbers, encrypted passwords, registered addresses, and dates of birth of all 145 million eBay customers.
But that’s not the worst part:
The company failed to realize the extent of the damage until May! In fact, it wasn’t even aware customers’ data had been affected. “For a very long period of time we did not believe any eBay customer data was compromised,” global marketplaces chief Devin Wenig said. Which means customers continued using eBay for months, blissfully unaware of the malicious threat. And all the while, the hackers kept harvesting their personal data.
Mind-boggling, isn’t it?
Finally, when at least three US states began investigations into the company’s security practices, eBay refused to compensate customers or offer free credit monitoring.
5. Anthem Inc
Healthcare insurance in the US is a billion-dollar industry. Small wonder hackers targeted Anthem Inc, the largest US health insurance provider. Naturally, this came to be one of the largest data breaches in recent history.
The hackers utilized a Trojan to break into Anthem’s system in early February 2015. Consequently, they gained access to personal data from over 80 million accounts. This included birthdays, Social Security numbers, ZIP codes, email addresses, and employment and income information.
But that’s not all:
The breach affected regional Anthem brands in 26 states, including Georgia, California, Kentucky, Maine, and Wisconsin. Several other providers, including Caremore, UniCare, and Amerigroup, were also affected. That’s quite an impressive list of companies that have been hacked!
At the time of the breach, Anthem CEO Joseph Swedish said the company had been the target of a “very sophisticated external cyber attack.”
You don’t say.
Following a lengthy trial, in 2017 Anthem agreed to provide a $115 million compensation for the attack’s victims.
LinkedIn is the professionals’ social media platform of choice. Profiles commonly feature users’ entire CVs, complete with a detailed work history, education, and endorsements by clients, colleagues, and employers. There can be some rich pickings for cybercriminals.
This is the first of three attacks on social media companies to feature on our list of the world’s biggest data breaches.
The Russian hacker “Peace” stole 117 million LinkedIn email and password combinations in 2015. He then proceeded to offer them on the dark web. The asking price was 5 bitcoins, or $2,300 at the time. Leaked Source, a paid search engine for leaked data, claimed to have acquired a massive 167 million of the stolen credentials.
According to Leaked Source, 160 million of the compromised accounts had unique email addresses. The remaining 7 million had numerical user IDs and passwords.
But how did Leaked Source simply get their hands on this massive loot, exactly?
Leaked Source representative told Fortune they’d acquired 167 million credentials for free from an unknown source. (Naturally, he’d refused to reveal their identities.)
To contain this most curious of data breach examples, LinkedIn asked all account holders suspected of being compromised to change their passwords as soon as possible. What’s more, the company began encrypting and “salting” (adding random data to the passwords before they’re encrypted to make them less crackable) following an earlier hacking incident in 2012.
An early social networking pioneer, MySpace, was the largest social media platform in the world between 2005 and 2008. Тhen Facebook overtook it, and things went downhill fast over the next couple of years. Chances are, by that point you’d probably forgotten you had a MySpace account in the first place. And then, in 2016, the social network suffered one of the biggest cybersecurity breaches of all time.
This was huge.
We already mentioned the Russian hacker “Peace” in relation to the earlier LeakeddIn breach. In May 2016, he struck again, breaching over 360 million MySpace accounts. Their passwords were stored as unsalted SHA-1 hashes.
Each record contained an email address and a password. Since some accounts had multiple passwords, there were over 427 million passwords available for sale. These included over 111 million users with an associated username and 68.5 million with a secondary password.
From Russia with love, eh?
Myspace’s CFO Jeff Bairstow ensured they take customer privacy extremely seriously. “Our information security and privacy teams are doing everything they can to support the MySpace team.”
(Source: The Guardian)
Three (often stylized 3) is one the UK’s largest mobile phone networks and broadband internet providers, with additional worldwide operations in Ireland, Sweden, Austria, Denmark, Hong Kong, Macau, and Indonesia. In 2016, it became yet another victim of high profile data breaches.
On November 17, the company security team found out eight customers had been unlawfully upgraded to a new device by cybercriminals. The hackers then used the devices to obtain personal information from 133,827 customer accounts, including names, dates of birth, addresses, emails, phone numbers – though no bank details. Ultimately, the safety of 6 million customer accounts was at risk.
The UK National Crime Agency investigated the matter and arrested three people.
But there’s a twist:
Three boss Dave Dyson admitted the purpose of all this wasn’t to steal information. Instead, the criminals only aimed to get new handsets for free.
Evidently, the attackers obtained the personal data of over 100,000 individuals as an unexpected bonus.
And all in a day’s work.
Along with Experian and TransUnion, Equifax is one of the big three credit agencies in the US, with headquarters in Atlanta, Georgia. Given the company’s prominence, the successful July 2017 attack should feature on any list of recent data breaches.
On July 29, Equifax announced the discovery of the data breach, which caused a leak involving the data of 143 million Americans. To put it into perspective, that’s nearly half of the entire US population!
While the compromised data of the vast majority of accounts was limited to names, dates of birth, and addresses, approximately 209,000 also included credit cards numbers.
How did the hackers get access?
Alarmingly, they targeted one of the company’s US-based servers.
It actually makes sense.
“As surprising as it seems, the same web application vulnerabilities from decades ago are still some of the primary vectors that are leveraged by hackers in modern attack scenarios,” Alex Heid, chief security researcher at SecurityScorecard, said on the subject of the Equifax data breach.
The breach caused a major scandal, and Equifax CEO Richard Smith had to testify before Congress four times! In the first hearing, he is alleged to have blamed a single employee who had failed to update a piece of software on the targeted server.
Meanwhile, the attackers enjoyed windfall profits, selling Social Security numbers and drivers’ licenses for as much as $20 a pop. Not bad when you’ve got nearly 150 million!
The hugely successful San Francisco-based ridesharing startup has been constantly in the news in recent years. In October 2016, it also made it in the less glamorous data breaches list.
It was on the receiving end of a breach that affected about 50 million riders and 7 million drivers worldwide – as well as 600,000 US driver’s license numbers.
Here’s how the attack occurred:
Hackers managed to get hold of login information for an Uber Amazon Web Services account using a private GitHub site maintained by Uber engineers. Then, they downloaded 16 large files containing user information.
To make matters worse, Uber did not report the incident to the regulators at the time. Instead, it attempted to hush everything up by paying the cybercriminals $100,000 to delete the data.
In 2017, Uber’s new CEO, Dara Khosrowshahi, ordered a full investigation, which revealed the full extent of the damage. As a result, the company fired the two individuals who had led the initial response to the attack. The company also agreed to provide affected drivers with free credit monitoring and identity theft protection. Better late than never.
11. Marriott International
The hospitality business is also far from immune to major data breaches. And Marriott International, the largest hotel chain, is the most tempting target.
This is how the most impressive recent data breach in 2018 took place:
On November 30, 2018, Marriott announced it had come under a cyber attack, which had compromised a mind-blowing 500 million accounts. The data included names and addresses, payment information, phone numbers, and even passport numbers. In fact, there were 18.5 encrypted and 5.25 million unencrypted passport numbers!
There were 9.1 million encrypted payment card numbers. 385,000 of them were still in use.
The hotel chain management first learned of the breach on September 8, when the IT company managing its Starwood guest reservation database got in touch after detecting an irregularity.
Two days later, Marriott invited third-party investigators to look into the matter. They discovered that two compressed, encrypted files had been deleted from a device.
The investigators managed to recover and decrypt the files. There, they found two tables – one detailing passport information and another from the Starwood Guest Reservation Database containing guest data.
It was only in November 2018 that Marriott realized hackers had been in its system since July 2014!
Let that sink in for a minute.
12. Cathay Pacific
(Source: Business Traveller)
Remember when Cathay Pacific, Hong Kong’s flag carrier, made the headlines in September 2018 for misspelling its own name on a Boeing 777? At the time, “CATHAY PACIIC,” as the plane livery proudly proclaimed, showed a sense of humor by sharing pictures of the mixup on their Twitter account.
No such thing as bad publicity, right?
Wrong, as the airline carrier found out that same year after being hit by one of the biggest data breaches in 2018.
This is how it all went down:
In March 2018, Cathay detected suspicious activity on their network. In their own admission, they took “immediate action to understand the incident and contain it” by employing an, allegedly, “leading global cybersecurity firm.”
Turned out this was just the beginning. More (and sustained) attacks followed over the course of the next two months. The company’s internal and external IT security resources were fully focused on containment and prevention – rather than an actual solution. By late-May, the number of successful attacks had diminished.
Over the next few months, Cathay tried to find out if customer data had been compromised. Having taken its sweet time, the company took some much needed action. It notified the Hong Kong Privacy Commissioner for Personal Data, the Hong Kong Police, and the Hong Kong Stock Exchange of the unauthorized access to certain IT systems, concerning the personal data of certain passengers in Hong Kong and abroad.
The extent of the damage?
The personal data of a whopping 9.4 million passengers had been compromised, including 860,000 passport numbers, 245,000 Hong Long identity card numbers, 403 expired credit card numbers, and 27 active credit card numbers.
(Source: The Guardian)
We already explored two different social media breaches. How about a third?
Facebook has come under fire recently over what it does with users’ data. The Cambridge Analytica scandal in March 2018 made sure of that. So, being hit by the biggest hack in its history barely a few months later was the last thing the social media giant needed.
Facebook engineers discovered a data breach on Tuesday, September 25, 2018, and patched it two days later. Apparently, attackers had managed to steal “access tokens” – a type of digital security key.
These allowed the cybercriminals to take full control of 50 million Facebook accounts. What’s more, they were able to log in to third-party applications that use Facebook Login. According to Facebook, the attack exploited three bugs that were present in the site’s “View as” feature from July 2017.
Apart from contacting the 50 million account holders whose access tokens were taken, Facebook asked another 40 million users who had used the “View as” tool since July 2017 to log out.
Mark Zuckerberg expressed his relief of resolving the issue. Still, he admitted this shouldn’t have happened in the first place.
Pointing the obvious there, Mark, but still better than nothing. Barely.
In the wake of one of the most serious recent cybersecurity breaches, Facebook shares fell by about 3%.
One of the major hacking events of 2018 involved the popular Q&A website Quora. On November 30, Quora discovered some user data was compromised by an unknown third party.
The company immediately launched an investigation and found out that personal information in as many as 100 million accounts may have been compromised.
This included all kinds of personal information:
- Email addresses
- Encrypted passwords
- Data from linked networks
- Public content and actions
- Non-public content and actions, such as answer requests, downvotes, and direct messages
Whoever did this hit the jackpot.
To their credit, Quora notified users almost as soon as they discovered the data breach. In a Quora Blog post from December 4, CEO Adam D’Angelo accepted responsibility and apologized profusely.
Let’s hope they’ve learned their lesson from one of the biggest data breaches!
15. Blank Media Games
Finally, we’ve come to the enchanted world of online gaming.
Austin-based video game developer Blank Media Games is known for online browser game Town of Salem. Originally released in 2014, the game is based on the historic Salem witch trials, which resulted in the execution by hanging of nineteen people.
What went wrong?
Between December 28 and December 30, 2018, an anonymous hacker stole the personal details of 7.6 million players, including usernames, passwords, email and IP addresses, game and forum activity, and purchased game premium features.
Luckily for the players, the breach did not involve any credit card details. Achilles, a Blank Media Games staff member went on the record saying “To clarify, we do not handle money. The third party payment processors are the ones that handle all of that. We never see your credit card, payment information, anything like that. We don’t have access to that information.”
So at least there’s that.
The hack came to life after an unknown person sent a copy of the stolen data to commercial data breach indexing service DeHashed.
After DeHashed contacted Blank Media Games, and following several days of frantic activity, the hacked servers were secured and “multiple backdoors removed” in early-January 2019.
Nevertheless, the witch hunt for the hacker continues.
Here’s the bottom line:
Whether you’re an online business owner or user, it’s crucial to be up to speed with the latest cybersecurity statistics which will help you learn more about online safety.
If our in-depth exploration of the 15 biggest data breaches of the last 15 years has taught us anything, it’s that no one’s safe from the cybercriminals – not Yahoo, not Facebook, and not you. So take extra care.