The Top Nine Information Breaches of the 21st Century

ɴᴀᴊᴇᴇʙ ᴡᴇᴇʀᴀʙᴀɴɢꜱᴀ
Published in Bug Zero, Nov 20, 2022

Data breaches in today’s data-driven society may touch hundreds of millions, if not billions, of individuals at once. As the quantity of data flowing has expanded due to digital transformation, so have data breaches as attackers exploit the data dependencies of everyday life. The size of future cyberattacks is unknown, but as this list of the largest data breaches of the twenty-first century shows, they have already reached gigantic proportions.

To ensure openness, this list was compiled based on the number of people affected, data disclosed or accounts affected. We also distinguished between situations in which data was deliberately stolen or intentionally republished and those in which an organization mistakenly left data unsecured and exposed, but there was no strong indication of abuse. The latter have been purposely left off the list.

So, here is a list of the 10 largest data breaches in recent history, complete with information on the people impacted, who was responsible, and how the organizations reacted.

1. Yahoo.com

August 2013
3 billion accounts have been affected.

The assault on Yahoo has taken the top rank almost seven years after the first breach and four years after the full quantity of documents leaked was disclosed. The event, which occurred in 2013, was first made public by the firm in December 2016. It was in the midst of being bought by Verizon at the time, and it was thought that a hacker gang had obtained the account information of over a billion of its subscribers. Yahoo stated less than a year later that the real number of user accounts exposed was 3 billion. Yahoo maintained that the increased estimate did not reflect a new “security risk,” and that emails were being sent to all “additional impacted user accounts.”

Despite the criticism, the Verizon purchase was finalized, although at a lower price. Chandra McMahon, CISO at Verizon, said at the time: “Verizon is dedicated to the highest levels of accountability and openness, and we work hard to guarantee the safety and security of our customers and networks in an ever-changing world of online threats. Our investment in Yahoo enables that team to take substantial measures to improve their security while also benefiting from Verizon’s knowledge and resources.” Following an examination, it was revealed that, although the attackers gained access to account information such as security questions and answers, no plaintext passwords, credit card, or bank data were obtained.

2. Alibaba.com [Aadhaar]

January 2018
Identity/biometric information of 1.1 billion Indian residents was compromised.

In early 2018, it was revealed that hostile actors had penetrated Aadhaar, the world’s biggest ID database, exposing information on over 1.1 billion Indian individuals, including names, addresses, photographs, phone numbers, and emails, as well as biometric data such as fingerprints and iris scans. Furthermore, since the database, which was developed by the Unique Identification Authority of India (UIDAI) in 2009, included information on bank accounts linked to unique 12-digit numbers, it became a credit breach as well. Despite the fact that the UIDAI first denied that the database included such information,

The actors gained access to the Aadhaar database through the website of Indane, a state-owned power firm that was linked to the government database via an application programming interface, which enabled apps to obtain data held by other applications or software. Unfortunately, there were no access restrictions on Indane’s API, making its data accessible. Access to the data was offered for as low as $7 through a WhatsApp group. Despite warnings from security experts and IT organizations, Indian officials did not take the insecure access point down until March 23, 2018.

3. LinkedIn.com

June 2021
700 million users have been affected.

In June 2021, data linked with 700 million LinkedIn members were released on a dark website, affecting more than 90% of the company’s user base. A hacker known as “God User” employed data scraping methods to breach the site’s (and others') API before releasing the first data collection of around 500 million clients. They then boasted that they were selling the whole 700 million client database. While LinkedIn argued that the incident was a violation of its terms of service rather than a data breach because no sensitive, private personal data was exposed, a scraped data sample posted by God User contained information including email addresses, phone numbers, geolocation records, genders, and other social media details, giving malicious actors plenty of data to craft convincing, follow-up social engineering attacks in the aftermath of the leak, as warned by the U.S.

4. Facebook.com

April 2019
533 million users have been affected.

It was reported in April 2019 that two databases from Facebook applications had been leaked to the public internet. The data includes phone numbers, account names, and Facebook IDs for over 530 million Facebook members. However, the data was freely available two years later (April 2021), showing fresh and genuine criminal intent around the data. Given the sheer number of phone numbers impacted and readily available on the dark web as a result of the incident, security researcher Troy Hunt added functionality to his HaveIBeenPwned (HIBP) breached credential checking site that allowed users to verify if their phone numbers were included in the exposed dataset.

“I had no intention of making phone numbers searchable,” Hunt stated in a blog post. “For a variety of reasons, I held that it did not make sense. The Facebook data altered everything. There are over 500 million phone numbers but just a few million email accounts, therefore >99% of individuals missed out when they should have.”

5. Yahoo.com

2014
500 million accounts have been affected.

Yahoo makes its second entry on this list, having experienced an assault in 2014 in addition to the one mentioned above. State-sponsored attackers stole data from 500 million users on this occasion, including names, email addresses, phone numbers, hashed passwords, and dates of birth. The corporation took early corrective action in 2014, but it wasn’t until 2016 that Yahoo made the facts public after a stolen database was sold on the black market.

6. MySpace.com

2013
360 million user accounts have been affected.

Though it has long since ceased to be the powerhouse that it once was, social networking site MySpace made news in 2016 when 360 million user identities were leaked onto LeakedSource.com and listed for sale on the dark web market The Real Deal for 6 bitcoin (about $3,000 at the time).

According to the firm, the lost data includes email addresses, passwords, and usernames for other websites “a subset of accounts formed on the previous Myspace platform prior to June 11, 2013. To safeguard our users, we have invalidated all user passwords for impacted accounts generated on the previous Myspace platform prior to June 11, 2013. When these individuals return to Myspace, they will be requested to verify their account and change their password by following the on-screen instructions.”

The passwords were most likely saved as SHA-1 hashes of the first ten characters of the password converted to lowercase.

7. LinkedIn.com

June 2012
165 million users are affected.

LinkedIn makes its second entry on this list, this time in regard to a 2012 breach in which it stated that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been taken by attackers and uploaded on a Russian hacker forum. However, the entire scope of the tragedy was not exposed until 2016. The same hacker who sold MySpace data was discovered to be selling the email addresses and passwords of around 165 million LinkedIn members for just 5 bitcoins (approximately $2,000 at the time). LinkedIn confirmed being made aware of the hack and said that it has changed the passwords for impacted users.

8. Dubsmash.com

December 2018
162 million user accounts have been affected.

Dubsmash, a New York-based video messaging service, had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen in December 2018, and all of this was subsequently sold on the Dream Market dark web market the following December. The data was sold as part of a larger dump that included MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating service CoffeeMeetsBagel.
Dubsmash confirmed the compromise and selling of information and advised users to change their passwords. However, it did not specify how the attackers gained access or clarify how many people were impacted.
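
The three password storage schemes named in the MySpace, LinkedIn and Dubsmash entries above, side by side. This is an added example, not code from the original article or from any of the companies. The UTF-8 encoding, the truncate-then-lowercase order, the 600,000 iteration count and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import math
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def myspace_style_hash(password: str) -> str:
    # Scheme as the article describes it: SHA-1 over the first ten
    # characters, lowercased. Encoding and operation order are assumptions.
    return hashlib.sha1(password[:10].lower().encode("utf-8")).hexdigest()


def unsalted_sha1(password: str) -> str:
    # Unsalted: equal passwords always give equal hashes across all users.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def keyspace_bits(alphabet_size: int, length: int) -> float:
    # log2 of the number of distinct inputs the stored hash can tell apart.
    return length * math.log2(alphabet_size)


def pbkdf2_record(password: str, iterations: int = PBKDF2_ITERATIONS):
    # Per-user random salt plus a tunable iteration count.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, digest


def pbkdf2_verify(password: str, record) -> bool:
    salt, iterations, expected = record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)  # constant-time comparison


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any breach data.
    a, b = "CorrectHorse99", "correcthorSE-other-tail"
    print("truncated scheme collides:", myspace_style_hash(a) == myspace_style_hash(b))
    print("unsalted hash repeats:", unsalted_sha1(a) == unsalted_sha1(a))
    # 94 printable ASCII characters typed vs 68 left after lowercasing (94 - 26).
    print("bits typed (14 chars):", round(keyspace_bits(94, 14), 1))
    print("bits stored (10 chars):", round(keyspace_bits(68, 10), 1))
    r1, r2 = pbkdf2_record(a), pbkdf2_record(a)
    print("salted records differ:", r1[2] != r2[2], "verifies:", pbkdf2_verify(a, r1))
```

The first two schemes let one precomputed table serve every account in a dump, while the salted PBKDF2 record forces separate work per user.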

9. Adobe.com

October 2013
153 million user records have been affected.

Early in October 2013, Adobe confirmed that hackers had obtained over three million encrypted consumer payment card details as well as login information for an unknown number of user accounts. After a few days, Adobe revised its estimate to include identities and encrypted passwords for 38 million “active users.” According to security writer Brian Krebs, a file leaked only days before “appears to comprise more than 150 million login and hashed password combinations obtained from Adobe.” After weeks of investigation, it was discovered that the attack had also revealed customer names, passwords, and debit and credit card information. In August 2015, Adobe agreed to pay $1.1 million in legal expenses and an unknown sum to users to resolve charges of Customer Records Act violations and unfair business practices. The sum paid to customers was estimated to be $1 million in November 2016.

Lessons Learned from Massive Breaches

If these disasters have taught us anything, it is that we must prioritize data security. Companies of all sizes collect sensitive information, yet often do not protect it. If government agencies and huge firms are leaking data owing to lax security and cyberattacks, we can only conclude that small and medium-sized businesses are as well.

The quantity of data we gather is increasing dramatically as IoT devices proliferate. To accommodate this development and prevent future assaults, we need stronger cybersecurity legislation and harsher punishments for businesses that fail to secure critical information. These solutions, together with increased cybersecurity training and staff awareness, have the potential to put the worst data breaches in history behind us.

--

Computer science student at University of Ruhuna with a strong interest in cyber security. I am always looking to expand my knowledge and skills in the field.