A hacker attack happens every 39 seconds in the US. This frequency may be worrisome at first. In reality, most attacks have little impact on society in general, even though high profile attacks do happen. They’re not Voldemort-dangerous, but some of them come pretty close.
There are five key targets the biggest data breaches in modern history share. These are your full name, email address, physical address, IP address, and credit card information.
Here’s a taste of what we are talking about:
- Yahoo’s decline was certainly accelerated by the largest reported data breach up until this moment: 3 billion accounts were exposed
- Sneaky hackers managed to collect the personal data of over 500 million guests of Marriott International over the course of 4 years
- The accounts of 412 million members of adult network FriendFinder were also compromised by eager data thieves
- It took a single young hacker several years to access over 200 million user accounts with sensitive information; they belonged exclusively to Court Ventures
- LinkedIn became known as LeakedIn after 117 million accounts were stolen
- Fitness enthusiasts weren’t spared the blushes either – nearly 113 million FitMetrix users unwillingly shared their personal data with unknown hackers
- Going further back in time, in 2008 134 million credit card numbers were lifted from Heartland Payment Systems
- While on topic, Equifax reported the payment data of over 145.5 million users exposed as recently as 2017
I won’t be reviewing the Great Papyrus Attack back in the day, even though it was a massive breach in its own right. I’ll instead take a look at the pitfalls of modern security and how they’ve affected us.
The numbers will show you how vulnerable user data can be and might also nudge you to take a little extra care whenever you are online.
- 1. Yahoo
- 2. River City Media
- 3. Marriott International
- 4. FriendFinder Network
- 5. MySpace
- 6. Exactis
- 7. Twitter
- 8. Court Ventures
- 9. Deep Root Analytics
- 10. LinkedIn
- 11. Massive American Breach
- 12. MyFitnessPal
- 13. eBay
- 14. Equifax
- 15. Heartland Payment Systems
- 16. Nametests
- 17. MindBody
- 18. TJX Stores
- 19. VK
- 20. Firebase
- 21. Quora
- Stay Vigilant
1. Yahoo
Yahoo is far from its former glory. The massive fall of the Yahoo empire started in 2013. A yet unknown party broke into Yahoo’s database, gaining access to 3 billion accounts. This is the biggest hack Yahoo has ever encountered. And they only discovered it in 2016.
The attack happened right in the middle of their negotiations with Verizon, which later acquired Yahoo for $4.48 billion. The revised price was $350 million less than previously expected, but that was just the tip of the iceberg for Yahoo.
The stolen information included full names, dates of birth, email addresses and passwords, and security issues correspondence (questions/answers).
The company claims the attack was conducted by state-funded hackers. A Vice article further shows the Department of Justice is pointing to members of the Russian Federal Security Service as the initiators of the massive Yahoo data breach.
The personal details were allegedly used to compromise (possibly blackmail) both US and Russian officials, journalists, and some private sector individuals. Some of the account details were also put up for sale on “TheRealDeal”, a known darknet virtual marketplace.
Knowledge is power, right?
Although it happened five years ago, this is still the highest-ranked entry on the Data Breaches Leaderboard.
2. River City Media
One of the more concerning recent data breaches happened in the spring of 2017 when River City Media encountered massive data exposure.
I’ve never seen a person jump in joy upon seeing a spam email. To my genuine surprise, it turns out many people open those, thus providing some metrics of data to spam-oriented enterprises.
River City Media somehow managed to allow unauthorized access to a large database of emails and postal addresses. This resulted in 1.37 billion subscriber records suddenly being released out in the wild.
However… this wasn’t exactly a breach.
The Jackson, Wyoming-based marketing company granted free access to a 200GB repository. According to Chris Vickery, who first discovered the issue, the data was quietly waiting in a system with no password protection.
Turns out some of the biggest data breaches of all time aren’t always caused by hackers, eh?
OK, let’s see what the sloppy fellas leaked – real, full names, and IP/email/physical addresses. Tens of millions of people had their data exposed to anyone willing to access it.
In addition, the breach shed light onto RCM’s development plans, along with a list of undisclosed affiliates of the company.
River City Media didn’t respond to the leak right away, as they kept their intentions secret. However, high profile data breaches don’t usually appreciate silence.
The brand tried to explain their lack of action by later on stating that all data was legally obtained according to the FTC and Can-Spam Act of 2003 requirements. However, this didn’t save them from receiving a Spamhaus blacklist mark.
3. Marriott International
We’re moving to the hotel business for a bit. Marriott International announced on November 30th that their data records had been breached. The hackers had access to their records from 2014 all the way up to late 2018.
As far as cyber security breaches go, this was one of the longest standing ones. Bullseye.
The spoils of the breach were estimated to be the personal information of 500 million people.
The database contained names (full and partial combinations), mailing/email addresses, phone numbers, account info, date-of-birth, gender, reservation dates, arrival/departure times, payment card numbers/expiration dates, and passport information.
Thankfully, all credit card information (8.6 million credit/debit card numbers) was under AES-128 encryption. OK, at least the payment information is safe. If nothing else.
This is one of the largest data breaches and a large portion of the data was readable by anyone.
For example, 5.25 million customer passport numbers were unencrypted. This was just slightly north of 20% of all numbers on record, as another 20.3 million of them were actually encrypted. Marriott International made a further evaluation of the damages and estimated the number of affected customers at 383 million.
Alright, so who has any use of so many guest records? A naïve question, yes, but experts believe that Chinese intelligence-gathering teams are behind the attack.
The fact of the matter is, Marriott International still hasn’t disclosed who it thinks is behind one of the most famous data breaches ever.
They reacted to the news about the breach by saying their primary objectives were “to figure out what occurred” and “how they can best help their guests”.
4. FriendFinder Network
Some people would prefer giving away access to their bank account rather than having their sexual history made public. That’s why it’s no wonder this one was named “the biggest breach of 2016”. The exposed records amounted to over 412 million pieces of information, including usernames and passwords, and email addresses.
Hacking the user base of the “World’s Largest Sex & Swinger Community” could easily classify as one of the world’s biggest data breaches, considering the sensitive nature of the information. The FriendFinder Network suffered a breach containing customer data, accumulated over more than two decades. The data was spread across six different databases – FriendFinder, Adultfinder, Cams, Penthouse, iCams, and Stripshow.
According to LeakedSource, all sensitive information was stored either in plaintext or hashed with SHA-1, which is a lousy way to store customer data. LeakedSource also points to October as the most likely period of the hack.
Yes, this time it’s hackers.
FriendFinder claims they care about their clients’ security. Well, they could have shared the information about the security breaches sooner. It’s just common courtesy to set things straight with their clients and warn them. “Hey, people, we kind of got hacked… just so you know.”
Additionally, LeakedSource even managed to crack 99% of the hashed passwords. Naturally, the most used password turned out to be 123456. I’m not saying “vanillaicecream1902” is easier to remember, but it may make your account just a bit safer. (And it still is much safer, according to experts.)
5. MySpace
February 2016 wasn’t at all calm for MySpace.
Even though many have forgotten about the platform, it still exists. It was responsible for one of the biggest data breaches to date, scoring over 360 million points on the Stolen Account Records app.
(There is no such app, don’t search for it.)
Although Time Inc., the current owner of MySpace, confirmed the stolen data was old, it is still a big hit. According to them, the hackers only managed to acquire data from before 11 June 2013. And what did they get? Email addresses and passwords. Even a second password once in a while.
MySpace CFO, Jeff Bairstow, was quick to reassure the users that they take data security “extremely seriously”.
Even though it doesn’t seem as severe as the previous cybersecurity breaches, these accounts hold all kinds of personal information. Name, occupation, network activity, and some prehistoric metrics from when MySpace was popular.
Also, consider this – many users are accustomed to typing the same password for all of their online accounts. If anyone gains knowledge of your MySpace password, chances are they will be able to log into at least one of your other internet profiles.
So, variety is key.
6. Exactis
While looking at all the recent data breach cases in 2018, it wasn’t long before the name Exactis surfaced. A data aggregation/marketing company situated in Palm Coast, Florida, that… you guessed it, was also hacked.
It seems that they support the approach of showing less while knowing a whole lot more.
It’s concerning that Exactis somehow managed to expose personal information about 230 million US citizens in 2018. The breach came to light in June by the hand of Vinny Troia, a security researcher who was checking the defenses of the company ElasticSearch.
Troia used Shodan, a search engine targeting internet-connected devices, to discover one of the biggest data breaches in 2018 – about 7,000 different databases on public servers. One of those belonged to Exactis and it was just chillin’ out, totally unprotected.
Just like your high-school lunch left on the common table in the cafeteria.
Unlike the precious food bite, however, the Exactis database consisted of around 340 million records. A little over 66% of those are tied to individuals, while the rest belong to nation-wide operating companies.
No social security numbers or credit card numbers were disclosed but a lot of other information was leaked: physical addresses, email addresses, phone numbers, age, gender, even the customers’ children’s gender, religious affiliation, and smoking habits.
Yet again, it is unclear if this was a coordinated hacker breach or just a sloppy leak.
7. Twitter
This one is slightly different than the common data breach examples.
In 2018, Twitter discovered a bug that made all user passwords visible on an internal log. Usually, any respectable site runs your password through a hashing algorithm before storing it, so that nobody else can read it.
However, someone, or something, meddled in Twitter’s business and caused all passwords on the platform to appear in plain-text. I’m not calling it a breach because it was found “on time”.
Or at least it seems that way.
Nevertheless, Twitter didn’t share how long the alleged hack was active, and how many user passwords were actually compromised during this recent data breach of 2018.
They urged the Twitter user base to change their passwords, just to be safe. This makes me inclined to believe there really was a massive leak. Or at least a good possibility of one.
This theory becomes even more likely after more recent information surfaced in January 2019. Twitter informed all Android users about a possible security flaw in their Android app. The “Protect Your Tweets” option apparently wasn’t working right. All Android tweets from 2014 till now were probably accessible by third parties.
Was the leak caused by dedicated hacker attacks or simple spaghetti code? We still don’t have an answer to this question.
8. Court Ventures
Getting back to major hacking events for a change, October 2013 brought a breach at Court Ventures, a company belonging to Experian, in which 200 million consumer records were exposed. The way the breach took place is fascinating.
Hieu Minh Ngo, aged 25, managed to run a completely unseen identity theft operation for quite some time. The hacker posed as a P.I. with an address in the United States to gain access to customer information for as long as ten months.
This was enough to gather 200 million records of sensitive personal information.
He then sold it to over 1,300 people on both his ID theft websites – Superget.info and Findget.me. Information security breaches can be quite profitable sometimes.
He did all of this while based in Vietnam. Nonetheless, he was later sentenced to 13 years in a US federal prison in July 2015.
According to The San Diego Union-Tribune, it’s possible that more than 30 million consumers were victims of stolen data. In addition, 13,000 fabricated tax return forms were filed by Ngo and his possible affiliates.
This resulted in gathering $65 million in non-existing tax refunds.
Experian stated back in December 2013 that no customers were harmed by the breach. At least not to their knowledge.
9. Deep Root Analytics
December 2015 saw one of the largest cyber security breaches around Christmas, with Donald Trump still just a presidential candidate.
Turns out over 198 million voters’ records were kept in a poorly protected database – full names, state of residence, addresses, date of birth, phone numbers, and voting details were all disclosed to the public. Ethnicity and religion details were also in the pack.
Chris Vickery was again the one to spot the vulnerability. He shared that all the information was kept on a cloud server without any defenses. 1.1TB of data was up for grabs by anyone with a quick mind.
TargetPoint Consulting and Data Trust were also involved in the election breach but the main responsibility lies with Deep Root Analytics.
Following the previous data breaches in Mexico and the Philippines, which affected a tad over 100 million individuals, the DRA breach raised concerns about how voting information is protected around the world.
10. LinkedIn
Going back to 2012, LinkedIn suffered a theft of 6.5 million user accounts. Naturally, the internet community awarded them with the nickname “LeakedIn”.
This is easily one of the world’s biggest data breaches to date.
While 6.5 million is still a lot, LinkedIn acted swiftly and deactivated the compromised accounts.
The acquired data was posted for sale on a Russian-based forum. LinkedIn reacted, and the problem was soon no more. This gave it time to recover, but in May 2018 new gruesome details surfaced.
The alleged count of the 6.5 million leaked accounts suddenly turned out to be 117 million instead. On top of that, they were available for purchase on the DarkWeb marketplace. “Peace” or “Peace_of_Mind”, a Russia-based hacker, put them up for sale at five BTC (Bitcoin) and turned LinkedIn into one of the most famous data breaches to date.
LeakedSource claims to also own a searchable list of this database, available with a $4-one-day-trial option.
Cory Scott, CISO at LinkedIn, stated they’ve reset the leaked accounts’ passwords.
11. Massive American Breach
(Source: Technology Review)
This one was a massive, coordinated attack.
A group of Russian hackers managed to access and gather credit/debit card numbers from several companies for a whole seven years, between 2005 and 2012.
There was a total of 15 hacked companies – 7-Eleven, JC Penney, Heartland Payment Systems, Carrefour, Wet Seal, Dexia, Commidea, Hannaford, JetBlue, Euronet, Dow Jones, Global Payment, Visa Jordan, Ingenicard, and Diners Singapore.
Back in the day, the operation was called “the largest hacking and data breach scheme ever produced in the United States” by a New Jersey prosecutor, Paul Fishman. Although we now know of bigger breaches, this one was shockingly big at the time.
The breach caused hundreds of millions in losses for the companies that have been hacked and their consumers. In addition to those, three corporate victims reported over $300 million in losses due to the attack.
Not to mention the numerous identity theft possibilities.
According to the Newark Federal Court, the perpetrators were Vladimir Drinkman, Alexandr Kalinin, Roman Kotov, Mikhail Rytikov, and Dmitriy Smilianets – all based in either Russia or Ukraine.
Reports suggest that Smilianets managed to sell the stolen data and shared the profit with his team members before they were convicted.
12. MyFitnessPal
In March 2018, the health app MyFitnessPal made public one of the largest data breaches in the healthcare niche.
150 million users were affected. The stolen records included usernames, email addresses, and hashed passwords. Now, as you may have already noticed, there’s a silver lining to this situation – the passwords were hashed. This means the hackers have had a hard time recovering the passwords, even after the data was already in their possession. If you’re unfamiliar with this sort of thing, you may wonder why.
Well, depending on the hashing algorithm complexity, passwords can stay safe for decades, even after major data breaches. Or be cracked in a matter of minutes. So yes, just because the passwords are hashed doesn’t mean they are safe.
What is more, hashing does little for weak passwords, as the hashes of the most common passwords are already precomputed in so-called “rainbow tables”. If you are a hacker, you’d logically go for those first.
Although respected companies use the highest ranked encrypting tools, users are still advised to change their passwords after such a breach.
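The difference between fast, unsalted hashing (the SHA-1 case mentioned for FriendFinder) and salted, slow hashing can be shown in a few lines. This is an added example, not part of the original article; the accounts, the password list and the iteration count are constructed for the illustration, and a plain lookup dictionary stands in for a real rainbow table.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "common passwords" list and three made-up accounts.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]
ACCOUNTS = {"alice": "123456", "bob": "qwerty", "carol": "vanillaicecream1902"}

# Example value only; production settings should follow current guidance.
PBKDF2_ITERATIONS = 100_000


def sha1_hex(password):
    """Fast, unsalted hash: identical passwords always give identical output."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password once; it then works against any unsalted dump."""
    return {sha1_hex(p): p for p in candidates}


def recover_from_unsalted(dump, table):
    """Return the accounts whose stored hash appears in the precomputed table."""
    return {user: table[h] for user, h in dump.items() if h in table}


def hash_password(password, salt=None):
    """Salted, deliberately slow storage: returns (salt, derived_key)."""
    if salt is None:
        salt = os.urandom(16)  # unique per account
    key = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, key


def verify_password(password, salt, expected_key):
    """Recompute with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)

    # Weak storage: every common password falls out of the table instantly.
    weak_dump = {user: sha1_hex(pw) for user, pw in ACCOUNTS.items()}
    recovered = recover_from_unsalted(weak_dump, table)

    # Strong storage: the same table matches nothing.
    strong_dump = {user: hash_password(pw) for user, pw in ACCOUNTS.items()}
    table_hits = [u for u, (_, key) in strong_dump.items() if key.hex() in table]

    # Two users with the same password still get different stored values.
    _, key_a = hash_password("123456")
    _, key_b = hash_password("123456")
    return recovered, table_hits, key_a != key_b


if __name__ == "__main__":
    print(demo())
```

Salting only removes the precomputation shortcut: a password as common as 123456 can still be guessed account by account, which is why the slow hash and a strong password both matter.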
Being one of the more benign data breach examples, Under Armour assured customers that no financial data was leaked. Good thing they store financial and general info in separate locations.
No driver’s license or social security numbers were leaked as part of the breach either.
All in all, this attack didn’t have such destructive aftermath, but it’s concerning nevertheless.
13. eBay
In 2014, eBay announced it had become a victim of a cyber attack.
145 million customers’ personal information and encrypted passwords were obtained.
This was one of the biggest data breaches of all time and was conducted by using employee login credentials, of all things. It’s not public knowledge whether the employee was “in” on the plan, or if the company was actually hacked.
The personal information I referred to included dates of birth, mailing addresses, phone numbers, and full names. No financial information was compromised according to the platform.
Two weeks after the breach occurred, the company assured users no suspicious activity took place in any of the user accounts.
No financial details were disclosed, but the eBay data breach still consisted of nearly 150 million records. More than enough information to do some damage.
According to Al Pascual, an experienced security analyst at Javelin Strategy and Research, the breach was likely carried out through a spear phishing campaign. Spear phishing is an email-spoofing tactic, designed to target specific members of a company to acquire unauthorized access.
“The system is as secure as its weakest link, and that is very often its people,” added the expert.
“We are working with law enforcement and leading security experts to aggressively investigate the matter,” the brand shared after the initial breach report.
14. Equifax
A chilling example of the most recent data breaches was exposed in 2017. The hacker attack affected 145.5 million United States consumers, gaining access to detailed personal information.
Equifax, a renowned company in the credit reporting field, discovered the breach on July 29. The breach was big, as it released full names, social security numbers, birth dates, addresses, and driver’s license numbers to public use.
Equifax’s advice to customers was just general reassurances and no substance. That’s the route many companies take in situations like these.
After the Equifax data breach, they shed some light on the hacker attack in a detailed press release. According to them, the perpetrators used a vulnerability in the US website app to break their defenses.
However, no unauthorized activity seems to have happened in the compromised accounts.
Preventing such breaches should be a top interest for any enterprise. It takes time, dedication, and understanding of the environment. Then again, this applies to hacking as well.
15. Heartland Payment Systems
A decade ago, the Heartland Payment Systems breach was considered the biggest such operation yet.
During one of the most damaging high profile data breaches, intruders stole 134 million unique credit cards, including the coded data on the magnetic card strips.
This was a big one.
Heartland Payment Systems conducted around 100 million transactions in 2008, servicing 175,000 merchants. All of them relied on this company to keep their clients’ information safe. As you can imagine, any leaked information affected not just the company, but all the businesses they were working with. Most of those were small to mid-sized retailers.
Considering this was one of the biggest data breaches ever, it happened in a fairly pedestrian way. The operation was initiated by an SQL injection. Simply put, hackers included additional database commands in web scripts to get the server to obey their commands.
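The mechanism described above, and the standard fix, in a minimal added example that is not from the original article and does not reproduce Heartland's code: the same lookup written with string concatenation and with a bound parameter, run against an in-memory SQLite table of constructed data.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cards (merchant TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO cards VALUES (?, ?)",
        [("shop-a", "1111"), ("shop-a", "2222"), ("shop-b", "3333")],
    )
    return conn


def lookup_vulnerable(conn, merchant):
    """Weak form: user input is pasted into the SQL text and parsed as SQL."""
    query = (
        "SELECT card_last4 FROM cards WHERE merchant = '"
        + merchant
        + "' ORDER BY card_last4"
    )
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, merchant):
    """Hardened form: the driver sends the input as a value, never as SQL."""
    query = "SELECT card_last4 FROM cards WHERE merchant = ? ORDER BY card_last4"
    return [row[0] for row in conn.execute(query, (merchant,))]


def demo():
    conn = make_db()
    crafted = "shop-a' OR '1'='1"  # constructed input that changes the WHERE clause
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "shop-a"),
        "vulnerable_crafted": lookup_vulnerable(conn, crafted),
        "parameterized_normal": lookup_parameterized(conn, "shop-a"),
        "parameterized_crafted": lookup_parameterized(conn, crafted),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

With the concatenated query the crafted input returns every merchant's rows; with the bound parameter it is compared as a literal merchant name and matches nothing.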
The hackers had been taking advantage of the vulnerability for eight years as the initial breach happened all the way back in 2009.
According to the Heartland report, hackers took eight months to enter the payment processing system without being detected. All antivirus providers Heartland used were unable to spot them.
As major hacking events go, the people behind this one were going for the long con. Attackers’ determination finally paid off when a “sniffer” spyware entered the scene.
Usually, such spyware can be used to gather and monitor network traffic – companies then analyze it and solve any issues present.
On the other hand, “sniffers” can also point hackers to their target information. Reports suggest the group had all the information they needed to use the stolen credit cards after the breach.
The grim result for Heartland Payment Systems was a termination of their connection with PCI DSS, a decrease of revenue, $145 million in compensation, and a total of over $200 million in losses.
16. Nametests
The list of recent data breaches can’t be complete without the one where Facebook was involved.
I think we all have at least some passing knowledge of what happened during the Facebook-Cambridge Analytica scandal some time ago. Mass panic, “I’ll delete my Facebook” claims, Zuckerberg is a robot.
I’m not going to go deeper into the scandal itself, but rather focus on Nametests.
I reacted the same way when I first heard it. Turns out Nametests is a Facebook Quiz app used to determine which fictional character suits you best.
Nametests made its way into the biggest data breaches of 2018 by exposing the personal data of 120 million users. Had Inti De Ceukelaire not detected it, the app would have continued to abuse user information.
The security researcher spotted the Nametests slip during Facebook’s Data Abuse Bounty program.
Ceukelaire set up a newly created website and established a connection to Nametests. He didn’t break a sweat accessing all stored Facebook profile details – names, pictures, posts, occupation, and so on.
In addition, Nametests was distributing tokens granting real-time access to users’ feeds. Even if you have deleted the app, it would still share your personal information with any third-party on its website.
17. MindBody
In 2018, FitMetrix became a part of the MindBody family. And it also joined the club of companies that have been hacked.
MindBody, a gym and wellness service giant themselves, paid $15.3 million for the acquisition. Little did they know, it would cost them a lot more than that.
A massive data breach of 113.5 million user accounts took place at FitMetrix. Each record consisted of usernames, email addresses, gender, phone number, pictures, height, weight, shoe sizes, and desired gym locations.
Emergency contacts were also listed, as well as bits of information labeled “more information”.
Bob Diachenko discovered this fairly recent data breach in 2018. Diachenko is a director of cyber-risk research at Hacken, and is considered an expert on the topic. His report showed a number of MindBody servers were not password-protected.
One of their databases even had a ransom note attached to it.
In his opinion, the intruders were accessing a database, exporting it, deleting it, and attaching the ransom note afterward. MindBody didn’t put much thought into his findings.
They acted on the breach only after a TechCrunch article came to light.
“We took immediate steps to close this vulnerability,” stated the company. You know, the months-later kind of immediately.
18. TJX Stores
One of the biggest data breaches of 2007 became public knowledge when TJX Companies disclosed information about a hacker attack targeting over 100 million customer records.
Hackers were targeting the usual types of information such as credit card numbers, purchase return records, full names, and driver’s license numbers.
45.6 million of those were card numbers belonging to users in various countries. However, the lawsuit against TJX puts the actual number at 94 million.
Similarly to the data breaches of 2018, this one from twelve years ago managed to affect the company’s market valuation. According to 2007-8 stock market statistics, the shares of the company suffered a decline, going from $30 to $29 – a 3.4% decrease in company value.
TJX breach expenses added up to around $250 million. This included security flaws research, claims, lawsuits, and fines.
The hacker first held responsible for the breach, Albert Gonzalez, was determined to have acted with the full authorization of the US Secret Service.
He managed to appeal his sentence in 2011, but the TJX breach will remain in history as the most shocking of its time.
19. VK
Another of the recent data breaches sends us to VK.com, the most developed social networking platform in Russia.
The site suffered a breach that resulted in over 100 million records being leaked in 2016.
It is believed that the accessed records included full names, email addresses, locations, phone numbers, and plain-text passwords.
The last item on this list is enough to question not only the security level of VK, but their whole attitude towards cyber-security. Being a social network giant (therefore having this massive bullseye on their back), it’s criminal incompetence to store user credentials without any form of encryption.
Therefore, this is one of those major data breaches that could have been easily avoided.
The illegally obtained information was later put up for sale by none other than Peace. He seems to be involved in a lot of these operations – Tumblr, MySpace, LinkedIn, and VK. And those are just the ones we are aware of.
In 2016, all VK records were available for purchase for 1 Bitcoin. This used to translate to $600 back then.
This sale opportunity revealed that most of the credible data stolen was from the 2012-2013 period. This is a positive sign, as at least some of it was likely outdated.
On the other hand, that’s a lot of time for a company to remain unaware that one of the biggest data breaches ever occurred under its roof.
20. Firebase
If you have used Firebase (from Google) in 2018, chances are you will be concerned by the upcoming paragraphs.
In essence, Firebase offers an array of services and tools to mobile and web-based app developers.
Android developers are particularly attracted to the platform as it enables push notifications, cloud messaging, analytics, ads, databases, and more. All of these are convenient for coordinated app development.
So far, so good.
All those neat goodies are the perfect setup for a quality app. However, a high-quality app doesn’t necessarily mean foolproof security, as we’ll soon find out. This case is about one of the biggest data breaches of 2018.
An Appthority report showed in January of 2018 that more than 113GB of sensitive data was held unprotected in the Firebase databases.
2,271 unique databases… all of which were connected to 3,046 apps in total – 2,446 for Android and 600 for iOS.
In pure numbers, these amounted to over 100 million records that were up for the taking.
The records contained over 2.6 million plain-text passwords and usernames, over 4 million Protected Health Information records, 25 million GPS locations, 50,000 financial records, and 4.5 million social network tokens.
What do companies that have been hacked do in such situations?
It turns out, Firebase requires developers to secure their own databases during the development process. The platform itself doesn’t have security protocols. In essence, this means there were 3,046 Firebase users that need to get a lesson (or two) in cyber security.
I hope they are reading this article.
21. Quora
This super popular website took a serious hit in 2018. You’d think that such an intelligent website would have better thought-out security in place.
Alas, on November 30, the site detected their data was being compromised by a third party.
100 million stolen records placed Quora among the biggest data breaches ever.
The stolen user details included names, email addresses, and hashed passwords.
Imported data by legitimate users, non-public content, and direct messages were also included. The hackers retrieved questions and answers publicly visible on the website as well. (Not that the latter is much of a breach in itself; more like a regular usage of Quora.)
As for the further investigation of the problem, Quora stated they’ve identified the root cause and have taken steps to address the issue. They also promised to continue to make security improvements.
Stay Vigilant
Each of the recent data breaches listed here caused the leak of more than 100 million records.
A hundred years ago, a lost mail cargo with a thousand letters would have seemed like a big deal. Nowadays, the numbers are in another league altogether and so is the wealth of information they hold.
Thankfully, the internet users’ ability to protect themselves online is on the rise as well.
Internet users (companies and individuals alike) are slowly but surely recognizing online security as important. Having a unique, strong password for each virtual account is the first logical step to protect yourself. That way, even the biggest data breaches will have limited (if any) impact.
Browsing the Web also requires sensible thinking – make sure you’re on the right website, avoid suspicious links, change your login credentials frequently.
The internet is such an inextricable part of our daily lives that it only makes sense to learn to take care of ourselves online. For all its benefits, there’s a responsibility we must take in order to use it.