Data breaches are quite popular these days owing to the fact that the companies, big or small, manage lump sum data that is inevitable to both the companies and the threat actors. While the companies make sure to keep their data private, the threat actors out there are always looking for nicks through which they can cause data breaches and the data can be utilized some way or the other. In some cases, the data are sold on the dark web markets (sometimes free of cost, sometimes at a high price) while in other cases, they conduct ransomware that would fetch them mouth-watering money. The smaller data heist would cause harm to merely a couple of hundred people while the massive ones can compromise data of hundreds of millions or billions of individuals.
Dark Web Link has compiled a list of the top twelve massive data breaches till date in the 21st century depending on a single factor, the number of people affected. We have also mentioned the role of the party for which the data leak was possible. For example, if the data was leaked due to the company’s negligence or the hackers are smart enough to get past the security.
So, without much waiting, let’s discuss about the largest data breaches in the world. Also, the list put up here will be according to the year of occurrence. The companies that face cyber attacks for a couple of years at a stretch, the first year of occurrence is taken into consideration.
Biggest Data Breaches of The 21st Century
LinkedIn has undergone the data breach back in the year 2012 and later in the year 2016 that has impacted 165 million user accounts. The actual cyber breach took place in the year 2012 when the company had announced that the hackers have compromised 6.5 million unsalted SHA-1 hashes (unassociated passwords) and have posted them onto a Russian Hacker Forum. Until 2016, the complete extent of the incident was not known. The compromised email ids and passwords were up for sale against just 5 Bitcoins which was somewhere around $2,000 at that time. However, later the passwords were reset.
Adobe was hit by a data leak in October 2013 affecting 153 million user records. In early October 2013, Adobe had reported that the hackers have compromised nearly 3 million of the encrypted customer credit card records along with login data for an undetermined number of the user accounts. Later in the same month, they have reported an estimated 38 million active users’ ID and encrypted passwords. The cyber hack has also simultaneously exposed customer names, debit and credit card information.
MySpace had been hit by the cybercriminal group in the year 2013, where 360 million user accounts have been compromised. The leaked data had been put up onto both the LeakedSource, a searchable database of the stolen accounts and then put up for sale on The Real Deal market asking 6 BTC that amounted to $3,000 at that time. The company had stated that the lost data included the email addresses and the passwords along with the usernames. The passwords were stored as SHA-1 hashes, where the first ten characters of the passwords were converted into lowercase.
Back in September 2016, Yahoo had announced that it had suffered from a massive data heist back in 2014, which was considered to be the largest data breach in the history. The threat actors compromised the real names, dates of birth, email addresses and contact numbers of 500 million users. Most of the breached passwords were hashed. In December 2016, the company had disclosed another attack in 2013 by a different hacker. In this attack along with the usual names, dates of birth, passwords and email addresses, security questions and answers of one billion user accounts have been compromised. Later the number was revised to 3 billion users. The breach had cost the company $350 million.
In May 2014, eBay has been hit by a data breach where an entire account list of 145 million users have been compromised that included details such as names, dates of birth, addresses and the encrypted passwords. The company has revealed that hackers possess the credentials of three corporate employees and accessed their network for 229 days. Also, the financial information like the credit card numbers was stored separately and that they were not compromised.
Back in November 2018, Marriott International has announced that the hackers had stolen data of approximately 500 million customers. The data breach had initially occurred on the systems that supported Starwood Hotel brands commencing in 2014. The attackers stayed in the system following Marriott’s acquisition of Starwood in 2016 and remained undiscovered till September 2018. The attackers took some combination of passport numbers, contact information, travel information, Starwood Preferred Guest numbers and as well as other personal information. It is believed that the credit card numbers and their expiration dates of over 100 million customers were stolen, while the company is still not sure whether the cybercriminals were able to decrypt the credit card numbers.
NetEase, a provider of mailbox services had undergone a data breach in October 2015, the email addresses and plaintext passwords of about 235 million accounts from the customers were being sold by a darknet marketplace vendor having pseudonym “DoubleFlag”. It was reported but, the company has denied of any data breaches. However, the website HaveIBeenPwned has listed this breach as “unverified”.
Adult Friend Finder
The company survived a data breach that hit it in mid-October 2016 and has affected 412.2 million of the user accounts. Adult Friend Finder offered specific services (hookup and adult content website) that made the breach particularly sensitive for the account holders. The stolen database stayed for a really long time on six databases. The breached details contained email addresses, names and the passwords. The passwords contained weak SHA-1 hashing algorithm that protected most of the stolen passwords but an estimated 99% of them had been cracked by the time the website LeakedSource.com had published its analysis of the data set back in 14th of November, 2016.
Equifax, which is one of the humongous credit bureaus in the US revealed on the 7th September 2017 that they have experienced an application vulnerability in one of their websites that has led to a data loss. This incident has exposed nearly 147.9 million consumers. Although the data theft was uncovered on the 29th of July, but the company has said the breach has likely started in mid-May. The privacy data breach has compromised various personal information such as the names, dates of birth, addresses, Social Security Numbers or SSNs and in some other cases the numbers to the drivers’ licenses. Apart from this, the credit card data of 209,000 consumers have also been exposed. Nevertheless, the company was also slow to report data loss.
Dubsmash, the New York-based video messaging service has been attacked by a data breach that had successfully compromised 162 million user details including the user email addresses, names, PBKDF2 password hashes, dates of birth and more. All of these stolen data from the database has been listed on the Dream market dark web market for sale. The information was being sold as a part of the dump collection. The company had acknowledged the data hack but failed to inform how the hackers had got in their database.
My Fitness Pal
Around 150 million consumer data (usernames, email ids, SHA-1 and bcrypt-hashed passwords and IP addresses) were stolen in February 2018 and put up for sale on the dark web a year after. The company was believed to be a part of the massive data dump of 16 compromised websites that experienced 617 million customers’ accounts leaked and offered for sale on the Dream Market. Although the company has later acknowledged the data breach but did not express how the hackers got into their databases.
The Australian graphic design tool website named Canva had been hit by a cyberattack that has exposed various information of 137 million users such as usernames, names, email ids, cities along with the salted and hashed with bcrypt passwords (for all the users who signed in with their social accounts – roughly 61 million). In this regard, the company had stated that the hackers managed to view the files with a partial credit card and payment data due to insufficient data protection, but unable to steal the data. The suspected group was Gnosticplayers who claimed to have gained OAuth login tokens for the users who have signed in using the Google account. Later on, about 41 million Canva accounts containing the stolen passwords of the users were decrypted and shared online that led the company to invalidate the unchanged passwords and notify the users having the unencrypted passwords in the list.
Zynga, one of the biggest mobile game creators having millions of players worldwide had been hit by a Pakistani hacker named Gnosticplayers. In September 2019, Zynga’s database of Draw Something and the Words with Friends has been hacked where the hackers have gained access to the 218 million accounts that had been registered there. The company later revealed that hackers have compromised Zynga accounts, phone numbers, email addresses, salted SHA-1 hashed passwords and user IDs for Facebook.
Thus, it can be seen that quite a good number of companies have suffered biggest data breaches that have almost crippled their economy. Apart from these, there are various other data leaks that are not this massive, yet have affected the companies to a great extent. The cybersecurity firms are continuously striving to protect data while the cybercriminals find out new ways to get to the database and get benefitted. You must adhere to data loss prevention policies as it is crucial as non-compliance aftermath can be devastating for your businesses.