Biggest data breaches in history

Published on June 16, 2017 in Information Security

[Figure: Number of data breaches by year]
With a history of more than 5,000 data breaches over the last 12 years, it’s a safe bet that any electronic information relating to you is either at risk or has already been compromised at least once. As James Comey, the former director of the FBI, puts it, “there are two kinds of companies. Those that have been hacked and those that don’t know yet that they’ve been hacked.”

The need for online privacy and anonymity grows with every breach that occurs, and there does not appear to be any end in sight. Every corporation is gathering intel on their customers, clients and random people. Large corporations invest billions of dollars every year on data gathering systems, database technologies to store it all, expensive servers with massive amounts of storage, and data analysts to make sense of it.

It’s not just a game for businesses. Intelligence agencies the world over gather and try to make sense of information as their primary agenda. The unfortunate irony here is that nobody seems overly concerned with keeping that information safe and out of the hands of others once they have it.

The list below shows an annual breakdown of the largest of these data breaches, with a minimum of 10 million records at risk of being exposed to unauthorized persons.

The data breaches by year

2017

17 breaches reported so far in 2017, with five of them making the list.

  • Dailymotion: The email addresses and usernames of approximately 85.2 million users of one of the most popular video sharing sites on the internet were hacked early in 2017. About one fifth of those accounts also had their hashed passwords copied, but the passwords were encrypted with fairly strong encryption making them difficult to crack or guess.
  • River City Media: A massive database of over 1.37 billion email addresses was exposed due to an improperly configured backup. Some of those records also contain extra details like names, real world addresses and IP addresses. The leak also exposed River City Media’s entire operation including details like business plans, Hipchat logs, accounts and more. River City Media is one of the largest providers of spam in the world, according to the news report.
  • Interpark: South Korea is accusing North Korea of stealing the data of 10 million customers of the online mall, Interpark, in an attempt to obtain foreign currency.
  • Telegram: Iranian hackers are accused of breaking into an ultra secure instant messaging service by compromising a dozen accounts. The hack exposed 15 million users’ phone numbers to the hackers. This will allow the hackers to add new devices to users’ accounts and give those new devices access to chat histories as well as new messages.
  • Deep Root Analytics: A database containing political information on over 198 million US voters was discovered on an Amazon cloud storage system without any form of password protection. The Republican National Committee hired Deep Root Analytics to compile and analyze the data consisting of names, dates of birth, home addresses, phone numbers and voter registrations. Deep Root Analytics has since taken full responsibility for the breach and implemented security measures to protect the data.
  • Equifax: 143 million records including social security numbers, credit card numbers, driver’s license numbers, and names breached at one of the three major US credit reporting agencies.
  • Spambot: More than 700 million email addresses and some passwords leaked publicly due to a misconfigured spambot.
  • Zomato: A hacker on the DarkNet is selling a database that includes emails and password hashes of 17 million registered Zomato users.

2016

399 data breaches and counting were reported with 14 of them, so far, hitting above the 10 million mark.

  • Yahoo: More than 1 billion accounts were compromised in 2013 but not made public until 2016, most likely unrelated to the 500 million records stolen in 2014. Yahoo blamed the largest breach in history on hackers working on behalf of a government. The intruders used forged cookies to access user accounts without their passwords.
  • Foursquare: More than 22.5 million records were apparently taken from publicly available sources containing Foursquare usernames, email addresses, and Twitter and Facebook IDs.
  • Weebly: 43.4 million records were stolen, but how this theft was committed is not yet known. It is known that the compromised data contains email addresses, usernames, passwords, and logged IP addresses of users’ computers.
  • Yahoo! (again): The big one of 2016, with 500 million records stolen, actually occurred in 2014, but was not announced or acknowledged by Yahoo until two years after the fact. It is not yet known what information was stolen. It could be just usernames, or it could be entire profiles. Only time will tell. All that is certain is that the database that was accessed contained records of over 500 million of Yahoo’s users.
  • Twitter: 32 million login credentials, including plain text passwords, are for sale online. The data appears to have been stolen directly from users rather than from a hack of Twitter’s servers.
  • MySpace: Over 360 million usernames and passwords were stolen from MySpace. The passwords were stored as “unsalted SHA-1 hashes” and were broken using a cracking server capable of running millions of SHA-1 calculations per second.
  • Friend Finder network: Over 412 million accounts representing 20 years of user data including email addresses, passwords, usernames, the database outline, sites in the network visited by users, site registration data and much more.
  • Securus Technologies: 70 million prisoner phone calls were recorded and leaked by an unidentified hacker via SecureDrop. The fact that a portion of these calls were between inmates and their attorneys proves a massive breach of client-attorney privilege.
  • Kromtech: Sensitive account details of 13 million users of MacKeeper, Zoebit and Kromtech were accessible via a database that was publicly searchable and discovered by an independent security researcher. The database server along with three others has now been secured and is no longer publicly available.
  • VTech: The records of 11.6 million children and their parents have been leaked due to a serious lack of security on the part of VTech. The records include home addresses, names of the parents and children, a picture of the child used as their online avatar, weakly encrypted passwords, plaintext secret questions and answers, email addresses, and just about anything needed to find any of these kids.
  • Mossack Fonseca: This Panamanian law firm specializes in setting up anonymous offshore companies. The leak is of 11.5 million encrypted documents like emails, PDF files, photos, and excerpts from an internal database. The main purpose of this collection appears to be hiding the true owners of several of the offshore companies sold by Mossack Fonseca. Given that a lot of the information stored in these files includes evidence of illegal activities, the wish for anonymity is rather obvious.
  • Turkish citizenship database: A database was discovered online containing 49.6 million entries–the entire Turkish citizenry–with names, national IDs, parents’ names, gender, city of birth, date of birth, ID registration city and district, and their full address.
  • Philippines’ Commission on Elections: A database containing every registered voter in the Philippines, some 55 million people, was leaked online. The leak came on the heels of a defacement of the Philippines’ Commission on Elections website.
  • Uber: 57 million customers’ and drivers’ names, e-mail addresses, and phone numbers were hacked in 2016. Uber then tried to cover up the breach by paying off the hackers who “promised” to delete the data. News of the breach broke in November 2017.

2015

Only 270 data breaches were reported in 2015 so far, but eight of them were fairly large losses.

  • Voter Database: A publicly available database full of information on 191 million U.S. voters was found on the internet. The database contains names, home addresses, voter IDs, phone numbers, dates of birth, political affiliations, and detailed voting histories since 2000.
  • Experian’s T-Mobile customers: 15 million records of potential T-Mobile customers that had credit checks done by Experian. The records consist of names, addresses, social security numbers, dates of birth, and various identification numbers including passports, driver’s licenses, or military identification numbers.
  • Sony Pictures: 10 million to 10.5 million records were stolen by hackers containing names, birth dates, social security numbers, mailing addresses, telephone numbers, claims, and financial payment information including some credit card numbers.
  • Ashley Madison: The company’s user databases, financial records, and other confidential information were leaked to the public. 37 million user records were stolen and dumped to the DarkNet. The hackers attempted to blackmail Ashley Madison into shutting down the website or the stolen database would be released to the public, exposing all of its users. Ashley Madison refused to comply and the data was released, along with several copycat databases containing bogus information.
  • Office of Personnel Management in Washington, D.C.: 21.5 million entries in a database of government workers and more specifically, anyone who had applied for a security clearance going back to 2000. SSNs and information related to what officials ask during interviews for security clearance were leaked.
  • Premera Blue Cross: 11 million records of medical files, personal and financial information including bank account numbers, social security numbers, birth dates, names, addresses, and “other personal information.”
  • Anthem: Over 80 million records stolen consisting of names, birthdays, medical IDs, social security numbers, street addresses, email addresses, employment, and income information. On June 27th, 2017, Anthem agreed to a $115 million settlement for damages caused by this breach.
  • JP Morgan Chase: Hackers made off with names, addresses, phone numbers, and email addresses of over 76 million account holders by gaining access to the administrative rights on the affected servers.

2014

331 data breaches were reported with six over the 10 million record threshold, including the largest database of stolen usernames and passwords in history.

    • The Home Depot: The Home Depot got hit twice in 2014. In February, three employees were suspected of stealing 30,000 records. Then in September, it was hit again for 56 million credit and debit cards due to a hack of the point-of-sales systems in over 2,200 stores in the U.S.
    • J.P. Morgan Chase: 76 million bank accounts were accessed by Russian hackers, some of which were only modified while others were completely wiped out.
    • Target Corp.: 70 million payment card records were stolen during the Thanksgiving and Christmas holidays of 2013. This incident was used as a precedent for passing legislation in the U.S. implementing chip card technology.
    • Over 420,000 different websites: An impressive database of over a billion usernames and passwords along with more than 500 million email addresses was discovered on the DarkNet by a security firm. It was apparently the work of a Russian gang of hackers collecting info from hundreds of thousands of websites.
    • eBay: Data loss of over 145 million records. The hackers gained access to eBay’s user database using employee login credentials. The data copied consisted of email addresses, encrypted passwords, birth dates and mailing addresses.
    • Korea Credit Bureau: A temporary consultant was arrested and charged with stealing bank and credit card data on 20 million users of the credit bureau.

2013

588 data breaches were reported in 2013, four of which hit above the 10 million mark.

      • Adobe: User accounts of over 38 million Adobe users were stolen. Adobe sent out a notice to all affected users warning them to change their passwords and watch for suspicious activity on their accounts.
      • LivingSocial: Up to 50 million member accounts were at risk of being copied, consisting of names, email addresses, dates of birth, and encrypted passwords. At the time, an estimated 29 million people used LivingSocial, many with multiple accounts.
      • Evernote: The biggest loss of data in 2014 with 50 million records exposed. Users were told to reset their passwords after the attack was detected.
      • Yahoo Japan: 22 million user accounts were put at risk when an attempt to access administrative portions of Yahoo Japan’s servers was detected. No personally identifiable information was stolen, according to Yahoo!.

2012

676 data breaches were reported for the year, the highest number of individual data breach reports in any one year, with six of them making the list.

      • Dropbox: 68 million Dropbox users had their email addresses and hashed passwords copied. They then received spam messages in which the sender posed as Dropbox.
      • Zappos.com: 24 million user accounts were detected as accessed including names, email addresses, billing and shipping addresses, phone numbers, final four digits of credit card numbers, and possibly encrypted passwords.
      • Court Ventures: Court Ventures was in the business of selling off credit information to a Vietnamese identity theft service, resulting in over 200 million records sold over several years. These records included financial data, credit status, social security numbers, and bank information.
      • Apple: Over 12 million unique Apple IDs were stolen from a small mobile firm called BlueToad. The hackers claimed to have compromised an FBI laptop, but it turns out they simply broke into BlueToad’s database.
      • Blizzard: Players of Diablo III, Starcraft II and World of Warcraft, some 14 million gamers, were informed of a data breach that put their user accounts on Blizzard.net at risk. Encrypted passwords, the answers to security questions and email addresses of users outside of China were stolen in the breach.
      • Massive American Business Hack: 160 million credit and debit cards and over 800,000 bank accounts were stolen by a group of Russian hackers and one Ukrainian from several U.S. businesses including 7-Eleven, Nasdaq, and Heartland Payment Systems.

2011

594 data breaches were reported in 2011 with eight of them over 10 million records lost or put at risk.

      • Steam: Hackers defaced a forum on Steam which prompted an investigation that revealed unauthorized access to a database containing user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information on over 35 million users.
      • Sony, Playstation Network, Sony Online Entertainment: Sony detected an intrusion of 24.6 million user accounts out of a database of 101.6 million. The database contained names, addresses, email addresses, dates of birth, login credentials for the Playstation Network (PSN) and Qriocity along with PSN IDs and handles. It is suspected that hackers may also have accessed purchase histories, billing addresses and security questions.
      • Sony’s Playstation Network: 77 million records were hacked, along with 23,000 financial data records.
      • WordPress: Hackers accessed data on several of WP’s servers exposing source code, API security keys and social media passwords of 18 million WordPress users.
      • Epsilon: A data breach of anywhere between 50 and 250 million records took place. Epsilon reported that only email addresses and names were stolen. Customers were warned to expect phishing emails.
      • 178.com: Hackers stole 10 million user accounts from the Chinese gaming site, along with several other gaming sites in China.
      • Nexon Korea Corp: The records of 13.2 million subscribers of an online game in Korea were stolen through a hack of the site’s servers.
      • Tianya: 28 million clear text passwords and 40 million user accounts showed up on the DarkNet from China’s 12th most popular website at the time.

2010

609 data breaches were reported in 2010, but only one of them made the list.

      • deviantART, Silverpop Systems Inc.: The largest data breach in 2010 was also the only one above 10 million at 13 million records stolen. Hackers were able to penetrate deviantART through the marketing company Silverpop Systems Inc. The exposed database consisted of user names, email addresses and birth dates of all deviantART users.

2009

254 data breaches were reported in 2009, with three of them making our list.

      • RockYou: An SQL injection flaw in RockYou’s database exposed their entire list of usernames, email addresses, and passwords–around 32 million records. The passwords were stored in plain text and the database included login credentials for various social networks like Facebook and MySpace.
      • U.S. Military Veterans: 76 million detailed records were reported at risk of being exposed when a defective hard drive was sent off for repair without first having its data destroyed. The drive was part of a RAID array of six drives that held an Oracle database filled with veterans’ information. The drive was deemed irreparable and was then sent to another entity for recycling, again, without being erased.
      • Heartland Payment Systems: 130 million credit cards were stolen through a hack of this credit card processor. The problem was exacerbated by the processor’s delays and inaccurate disclosures regarding the breach. One of the perpetrators was a Secret Service informant and suspect in the previous year’s TJ Stores hack.

2008

355 data breaches were reported in 2008 with four of them going over the 10 million minimum.

      • Countrywide Financial Corp.: A former employee reportedly stole and sold sensitive personal information on 17 million account holders’ profiles. It should be noted that Countrywide was the “poster boy” of the subprime lending crisis.
      • Bank of New York Mellon: 12.5 million records containing names, social security numbers, and possibly bank account numbers were “lost” when a box of backup tapes arrived at a storage facility with one tape missing.
      • Auction.co.kr: The records of 18 million members of this South Korean auction site were stolen by a Chinese hacker. The records included user information and a large amount of financial data.
      • GS Caltex: Two compact discs containing this company’s customer list of 11.9 million customers were found on a street in Seoul.

2007

452 data breaches were reported in 2007, with two of them going over 10 million.

      • TJ Stores: Over 100 million records lost consisting of credit and debit card numbers; merchandise return records containing names and driver’s license numbers, as well as credit card account numbers. Special note: the primary hacker, Albert Gonzalez, appealed his conviction in 2011 on the grounds that he was acting with authorization from the Secret Service. The U.S. government acknowledged that Gonzalez was a key undercover informant for the Secret Service at the time. Mr. Gonzalez blamed his attorneys for not using this information as part of his defense.
      • HM Revenue and Customs: Computer disks containing confidential information on 25 million recipients of child benefits were lost in the UK. The disks were lost in transit from their headquarters in Newcastle to an insurer’s headquarters in Edinburgh.

2006

482 data breaches were reported this year. Four of those breaches surpassed the 10 million records mark.

      • U.S. Dept. of Veterans Affairs: A laptop and computer storage device containing sensitive data on 26.5 million veterans were stolen from the home of an unidentified employee of the Department of Veterans Affairs. The information consisted of names, social security numbers, dates of birth, phone numbers, and addresses on all American veterans discharged since 1975. The laptop and storage device were recovered almost two months later. According to an FBI investigation, the data had not been copied. In spite of this, the VA was still held accountable for ineffectual computer security policies and neglecting to take proper security precautions regarding such sensitive data.
      • iBill: Over 17 million records were posted online containing names, phone numbers, addresses, email addresses, IP addresses, login credentials, credit card types, and purchase amounts. It is unclear as to whether the breach was the work of a dishonest insider or malicious software injected into iBill’s systems.
      • T-Mobile, Deutsche Telekom: Thieves made off with a storage device containing names, addresses, cell phone numbers, some birth dates, and some email addresses for some high profile German citizens. Luckily the stolen device did not contain any financial details like credit cards or bank accounts.
      • AOL: AOL, for reasons still not understood, released 20 million web query records of 650,000 registered users. The data included searches from users over a three month period. It also included whether or not the users selected a result, what the result was and where it appeared in the search list.

2005

136 data breaches reported for the year with only one of them over our minimum of 10 million.

    • CardSystems: 40 million credit card accounts were exposed due to a security breach that occurred at a third-party processor. The information exposed included names, card numbers and card security codes. CardSystems filed for bankruptcy in May of 2006. In 2009 it was revealed that CardSystems stored unencrypted credit card information on its servers.

2004

Funnily enough, the only data breach that we have information on in 2004 was also a rather major one.

  • AOL: A former software engineer of AOL stole 92 million email addresses belonging to an estimated 30 million users. He then sold the list of addresses to a man in Las Vegas who began spamming the list with an advertisement for an offshore gambling website. Even the judge involved in the case admitted to canceling his AOL email account because of all the spam.

The big unknown

The above information does not include any of the 1,800-plus data breaches where it is unknown how many records were at risk of being stolen or possibly lost. Currently, there is not any legislation in place requiring mandatory reporting of data breach details. Not reporting a breach can lead to lawsuits from affected users, so most companies do report when they have been hacked or lose some information.

However, the amount of information reported is entirely left up to the reporting company, even to the point of just admitting that there was a breach with no details as to what data or even how much data was at risk of being accessed by unauthorized individuals. Over 1,800 companies have opted to not report how much of the data entrusted to them has been leaked or even how many of their customers may be at risk.

Now factor in the knowledge that some of these companies are collecting information without first informing subjects of their data mining that their information is being loaded into a database. Any retail outlet that a person walks into collects information on what they look at, pick up, purchase, and leave their store with. Match that data to facial recognition from the security cameras, as well as the information received from the point-of-sale system, and they have an identity to attach to that data entry.

Just about every retail outlet now has some form of membership that customers are encouraged to voluntarily sign up for with offers of discounts on fuel, points toward in-store savings, customized digital coupons, and other similar incentives. None of these are, in fact, free. You are selling your personally identifiable information to these companies in exchange for the perks attached to the store’s membership system.

What can you do?

There are some things that you can do to minimize the damage or even prevent your information getting into the wrong hands. These range from using an online anonymity tool, to changing your passwords every couple of months, to using stronger passwords or even randomly generated passwords.

On the more extreme end, there is always the option of contacting any company that you have entrusted your information with. You can ask them not only what they have in place for preventing data breaches, but also what actions they take when they become aware of a leak.

Have you experienced any side effects, or even direct effects of a data breach? How did you recover? Leave your comments below along with any tips you might have for other readers.

“Data Breach” by Blogtrepreneur, CC BY 2.0
