The 20 Biggest Data Breach Cases Revealed

Data breaches represent one of the biggest threats businesses face today.

It’s not enough to secure your own infrastructure.

Hackers can exploit your vendors and partners to gain access to your data as well.

From exploiting vulnerabilities to leveraging stolen credentials, cybercriminals steal data for financial gain, identity theft, and fraud.

Below is a list of the top 20 breaches in recent history.

1. Yahoo

Date: August 2013
Impact: 3 billion records

In October 2017, Yahoo (now part of Oath Inc.) revealed the true scope of its 2013 data breach.

Every single Yahoo account that existed at the time (which was 3 billion in total) had been compromised.

As of today, this is the largest data breach in history.

This disclosure came as a dramatic update to their initial 2016 announcement that had estimated only 1 billion accounts were affected.

The breach compromised user account information, including names, email addresses, telephone numbers, dates of birth, hashed passwords (MD5), and security questions and answers, both encrypted and unencrypted.

The breach was initially attributed to a “state-sponsored actor.”

Ultimately, the Department of Justice charged two Russian FSB officers and two other hackers with the incident.

The delayed discovery and disclosure of the breach’s true magnitude severely damaged Yahoo’s reputation and complicated its acquisition by Verizon.

The breach was discovered during Verizon’s acquisition talks with Yahoo.

This led to a $350 million reduction in the sale price and fundamentally altered the terms of the deal.

The incident also resulted in a $50 million settlement fund for affected users, free credit monitoring services, and significant changes to Yahoo’s security infrastructure.

2. National Public Data

Date: December 2023
Impact: 2.9 billion records

In December 2023, National Public Data experienced a data breach that exposed approximately 2.9 million records.

Jerico Pictures, doing business as National Public Data, was a Florida-based data broker company that performed employee background checks.

The breach involved a massive database containing personal information, including names, addresses, phone numbers, email addresses, Social Security numbers, and other personally identifiable information.

The stolen database contained records for people in the US, UK, and Canada.

In April 2024, the stolen data was initially put up for sale by a member of the cybercriminal group “USDoD” for $3.5 million USD.

Then in August 2024, a different member of the USDoD group shared the data for free on the same hacker forum.

National Public Data eventually filed for bankruptcy as its parent company, Jerico Pictures, faced a large number of lawsuits demanding it pay damages. 

3. Aadhaar

Date: January 2018
Impact: 1.1 billion records

In what became one of the largest government ID database breaches in history, India’s Aadhaar system was breached.

The breach exposed sensitive personal information for over 1.1 billion Indian residents.

The leaked data included names, addresses, phone numbers, email addresses, and photographs.

At the time, despite the leaked data, Indian officials claimed that the core biometric data remained secure.

Tribune News Service reported that unauthorized access to the Aadhaar database was being sold through WhatsApp groups for as little as 500 rupees (approximately $8 USD at the time).

The Unique Identification Authority of India (UIDAI) initially denied any breach had occurred.

They later acknowledged the breach and implemented additional security defenses.

These included mandatory facial authentication and virtual ID numbers for added protection.

4. Alibaba

Date: November 2019
Impact: 1.1 billion records

In November 2019, a developer working on behalf of a Chinese marketing company scraped around 1.1 billion pieces of user information from Alibaba’s Taobao platform.

This unauthorized scraping continued for eight months, from November 2019 to July 2020, before Alibaba detected the activity.

The data collection included user IDs, mobile phone numbers, and customer comments and ratings.

The incident was publicized in June 2021.

Court documents revealed that the developer was charged with collecting the data without Alibaba’s permission.

Both the developer and his employer were convicted.

They received three-year prison sentences and were fined 450,000 Yuan (approximately $70,260 USD).

5. LinkedIn

Date: June 2021
Impact: 700 million users

In June 2021, LinkedIn experienced another significant breach when a hacker exposed the personal data of approximately 700 million users.

In other words, the breach affected about 92% of LinkedIn’s total user base at the time.

The threat actor posted a sample of 1 million LinkedIn records on a dark web forum, offering to sell the complete dataset.

The exposed information included email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn username and profile URLs, personal and professional experience/background, and other social media accounts and usernames.

The threat actor exploited LinkedIn’s API (Application Programming Interface) through a technique called data scraping.

Having said that, LinkedIn maintained that no private member account data was compromised, as the leaked information was scraped from publicly visible profile data.

On the other hand, having a consolidated dataset was extremely useful to cybercriminals in social engineering attacks, targeted phishing campaigns, and identity theft.

6. Sina Weibo

Date: March 2020
Impact: 538 million users

In March 2020, Sina Weibo suffered a massive data breach that exposed the personal information of 538 million users.

The hacker advertised the database for sale on the dark web for merely 1,799 Chinese Yuan (approximately $250 USD).

The exposed data included real names, usernames, gender, location, and phone numbers for 172 million users.

Passwords were not included in the breach.

This probably explains why the data was for sale for only ¥1,799 (approximately $250 USD).

Having said that, the phone numbers could be used for account takeover attempts through SMS verification.

7. Facebook/Meta

Date: April 2019
Impact: 533 million users

In April 2019, Facebook (now Meta) suffered a major data breach that exposed the personal information of approximately 533 million users from 106 countries.

This was one of the largest social media data breaches in history.

The exposed data included phone numbers, Facebook IDs, full names, locations, birthdates, email addresses, and detailed biographical information.

The breach gained renewed attention in 2021 when the complete dataset was posted for free on a hacking forum.

Obviously, this dramatically increased its potential for misuse in social engineering attacks, identity theft, and SMS-based scams.

The data was obtained through a vulnerability in Facebook’s contact sync feature.

This issue allowed attackers to scrape the platform’s databases by exploiting the phone number lookup feature.

8. Marriott/Starwood

Date: November 2018
Impact: 500 million guests

In November 2018, Marriott International disclosed a massive data breach affecting approximately 500 million guests of its Starwood hotels division.

This was the largest breach in the hospitality industry.

The breach began in 2014 in Starwood’s reservation system.

This was long before Marriott’s acquisition of the company in 2016.

The incident remained undetected until September 2018.

The hackers gained access to highly sensitive information, including passport numbers, travel details, and credit card numbers.

Of particular concern were approximately 5.25 million unencrypted passport numbers and 8.6 million encrypted credit card credentials that were exposed.

What made this breach especially significant was its duration and the sophisticated nature of the attack.

The attack was later attributed to Chinese state-sponsored hackers by Western intelligence agencies.

The breach resulted in multiple class-action lawsuits, a £18.4 million fine from the UK’s Information Commissioner’s Office, and forced Marriott to cover the costs of new passports for affected customers who could prove fraud.

The company ultimately spent over $100 million on breach-related costs.

9. Yahoo

Date: 2014
Impact: 500 million accounts

In September 2016, Yahoo disclosed a massive data breach that affected approximately 500 million user accounts.

At the time, this was the largest cybersecurity breach ever reported.

According to the U.S. Justice Department, a Russian national named Alexey Belan copied a backup of Yahoo’s user account database.

The database included names, email addresses, telephone numbers, dates of birth, hashed passwords (using MD5), and, in some cases, encrypted or unencrypted security questions and answers.

The majority of the passwords were hashed using bcrypt, which is difficult to crack.

However, a small portion of the passwords used MD5, which is easy to crack.

The attacker, along with several other hackers, used the leaked data to search emails for gift voucher codes.

They also exploited the data to improve the search ranking of certain businesses in which they had interests.

Finally, they leveraged the data as part of a credential-stuffing attack to gain access to accounts on other platforms, like Gmail.

10. Adult Friend Finder

Date: November 2016
Impact: 412 million accounts

In November 2016, Adult Friend Finder suffered a massive data breach that exposed 412 million accounts dating back 20 years.

The breach affected multiple Friend Finder Network properties, including Adult Friend Finder, Cams.com, Penthouse.com, Stripshow.com, and iCams.com.

The exposed information included usernames, passwords (stored in either plaintext or using SHA1), email addresses, dates of last visits, browser information, IP addresses, and even membership status.

The leaked information exposed users’ sexual preferences and sensitive personal details.

Obviously, this kind of data could be exploited in many ways, such as blackmail.

A month before the breach, a security researcher published a local file inclusion vulnerability on the website.

This may have been used to carry out this attack.

To make matters worse, the company retained information from 15 million deleted accounts, which were disclosed in this breach as well.

This incident came just over a year after Adult Friend Finder’s previous breach in 2015, which exposed 3.5 million accounts.

11. MySpace

Date: May 2016
Impact: 360 million accounts

In May 2016, MySpace confirmed a data breach that exposed approximately 360 million user accounts.

The stolen data was then offered for sale on the dark web by a hacker known as “Peace_of_mind.”

The breach actually occurred in June 2013 but wasn’t discovered until 2016.

The exposed data included usernames, email addresses, and passwords that were stored using the weak SHA1 hashing algorithm.

This made the passwords relatively easy to crack despite being hashed.

Although MySpace was well past its peak popularity by 2013, the breach affected accounts created during the platform’s heyday.

Many users had long since abandoned their MySpace accounts but had reused the same passwords on other services.

Attackers were able to exploit this via credential-stuffing attacks to gain access to victims’ accounts on other platforms.

12. Exactis

Date: June 2018
Impact: 340 million records

In June 2018, Exactis, a Florida-based marketing and data aggregation firm, suffered a data breach that exposed approximately 340 million individual records.

Security researcher Vinny Troia discovered a 2-terabyte database containing detailed information about American adults and businesses that was left exposed on a publicly accessible server.

The breach was particularly extensive.

It contained up to 400 different data points on each individual.

Data points included phone numbers, home addresses, email addresses, interests, habits, and even the number, age, and gender of their children.

Unlike many other large-scale breaches that exposed basic contact information, this incident revealed highly detailed personal characteristics and behaviors that could be used for social engineering attacks or identity theft.

The incident led to multiple class action lawsuits and contributed to broader discussions about data broker regulation and the need for stronger protections around personal data collection and storage.

Exactis eventually filed for bankruptcy in 2019.

This is a classic example of how a major data breach can prove fatal for companies whose primary business revolves around data management.

13. Twitter

Date: January 2023
Impact: 235 million users

In January 2023, a data breach exposed the personal information of approximately 235 million Twitter users.

The stolen data was released as a 59 GB rar archive and was initially for sale for $30,000 USD.

A month later, it was published for free on BreachForums.

The leaked data included email addresses, names, usernames, follower counts, and account creation dates.

Several high-profile accounts had their data leaked as part of this breach, including Donald Trump Jr, Mark Cuban, and Alexandria Ocasio-Cortez.

The breach was linked to a vulnerability in Twitter’s API that allowed attackers to match email addresses and phone numbers to Twitter accounts, even when users had hidden these fields in their privacy settings.

Several different hackers exploited the issue between June 2021 and January 2022.

The vulnerability resulted in multiple ransomware attempts and leaks in the latter half of 2022.

14. NetEase

Date: October 2015
Impact: 235 million accounts

In October 2015, NetEase, one of China’s largest internet technology companies, experienced a data breach.

The breach exposed approximately 235 million user accounts from its email services 163.com and 126.com.

The leaked data included email addresses, usernames, and plaintext or weakly hashed passwords.

The severity of the breach was compounded by the fact that NetEase’s email service was one of the largest email providers in China, serving both individual users and businesses.

What made this breach particularly bad was that many of the exposed passwords were either stored in plaintext or protected using a weak hashing algorithm, making them very easy to crack.

The breach had far-reaching implications because NetEase email accounts were often linked to other services in China’s digital ecosystem, including gaming accounts, online payments, and other web services.

This allowed attackers to leverage credential-stuffing attacks to gain unauthorized access across multiple applications.

15. Court Ventures/Experian

Date: October 2013
Impact: 200 million records

In October 2013, a data breach occurred involving Court Ventures, a company that Experian had recently acquired.

The breach exposed approximately 200 million personal records.

The breach occurred when a Vietnamese national, Hieu Minh Ngo, posed as a private investigator to gain access to Court Ventures’ database of consumer information.

Through a monthly subscription, Ngo was able to access sensitive personal data, including names, addresses, Social Security numbers, and bank account information.

Ngo then sold the data to identity thieves.

For nearly 18 months, Ngo continued to have access to the database even after Experian acquired Court Ventures.

He ultimately sold the personal information of millions of Americans to more than 1,300 customers through his fraudulent identity theft service.

Due to the way Ngo was able to leverage commercial data broker services, the breach led to congressional inquiries and multiple class-action lawsuits.

Ngo was eventually arrested in 2013 when he was lured to Guam by U.S. Secret Service agents, and later sentenced to 13 years in prison.

16. LinkedIn

Date: June 2021
Impact: 165 million users

In June 2012, LinkedIn suffered a data breach when approximately 6.5 million encrypted password hashes were posted on a Russian hacking forum.

The breach was discovered when a user known as “Peace_of_mind” (the same hacker who later sold the MySpace data) put up a database of 165 million LinkedIn users for sale for five bitcoins (the equivalent of around $2000 USD at the time).

The exposed data included LinkedIn members’ password hashes, which were stored as unsalted SHA-1 hashes.

This made it very easy to recover the plaintext passwords from the hashes.

Even by 2012 standards, SHA-1 was not considered a secure hashing algorithm.
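
An added example (not from the original article) of why the unsalted SHA-1 storage described above is weak and how a site can migrate away from it: identical passwords produce identical stored values, while per-user salted scrypt does not. The function names, the scrypt parameters and the sample accounts are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Optional

# Constructed sample accounts for illustration; not data from any breach.
SAMPLE_USERS = [
    ("alice", "Summer2012!"),
    ("bob", "Summer2012!"),
    ("carol", "correct horse battery"),
    ("dave", "Summer2012!"),
]


def unsalted_sha1(password: str) -> str:
    """Legacy scheme: a single fast SHA-1 pass with no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_scrypt(password: str, salt: Optional[bytes] = None) -> str:
    """Replacement scheme (assumed parameters): random per-user salt + scrypt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_scrypt(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 3 or parts[0] != "scrypt":
        return False
    return hmac.compare_digest(salted_scrypt(password, bytes.fromhex(parts[1])), stored)


def accounts_sharing_a_hash(stored: dict) -> int:
    """Count accounts whose stored value equals another account's."""
    counts = Counter(stored.values())
    return sum(n for n in counts.values() if n > 1)


def audit(users):
    """Return (shared under unsalted SHA-1, shared under salted scrypt)."""
    legacy = {user: unsalted_sha1(pw) for user, pw in users}
    modern = {user: salted_scrypt(pw) for user, pw in users}
    return accounts_sharing_a_hash(legacy), accounts_sharing_a_hash(modern)


def login_and_upgrade(password: str, stored: str):
    """Verify a login; on success against a legacy record, return a scrypt record."""
    if stored.startswith("scrypt$"):
        return verify_scrypt(password, stored), stored
    ok = hmac.compare_digest(unsalted_sha1(password), stored)
    return ok, (salted_scrypt(password) if ok else stored)


if __name__ == "__main__":
    print(audit(SAMPLE_USERS))
```

The upgrade happens at login because that is the only moment the site holds the original password needed to compute the new salted value.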

The incident led to a class-action lawsuit against LinkedIn for failing to adequately protect user data.

The case was eventually settled for $1.25 million in 2015.

17. Dubsmash

Date: December 2018
Impact: 162 million users

In December 2018, the video sharing platform Dubsmash suffered a data breach that exposed approximately 162 million user accounts.

The breach wasn’t disclosed publicly until February 2019, when the stolen data appeared for sale on the dark web alongside data from several other major services.

The exposed data included usernames, email addresses, and passwords that were hashed using MD5.

MD5 hashes are not considered secure and can be easily cracked to recover the plaintext.

The stolen Dubsmash data was initially put up for sale on the dark web for around $1,000 in Bitcoin.

Later the breach became part of a larger collection of nearly 620 million accounts from 16 different websites, all being sold together.

From an attacker’s perspective, bundling multiple data breaches together increases the overall value of the data.

This makes the subsequent pack extremely useful in credential-stuffing attacks.

18. Adobe

Date: October 2013
Impact: 153 million users

In October 2013, Adobe disclosed a data breach that exposed approximately 153 million user records.

The stolen data included email addresses, encrypted passwords, password hints (stored in plaintext), and in some cases, customer names, credit card information, and other customer order details.

The breach was discovered when security researcher Brian Krebs found a 40 GB file containing source code as well as a 3.8 GB file titled “users.sql.tar.gz” containing users’ credentials.

The files were hosted on the same server used by the threat actors who hacked into LexisNexis, Dun & Bradstreet, and Kroll.

The incident resulted in a $1.1 million legal settlement and became a textbook example of poor cryptographic practices in enterprise systems.

19. Equifax

Date: September 2017
Impact: 147.9 million consumers

In September 2017, Equifax disclosed a data breach that exposed the sensitive personal information of approximately 147.9 million Americans.

In other words, this breach impacted roughly half of the U.S. population.

The breach occurred between May and July 2017 through an unpatched vulnerability in Apache Struts (CVE-2017-5638).

The exposed data included highly sensitive information such as Social Security numbers, birth dates, addresses, driver’s license numbers, and credit card numbers of approximately 209,000 consumers.

To make matters worse, the company did not do a good job post breach.

Equifax waited six weeks to disclose the breach after discovery, and then created a very suspicious-looking website for consumers to check if they were affected.

The original version included arbitration clauses that would waive consumers’ rights to sue when they checked if they were part of the breach.

They even accidentally directed consumers to a fake phishing site through one of their Tweets.

The incident forced several top executives, including the CEO, CIO, and CSO, to resign.

Equifax ultimately agreed to pay $700 million to settle federal and state investigations.

20. eBay

Date: May 2014
Impact: 145 million users

In May 2014, eBay disclosed a data breach that compromised approximately 145 million users’ personal information.

The breach occurred between late February and early March 2014.

The attackers gained initial access by compromising employee credentials.

They then maintained access to eBay’s corporate network for 229 days.

The exposed data included names, encrypted passwords, email addresses, physical addresses, phone numbers, and dates of birth.

Financial information was stored separately and reportedly not compromised.

The passwords were also hashed using bcrypt, which is difficult to crack.

Having said that, the breach still exposed a large amount of personal data that could be used for identity theft and social engineering attacks.

The incident resulted in investigations by multiple states’ attorneys general and data protection authorities in various countries.
