
Top 10 Data Breaches in History
Has your data been breached? If not, count your lucky stars.
Statistics show
that the number of data breaches in 2023 reached a record 2,814.
News about those incidents only keeps coming; just this past week,
it was reported
that the data of 7.5 million customers
of the Indian electronic company boAt Lifestyle
was breached and exposed on the dark web.
PII (personally identifiable information) such as names,
email addresses and phone numbers is now for sale on forums
and could eventually be used for different malicious purposes like phone scams,
phishing emails or blackmail.
These kinds of attacks can pose serious issues
not only for customers but also for the companies that are breached.
The consequences for companies may include financial loss,
reputational damage, customer loss, legal ramifications
and production downtime; all of these things may occur simultaneously.
As has been proven time and time again,
we learn from hardships.
And these organizations have had to learn some hard lessons
as a result of malicious actors leveraging
their lax cybersecurity practices.
In this post,
we want to look back at the top ten known data breaches of all time,
ranked by the number of users/accounts affected.
Before going forward, let’s keep two things in mind:
(1) in order to save face, affected parties don’t always provide
details on how they were attacked or what was breached,
and (2) the difference between a data breach and a data leak
(the former involves intentional unauthorized access to data,
while the latter typically involves accidental exposure of sensitive data).
10 – LinkedIn
In mid-2012, hackers infiltrated
the social media
system and stole 117 million email addresses and passwords from users,
both premium and free.
At first it was believed that 6.5 million users had been affected,
and LinkedIn did little to nothing to warn them about the incident.
But then came 2016,
and sales of all the stolen data were seen on the dark web.
It was then that the company acknowledged the attack
and put out a statement advising their users to change their passwords,
avoid password reuse and leverage advanced security features
like two-factor authentication.
U.S. premium users
of the employment platform filed a collective lawsuit,
in response to which the company agreed to pay a total of $1.25 million
in compensation to victims who paid for a subscription between 2006 and 2012.
9 – Dubsmash
The once-trendy video messaging app
was affected by a data breach in 2018.
The company disclosed the situation in 2019
after seeing hackers selling the stolen data on the dark web.
Malicious actors infiltrated the app’s system
and accessed user data that included
account holders’ names, usernames, email addresses, geographical locations
and hashed passwords, which is still a security risk since attackers
with enough resources and time could crack these passwords.
The information of 162 million Dubsmash users was compromised,
and the company responded only with advice
on what to do in case of a breach.
8 – Wattpad
This popular website
for storytelling and publishing was hacked in 2020.
The data breach involved the exposure of account information
belonging to more than 270 million users.
The database, which included usernames, encrypted passwords,
geographic locations and emails,
was secretly sold on the dark web for 10 bitcoins
(almost $100,000 at the time).
Not much was disclosed about the breach,
but it’s known that it impacted everyone
who joined the website before 2017.
A statement from the company said
that “out of an abundance of precaution” Wattpad
had reset all users’ passwords.
7 – Marriott International
This leading hospitality chain
became the target of a major data breach that was announced in 2018
and exposed the personal information of millions of guests.
That year,
it became known to the public that hackers
had gained unauthorized access in 2014 to the systems of Starwood Hotels,
which Marriott purchased in 2016,
and that they had copied guest data before
the company was even aware of it.
Though some duplicates may have inflated the number,
potentially up to 327 million guests’ data was compromised.
Exposed information included a variety of personal details,
such as names, mailing addresses, phone numbers, email addresses,
dates of birth, and, in some cases, passport numbers
and payment card details.
The breach was a significant blow to Marriott’s reputation
and a major financial blow that resulted in legal repercussions from customers,
a fine for the violation of British citizens’ privacy rights
under the GDPR,
and system recovery costs.
6 – MySpace
The same sellers that offered the stolen LinkedIn data
in 2016 also claimed to have credentials from an unreported breach.
Back in 2013,
the formerly-popular website
MySpace suffered a breach that compromised the data of 360 million users.
Still,
either the company didn’t know or didn’t make a statement,
because it was not until 2016 that the data breach
was exposed by malicious actors looking for gains.
By then, MySpace had been purchased by Time Inc.,
which informed this social network’s users of the breach
and explained that their credentials
could have been used to access other websites.
For MySpace,
which was already struggling
to compete with newer social media platforms,
the revelation of the breach was a major blow
to its reputation and user trust.
5 – FriendFinder Networks
This 2016 data breach impacted 412 million user accounts
across 6 different websites owned by
this online dating and adult entertainment company.
FriendFinder Networks had inadequate security practices,
like storing passwords in plain text,
which contributed to the scope of the breach.
The 6 databases that were stolen included information like client names,
email addresses and passwords.
This was a major privacy nightmare for users,
who were exposed to identity theft,
extortion attempts and phishing attacks.
The company didn’t fare well either,
losing a critical number of customers and its reputation along the way,
not to mention the investigations
and fines from data protection agencies it faced.
4 – Yahoo (2014)
This web services provider’s data breach of 2014
was publicly revealed in 2016
and affected a massive 500 million accounts.
The stolen information included a significant amount of user data like names,
email addresses, phone numbers, dates of birth, hashed passwords
and encrypted and unencrypted security questions and answers.
Even though passwords were hashed,
hackers were able to crack the hashes over time,
and the security questions that were unencrypted
were used to take over accounts.
It was very concerning that Yahoo waited over two years
to disclose the breach to the public,
giving the attackers that time
to exploit the breached information.
At the time, Verizon Inc. was in the middle
of negotiations to purchase Yahoo’s core internet business.
Due to this breach and the legal measures taken by consumers and authorities,
Verizon was able to purchase Yahoo’s business for a significantly
lower amount than first planned.
It won’t be the last time we hear from this online company
as we make our way down this list.
3 – Aadhaar
The Indian government’s ID database
was breached in 2018 by malicious actors
who exploited vulnerabilities in the encryption mechanism
and leveraged outdated security protocols to access sensitive data.
The scope of the breach was monumental,
as complete names, addresses, biometric data
and Aadhaar numbers of 815 million citizens
were stolen and later up for sale on the dark web.
Those affected by the breach were vulnerable to financial fraud,
invasion of privacy and a trust deficit in government initiatives
and digital systems.
As a good example of a positive response from the compromised entity,
the Indian government learned its lessons and implemented
the latest encryption technologies,
stricter access controls and advanced authentication protocols,
thus fortifying the nation’s cybersecurity infrastructure.
2 – Indonesia SIM card
In 2022,
a massive data breach involved SIM card registrations
of 1.3 billion users from Indonesia.
A hacker named “Bjorka” emerged in a popular dark web forum
selling these SIM card registration profiles
that revealed national identity numbers, phone numbers,
and names of telecommunications providers,
among other information.
It’s important to note that Indonesia’s population
(275.5 million as of 2022) is less than the number of registered cards,
which suggests the data might include duplicates or registrations
for people with multiple SIM cards.
The Indonesian government initially downplayed the situation,
denying the extent of the breach.
Unfortunately,
Indonesians are used to their information being exposed
since it’s done so often that they even jokingly call Indonesia
an “open-source country.”
The attacker released a statement claiming he only executed
the breach to show the “terrible data protection policy”
of the country,
especially if it is run by the government.
This, among many other cybersecurity incidents,
has sparked calls for stricter data protection regulation
and enforcement in the Asian country.
1 – Yahoo (2013)
This breach was labeled by the NY Times
as the “biggest known breach of a company’s computer network” ever.
After the company was purchased by Verizon,
it came to light that Yahoo had been breached in 2013
and that 3 billion users’ data had been compromised.
This is not to be confused with the 2014 breach
that was acknowledged in 2016.
The company confirmed this breach in 2017,
after new intelligence was obtained and indicated
that all Yahoo user accounts were affected by the 2013 breach.
The attack,
which compromised the same user data as the 2014 breach,
had immense financial repercussions for Yahoo.
The costs for investigating the breach,
enhancing security measures, legal fees, million-dollar settlements
and regulatory fines reached over $150 million.
Reputational damages also emerged,
as the incident raised concerns about the company’s ability
to protect user data and keep up with cybersecurity standards;
all of these contributed to a decline in the Yahoo user base.
Something worth stressing is that the majority
of these data breaches were the result of attacks
in which vulnerabilities were spotted
and exploited to gain unauthorized access.
When developing software,
finding vulnerabilities early
in the SDLC is far preferable to doing so after a breach.
That’s why we recommend
our Continuous Hacking solution,
which identifies, exploits and discloses vulnerabilities
in your software so you can address them immediately.
Contact us for more information.
*** This is a Security Bloggers Network syndicated blog from Fluid Attacks RSS Feed authored by Wendy Rodriguez. Read the original post at: https://fluidattacks.com/blog/top-10-data-breaches/