World’s Largest Data Breaches: Know them to Learn ?
Data is rapidly becoming one of the most valuable assets in the modern world. The digital giants that monopolize data are arguably the most powerful companies in the world, prompting ongoing conversations about anti-trust legislation and digital privacy.
Despite the overwhelming value controlled by these entities, as we’ll see, even companies such as Facebook are vulnerable to the byproduct of the rapid move to digitization — the data breach epidemic.
What is a data breach? An information security incident in which personal information is publicly exposed or accessed without authorization. Although companies such as Yahoo and Facebook have gotten widespread attention for the impact of these incidents of cyber risk exposure, data breaches can affect businesses of all sizes in a variety of ways.
They are difficult to identify, are costly to address, and cause reputational damage that some businesses never recover from. However, given the value of data and the inevitability of cyber risk, the best that companies can do to mitigate the effects of a breach is to implement a thorough risk management practice for the detection, containment and communication in the wake of a data breach. According to IBM, companies that contained a breach in less than 30 days saved more than $1 million compared to those that took more than 30 days.
Biggest Data Breaches by People Impacted
Each of these data breaches had an impact on millions of people, and provide different examples of how a company can be compromised or leave an extraordinary number of records exposed.
Date: October 2017
Impact: 3 billion accounts
Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In this instance, security questions and answers were also compromised, increasing the risk of identity theft. The breach was first reported by Yahoo while in negotiations to sell itself to Verizon, on December 14, 2016, and forced all affected users to change passwords, and to reenter any unencrypted security questions and answers to make them encrypted in the future.
However, by October of 2017, Yahoo changed the estimate to 3 billion user accounts. An investigation revealed that users’ passwords in clear text, payment card data and bank information were not stolen. Nonetheless, this remains one of the largest data breaches of this type in history.
Date: March 2018
Impact: 1.1 billion people
In March of 2018, it became public that the personal information of more than a billion Indian citizens stored in the world’s largest biometric database could be bought online.
This massive data breach was the result of a data leak on a system run by a state-owned utility company. The breach allowed access to private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details.
The type of information exposed included the photographs, thumbprints, retina scans and other identifying details of nearly every Indian citizen.
3. First American Financial Corp.
Date: May 2019
Impact: 885 million users
In May 2019, First American Financial Corporation reportedly leaked 885 million users’ sensitive records that date back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork.
Date: February 2019
Impact: 763 million users
In February 2019, email address validation service verifications.io exposed 763 million unique email addresses in a MongoDB instance that was left publicly facing with no password. Many records also included names, phone numbers, IP addresses, dates of birth and genders.
Date: April 2019
Impact: 540 million users
In April 2019, the UpGuard Cyber Risk team revealed two third-party Facebook app datasets had been exposed to the public Internet. One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 540 million records detailing comments, likes, reactions, account names, FB IDs and more. This same type of collection, in similarly concentrated form, has been cause for concern in the recent past, given the potential uses of such data. Read more about this Facebook data breach here.
Impact: 500 million accounts
Yahoo believed that a “state-sponsored actor” was behind this initial cyberattack in 2014. The stolen data included personal information such as names, email addresses, phone numbers, hashed passwords, birth dates, and security questions and answers, some of which were unencrypted. Yahoo had become aware of this breach back in 2014, taking a few initial remedial actions but failing to investigate further. It was only about two years later that Yahoo publicly disclosed the breach after a stolen database from the company allegedly went up for sale on the black market.
Date: November 2018
Impact: 500 million guests
In November 2018, Marriott International announced that hackers had stolen data about approximately 500 million Starwood hotel customers. The attackers had gained unauthorized access to the Starwood system back in 2014 and remained in the system after Marriott acquired Starwood in 2016. However, the discovery was not made until 2018.
The information that was exposed included names, contact information, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. Marriott believes that financial information such as credit and debit card numbers, and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.
According to the New York Times, the breach was eventually attributed to a Chinese intelligence group, The Ministry of State Security, seeking to gather data on US citizens. If true, this would be the largest known breach of personal data conducted by a nation-state.
8. Adult Friend Finder
Date: October 2016
Impact: 412.2 million accounts
In October 2016, hackers collected 20 years of data on six databases that included names, email addresses and passwords for The FriendFinder Network. The FriendFinder Network includes websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com.
Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99% of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on November 14.
Date: June 2013
Impact: 360 million accounts
In June 2013 around 360 million accounts were compromised by a Russian hacker, but the incident was not disclosed publicly 2016. The information that was leaked included account information such as the owner’s listed name, username, and birthdate. Between 2013 and 2016, anyone who gained access to this breached information could have taken over any Myspace account. The former social media network giant has since invalidated all passwords belonging to accounts that were set up prior to 2013.
Date: June 2018
Impact: 340 million people
In June of 2018, Florida-based marketing and data aggregation firm Exactis exposed a database containing nearly 340 million records on a publicly accessible server. The breach exposed highly personal information such as people’s phone numbers, home and email addresses, interests and the number, age and gender of their children. This data exposure was discovered by security expert Vinny Troia, who indicated that the breach included data on hundreds of millions of US adults and millions of businesses.
Date: May 2018
Impact: 330 million users
In May of 2018, social media giant Twitter notified users of a glitch that stored passwords unmasked in an internal log, making all user passwords accessible to the internal network. Twitter told its 330 million users to change their passwords but the company said it fixed the bug and that there was no indication of a breach or misuse, but encouraged the password update as a precaution. Twitter did not disclose how many users were impacted but indicated that the number of users was significant and that they were exposed for several months.
Date: October 2015
Impact: 234 million users
In October 2015, NetEase (located at 163.com) was reported to suffered from a data breach that impacted hundreds of millions of subscribers. While there is evidence to say that the data is legitimate (many users confirmed their passwords where in the data), it is difficult to verify emphatically.
The breach contained email addresses and plain text passwords.
Date: June 2012
Impact: 165 million users
In June 2012, Linkedin disclosed a data breach had occurred, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: a whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not “salted” with random data to make them harder to reverse.
That revelation prompted other services to comb their LinkedIn data and force their own users to change any passwords that matched (kudos to Netflix for taking the lead on this one.) Left unanswered is why LinkedIn did not further investigate the original breach, or to inform more than 100 million affected users, in the intervening four years.
Date: December 2018
Impact: 162 million users
In December 2018, Dubmash suffered a data breach that exposed 162 million unique email addresses, usernames and DBKDF2 password hashes. In 2019, this data appeared for sales on the dark web and was circulated more broadly.
Date: October 2013
Impact: 152 million
In October 2013, 153 million Adobe accounts were breached. The data breach contained an internal ID, username, email, encrypted password and password hint in plain text. The encryption was weak and many were quickly resolved back to plain text, the password hints added to the damage making it easy to guess the passwords of many users.
Date: February 2018
Impact: 150 million users
In February 2018, the diet and exercise app MyFitnessPal (owned by Under Armour) suffered a data breach, exposing 144 million unique email addresses, IP addresses and login credentials such as usernames and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, this sensitive data appeared listed for sale on a dark web marketplace and began circulating more broadly, so it was identified and provided to data security website Have I Been Pwned.
Date: September 2017
Impact: 148 million people
In September 2017, Equifax, one of the three largest consumer credit reporting agencies in the United States, announced that its systems had been breached and the sensitive personal data of 148 million Americans had been compromised. The data compromised included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. The credit card information of approximately 209,000 consumers was also exposed through this data breach. The sensitivity of the information processed by Equifax makes this breach unprecedented, and one of the largest data breaches to date.
Date: February/March 2014
Impact: 145 million users
Between February and March 2014, eBay was the victim of a breach of encrypted passwords, which resulted in asking all of its 145 million users to reset their password. Attackers used a small set of employee credentials to access this trove of user data. The stolen information included encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth. The breach was disclosed in May 2014, after a month-long investigation by eBay.
Date: May 2019
Impact: 137 million users
In May 2019, online graphic design tool Canva suffered a data breach that impacted 137 million users. The exposed data included email addresses, names, usernames, cities and passwords stored as bcrypt hashes.
The suspected culprit(s) — Gnosticplayers — contacted ZDNet to boast about the incident, saying that Canva had detected their attack and remediate the issue that caused the data breach. The attacker also claimed to have gained OAuth login tokens for users who signed in via Google.
Canva confirmed the incident, notified users, and prompted them to change passwords and reset OAuth tokens.
20. Heartland Payment Systems
Date: March 2008
Impact: 134 million credit cards exposed
At the time of the breach, Heartland was processing north of 100 million credit card transactions per month for 175,000 merchants. The breach was discovered by Visa and MasterCard in January 2009 when Visa and MasterCard notified Heartland of suspicious transactions. The attackers exploited a known vulnerability to perform a SQL injection attack.
The company paid an estimated $145 million in compensation for fraudulent payments.
Date: July 2018
Impact: 126 million users
In July 2018, Apollo left a database containing billions of data points publicly exposed. A subset of the data was sent to Have I Been Pwned which had 126 million unique email addresses. The full dataset included personally identifiable information (PII) like names, email addresses, place of employment, roles held and location.
Date: July 2013
Impact: 112 million users
In June 2013, a data breach allegedly originating from social website Badoo was found to be circulated. The breach contained 112 million unique email addresses and PII like names, birthdates and passwords stored as MD5 hashes.
23. Capital One
Date: July 2013
Impact: 106 million credit card numbers
In July 2013, Capital One identified a security breach of its customer records that exposed the personal information of its customers, including credit card data, social security numbers, and bank account numbers.
Date: August 2013
Impact: 101 million users
In April 2019, Evite, a social planning and invitation site identified a data breach from 2013. The exposed data included 101 million unique email addresses, as well as phone numbers, names, physical addresses, dates of birth, genders and passwords stored in plain text.
Date: December 2018
Impact: 100 million users
Quora, a popular site for Q&A suffered a data breach in 2018 exposed the personal data of up to 100 million users.
The types of leaked data included personal information such as names, email addresses, encrypted passwords, user accounts linked to Quora and public questions and answers posted by users. There was no evidence discovered that anonymously posted questions and answers were affected by the breach.
Date: January 2012
Impact: 93 million users
Russian social media site VK was hacked and exposed 93 million names, phone numbers, email addresses and plain text passwords.
Date: June 2018
Impact: 92 million users
MyHeritage, a genealogical service website was compromised, affecting more than 92 million user accounts. The breach occurred in October 2017, but wasn’t disclosed until June 2018. A security researcher discovered a file on a private server containing email addresses and encrypted passwords. The security team at MyHeritage confirmed that the content of the file affected the 92 million users, but found no evidence that the data was ever used by the attackers. MyHeritage earned praise for promptly investigating and disclosing details of the breach to the public.
Date: December 2016
Impact: 92 million users
Youku a Chinese video service exposed 92 million unique user accounts and MD5 password hashes.
Date: March 2014
Impact: 91 million users
A dump of 91 million accounts from Rambler (“Russian Yahoo”) was traded online containing usernames (that form part of a Rambler email) and plain text passwords.
Date: early 2018 (this is when a Cambridge Analytica whistleblower disclosed the story)
Impact: 87 million users
Though a slightly different type of data breach as the information was not stolen from Facebook, the incident that affected 87 million Facebook accounts represented the use of personal information for purposes that the affected users did not appreciate. Cambridge Analytica was a data analytics company that was commissioned by political stakeholders including officials in the Trump election and pro-Brexit campaigns. Cambridge Analytica acquired data from Aleksandr Kogan, a data scientist at Cambridge University, who harvested it using an app called “This Is Your Digital Life”. One of the most controversial elements of this breach was that users did not appreciate or consent to the political usage of data from a seemingly-innocuous lifestyle app.
UpGuard’s researchers also discovered and disclosed a related breach by AggregateIQ, a Canadian company with close ties to Cambridge Analytica. Details about these discoveries can be found in our Aggregate IQ breach series (part 1, part 2, part 3 and part 4).
Date: October 2016
Impact: 85 million users
In October 2016, Dailymotion a video sharing platform exposed more than 85 million user accounts including emails, usernames and bcrypt hashes of passwords.
Date: February 2015
Impact: Theft of up to 78.8 million current and former customers
In February 2015, a single user at an Anthem subsidiary clicked on a phishing email which gave attackers access to names, addresses, dates of birth, and employment histories of current and former customers.
Impact: 69 million users
In mid 2012, Dropbox suffered a data breach which exposed 68 million records that contained email addresses and salted hashes of passwords (half SHA1, half bcrypt).
Date: February 2013
Impact: 66 million users
In February 2013, tumblr suffered a data breach that exposed 65 million accounts. The breach included email addresses and salted SHA1 password hashes.
Date: Late 2016
Impact: Personal information of 57 million Uber users and 600,000 drivers exposed.
In late 2016, Uber learned that two hackers were able to access the names, email addresses, and mobile phone numbers of 57 million users of the Uber app. They also got the driver’s license numbers of 600,000 Uber drivers. In addition, the hackers were able to access Uber’s GitHub account, where they found Uber’s Amazon Web Services credentials.
36. Home Depot
Date: September 2014
Impact: Exposure of the credit card information of 56 million customers
Home Depot announced that its POS systems had been infected with a custom-built malware, which posed as anti-virus software.
Biggest data breaches infographic