The 15 biggest data breaches of the 21st century

Data breaches affecting millions of users are far too common. Here are some of the biggest, baddest breaches in recent memory.

In today's data-driven world, data breaches can affect hundreds of millions or even billions of people at a time. Digital transformation has increased the supply of data moving, and data breaches have scaled up with it as attackers exploit the data dependencies of daily life. How large cyberattacks of the future might become remains speculation, but as this list of the biggest data breaches of the 21st century indicates, they have already reached enormous magnitudes.

For transparency, this list has been calculated by the number of users impacted, records exposed, or accounts affected. We have also made a distinction between incidents where data was actively stolen or reposted maliciously and those where an organization has inadvertently left data unprotected and exposed, but there has been no significant evidence of misuse. The latter have purposefully not been included in the list.

So, here it is – an up-to-date list of the 15 biggest data breaches in recent history, including details of those affected, who was responsible, and how the companies responded (as of July 2021).

1. Yahoo

Date: August 2013
Impact: 3 billion accounts

Securing the number one spot – almost seven years after the initial breach and four since the true number of records exposed was revealed – is the attack on Yahoo. The company first publicly announced the incident – which it said took place in 2013 – in December 2016. At the time, it was in the process of being acquired by Verizon and estimated that account information of more than a billion of its customers had been accessed by a hacking group. Less than a year later, Yahoo announced that the actual figure of user accounts exposed was 3 billion. Yahoo stated that the revised estimate did not represent a new "security issue" and that it was sending emails to all the "additional affected user accounts."

Despite the attack, the deal with Verizon was completed, albeit at a reduced price. Verizon's CISO Chandra McMahon said at the time: "Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats. Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources." After investigation, it was discovered that, while the attackers accessed account information such as security questions and answers, plaintext passwords, payment card and bank data were not stolen.

2. Alibaba

Date: November 2019
Impact: 1.1 billion pieces of user data

Over an eight-month period, a developer working for an affiliate marketer scraped customer data, including usernames and mobile numbers, from the Alibaba Chinese shopping website, Taobao, using crawler software that he created. It appears the developer and his employer were collecting the data for their own use and did not sell it on the black market, although both were sentenced to three years in prison.

A Taobao spokesperson said in a statement: "Taobao devotes substantial resources to combat unauthorized scraping on our platform, as data privacy and security is of utmost importance. We have proactively discovered and addressed this unauthorized scraping. We will continue to work with law enforcement to defend and protect the interests of our users and partners."

3. LinkedIn

Date: June 2021
Impact: 700 million users

Professional networking giant LinkedIn saw data associated with 700 million of its users posted on a dark web forum in June 2021, impacting more than 90% of its user base. A hacker going by the moniker of "God User" used data scraping techniques by exploiting the site's (and others') API before dumping a first data set of around 500 million customers. They then followed up with a boast that they were selling the full 700 million customer database. While LinkedIn argued that, as no sensitive, private personal data was exposed, the incident was a violation of its terms of service rather than a data breach, a scraped data sample posted by God User contained information including email addresses, phone numbers, geolocation records, genders and other social media details, which would give malicious actors plenty of data to craft convincing, follow-on social engineering attacks in the wake of the leak, as warned by the UK's NCSC.

4. Sina Weibo

Date: March 2020
Impact: 538 million accounts

With over 600 million users, Sina Weibo is one of China's largest social media platforms. In March 2020, the company announced that an attacker obtained part of its database, impacting 538 million Weibo users and their personal details including real names, site usernames, gender, location, and phone numbers. The attacker is reported to have then sold the database on the dark web for $250.

China's Ministry of Industry and Information Technology (MIIT) ordered Weibo to enhance its data security measures to better protect personal information and to notify users and authorities when data security incidents occur. In a statement, Sina Weibo argued that an attacker had gathered publicly posted information by using a service meant to help users locate the Weibo accounts of friends by inputting their phone numbers and that no passwords were affected. However, it admitted that the exposed data could be used to associate accounts to passwords if passwords are reused on other accounts. The company said it strengthened its security strategy and reported the details to the appropriate authority.

5. Facebook

Date: April 2019
Impact: 533 million users

In April 2019, it was revealed that two datasets from Facebook apps had been exposed to the public internet. The data related to more than 530 million Facebook users and included phone numbers, account names, and Facebook IDs. However, two years later (April 2021) the data was posted for free, indicating new and real criminal intent surrounding the data. In fact, given the sheer number of phone numbers impacted and readily available on the dark web as a result of the incident, security researcher Troy Hunt added functionality to his HaveIBeenPwned (HIBP) breached credential checking site that would allow users to verify if their phone numbers had been included in the exposed dataset.

"I'd never planned to make phone numbers searchable," Hunt wrote in a blog post. "My position on this was that it didn't make sense for a bunch of reasons. The Facebook data changed all that. There's over 500 million phone numbers but only a few million email addresses so >99% of people were getting a miss when they should have gotten a hit."

6. Marriott International (Starwood)

Date: September 2018
Impact: 500 million customers

Hotel Marriot International announced the exposure of sensitive details belonging to half a million Starwood guests following an attack on its systems in September 2018. In a statement published in November the same year, the hotel giant said: "On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred."

Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. "Marriott recently discovered that an unauthorized party had copied and encrypted information and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database," the statement added.

The data copied included guests' names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some, the data also included payment card numbers and expiration dates, though these were apparently encrypted.

Marriot carried out an investigation assisted by security experts following the breach and announced plans to phase out Starwood systems and accelerate security enhancements to its network. The company was eventually fined £18.4 million (reduced from £99 million) by UK data governing body the Information Commissioner's Office (ICO) in 2020 for failing to keep customers' personal data secure. An article by the New York Times attributed the attack to a Chinese intelligence group seeking to gather data on US citizens.

7. Yahoo

Date: 2014
Impact: 500 million accounts

Making its second appearance in this list is Yahoo, which suffered an attack in 2014 separate to the one in 2013 cited above. On this occasion, state-sponsored actors stole data from 500 million accounts including names, email addresses, phone numbers, hashed passwords, and dates of birth. The company took initial remedial steps back in 2014, but it wasn't until 2016 that Yahoo went public with the details after a stolen database went on sale on the black market.

8. Adult Friend Finder

Date: October 2016
Impact: 412.2 million accounts

The adult-oriented social networking service The FriendFinder Network had 20 years' worth of user data across six databases stolen by cyber-thieves in October 2016. Given the sensitive nature of the services offered by the company – which include casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, and Stripshow.com – the breach of data from more than 414 million accounts including names, email addresses, and passwords had the potential to be particularly damaging for victims. What's more, the vast majority of the exposed passwords were hashed via the notoriously weak algorithm SHA-1, with an estimated 99% of them cracked by the time LeakedSource.com published its analysis of the data set on November 14, 2016.

9. MySpace

Date: 2013
Impact: 360 million user accounts

Though it had long stopped being the powerhouse that it once was, social media site MySpace hit the headlines in 2016 after 360 million user accounts were leaked onto both LeakedSource.com and put up for sale on dark web market The Real Deal with an asking price of six bitcoin (around $3,000 at the time).

According to the company, lost data included email addresses, passwords and usernames for "a portion of accounts that were created prior to June 11, 2013, on the old Myspace platform. In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013, on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions."

It's believed that the passwords were stored as SHA-1 hashes of the first 10 characters of the password converted to lowercase.
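The storage schemes mentioned across this list (unsalted SHA-1 at LinkedIn and Adult Friend Finder, SHA-1 over a lowercased 10-character prefix at MySpace, salted PBKDF2 at Dubsmash) differ in how much they help an attacker who gets hold of the database. The example below is added here and is not code from the article or from any of the companies named; the legacy functions are reconstructions based only on the article's descriptions, and the iteration count is an assumption. It shows how the MySpace-style normalisation collapses distinct passwords into one hash and shrinks the effective keyspace, how a salted PBKDF2-HMAC-SHA256 hash avoids both problems, and how a login path can migrate an account off a legacy hash the next time the user authenticates.

```python
import hashlib
import hmac
import math
import os
from typing import Optional, Tuple

# Reconstruction of the MySpace-style scheme described in the article:
# unsalted SHA-1 over the lowercased first 10 characters of the password.
def legacy_myspace_hash(password: str) -> str:
    normalised = password[:10].lower()
    return hashlib.sha1(normalised.encode("utf-8")).hexdigest()

# Reconstruction of the plain unsalted SHA-1 scheme (LinkedIn 2012 style).
def legacy_sha1_hash(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# Bits of keyspace an attacker must cover: length * log2(alphabet size).
# Used below to compare a full password against its truncated, lowercased form.
def keyspace_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

# Assumption: work factor chosen for this example, not a value from the article.
PBKDF2_ITERATIONS = 600_000

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256, stored as a self-describing record so the
    scheme, work factor and salt can be recovered at verification time."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification timing does not leak the digest.
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))

def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Check a login against whatever record is stored. If the record is a
    legacy hash (tagged 'sha1trunc10$' or 'sha1$') and the password matches,
    return a fresh PBKDF2 record for the caller to write back, so accounts
    migrate off the weak scheme as users log in."""
    if stored.startswith("pbkdf2_sha256$"):
        return pbkdf2_verify(password, stored), stored
    tag, _, digest = stored.partition("$")
    legacy = {"sha1trunc10": legacy_myspace_hash, "sha1": legacy_sha1_hash}.get(tag)
    if legacy is not None and hmac.compare_digest(legacy(password), digest):
        return True, pbkdf2_hash(password)
    return False, stored

if __name__ == "__main__":
    # Constructed sample passwords: they differ, yet share the first 10 characters
    # once lowercased, so the legacy scheme stores the same digest for both.
    a, b = "Password123!", "password123456"
    print("legacy collision:", legacy_myspace_hash(a) == legacy_myspace_hash(b))
    # Keyspace the attacker must search: 12 printable-ASCII characters versus
    # 10 characters drawn from 26 lowercase letters plus 10 digits.
    print("full password bits:", round(keyspace_bits(95, 12), 1))
    print("truncated/lowercased bits:", round(keyspace_bits(36, 10), 1))
    # Migration on login: legacy record in, PBKDF2 record out.
    ok, new_record = verify_and_upgrade(a, "sha1trunc10$" + legacy_myspace_hash(a))
    print("login ok:", ok, "upgraded:", new_record.startswith("pbkdf2_sha256$"))
```

The migration path matters for breaches like LinkedIn's and MySpace's, where hashes of long-dormant accounts were still in the old format years after the scheme was retired: forcing a reset only reaches users who return, whereas rehashing on login plus invalidating anything still tagged legacy after a cutoff leaves no unsalted digests in the table.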

10. NetEase

Date: October 2015
Impact: 235 million user accounts

NetEase, a provider of mailbox services through the likes of 163.com and 126.com, reportedly suffered a breach in October 2015 when email addresses and plaintext passwords relating to 235 million accounts were being sold by dark web marketplace vendor DoubleFlag. NetEase has maintained that no data breach occurred and to this day HIBP states: "Whilst there is evidence that the data itself is legitimate (multiple HIBP subscribers confirmed a password they use is in the data), due to the difficulty of emphatically verifying the Chinese breach it has been flagged as "unverified."

11. Court Ventures (Experian)

Date: October 2013
Impact: 200 million personal records

Experian subsidiary Court Ventures fell victim in 2013 when a Vietnamese man tricked it into giving him access to a database containing 200 million personal records by posing as a private investigator from Singapore. The details of Hieu Minh Ngo's exploits only came to light following his arrest for selling personal information of US residents (including credit card numbers and Social Security numbers) to cybercriminals across the world, something he had been doing since 2007. In March 2014, he pleaded guilty to multiple charges including identity fraud in the US District Court for the District of New Hampshire. The DoJ stated at the time that Ngo had made a total of $2 million from selling personal data.

12. LinkedIn

Date: June 2012
Impact: 165 million users

With its second appearance on this list is LinkedIn, this time in reference to a breach it suffered in 2012 when it announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been stolen by attackers and posted onto a Russian hacker forum. However, it wasn't until 2016 that the full extent of the incident was revealed. The same hacker selling MySpace's data was found to be offering the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoins (around $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach, and said it had reset the passwords of affected accounts.

13. Dubsmash

Date: December 2018
Impact: 162 million user accounts

In December 2018, New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen, all of which was then put up for sale on the Dream Market dark web marketplace the following December. The information was being sold as part of a collected dump also including the likes of MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating app CoffeeMeetsBagel.

Dubsmash acknowledged the breach and sale of information had occurred and provided advice around password changing. However, it failed to state how the attackers got in or confirm how many users were affected.

14. Adobe

Date: October 2013
Impact: 153 million user records

In early October 2013, Adobe reported that hackers had stolen almost three million encrypted customer credit card records and login data for an undetermined number of user accounts. Days later, Adobe increased that estimate to include IDs and encrypted passwords for 38 million "active users." Security blogger Brian Krebs then reported that a file posted just days earlier "appears to include more than 150 million username and hashed password pairs taken from Adobe." Weeks of research showed that the hack had also exposed customer names, passwords, and debit and credit card information. An agreement in August 2015 called for Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported to be $1 million.

15. My Fitness Pal

Date: February 2018
Impact: 150 million user accounts

In February 2018, diet and exercise app MyFitnessPal (owned by Under Armour) exposed around 150 million unique email addresses, IP addresses and login credentials such as usernames and passwords stored as SHA-1 and bcrypt hashes. The following year, the data appeared for sale on the dark web and more broadly. The company acknowledged the breach and said it took action to notify users of the incident. "Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities," it stated.

Copyright © 2021 IDG Communications, Inc.