Did you know that hackers are known to attack every 39 seconds from somewhere around the world?
You probably know how vulnerable your personal data is. Although there are a lot of things you can do to protect it, at the end of the day, it is entirely dependent on the security prowess of the organisations that hold it.
The biggest data breaches of the 21st century have proven that any system is hackable, and your personal data can end up in the internet backwaters before you know it. Even the experts feel it is not a question of whether you will be breached, but a matter of when.
Of course, advanced measures like predictive analytics do an excellent job of preventing data breaches on a daily basis. Using machine learning algorithms, organisations can continually look for disparities and anomalies in user behaviour and initiate countermeasures before anything becomes a threat.
But most of the time, the flaws and biases that accompany human decision-making turn out to be the culprit.
For example, in the Yahoo data breach, the largest of the world’s biggest data breaches, 3 billion user accounts were exposed because an employee opened a spear-phishing email.
The reality is that something that may seem trivial, for example using your date of birth as your debit card PIN, can cause irreparable harm. In this article, we’ll look at the most devastating and biggest data breaches in history and see how each one shaped the respective company’s outlook on security.
What Are the World’s Biggest Data Breaches?
- Yahoo – 3 billion user accounts
- Verifications.io – 763 million consumer records
- Facebook – 540 million records
- Marriott International – 500 million customers
- Adult Friend Finder – 412.2 million accounts
- MySpace – 360 million user accounts
- Exactis – 340 million user records
- Twitter – 330 million users accounts
- NetEase – 235 million user accounts
- LinkedIn – 165 million user accounts
- Adobe – 153 million user records
- MyFitnessPal – 150 million user accounts
- Equifax – 147.9 million consumers
- eBay – 145 million user accounts
- Antheus Tecnologia – 81.5 million records
1. Yahoo
If you were asked to name the three biggest data breaches of all time, then undoubtedly Yahoo would top the list. Interestingly, the hack began with just the click of a button: the hackers sent a spear-phishing email to an employee at Yahoo in 2014, which ultimately exposed nearly 3 billion user accounts.
If you’re wondering what spear-phishing emails are, they’re highly targeted email scams sent to a specific individual in an organisation in order to steal data or install malicious software. The scammer often disguises themselves as a trustworthy entity and communicates via email or social media.
The hackers could access user information such as names, email addresses, phone numbers, and calendar data. The announcement of the breach came at a bad time: Verizon, which was in the process of acquiring Yahoo, knocked US$350 million off the acquisition price.
To prevent such future incidents, Yahoo pledged to invalidate unencrypted security questions and answers and also requested the users to change their passwords. Yahoo also increased the restrictions on data that can be accessed by employees.
2. Verifications.io
In February 2019, Verifications.io left a MongoDB instance unprotected and publicly accessible, which exposed 763 million unique email addresses. The 150 GB of exposed data contained customer records including names, phone numbers, dates of birth, gender, interest rates, and personal mortgage amounts.
Although the organisation immediately took corrective measures, the breach could have been prevented if the database had been protected with encryption and multi-factor authentication. The incident tops the list of the biggest data breaches of 2019, and MongoDB databases are still popular targets among cybercriminals.
Although Verifications.io claimed that the stored data came from public sources, hackers who may have accessed the exposed data can undoubtedly use it for illicit purposes.
3. Facebook
In April 2019, the UpGuard Cyber Team identified that two third-party Facebook app datasets, containing over 540 million records, had been exposed. The reason: poor security.
The incident once again drew criticism of Facebook’s casual approach to protecting user data, as the organisation had only recently been scrutinised over the Cambridge Analytica scandal, a 2018 data leak in which the personal data of millions of Facebook users was harvested without consent and used for political advertising.
A Mexico-based media company, Cultura Colectiva, was responsible for the Facebook data breach of 146 gigabytes of data, which contained records such as Facebook IDs, account names, comments, and likes. The data was left unprotected on Amazon cloud servers.
4. Marriott International
In November 2018, Marriott International announced that one of its reservation systems had been compromised, exposing up to 500 million customer records and making it one of the most devastating and biggest data breaches of 2018.
Personal information such as names, addresses, credit and debit card numbers, their expiration dates, passport numbers, and travel schedules was leaked and the New York Times attributed the breach to a Chinese intelligence group. A fine of US$124 million was levied upon the company by the Information Commissioner’s Office.
Experts state the primary reason for the Marriott data breach was the failure to segregate the encrypted data and the key used for encrypting it. Marriott Hotels were also affected by a breach on March 31st, 2020, which exposed up to 5.2 million account details, including names, addresses, emails, preferences, and phone numbers.
5. Adult Friend Finder
The data breach associated with the FriendFinder Network was not just another security story, owing to the nature of the services offered by the company. The organisation’s network of services included casual hookup and adult content websites such as Penthouse.com, Adult Friend Finder, and iCams.com.
The stolen data accounted for 20 years of user information, including names, email addresses, and passwords. The algorithm that protected the majority of the passwords was weak, and it is estimated that 99% of them were cracked.
The data breach became a heavily discussed controversy as along with the 412 million accounts, 15 million deleted accounts (which still remained in the database) were exposed.
Outdated coding practices and a number of technical mistakes, including not keeping up with current cybersecurity practices and neglecting previous breaches, are cited as the primary reasons for this controversial breach.
6. MySpace
No one knows precisely when MySpace, the Facebook forerunner, was hacked, because the majority of its users ditched the platform when Facebook hit the mainstream. The breach was only identified in 2016, when the password records of 360 million users were exposed online.
Even though the majority of those users aren’t active anymore, the reason this counts as one of the biggest data breaches is that many individuals are known to reuse the same password on multiple websites.
The leaked data included account information such as username, owner’s listed name, and birthdate, and was put up for sale on a dark web marketplace with an asking price of six bitcoins (around US$3000 at the time).
7. Exactis
Exactis, a Florida-based data aggregation and marketing company, was responsible for the data leak of 340 million records. Although its website isn’t explicit about what it does, the firm is known to sell consumer data and holds more than 3.5 billion records, updated every month.
As the company recorded more than 400 characteristics per individual, the leaked data can include information such as email addresses, physical addresses, religious affiliation, phone numbers, gender, and smoking habits.
The haul comprised nearly two terabytes of data and, according to experts, could easily have been prevented had huge volumes of data not been carelessly left accessible on the public internet. Information covering 400 characteristics of an individual is more than enough for cybercriminals to commit identity theft.
8. Twitter
In May 2018, Twitter notified its users of a glitch that stored passwords in an internal log, which made all user passwords accessible on the internal network, making it one of the biggest data breaches of 2018.
Twitter soon asked its 330 million users to change their passwords, as they had been exposed for several months. Twitter fixed the bug that caused the glitch, and there was no indication of misuse.
More recently, Twitter made headlines when several verified accounts of high-profile personalities, including those of Elon Musk, Bill Gates, and Barack Obama, were hacked.
The hackers posted fake tweets from these accounts, offering to double the payments made to a Bitcoin address. If you thought no one would fall for this, the scammers swindled US$121,000 in Bitcoin in just 300 transactions.
9. NetEase
NetEase, which owns 163.com and 126.com, is a Chinese technology company known for its email services. It is reported to have been hacked in October 2015, affecting nearly 235 million user accounts.
The data breach was identified after a dark web marketplace vendor known as DoubleFlag tried to sell the email addresses and plain-text passwords of nearly 235 million NetEase users. The same vendor was also infamous for selling information illicitly taken from other big names such as Sina Corporation and Tencent’s QQ.com.
However, HaveIBeenPwned (a website that lets you check whether your personal data has been compromised in a data breach) lists the NetEase breach as “unverified” because it could not be verified.
10. LinkedIn
In June 2012, LinkedIn served password-reset notifications to nearly 6.5 million users, stating that a data breach had occurred. The millions of stolen user passwords were posted on a Russian hacker forum.
However, the company never made an official statement regarding the total number of users affected by the breach. In 2016, it was reported that nearly 165 million user accounts had been compromised, making it one of the world’s biggest data breaches.
The email addresses and passwords of 165 million users were sold by a hacker (allegedly the same hacker who sold MySpace’s data) for just five bitcoins.
It is still unclear why LinkedIn never investigated further nor informed the millions of affected users about the breach, which, according to experts, is a critical thing to do. However, the majority of tech giants, including Netflix (more precisely a content giant), forced their users to change any passwords that were also used on LinkedIn.
11. Adobe
In October 2013, 153 million Adobe user accounts were breached. Initially, Adobe reported that only 3 million encrypted customer credit card records had been stolen, along with the login data of an undisclosed number of users.
The same month, Adobe announced that the numbers were far beyond the initial estimates and would, at the least, include the login data of more than 38 million active users. However, Brian Krebs, a security blogger, reported that the login data of more than 150 million users had been exposed.
The reason for the breach was poor security, and the encryption that guarded the data was weak. Since the hackers got hold of password hints as well, guessing the passwords of users was way easier.
For violating the Customer Records Act, Adobe had to pay US$1.1 million in legal fees, along with an undisclosed amount to users. Addressing the breach, Adobe created a Chief Security Officer (CSO) role in the organisation and introduced several proactive measures to prevent future mishaps.
The years 2011 to 2013 were critical for Adobe (in terms of cybersecurity) as they were transitioning from desktop licenses to cloud-based SaaS (Adobe Creative Suite to Adobe Creative Cloud).
12. MyFitnessPal
In February 2018, MyFitnessPal, the popular diet and exercise tracking application owned by Under Armour, suffered a data breach. The incident became one of the biggest data breaches of 2018 and exposed 150 million email addresses, login credentials and even IP addresses.
MyFitnessPal did acknowledge the breach and asked users to change their passwords, but the company wasn’t explicit about the number of users affected. That number only became evident when the stolen data was put up for sale on a dark web marketplace in 2019.
The breach has allegedly been attributed mainly to SHA-1, a cryptographic hash function. According to the company’s Q&A site, the majority of passwords were protected with bcrypt (a password hashing function), but the rest were protected with SHA-1.
Under Armour hasn’t stated any specific reason for the data breach and has taken measures to monitor suspicious activity and enhance its security systems. The company also announced that it is working with numerous security firms and law enforcement to investigate the source of the breach.
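Why a fast, unsalted hash such as SHA-1 matters for a stolen password database, compared with a salted, deliberately slow password hash like bcrypt, is easier to see in code. The following is an added example, not code from this article or from MyFitnessPal; the accounts and guess list are constructed sample data, and `hashlib.scrypt` from the Python standard library stands in for bcrypt, which is not in the standard library. It also covers the weak password protection mentioned for the Adult Friend Finder and Adobe breaches above.

```python
"""Unsalted fast hash (SHA-1) versus salted slow hash for password storage.

Added example with constructed data; hashlib.scrypt stands in for bcrypt.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Tuple

# Constructed sample accounts; two users happen to share a password.
SAMPLE_ACCOUNTS = {"alice": "summer2018", "bob": "summer2018", "carol": "j7!Qx#p2Lm"}
# Constructed, deliberately tiny guess list for the demonstration.
SAMPLE_WORDLIST = ["123456", "password", "summer2018", "letmein"]

# Work factor for the slow hash (16 MiB of memory per evaluation).
SCRYPT_PARAMS = dict(n=2 ** 14, r=8, p=1, dklen=32)


def sha1_digest(password: str) -> str:
    """Unsalted SHA-1: fast and deterministic, so equal passwords give equal digests."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def scrypt_digest(password: str, salt: bytes) -> bytes:
    """Salted, memory-hard hash; each evaluation is deliberately expensive."""
    return hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)


def store_sha1(accounts: Dict[str, str]) -> Dict[str, str]:
    """What a SHA-1 password table looks like once stolen."""
    return {user: sha1_digest(pw) for user, pw in accounts.items()}


def store_scrypt(accounts: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Per-user random salt plus slow digest, the bcrypt-style scheme."""
    stored = {}
    for user, pw in accounts.items():
        salt = os.urandom(16)  # fresh salt for every user
        stored[user] = (salt, scrypt_digest(pw, salt))
    return stored


def verify_scrypt(password: str, record: Tuple[bytes, bytes]) -> bool:
    """Login check: recompute with the stored salt, compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(scrypt_digest(password, salt), digest)


def guess_work_sha1(stored: Dict[str, str], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Dictionary check against unsalted SHA-1.

    One precomputed table serves every user at once, so the number of hash
    evaluations is the size of the wordlist regardless of how many users there are.
    Returns (recovered passwords, hash evaluations performed).
    """
    table = {}
    hash_calls = 0
    for word in wordlist:
        table[sha1_digest(word)] = word
        hash_calls += 1
    recovered = {user: table[h] for user, h in stored.items() if h in table}
    return recovered, hash_calls


def guess_work_scrypt(stored: Dict[str, Tuple[bytes, bytes]], wordlist: Iterable[str]) -> Tuple[Dict[str, str], int]:
    """Same dictionary check against salted scrypt.

    The salt makes every user a separate job, and every guess costs one slow
    evaluation, so the work multiplies by the number of users and by the cost factor.
    """
    words = list(wordlist)
    recovered = {}
    hash_calls = 0
    for user, (salt, digest) in stored.items():
        for word in words:
            hash_calls += 1
            if hmac.compare_digest(scrypt_digest(word, salt), digest):
                recovered[user] = word
                break
    return recovered, hash_calls


if __name__ == "__main__":
    sha1_table = store_sha1(SAMPLE_ACCOUNTS)
    scrypt_table = store_scrypt(SAMPLE_ACCOUNTS)
    # Shared passwords are visible in the SHA-1 table before any guessing starts.
    print("alice and bob share a SHA-1 digest:", sha1_table["alice"] == sha1_table["bob"])
    print("alice and bob share a scrypt digest:", scrypt_table["alice"][1] == scrypt_table["bob"][1])
    print("SHA-1 dictionary check:", guess_work_sha1(sha1_table, SAMPLE_WORDLIST))
    print("scrypt dictionary check:", guess_work_scrypt(scrypt_table, SAMPLE_WORDLIST))
    print("login with correct password:", verify_scrypt("j7!Qx#p2Lm", scrypt_table["carol"]))
```

The two `guess_work_*` functions return the same recovered set for this tiny list, but the evaluation counts differ in kind: the SHA-1 table is built once and matches every user simultaneously, while the salted scheme forces a separate, slow pass per user. In a 150-million-row database that difference is what decides whether the bulk of the passwords are recovered or not.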
13. Equifax
Equifax, one of the three largest consumer credit companies in the US, announced in September 2017 that its systems had been compromised, leading to a data breach that exposed around 147.9 million consumer records of Americans.
An application vulnerability in one of their sites led to this breach, and the compromised sensitive personal data included names, addresses, phone numbers, social security numbers, dates of birth, and driver’s license numbers.
Additionally, the credit card information of nearly 209,000 consumers was also exposed due to this breach. Equifax’s response to the data breach was relatively slow, and the company took almost six weeks to disclose the situation.
As a response to the breach, Equifax set up a separate domain, equifaxsecurity2017.com, to deliver resources to the potentially affected individuals. But the very act became controversial as lookalike domains are extensively used for phishing scams.
Equifax also stated that it had spent nearly US$1.4 billion as cleanup costs, which included the costs of incorporating the latest technology infrastructure and enhancement in data security.
14. eBay
In May 2014, eBay reported that a data breach had exposed the user data of its 145 million users, which included information such as names, dates of birth, addresses, and even passwords. As a result, eBay directed all of its affected users to reset their passwords.
The hackers who caused the breach used the credentials of three employees to access eBay’s network and ultimately, the data. The hackers had complete access to the user database for 229 days – which is more than enough time to fully utilise the opportunity.
eBay also reported that financial information such as credit card numbers wasn’t compromised as it was stored separately. The company was massively criticised at the time for lack of communication with its customers, and it took nearly a month to disclose the breach.
Some sources state that 233 million users were originally affected by the breach, and eBay tried to downplay the severity by saying that only 145 million users were affected. Interestingly, many labelled eBay’s response as “how not to handle a crisis” and “how not to respond to a data breach”.
15. Antheus Tecnologia
Antheus Tecnologia is a Brazilian biometric solutions company that develops and distributes technology such as Automated Fingerprint Identification Systems (AFIS). The company is responsible for one of the recent data breaches of 2020, revealed in March by a team of security researchers.
According to the researchers, the company left 16 gigabytes of data with 81.5 million records on an unsecured server. The breached data comprised sensitive information such as 76,000 fingerprints, admin login information, email addresses, and employee phone numbers.
Although the company responded by claiming that the data was hashed, experts disagree. Unlike passwords, facial recognition and fingerprint information are permanent to an individual, making it nearly impossible to eliminate the risk of identity theft with the exposed data.
You may be thinking that organisations are slow snails when it comes to containing data breaches. But the reality is that it takes an average of 197 days to identify a breach and 69 more to contain it.
If you think 197 days is too long, there have been instances where a data breach went unnoticed for nearly 8 years. The main reason breaches go undetected is that most organisations lack the tools and expertise to detect one; the majority of breaches are reported by a third party.
Even if there’s a detection system in place, it’s common for many cases to be ignored as false-positives. Also, insider breaches may take even more time to be uncovered. Since breaches can negatively impact the financial standing of a company, they may be reluctant to confirm the incident as well.
From the biggest data breaches discussed, it is clear that changing your password on a regular basis can significantly reduce the damages you may face. However, “will you” or “how will” you be affected by a data breach are unanswerable questions.
For organisations, no breach is too low to be neglected. Investing more resources and time in enhancing the security of user data storage can improve a company’s trustworthiness from a consumer’s point of view. The thing is, it might take only a click of a button, like in the case of Yahoo, to lose millions of dollars.