What are the biggest data leak in the history

You may remember the 2013 Target Stores data breach that put the credit-card numbers and personal information of millions of people into the hands of cyber criminals. Or you may have been asked to change your Yahoo password in 2016. Both were the results of huge data breaches — yet neither breach was the worst in history.

Here are the 13 biggest and worst verified data breaches that we know of — so far. (We’re not including those that haven’t been confirmed, such as the Vkontakte breach reported in 2016; had an unknown number of victims, such as the 2014 eBay breach; or didn’t involve sensitive data, such as the 2014 JPMorgan Chase breach that exposed only contact information.)

Yahoo, 2013

3 billion 1 billion user accounts compromised

A photo illustration shows a Yahoo logo on a smartphone in front of a displayed cyber code and keyboard on December 15, 2016.

In a truly remarkable turn of events, Yahoo in 2016 not only claimed the crown of Biggest Data Breach Ever with the September disclosure of a 2014 breach that affected 500 million users. It came back in December to disclose a breach from 2013 that compromised a whopping 1 billion user accounts. That’s one for every seven or eight people on Earth.

The unidentified 2013 hackers, said to be unconnected to those behind the 2014 break-in, got the whole shebang: names, dates of birth, email addresses, security questions and answers and weakly protected passwords. (The passwords in the 2014 breach had better protection.)

You may be wondering why Yahoo took two or three years to discover these breaches. We wish we had an answer to that question.

UPDATE: It gets worse. In October 2017, Yahoo’s new owner Verizon discovered that 3 billion, not 1 billion, accounts had been compromised in the 2013 breach. That’s every single account on Yahoo, Flickr, Tumblr and dozens of other Yahoo-owned online properties had at the time.

Yahoo, 2014

500 million accounts compromised

The massive Yahoo breach revealed in late September 2016 not only capped a summer of huge data-breach disclosures, but was the biggest data breach on record until another Yahoo breach doubled it.  Yahoo, in the middle of selling itself to Verizon, said “a state-sponsored actor” instead of a regular cybercriminal was likely behind the theft, said to have occurred in late 2014.

Compromised information included real names, email addresses, dates of birth and telephone numbers, helpful to spammers and identity thieves. The good news is that the “vast majority” of the passwords were hashed (run through a irreversible mathematical algorithm) using the so-far-uncrackable Bcrypt method.

FriendFinder, 2016

412 million accounts compromised

Casual-hookup and adult-content websites are perfectly legal in most Western nations, but that doesn’t prevent data breaches involving them from being any less embarrassing. The FriendFinder network, comprising Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was breached sometime in mid-October 2016, and details of user databases immediately began leaking out of cybercrime forums.

To add insult to injury, most of the passwords were protected by the weak SHA-1 hashing algorithm, with the result that 99 percent of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on Nov. 14. As with the breach of the “Have an Affair” Ashley Madison dating service in 2015, a lot of people likely had some explaining to do.

MySpace, date unknown

360 million accounts compromised

MySpace dominated social media a decade ago, and it was kind of a chaotic mess. Users quickly found they could hack their own pages to embed any kind of content. Rather than fixing the flaw, MySpace’s administrators embraced it, resulting in thousands of loud, ugly personal pages.

So it shouldn’t be too surprising that stolen MySpace credentials turned up in the great data-breach wave of 2016, during which a Russian hacker calling himself “Peace” tried to sell off the contents of several old (and hence no longer valuable) data breaches.

What was surprising was the size of the MySpace breach: 360 million account records, including email addresses, usernames and weakly hashed passwords. A list of the most popular passwords in the MySpace breach included references to Michael Jordan and Blink-182, indicating the breach occurred in the mid-2000s.

LinkedIn, 2012

165 million accounts compromised

The world’s top business-networking website disclosed its 2012 data breach soon after it happened, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: A whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not “salted” with random data to make them harder to reverse.

That revelation prompted other services to comb the LinkedIn data and force their own users to change any passwords that matched. (Kudos to Netflix for taking the lead on this one.) Left unanswered is why LinkedIn did not further investigate the original breach, or to inform more than 100 million affected users, in the intervening four years.

Equifax, 2017

145 million accounts compromised

On Sept. 7, 2017, consumer-credit-reporting agency Equifax reported a security breach that took place from mid-May through July. While the breach, totaling 143 million users (later revised to 145 million), isn’t the largest ever, it’s one of the most damaging.

Hackers gained access to a treasure trove of names, Social Security numbers, birth dates, street addresses and, in some instances, driver’s license numbers. With those sets of information, miscreants can pose as you to set up credit cards, mortgages, loans and other important agreements. Visit Equifax’s website to see if your information was compromised.

When asked why Equifax waited until Sept. 7 to inform the public when it discovered the intrusion on July 29, the company’s director of social media and PR, Francesca De Girolami, shared the following statement:

As soon as Equifax discovered the unauthorized access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted.  Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.

Target Stores, 2013

110 million records compromised

In December 2013, retail giant Target confirmed that hackers had infected the company’s payment-card readers, making off with approximately 40 million credit and debit card numbers that had been used at Target stores in the United States during the 2013 post-Thanksgiving shopping surge.

In January 2014, Target announced that the contact information — full names, addresses, email addresses and telephone numbers — of 70 million customers had also been compromised. Some of those customers probably also had credit-card data compromised in the earlier breach, but it’s possible that as many as 110 million people were affected by the Target breaches.

Sony online entertainment services, 2011

102 million records compromised

In April 2011, attackers whose identities are still unknown targeted the PlayStation Network that links Sony’s home gaming consoles, as well as Sony Online Entertainment, which hosts massively multiplayer online PC games, and the Qriocity video- and music-streaming service.

Initially, Sony said that only the personal information of 78 million PlayStation Network users — login credentials, names, addresses, phone numbers and email addresses — had been exposed. But the tally of compromised accounts rose by 24.6 million when investigators discovered the attackers had also penetrated SOE and Qriocity. The credit-card data of approximately 23,400 SOE users in Europe was also stolen.

Following the initial breach disclosure, the PlayStation Network went dark worldwide for more than three weeks. In May 2011, Sony estimated its cleanup costs — which included fighting 65 class-action lawsuits brought against the company — at $171 million.

Anthem, 2015

69 million to 80 million records compromised

WOODLAND HILLS, CA – FEBRUARY 9: The Anthem Blue Cross headquarters is seen after the health insurer began informing its individual policyholders of rate hikes up to 39 percent to take effect at the beginning of March, on February 9, 2010 in Woodland Hills, California. Anthem Blue Cross, which has the highest number of individual customers in California, raised rates by as much as 68 percent in 2009. Health insurance companies in California can legally raise their rates at any time by as much and as they want. (Photo by David McNew/Getty Images)

In February 2015, Anthem, formerly known as WellPoint and the second-largest health insurer in the U.S., revealed its customer database had been breached. Stolen data included names, addresses, dates of birth, Social Security numbers and employment histories — everything an identity thief might need. As many as 80 million current and former customers were thought to be affected.

Dropbox, 2012

68 million accounts compromised

Peace wasn’t the only person disclosing old breaches in 2016. A different hacker, calling himself “doubleflag,” offered the video-news site Vocativ 68 million sets of Dropbox credentials for 2 bitcoin, or about $1,100. Other sources confirmed that the data was real, and Dropbox admitted the data was related to a previously disclosed hacking incident in 2012.

Was Dropbox negligent in not discovering and/or disclosing the extent of the breach earlier? Perhaps. But unlike the LinkedIn breach that had a similar timeline, the passwords in the Dropbox data were strongly protected.

Tumblr, 2013

65 million accounts compromised

The image-heavy short-blogging site Tumblr admitted in 2016 that it had been hacked in 2013, following reports that a set of 65 million were circulating online. Peace told VICE Motherboard that the passwords had been strongly hashed and salted, and hence the data set was not worth much. Nonetheless, Tumblr forced its affected users to reset their passwords.

Home Depot, 2014

56 million payment cards compromised

In September 2014, hardware and building-supplies warehouse retailer Home Depot admitted what had been suspected for weeks. Beginning in April or May of the same year, “carders” had infected its point-of-sale systems at stores in the U.S. and Canada with malware that pretended to be antivirus software, but instead stole customer credit and debit cards.

The theft may have been the largest haul of payment cards resulting from a direct attack on a retailer, if the lower estimate from the TJX breach (see below) is accepted. But unlike the Target theft less than a year earlier, the Home Depot theft didn’t result in customers staying away, nor did it generate quite the same media outcry.

Evernote, 2013

More than 50 million records compromised

In March 2013, users of the note-taking and archiving service Evernote learned that their email addresses, usernames and encrypted passwords had been exposed by a security breach. No financial data was stolen, and the company confirmed that none of the user-generated content on its servers had been compromised.

However, as had been the case for those affected by Epsilon’s 2011 breach, Evernote users who had their usernames and email addresses stolen were vulnerable to spam emails and phishing campaigns — some of which pretended to be password-reset emails coming from Evernote itself.

 

Comments
  • Cyber Security Startup CallSign Raises $35 Million

    London-based Callsign Inc, authentication startup that had developed AI-based technology I…
Load More Related Articles
Load More In all