The 15 biggest data breaches of the 21st century

Data breaches affecting millions of users are far too common. Here are some of the biggest, baddest breaches in recent memory.


In today's data-driven world, data breaches can affect hundreds of millions or even billions of people at a time. Digital transformation has increased the supply of data in motion, and data breaches have scaled up with it as attackers exploit the data dependencies of daily life. How big the cyberattacks of the future might become remains speculation, but as this list of the biggest data breaches of the 21st century indicates, they have already reached enormous magnitudes.

For transparency, this list has been ranked by the number of users impacted, records exposed, or accounts affected. We have also made a distinction between incidents where data was actively stolen or reposted maliciously and those where an organisation inadvertently left data unprotected and exposed but there has been no significant evidence of misuse. The latter have purposefully not been included in the list.

So, here it is – an up-to-date list of the 15 biggest data breaches in recent history, including details of those affected, who was responsible, and how the companies responded (as of July 2021).

1. Yahoo

Date: August 2013
Impact: 3 billion accounts

Securing the number one spot – nearly seven years after the initial breach and four since the true number of records exposed was revealed – is the attack on Yahoo. The company first publicly announced the incident – which it said took place in 2013 – in December 2016. At the time, it was in the process of being acquired by Verizon and estimated that account data of more than a billion of its customers had been accessed by a hacking group. Less than a year later, Yahoo announced that the actual figure of user accounts exposed was 3 billion. Yahoo stated that the revised estimate did not represent a new "security issue" and that it was sending emails to all the "additional affected user accounts."

Despite the attack, the deal with Verizon was completed, albeit at a reduced price. Verizon's CISO Chandra McMahon said at the time: "Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats. Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources." After investigation, it was discovered that, while the attackers accessed account information such as security questions and answers, plaintext passwords, payment card and bank data were not stolen.

2. Alibaba

Date: November 2019
Impact: 1.1 billion pieces of user data

Over an eight-month period, a developer working for an affiliate marketer scraped customer data, including usernames and mobile numbers, from the Alibaba Chinese shopping website, Taobao, using crawler software that he created. It appears the developer and his employer were collecting the information for their own use and did not sell it on the black market, although both were sentenced to three years in prison.

A Taobao spokesperson said in a statement: "Taobao devotes substantial resources to combat unauthorized scraping on our platform, as data privacy and security is of utmost importance. We have proactively discovered and addressed this unauthorized scraping. We will continue to work with law enforcement to defend and protect the interests of our users and partners."

3. LinkedIn

Date: June 2021
Impact: 700 million users

Professional networking giant LinkedIn saw data associated with 700 million of its users posted on a dark web forum in June 2021, impacting more than 90% of its user base. A hacker going by the moniker of "God User" used data scraping techniques by exploiting the site's (and others') API before dumping a first data set of around 500 million customers. They then followed up with a boast that they were selling the full 700 million customer database. LinkedIn argued that, as no sensitive, private personal data was exposed, the incident was a violation of its terms of service rather than a data breach. However, a scraped data sample posted by God User contained information including email addresses, phone numbers, geolocation records, genders and other social media details, which would give malicious actors plenty of data to craft convincing follow-on social engineering attacks in the wake of the leak, as the UK's NCSC warned.

4. Sina Weibo

Date: March 2020
Impact: 538 million accounts

With over 600 million users, Sina Weibo is one of China's largest social media platforms. In March 2020, the company announced that an attacker obtained part of its database, impacting 538 million Weibo users and their personal details including real names, site usernames, gender, location, and phone numbers. The attacker is reported to have then sold the database on the dark web for $250.

China's Ministry of Industry and Information Technology (MIIT) ordered Weibo to enhance its data security measures to better protect personal information and to notify users and authorities when data security incidents occur. In a statement, Sina Weibo argued that an attacker had gathered publicly posted information by using a service meant to help users locate the Weibo accounts of friends by inputting their phone numbers, and that no passwords were affected. However, it admitted that the exposed data could be used to associate accounts with passwords if passwords are reused on other accounts. The company said it strengthened its security strategy and reported the details to the appropriate authority.

5. Facebook

Date: April 2019
Impact: 533 million users

In April 2019, it was revealed that two datasets from Facebook apps had been exposed to the public internet. The information related to more than 530 million Facebook users and included phone numbers, account names, and Facebook IDs. However, two years later (April 2021) the data was posted for free, indicating new and real criminal intent surrounding the data. In fact, given the sheer number of phone numbers impacted and readily available on the dark web as a result of the incident, security researcher Troy Hunt added functionality to his HaveIBeenPwned (HIBP) breached credential checking site that would allow users to verify if their phone numbers had been included in the exposed dataset.

"I'd never planned to make phone numbers searchable," Hunt wrote in a blog post. "My position on this was that it didn't make sense for a bunch of reasons. The Facebook data changed all that. There's over 500 million phone numbers but only a few million email addresses so >99% of people were getting a miss when they should have gotten a hit."

6. Marriott International (Starwood)

Date: September 2018
Impact: 500 million customers

Hotel Marriott International announced the exposure of sensitive details belonging to half a million Starwood guests following an attack on its systems in September 2018. In a statement published in November the same year, the hotel giant said: "On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred."

Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. "Marriott recently discovered that an unauthorized party had copied and encrypted information and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database," the statement added.

The data copied included guests' names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some, the data also included payment card numbers and expiration dates, though these were apparently encrypted.

Marriott carried out an investigation assisted by security experts following the breach and announced plans to phase out Starwood systems and accelerate security enhancements to its network. The company was eventually fined £18.4 million (reduced from £99 million) by UK data governing body the Information Commissioner's Office (ICO) in 2020 for failing to keep customers' personal data secure. An article by the New York Times attributed the attack to a Chinese intelligence group seeking to gather information on US citizens.

7. Yahoo

Date: 2014
Impact: 500 million accounts

Making its second appearance in this list is Yahoo, which suffered an attack in 2014 separate to the one in 2013 cited above. On this occasion, state-sponsored actors stole data from 500 million accounts including names, email addresses, phone numbers, hashed passwords, and dates of birth. The company took initial remedial steps back in 2014, but it wasn't until 2016 that Yahoo went public with the details after a stolen database went on sale on the black market.

8. Adult Friend Finder

Date: October 2016
Impact: 412.2 million accounts

The adult-oriented social networking service The FriendFinder Network had 20 years' worth of user data across six databases stolen by cyber-thieves in October 2016. Given the sensitive nature of the services offered by the company – which include casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, and Stripshow.com – the breach of data from more than 414 million accounts including names, email addresses, and passwords had the potential to be particularly damning for victims. What's more, the vast majority of the exposed passwords were hashed via the notoriously weak algorithm SHA-1, with an estimated 99% of them cracked by the time LeakedSource.com published its analysis of the data set on November 14, 2016.

9. MySpace

Date: 2013
Impact: 360 million user accounts

Though it had long stopped being the powerhouse that it once was, social media site MySpace hit the headlines in 2016 after 360 million user accounts were leaked onto LeakedSource.com and put up for sale on dark web marketplace The Real Deal with an asking price of six bitcoin (around $3,000 at the time).

According to the company, lost data included email addresses, passwords and usernames for "a portion of accounts that were created prior to June 11, 2013, on the old Myspace platform. In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013, on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions."

It's believed that the passwords were stored as SHA-1 hashes of the first 10 characters of the password converted to lowercase.

10. NetEase

Date: October 2015
Impact: 235 million user accounts

NetEase, a provider of mailbox services through the likes of 163.com and 126.com, reportedly suffered a breach in October 2015 when email addresses and plaintext passwords relating to 235 million accounts were being sold by dark web marketplace vendor DoubleFlag. NetEase has maintained that no data breach occurred, and to this day HIBP states: "Whilst there is evidence that the data itself is legitimate (multiple HIBP subscribers confirmed a password they use is in the data), due to the difficulty of emphatically verifying the Chinese breach it has been flagged as 'unverified'."

11. Court Ventures (Experian)

Date: October 2013
Impact: 200 million personal records

Experian subsidiary Court Ventures fell victim in 2013 when a Vietnamese man tricked it into giving him access to a database containing 200 million personal records by posing as a private investigator from Singapore. The details of Hieu Minh Ngo's exploits only came to light following his arrest for selling personal information of US residents (including credit card numbers and Social Security numbers) to cybercriminals across the world, something he had been doing since 2007. In March 2014, he pleaded guilty to multiple charges including identity fraud in the US District Court for the District of New Hampshire. The DoJ stated at the time that Ngo had made a total of $2 million from selling personal data.

12. LinkedIn

Date: June 2012
Impact: 165 million users

Making its second appearance on this list is LinkedIn, this time in reference to a breach it suffered in 2012 when it announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been stolen by attackers and posted onto a Russian hacker forum. However, it wasn't until 2016 that the full extent of the incident was revealed. The same hacker selling MySpace's data was found to be offering the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoins (around $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach, and said it had reset the passwords of affected accounts.
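Three entries on this list (Adult Friend Finder, MySpace and LinkedIn) share the same weakness: passwords stored as unsalted SHA-1, in MySpace's case believed to be of only the first 10 characters lowercased. The example below is added here and is not code from the article or from any of the companies named. It reproduces that legacy scheme purely to show what it gives away, puts a salted PBKDF2-HMAC-SHA256 scheme (the PBKDF2 family Dubsmash's hashes used) beside it, and shows the standard defender's remedy: verify a legacy hash once at login, then rewrite the record with the hardened scheme. The record layout, the `scheme`/`hash` field names, the 16-byte salt and the 600,000-iteration count (the figure in current OWASP guidance for PBKDF2-HMAC-SHA256) are assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Legacy scheme as the article says MySpace is believed to have used: an
# unsalted SHA-1 of the first 10 characters of the password, lowercased.
# Reproduced only to show its weakness; never store passwords this way.
def legacy_hash(password: str) -> str:
    normalised = password[:10].lower()
    return hashlib.sha1(normalised.encode("utf-8")).hexdigest()


def legacy_collides(a: str, b: str) -> bool:
    """True when two different passwords are indistinguishable under the legacy scheme."""
    return a != b and legacy_hash(a) == legacy_hash(b)


# Hardened scheme (assumed for this example): random 16-byte per-user salt and
# PBKDF2-HMAC-SHA256 with a high iteration count, stored as a single string
# "pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>".
PBKDF2_ITERATIONS = 600_000


def hardened_hash(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_hardened(password: str, stored: str) -> bool:
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False          # malformed record: never authenticate on it
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification timing does not leak hash bytes.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def login_and_migrate(password: str, record: dict) -> bool:
    """Authenticate against a user record {"scheme": ..., "hash": ...}.

    Legacy records are checked with the old scheme and, on success, rewritten
    in place with the hardened scheme, so every legacy hash disappears the
    next time its owner logs in. Returns True on successful authentication.
    """
    if record["scheme"] == "legacy_sha1":
        if not hmac.compare_digest(legacy_hash(password), record["hash"]):
            return False
        record["scheme"] = "pbkdf2_sha256"
        record["hash"] = hardened_hash(password)
        return True
    if record["scheme"] == "pbkdf2_sha256":
        return verify_hardened(password, record["hash"])
    return False


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    users = {
        "alice": {"scheme": "legacy_sha1", "hash": legacy_hash("Password123!")},
        "bob":   {"scheme": "legacy_sha1", "hash": legacy_hash("Password123!")},
    }
    # No salt: identical passwords give identical hashes, so one recovered
    # password exposes every account sharing that hash.
    print("alice and bob share a hash:", users["alice"]["hash"] == users["bob"]["hash"])
    # Truncation plus lowercasing: a 12-character mixed-case password is
    # accepted in place of a 10-character all-lowercase one.
    print("'Password123!' collides with 'password12':",
          legacy_collides("Password123!", "password12"))
    # After alice's next login her record is rehashed; from then on the full,
    # case-sensitive password is required and her hash is unique to her.
    login_and_migrate("Password123!", users["alice"])
    print("alice's scheme now:", users["alice"]["scheme"])
    print("truncated variant still accepted:",
          login_and_migrate("password12", users["alice"]))
```

Running the module prints the two shared-hash and collision checks as `True`, then `pbkdf2_sha256` and `False` once alice's record has been migrated. The migration path only ever sees the plaintext at login, which is why it is the usual way to retire hashes like these without forcing a mass reset; a mass reset, as MySpace and LinkedIn did, is the fallback when the legacy hashes are already in attackers' hands.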

13. Dubsmash

Date: December 2018
Impact: 162 million user accounts

In December 2018, New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal information such as dates of birth stolen, all of which was then put up for sale on the Dream Market dark web marketplace the following December. The information was being sold as part of a collected dump also including the likes of MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating app CoffeeMeetsBagel.

Dubsmash acknowledged the breach and sale of information had occurred and provided advice around password changing. However, it failed to state how the attackers got in or confirm how many users were affected.

14. Adobe

Date: October 2013
Impact: 153 million user records

In early October 2013, Adobe reported that hackers had stolen almost three million encrypted customer credit card records and login information for an undetermined number of user accounts. Days later, Adobe increased that estimate to include IDs and encrypted passwords for 38 million "active users." Security blogger Brian Krebs then reported that a file posted just days earlier "appears to include more than 150 million username and hashed password pairs taken from Adobe." Weeks of research showed that the hack had also exposed customer names, passwords, and debit and credit card information. An agreement in August 2015 called for Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported to be $1 million.

15. MyFitnessPal

Date: February 2018
Impact: 150 million user accounts

In February 2018, diet and exercise app MyFitnessPal (owned by Under Armour) exposed around 150 million unique email addresses, IP addresses and login credentials such as usernames and passwords stored as SHA-1 and bcrypt hashes. The following year, the data appeared for sale on the dark web and more broadly. The company acknowledged the breach and said it took action to notify users of the incident. "Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities," it stated.

Copyright © 2021 IDG Communications, Inc.