In today’s data-driven world, data breaches can affect hundreds of millions or even billions of people at a time. Digital transformation has increased the volume of data in motion, and data breaches have scaled up with it as attackers exploit the data dependencies of daily life. How large the cyberattacks of the future might become remains speculation, but as this list of the biggest data breaches of the 21st century indicates, they have already reached enormous magnitudes.
For transparency, this list has been ranked by the number of users impacted, records exposed, or accounts affected. We have also made a distinction between incidents where data was actively stolen or reposted maliciously and those where an organization inadvertently left data unprotected and exposed but there was no significant evidence of misuse. The latter have purposefully not been included in the list.
So, here it is – an up-to-date list of the 15 biggest data breaches in recent history, including details of those affected, who was responsible, and how the companies responded (as of July 2021).
1. Yahoo
Date: August 2013
Impact: 3 billion accounts
Securing the number one spot – almost seven years after the initial breach and four since the true number of records exposed was revealed – is the attack on Yahoo. The company first publicly announced the incident – which it said took place in 2013 – in December 2016. At the time, it was in the process of being acquired by Verizon and estimated that account information of more than a billion of its customers had been accessed by a hacking group. Less than a year later, Yahoo announced that the actual figure of user accounts exposed was 3 billion. Yahoo stated that the revised estimate did not represent a new “security issue” and that it was sending emails to all the “additional affected user accounts.”
Despite the attack, the deal with Verizon was completed, albeit at a reduced price. Verizon’s CISO Chandra McMahon said at the time: “Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats. Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.” After investigation, it was discovered that, while the attackers accessed account information such as security questions and answers, plaintext passwords, payment card and bank data were not stolen.
2. Aadhaar [tie with Alibaba]
Date: January 2018
Impact: 1.1 billion Indian citizens’ identity/biometric records exposed
In early 2018, news broke that malicious actors had infiltrated the world’s largest ID database, Aadhaar, exposing information on more than 1.1 billion Indian citizens including names, addresses, photos, phone numbers, and emails, as well as biometric data like fingerprints and iris scans. What’s more, since the database – established by the Unique Identification Authority of India (UIDAI) in 2009 – also held information about bank accounts linked to each unique 12-digit number, it became a credit breach too. This was despite the UIDAI initially denying that the database held such data.
The actors reached the Aadhaar database through the website of Indane, a state-owned utility company connected to the government database through an application programming interface that allowed applications to retrieve data stored by other applications or software. Unfortunately, Indane’s API had no access controls, leaving the data it exposed open to anyone who could reach it. Hackers sold access to the data for as little as $7 via a WhatsApp group. Despite warnings from security researchers and tech groups, it took Indian authorities until March 23, 2018, to take the vulnerable access point offline.
2. Alibaba [tie with Aadhaar]
Date: November 2019
Impact: 1.1 billion pieces of user data
Over an eight-month period, a developer working for an affiliate marketer scraped customer data, including usernames and mobile numbers, from Alibaba’s Chinese shopping website, Taobao, using crawler software that he created. It appears the developer and his employer were collecting the information for their own use and did not sell it on the black market, although both were sentenced to three years in prison.
A Taobao spokesperson said in a statement: “Taobao devotes substantial resources to combat unauthorized scraping on our platform, as data privacy and security is of utmost importance. We have proactively discovered and addressed this unauthorized scraping. We will continue to work with law enforcement to defend and protect the interests of our users and partners.”
4. LinkedIn
Date: June 2021
Impact: 700 million users
Professional networking giant LinkedIn saw data associated with 700 million of its users posted on a dark web forum in June 2021, impacting more than 90% of its user base. A hacker going by the moniker “God User” used data scraping techniques that exploited the site’s (and others’) API before dumping a first data set covering around 500 million customers. They then followed up with a boast that they were selling the full 700 million customer database. LinkedIn argued that, as no sensitive, private personal data was exposed, the incident was a violation of its terms of service rather than a data breach. However, a scraped data sample posted by God User contained information including email addresses, phone numbers, geolocation records, genders and other social media details, which would give malicious actors plenty of data to craft convincing follow-on social engineering attacks in the wake of the leak, as warned by the UK’s NCSC.
5. Sina Weibo
Date: March 2020
Impact: 538 million accounts
With over 600 million users, Sina Weibo is one of China’s largest social media platforms. In March 2020, the company announced that an attacker had obtained part of its database, impacting 538 million Weibo users and their personal details including real names, site usernames, gender, location, and phone numbers. The attacker is reported to have then sold the database on the dark web for $250.
China’s Ministry of Industry and Information Technology (MIIT) ordered Weibo to enhance its data security measures to better protect personal information and to notify users and authorities when data security incidents occur. In a statement, Sina Weibo argued that the attacker had gathered publicly posted information by using a service meant to help users locate the Weibo accounts of friends by entering their phone numbers, and that no passwords were affected. However, it admitted that the exposed data could be used to link accounts to passwords if those passwords were reused on other services. The company said it had strengthened its security strategy and reported the details to the appropriate authority.
6. Facebook
Date: April 2019
Impact: 533 million users
In April 2019, it was revealed that two datasets from Facebook apps had been exposed to the public internet. The information related to more than 530 million Facebook users and included phone numbers, account names, and Facebook IDs. Two years later (April 2021) the data was posted for free, indicating new and real criminal intent surrounding the data. In fact, given the sheer number of phone numbers impacted and readily available on the dark web as a result of the incident, security researcher Troy Hunt added functionality to his HaveIBeenPwned (HIBP) breached-credential checking site that would allow users to verify whether their phone numbers had been included in the exposed dataset.
“I’d never planned to make phone numbers searchable,” Hunt wrote in a blog post. “My position on this was that it didn’t make sense for a bunch of reasons. The Facebook data changed all that. There’s over 500 million phone numbers but only a few million email addresses so >99% of people were getting a miss when they should have gotten a hit.”
7. Marriott International (Starwood)
Date: September 2018
Impact: 500 million customers
Hotel Marriott International announced the exposure of sensitive details belonging to half a million Starwood guests following an attack on its systems in September 2018. In a statement published in November the same year, the hotel giant said: “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred.”
Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. “Marriott recently discovered that an unauthorized party had copied and encrypted information and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database,” the statement added.
The data copied included guests’ names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some, the information also included payment card numbers and expiration dates, though these were apparently encrypted.
Marriott carried out an investigation assisted by security experts following the breach and announced plans to phase out Starwood systems and accelerate security enhancements to its network. The company was eventually fined £18.4 million (reduced from £99 million) by the UK data regulator, the Information Commissioner’s Office (ICO), in 2020 for failing to keep customers’ personal data secure. An article in the New York Times attributed the attack to a Chinese intelligence group seeking to gather data on US citizens.
8. Yahoo
Date: 2014
Impact: 500 million accounts
Making its second appearance on this list is Yahoo, which suffered an attack in 2014 separate from the 2013 incident cited above. On this occasion, state-sponsored actors stole data from 500 million accounts including names, email addresses, phone numbers, hashed passwords, and dates of birth. The company took initial remedial steps back in 2014, but it wasn’t until 2016 that Yahoo went public with the details after a stolen database went on sale on the black market.
9. Adult Friend Finder
Date: October 2016
Impact: 412.2 million accounts
The adult-oriented social networking service FriendFinder Network had 20 years’ worth of user data across six databases stolen by cyber-thieves in October 2016. Given the sensitive nature of the services offered by the company – which include casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, and Stripshow.com – the breach of data from more than 414 million accounts including names, email addresses, and passwords had the potential to be particularly damaging for victims. What’s more, the vast majority of the exposed passwords were hashed with the notoriously weak SHA-1 algorithm, with an estimated 99% of them cracked by the time LeakedSource.com published its analysis of the data set on November 14, 2016.
10. MySpace
Date: 2013
Impact: 360 million user accounts
Though it had long stopped being the powerhouse it once was, social media site MySpace hit the headlines in 2016 after 360 million user accounts were leaked onto LeakedSource.com and put up for sale on the dark web market The Real Deal with an asking price of 6 bitcoin (around $3,000 at the time).
According to the company, the lost data included email addresses, passwords and usernames for “a portion of accounts that were created prior to June 11, 2013, on the old Myspace platform. In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013, on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions.”
It is believed that the passwords were stored as unsalted SHA-1 hashes of the first 10 characters of the password converted to lowercase.
11. NetEase
Date: October 2015
Impact: 235 million user accounts
NetEase, a provider of mailbox services through the likes of 163.com and 126.com, reportedly suffered a breach in October 2015 when email addresses and plaintext passwords relating to 235 million accounts were offered for sale by dark web marketplace vendor DoubleFlag. NetEase has maintained that no data breach occurred, and to this day HIBP states: “Whilst there is evidence that the data itself is legitimate (multiple HIBP subscribers confirmed a password they use is in the data), due to the difficulty of emphatically verifying the Chinese breach it has been flagged as ‘unverified.’”
12. Court Ventures (Experian)
Date: October 2013
Impact: 200 million personal records
Experian subsidiary Court Ventures fell victim in 2013 when a Vietnamese man tricked it into giving him access to a database containing 200 million personal records by posing as a private investigator from Singapore. The details of Hieu Minh Ngo’s exploits only came to light following his arrest for selling personal information of US residents (including credit card numbers and Social Security numbers) to cybercriminals around the world, something he had been doing since 2007. In March 2014, he pleaded guilty to multiple charges including identity fraud in the US District Court for the District of New Hampshire. The DoJ stated at the time that Ngo had made a total of $2 million from selling personal data.
13. LinkedIn
Date: June 2012
Impact: 165 million users
Making its second appearance on this list is LinkedIn, this time in connection with a breach it suffered in 2012, when it announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been stolen by attackers and posted on a Russian hacker forum. However, it wasn’t until 2016 that the full extent of the incident was revealed. The same hacker selling MySpace’s data was found to be offering the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoin (around $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach and said it had reset the passwords of affected accounts.
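Three entries on this list (Adult Friend Finder, MySpace, and this LinkedIn breach) share a technical root cause: passwords stored as unsalted, fast SHA-1 hashes, and in MySpace’s case truncated to 10 characters and lowercased before hashing. The Python script below is an added example, not code from the article or from any of the companies named. It reproduces the storage scheme the article attributes to MySpace as `legacy_hash`, contrasts it with a salted PBKDF2 scheme of the kind the Dubsmash entry mentions, and uses constructed sample users and a constructed word list to show why one cracked entry unlocks many accounts under the legacy scheme and none under the salted one. The function names, sample data and PBKDF2 iteration count are assumptions made for the demo.

```python
"""Added example: unsalted, truncated SHA-1 password storage versus salted PBKDF2.

legacy_hash reproduces the scheme the article attributes to MySpace (SHA-1 of the
first 10 characters of the lowercased password, no salt). pbkdf2_hash is a salted
PBKDF2-HMAC-SHA256 scheme; the iteration count is a constructed demo value kept
low so the script runs quickly. Sample users and the word list are constructed.
"""
import hashlib
import hmac
import os

# --- Legacy scheme (weak): unsalted SHA-1 of lowercase(first 10 chars) ---

def legacy_hash(password: str) -> str:
    """Hex SHA-1 of the first 10 characters of the lowercased password, no salt."""
    normalised = password.lower()[:10]
    return hashlib.sha1(normalised.encode("utf-8")).hexdigest()

def legacy_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(legacy_hash(password), stored)

# --- Hardened scheme: salted PBKDF2-HMAC-SHA256 ---

PBKDF2_ITERATIONS = 20_000  # constructed demo value; production should use far more

def pbkdf2_hash(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'iterations$salt_hex$digest_hex', generating a fresh random salt if none given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count, compare in constant time."""
    iterations_s, salt_hex, digest_hex = stored.split("$")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations_s)
    )
    return hmac.compare_digest(recomputed.hex(), digest_hex)

# --- Constructed sample data ---

SAMPLE_USERS = {
    "alice": "Password123",      # lowercased + truncated -> "password12"
    "bob": "password123",        # identical to alice's after normalisation
    "carol": "password1234567",  # same first 10 characters again
    "dave": "hunter2",
}
WORDLIST = ["123456", "password12", "qwerty", "hunter2"]  # constructed, tiny

# --- Demonstrations ---

def legacy_accepts_wrong_password() -> bool:
    """Truncation and lowercasing let a different password verify against the stored hash."""
    stored = legacy_hash("Correct-Horse-Battery-Staple")  # only "correct-ho" is hashed
    return legacy_verify("CORRECT-HO123", stored)

def legacy_max_shared_hash(users: dict) -> int:
    """Size of the largest group of users sharing one stored hash (no salt => shared digests)."""
    counts: dict = {}
    for pw in users.values():
        h = legacy_hash(pw)
        counts[h] = counts.get(h, 0) + 1
    return max(counts.values())

def pbkdf2_hashes_are_distinct(users: dict) -> bool:
    """With per-user salts, even identical passwords produce distinct stored values."""
    stored = [pbkdf2_hash(pw) for pw in users.values()]
    return len(set(stored)) == len(stored)

def precomputed_table_hits(stored_values: list, wordlist: list, hash_fn) -> int:
    """Count stored values found in a table precomputed from the word list.

    Against the unsalted legacy scheme a single table covers every account using a
    listed word; against salted PBKDF2 the table cannot anticipate each user's salt.
    """
    table = {hash_fn(w) for w in wordlist}
    return sum(1 for v in stored_values if v in table)

def demo() -> dict:
    legacy_stored = [legacy_hash(pw) for pw in SAMPLE_USERS.values()]
    pbkdf2_stored = [pbkdf2_hash(pw) for pw in SAMPLE_USERS.values()]
    return {
        "legacy_wrong_password_accepted": legacy_accepts_wrong_password(),
        "legacy_max_shared_hash": legacy_max_shared_hash(SAMPLE_USERS),
        "legacy_table_hits": precomputed_table_hits(legacy_stored, WORDLIST, legacy_hash),
        "pbkdf2_distinct": pbkdf2_hashes_are_distinct(SAMPLE_USERS),
        "pbkdf2_table_hits": precomputed_table_hits(pbkdf2_stored, WORDLIST, pbkdf2_hash),
        "pbkdf2_verify_ok": pbkdf2_verify("hunter2", pbkdf2_stored[3]),
        "pbkdf2_verify_wrong": pbkdf2_verify("Hunter2", pbkdf2_stored[3]),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the two failure modes the article describes: under the legacy scheme three of the four sample users collapse onto one stored digest and a four-word table matches every account, while a wrong password that shares its first ten lowercased characters is accepted. Under salted PBKDF2 every stored value is unique, the precomputed table matches nothing, and verification still rejects the case-variant password.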
14. Dubsmash
Date: December 2018
Impact: 162 million user accounts
In December 2018, New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen, all of which was then put up for sale on the Dream Market dark web marketplace the following December. The information was being sold as part of a collected dump that also included the likes of MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating app CoffeeMeetsBagel.
Dubsmash acknowledged that the breach and sale of information had occurred and provided advice on changing passwords. However, it did not state how the attackers got in or confirm how many users were affected.
15. Adobe
Date: October 2013
Impact: 153 million user records
In early October 2013, Adobe reported that hackers had stolen almost three million encrypted customer credit card records and login data for an undetermined number of user accounts. Days later, Adobe raised that estimate to include IDs and encrypted passwords for 38 million “active users.” Security blogger Brian Krebs then reported that a file posted just days earlier “appears to include more than 150 million username and hashed password pairs taken from Adobe.” Weeks of research showed that the hack had also exposed customer names, passwords, and debit and credit card information. An agreement in August 2015 called for Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported to be $1 million.
Copyright © 2022 IDG Communications, Inc.