The 15 biggest data breaches of the 21st century

Data breaches affecting millions of users are far too common. Here are some of the biggest, highest-profile breaches in recent memory.


In today's data-driven world, data breaches can affect hundreds of millions or even billions of people at a time. Digital transformation has increased the volume of data in motion, and data breaches have scaled up with it as attackers exploit the data dependencies of daily life. How large the cyberattacks of the future might become remains speculation, but as this list of the biggest data breaches of the 21st century shows, they have already reached enormous magnitudes.

For transparency, this list has been ranked by the number of users impacted, records exposed, or accounts affected. We have also drawn a distinction between incidents where data was actively stolen or reposted maliciously and those where an organisation inadvertently left data unprotected and exposed but there is no significant evidence of misuse. The latter have deliberately not been included in the list.

So here it is: an up-to-date list of the 15 biggest data breaches in recent history, including details of those affected, who was responsible, and how the companies responded (as of July 2021).

1. Yahoo

Date: August 2013
Impact: 3 billion accounts

Securing the number one spot, almost seven years after the initial breach and four since the true number of records exposed was revealed, is the attack on Yahoo. The company first publicly announced the incident, which it said took place in 2013, in December 2016. At the time, it was in the process of being acquired by Verizon and estimated that account information of more than a billion of its customers had been accessed by a hacking group. Less than a year later, Yahoo announced that the actual figure of user accounts exposed was 3 billion. Yahoo stated that the revised estimate did not represent a new "security issue" and that it was sending emails to all the "additional affected user accounts."

Despite the attack, the deal with Verizon was completed, albeit at a reduced price. Verizon's CISO Chandra McMahon said at the time: "Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats. Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon's experience and resources." After investigation, it was discovered that, while the attackers accessed account information such as security questions and answers, plaintext passwords, payment card and bank data were not stolen.

2. Alibaba

Date: November 2019
Impact: 1.1 billion pieces of user data

Over an eight-month period, a developer working for an affiliate marketer scraped customer data, including usernames and mobile numbers, from Alibaba's Chinese shopping website, Taobao, using crawler software he had written. It appears the developer and his employer were collecting the information for their own use and did not sell it on the black market, although both were sentenced to three years in prison.

A Taobao spokesperson said in a statement: "Taobao devotes substantial resources to combat unauthorized scraping on our platform, as data privacy and security is of utmost importance. We have proactively discovered and addressed this unauthorized scraping. We will continue to work with law enforcement to defend and protect the interests of our users and partners."

3. LinkedIn

Date: June 2021
Impact: 700 million users

Professional networking giant LinkedIn saw data associated with 700 million of its users posted on a dark web forum in June 2021, affecting more than 90% of its user base. A hacker going by the moniker "God User" used data scraping techniques, exploiting the site's (and others') API, before dumping a first data set of around 500 million customers. They then followed up with a boast that they were selling the full 700 million customer database. LinkedIn argued that because no sensitive, private personal data was exposed, the incident was a violation of its terms of service rather than a data breach. However, a scraped data sample posted by God User contained email addresses, phone numbers, geolocation records, genders and other social media details, which would give malicious actors plenty of data to craft convincing follow-on social engineering attacks in the wake of the leak, as the UK's NCSC warned.

4. Sina Weibo

Date: March 2020
Impact: 538 million accounts

With over 600 million users, Sina Weibo is one of China's largest social media platforms. In March 2020, the company announced that an attacker had obtained part of its database, affecting 538 million Weibo users and their personal details including real names, site usernames, gender, location, and phone numbers. The attacker is reported to have then sold the database on the dark web for $250.

China's Ministry of Industry and Information Technology (MIIT) ordered Weibo to enhance its data security measures to better protect personal data and to notify users and authorities when data security incidents occur. In a statement, Sina Weibo argued that an attacker had gathered publicly posted information by using a service meant to help users locate the Weibo accounts of friends by inputting their phone numbers, and that no passwords were affected. However, it admitted that the exposed data could be used to associate accounts with passwords if passwords are reused on other accounts. The company said it had strengthened its security strategy and reported the details to the appropriate authority.
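The Weibo statement above describes the generic shape of a contact-discovery leak: an endpoint that answers "which of these phone numbers belong to accounts?" is, without limits, a bulk phone-to-account oracle, and the same mechanism underlies the LinkedIn and Facebook scraping entries in this list. The simulation below is an added example written for this page, not code from Weibo or any other platform; the directory, the +1555 number block, the batch cap and the budget figures are all constructed for illustration. It runs one enumeration loop against a naive lookup and against a hardened one that honours a per-user discoverability flag and a per-caller token-bucket budget.

```python
"""Phone-number-to-account enumeration through a "find friends" lookup endpoint.

Added example for this page; the directory, phone numbers and limits are constructed.
"""
import time
from dataclasses import dataclass


@dataclass
class User:
    phone: str
    username: str
    discoverable: bool = True   # user-controlled "let people find me by phone number" setting


# Constructed directory: every tenth number in the block +15550000..+15559999 is registered,
# and every third registered user has opted out of phone discovery.
DIRECTORY = {
    f"+1555{n:04d}": User(f"+1555{n:04d}", f"user{n}", discoverable=(n % 3 != 0))
    for n in range(0, 10_000, 10)
}


class NaiveLookup:
    """Answers for any registered number; no caller budget, no opt-out."""

    def __init__(self, directory):
        self.directory = directory

    def lookup(self, caller, phones):
        return {p: self.directory[p].username for p in phones if p in self.directory}


class TokenBucket:
    """Per-caller budget of `capacity` lookups, refilled at `rate` lookups per second."""

    def __init__(self, capacity, rate, clock=time.monotonic):
        self.capacity, self.rate, self.clock = capacity, rate, clock
        self.tokens = float(capacity)
        self.last = clock()

    def take(self, n):
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens < n:
            return False
        self.tokens -= n
        return True


class HardenedLookup:
    """Same API with three controls: a batch cap, a per-caller budget, and the opt-out flag."""
    MAX_BATCH = 100

    def __init__(self, directory, budget=500, refill_per_sec=0.0, clock=time.monotonic):
        self.directory = directory
        self.buckets = {}
        self.budget, self.refill, self.clock = budget, refill_per_sec, clock

    def lookup(self, caller, phones):
        if len(phones) > self.MAX_BATCH:
            raise ValueError(f"at most {self.MAX_BATCH} numbers per request")
        bucket = self.buckets.setdefault(
            caller, TokenBucket(self.budget, self.refill, self.clock))
        if not bucket.take(len(phones)):
            raise PermissionError("lookup budget exhausted")   # also the point to alert on
        matches = {}
        for p in phones:
            user = self.directory.get(p)
            if user is not None and user.discoverable:   # opted-out users are invisible
                matches[p] = user.username
        return matches


def enumerate_block(service, caller, prefix="+1555", size=10_000, batch=100):
    """Attacker loop: walk the whole number block in batches until the service refuses."""
    found = {}
    for start in range(0, size, batch):
        phones = [f"{prefix}{n:04d}" for n in range(start, start + batch)]
        try:
            found.update(service.lookup(caller, phones))
        except PermissionError:
            break
    return found


if __name__ == "__main__":
    print("naive:   ", len(enumerate_block(NaiveLookup(DIRECTORY), "scraper")), "accounts mapped")
    hardened = HardenedLookup(DIRECTORY, budget=500)
    print("hardened:", len(enumerate_block(hardened, "scraper")), "accounts mapped")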

5. Facebook

Date: April 2019
Impact: 533 million users

In April 2019, it was revealed that two datasets from Facebook apps had been exposed to the public internet. The information related to more than 530 million Facebook users and included phone numbers, account names, and Facebook IDs. However, two years later (April 2021) the data was posted for free, indicating new and real criminal intent surrounding the data. In fact, given the sheer number of phone numbers affected and readily available on the dark web as a result of the incident, security researcher Troy Hunt added functionality to his HaveIBeenPwned (HIBP) breached-credential checking site that allows users to verify whether their phone numbers were included in the exposed dataset.

"I'd never planned to make phone numbers searchable," Hunt wrote in a blog post. "My position on this was that it didn't make sense for a bunch of reasons. The Facebook data changed all that. There's over 500 million phone numbers but only a few million email addresses so >99% of people were getting a miss when they should have gotten a hit."

6. Marriott International (Starwood)

Date: September 2018
Impact: 500 million customers

Hotel chain Marriott International announced the exposure of sensitive details belonging to half a billion Starwood guests following an attack on its systems in September 2018. In a statement published in November the same year, the hotel giant said: "On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred."

Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. "Marriott recently discovered that an unauthorized party had copied and encrypted information and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database," the statement added.

The data copied included guests' names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some, the information also included payment card numbers and expiration dates, though these were apparently encrypted.

Marriott carried out an investigation assisted by security experts following the breach and announced plans to phase out Starwood systems and accelerate security enhancements to its network. The company was eventually fined £18.4 million (reduced from £99 million) by UK data governing body the Information Commissioner's Office (ICO) in 2020 for failing to keep customers' personal data secure. An article by the New York Times attributed the attack to a Chinese intelligence group seeking to gather data on US citizens.

7. Yahoo

Date: 2014
Impact: 500 million accounts

Making its second appearance on this list is Yahoo, which suffered an attack in 2014 separate from the one in 2013 cited above. On this occasion, state-sponsored actors stole data from 500 million accounts including names, email addresses, phone numbers, hashed passwords, and dates of birth. The company took initial remedial steps back in 2014, but it wasn't until 2016 that Yahoo went public with the details after a stolen database went on sale on the black market.

8. Adult Friend Finder

Date: October 2016
Impact: 412.2 million accounts

The adult-oriented social networking service the FriendFinder Network had 20 years' worth of user data across six databases stolen by cyber-thieves in October 2016. Given the sensitive nature of the services offered by the company, which include casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, and Stripshow.com, the breach of data from more than 412 million accounts including names, email addresses, and passwords had the potential to be particularly damaging for victims. What's more, the vast majority of the exposed passwords were hashed with SHA-1, a fast general-purpose hash with no work factor that is notoriously unsuitable for password storage, and an estimated 99% of them had been cracked by the time LeakedSource.com published its analysis of the data set on November 14, 2016.

9. MySpace

Date: 2013
Impact: 360 million user accounts

Though it had long stopped being the powerhouse that it once was, social media site MySpace hit the headlines in 2016 after 360 million user accounts were leaked onto both LeakedSource.com and put up for sale on dark web market The Real Deal with an asking price of 6 bitcoin (around $3,000 at the time).

According to the company, lost data included email addresses, passwords and usernames for "a portion of accounts that were created prior to June 11, 2013, on the old Myspace platform. In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013, on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions."

It's believed that the passwords were stored as SHA-1 hashes of the first 10 characters of the password converted to lowercase, so case and anything beyond the tenth character contributed nothing to the stored hash and the space an attacker had to guess was far smaller than the users' actual passwords suggest.

10. NetEase

Date: October 2015
Impact: 235 million user accounts

NetEase, a provider of mailbox services through the likes of 163.com and 126.com, reportedly suffered a breach in October 2015 when email addresses and plaintext passwords relating to 235 million accounts were being sold by dark web marketplace vendor DoubleFlag. NetEase has maintained that no data breach occurred, and to this day HIBP states: "Whilst there is evidence that the data itself is legitimate (multiple HIBP subscribers confirmed a password they use is in the data), due to the difficulty of emphatically verifying the Chinese breach it has been flagged as 'unverified'."

11. Court Ventures (Experian)

Date: October 2013
Impact: 200 million personal records

Experian subsidiary Court Ventures fell victim in 2013 when a Vietnamese man tricked it into giving him access to a database containing 200 million personal records by posing as a private investigator from Singapore. The details of Hieu Minh Ngo's exploits only came to light following his arrest for selling personal information of US residents (including credit card numbers and Social Security numbers) to cybercriminals across the world, something he had been doing since 2007. In March 2014, he pleaded guilty to multiple charges including identity fraud in the US District Court for the District of New Hampshire. The DoJ stated at the time that Ngo had made a total of $2 million from selling personal data.

12. LinkedIn

Date: June 2012
Impact: 165 million users

Making its second appearance on this list is LinkedIn, this time in reference to a breach it suffered in 2012, when it announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been stolen by attackers and posted on a Russian hacker forum. However, it wasn't until 2016 that the full extent of the incident was revealed. The same hacker selling MySpace's data was found to be offering the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoin (around $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach and said it had reset the passwords of affected accounts.
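Entries 8, 9 and 12 all turn on the same weakness: passwords stored as unsalted SHA-1, a fast general-purpose hash, so a dictionary only needs to be hashed once to be matched against every account in the dump, and MySpace's lowercase/10-character truncation shrinks the candidate space further. The script below is an added example written for this page, not code from LinkedIn, MySpace, FriendFinder or any other company named here; the wordlist and the "leaked" records are constructed, and the PBKDF2 parameters are illustrative. It contrasts the shared-table attack against unsalted SHA-1 (with and without the MySpace-style normalisation) with the per-user cost of running the same dictionary against salted, iterated PBKDF2, counting hash computations in each case.

```python
"""Offline dictionary attack on unsalted SHA-1 password hashes versus a salted, iterated KDF.

Added example for this page; the wordlist and the "leaked" records below are constructed.
"""
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "linkedin", "letmein2013", "sunshine", "qwerty", "iloveyou"]


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def myspace_normalize(password: str) -> str:
    """The pre-hash transform the article attributes to MySpace: lowercase, first 10 chars.
    Case and everything after position 10 contribute nothing to the hash."""
    return password.lower()[:10]


def crack_unsalted(leaked: dict, wordlist, normalize=lambda p: p):
    """Lookup-table attack against unsalted fast hashes.

    `leaked` maps username -> hex SHA-1. Each candidate is hashed exactly once and the table
    is matched against every user, so the work is len(wordlist), not len(wordlist) * users.
    Returns (cracked, hashes_computed)."""
    table, work = {}, 0
    for word in wordlist:
        table[sha1_hex(normalize(word))] = word
        work += 1
    cracked = {user: table[h] for user, h in leaked.items() if h in table}
    return cracked, work


def pbkdf2_record(password: str, iterations: int = 50_000) -> tuple:
    """Salted, iterated storage (PBKDF2-HMAC-SHA256); illustrative parameters. Returns (salt, digest)."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def crack_salted(records: dict, wordlist, iterations: int = 50_000):
    """Same dictionary against salted PBKDF2 records: the per-user salt rules out a shared
    table, and every guess costs `iterations` HMAC rounds. Returns (cracked, kdf_runs)."""
    cracked, work = {}, 0
    for user, (salt, digest) in records.items():
        for word in wordlist:
            work += 1
            guess = hashlib.pbkdf2_hmac("sha256", word.encode("utf-8"), salt, iterations)
            if hmac.compare_digest(guess, digest):
                cracked[user] = word
                break
    return cracked, work


# Constructed "leaks": what an attacker holds once a dump is posted.
LINKEDIN_STYLE = {                                          # unsalted SHA-1 of the password as typed
    "alice": sha1_hex("password"),
    "bob": sha1_hex("linkedin"),
    "carol": sha1_hex("correct-horse-battery-staple"),      # not in the wordlist, survives
}
MYSPACE_STYLE = {                                           # SHA-1 of lowercase(first 10 chars)
    "dave": sha1_hex(myspace_normalize("PassWord")),        # case stripped, hashes as "password"
    "erin": sha1_hex(myspace_normalize("LetMeIn2013!!!")),  # truncated, hashes as "letmein201"
}


if __name__ == "__main__":
    hits, work = crack_unsalted(LINKEDIN_STYLE, WORDLIST)
    print(f"unsalted SHA-1:   cracked {hits} with {work} SHA-1 computations")
    hits, work = crack_unsalted(MYSPACE_STYLE, WORDLIST, normalize=myspace_normalize)
    print(f"MySpace-style:    cracked {hits} with {work} SHA-1 computations")
    salted = {u: pbkdf2_record(p) for u, p in {"alice": "password", "bob": "linkedin"}.items()}
    hits, work = crack_salted(salted, WORDLIST)
    print(f"salted PBKDF2:    cracked {hits} with {work} PBKDF2 runs of 50,000 rounds each")
```

Note that the MySpace-style crack for "erin" recovers "letmein2013", not the user's real password: any string sharing the same first ten lowercase characters produces the same stored hash, which is exactly why the truncation helps the attacker.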

13. Dubsmash

Date: December 2018
Impact: 162 million user accounts

In December 2018, New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen, all of which was then put up for sale on the Dream Market dark web marketplace in early 2019. The information was being sold as part of a collected dump also including the likes of MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating app CoffeeMeetsBagel.

Dubsmash acknowledged the breach and sale of information had occurred and provided advice around changing passwords. However, it failed to state how the attackers got in or confirm how many users were affected.

14. Adobe

Date: October 2013
Impact: 153 million user records

In early October 2013, Adobe reported that hackers had stolen almost three million encrypted customer credit card records and login data for an undetermined number of user accounts. Days later, Adobe increased that estimate to include IDs and encrypted passwords for 38 million "active users." Security blogger Brian Krebs then reported that a file posted just days earlier "appears to include more than 150 million username and hashed password pairs taken from Adobe." Weeks of research showed that the hack had also exposed customer names, passwords, and debit and credit card information. An agreement in August 2015 called for Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported to be $1 million.

15. My Fitness Pal

Date: February 2018
Impact: 150 million user accounts

In February 2018, diet and exercise app MyFitnessPal (owned by Under Armour) exposed around 150 million unique email addresses, IP addresses and login credentials such as usernames and passwords stored as SHA-1 and bcrypt hashes. The following year, the data appeared for sale on the dark web and more broadly. The company acknowledged the breach and said it had taken action to notify users of the incident. "Once we became aware, we quickly took steps to determine the nature and scope of the issue. We are working with leading data security firms to assist in our investigation. We have also notified and are coordinating with law enforcement authorities," it stated.

Copyright © 2021 IDG Communications, Inc.