Biggest data breaches in history.

With a history of almost 9,000 US data breaches over the last 12 years, it’s a safe bet that any electronic information relating to you is either at risk or has already been compromised at least once. As James Comey, the former director of the FBI puts it, „there are two kinds of companies. Those that have been hacked and those that don’t know yet that they’ve been hacked.“

The need for online privacy and anonymity grows with every breach that occurs, and there does not appear to be any end in sight. Every corporation is gathering intel on their customers, clients, and even random people. Large corporations invest billions of dollars every year on data gathering systems, database technologies to store it all, expensive servers with massive amounts of storage, and data analysts to make sense of it.

It’s not just a game for businesses. Intelligence agencies the world over gather and try to make sense of information as their primary agenda. The unfortunate irony here is that many companies seem to lack concern over keeping that information safe and out of the hands of others once they have it. If it does fall into the wrong hands, there are various potential repercussions for those involved, including increased risk of falling victim to crimes such as spear phishing schemes, ransomware attacks, and identity theft.

The list below shows an annual breakdown of the largest of these data breaches, with a minimum of 10 million records at risk of being exposed to unauthorized persons. Note that the total number of reported breaches cited refers to breaches involving US companies or that have affected US customers.

Data breaches by year

2018

Marriott homepage.

In 2018, 700 reported breaches have occurred so far, with 11 of them involving more than 10 million records.

Marriott International

Up to 500 million Marriott International guests may have been involved in this massive breach that began in 2014. More than 320 million customers‘ data was breached, including names, addresses, and passport numbers, prompting many angry guests to demand that Marriott pay for the issue of new passports.

Exactis

In June 2018, marketing and data aggregation firm, Exactis, leaked almost 340 million records onto a server that could be accessed by the public. Information on individuals and businesses was involved, including phone numbers, home addresses, and email addresses.

Under Armour

An estimated 150 millions users of Under Armour’s food and nutrition app, MyFitnessPal, may have had their information exposed. Data involved in the leak is thought to include email addresses, usernames, and hashed passwords.

MindBody – FitMetrix

Fitness software FitMetrix — which was acquired by MindBody earlier in 2018 — was involved in a breach that affected more than 113 million records, though the number of users this correlates to is unknown. The breach was discovered by a security researcher who found that three of FitMetrix’s servers were unprotected and leaking data.

Facebook

In September 2018, a data security breach was discovered in the form of a bug that allowed attackers to take over control of people’s Facebook accounts. 50 million accounts were known to have been affected, but up to 40 million more could have been involved.

Facebook (Cambridge Analytica)

Prior to the above breach, the Cambridge Analytica scandal had come to light. The data analysis firm had accessed and stored the personal data of 50 million Facebook users via a third-party researcher. The acquisition of the data violated Facebook’s terms of service, and as such, represented a massive breach of user information.

Localblox

Localblox is similar to Cambridge Analytica in that it scrapes information from publicly accessible sources to create profiles. It stored data on an unsecured container, a fact discovered by UpGuard, a cybersecurity research firm. As many as 48 million user profiles were being stored without a password, and although Localblox took immediate action, it’s unclear if anyone else accessed the 1.2 TB of data in the meantime.

Chegg

40 million users of textbook rental and tutorial company, Chegg, and its family of brands were informed in September 2018 that their personal data may have been exposed to an unauthorized party which gained access to a company database. Leaked information included names, passwords, email addresses, and shipping addresses.

Ticketfly

A malicious cyberattack led to the personal information of around 27 million Ticketfly account holders being accessed. Customers‘ data that was breached included names, addresses, email addresses, and phone numbers.

The Sacramento Bee

After the company left more than 19 million voter records exposed online by failing to restore a protective firewall to its server, a ransomware attack was launched by malicious hackers. The newspaper refused to pay the ransom and notified voters of the breach.

SaverSpy

In September 2018, the details of almost 11 million users were leaked from an e-marketing company database due to an unsecured server. Names, email addresses, gender details, and physical addresses were reportedly involved. The database was thought to have belonged to a company named SaverSpy.

2017

Deep Root Analytics

There were reportedly 853 breaches in 2017, with nine of them making the list.

River City Media

A massive database of over 1.37 billion email addresses was exposed due to an improperly configured backup. Some of those records contained extra details like names, physical addresses, and IP addresses. The leak also exposed River City Media’s entire operation, including details like business plans, Hipchat logs, accounts, and more. River City Media is one of the largest providers of spam in the world, according to the news report.

Deep Root Analytics

A database containing political information on over 198 million US voters was discovered on an Amazon cloud storage system without any form of password protection. The Republican National Committee hired Deep Root Analytics to compile and analyze the data consisting of names, dates of birth, home addresses, phone numbers, and voter registrations. Deep Root Analytics has since taken full responsibility for the breach and implemented improved data security measures.

Equifax

More than 145 million records including social security numbers, credit card numbers, drivers license numbers, and names were breached at one of the three major US credit reporting agencies.

Name Tests

It was revealed in 2018 that Nametests.com, the website responsible for a popular Facebook quiz app, had a flaw that publicly exposed details about its more than 120 million users.

MyHeritage

This breach was announced in 2018 but actually occurred in October 2017 and involved the more than 92 million customers‘ data. A security researcher discovered the information, which included email addresses and hashed passwords, on a private server that didn’t belong to MyHeritage.

T-Mobile

A security hole in T-Mobile’s website enabled attackers to use a phone number to access account details, including email addresses and a phone’s IMSI network code. Up to 76 million users may have been affected.

Panera Bread

The Panera Bread breach began in 2017 but apparently no action was taken until 2018. Names, email addresses, home addresses, and phone numbers of up to 37 million customers was leaked from the site in plain text. The last four digits of customers’ credit card numbers were also involved.

Dun & Bradstreet

It was revealed that records from a commercial corporate database regarding more than 33 million people were leaked by Dun & Bradstreet. Of the people involved, more than 100,000 worked for the Ministry of Defence and over 70,000 for major financial institutions. While the information wouldn’t be considered sensitive data (it included things like email addresses, job title, and company address), in the wrong hands, it would make executing scams like spear phishing and whaling far simpler.

Zomato

A hacker on the DarkNet is selling a database that includes emails and password hashes of 17 million registered Zomato users.

2016

Dailymotion homepage.

823 data breaches were reported to occur in 2016, with eight of them hitting above the 10 million mark.

FriendFinder network

Over 412 million accounts representing 20 years of user personal data including email addresses, passwords, usernames, the database outline, sites in the network visited by users, site registration data, and much more.

MySpace

Over 360 million usernames and passwords were stolen from MySpace. The passwords were stored as „unsalted SHA-1 hashes“ and were broken using a cracking server capable of running millions of SHA-1 calculations per second.

LinkedIn

Between 117 million and 167 million records are believed to have been stolen from the popular business social network, including user email address, hashed passwords, and LinkedIn ID numbers. The breach is said to have started in 2012 but in 2016, the data was up for sale online.

Dailymotion

The email addresses and usernames of approximately 85.2 million users of one of the most popular video sharing sites on the internet were accessed in 2016. About one fifth of those accounts also had their hashed passwords copied, but the passwords were encrypted with fairly strong encryption making them difficult to crack or guess.

Uber

57 million customers’ and drivers’ names, e-mail addresses, and phone numbers were hacked in 2016. Uber then tried to cover up the breach by paying off the attackers who „promised“ to delete the data. News of the breach broke in November 2017.

Weebly

43.4 million records were stolen, but the means by which this theft was committed is not yet known. It is known that the compromised data contained email addresses, usernames, passwords, and logged IP addresses of users computers.

Twitter

32 million login credentials, including plain text passwords, ended up for sale online. The data appeared to have been stolen directly from users rather than from a hack of Twitter’s servers.

FourSquare

More than 22.5 million records were apparently taken from publicly available sources. The records contained FourSquare usernames, email addresses, and Twitter and Facebook IDs.

2015

Anthem homepage.

547 data breaches were reported to occur in 2015, but seven of them were fairly large losses.

Voter Database

A publicly available database full of information on 191 million US voters was found on the internet. The database contained names, home addresses, voter IDs, phone numbers, dates of birth, political affiliations, and detailed voting histories since 2000.

Anthem

Over 80 million records were stolen, consisting of names, birthdays, medical IDs, social security numbers, street addresses, email addresses, and employment and income information, with the breach starting as early as 2014. On June 27th, 2017, Anthem agreed to a $115 million settlement for damages caused by this breach.

Ashley Madison

The company’s user databases, financial records, and other confidential information were leaked to the public. 37 million user records were stolen and dumped to the DarkNet. The hackers attempted to blackmail Ashley Madison into shutting down the website or the stolen database would be released to the public, exposing all of its users. Ashley Madison refused to comply and the data was released, along with several copycat databases containing bogus information.

Office of Personnel Management in Washington, DC

This involved 21.5 million entries in a database of government workers and more specifically, anyone who had applied for a security clearance going back to 2000. SSNs and information related to what officials ask during interviews for security clearance were leaked.

Experian’s T-Mobile customers

15 million records of potential T-Mobile customers that had credit checks done by Experian were breached. The records consisted of names, addresses, social security numbers, dates of birth, and various identification numbers, including passports, driver’s licenses, and military identification numbers.

Premera Blue Cross

This involved 11 million records of medical files and personal and financial information, including bank account numbers, social security numbers, birth dates, names, addresses, and „other personal information.“

Excellus BlueCross Blue Shield

It appears this was the year for healthcare industry breaches as yet another huge attack hit health insurer, Excellus BlueCross Blue Shield. The information of more than 10 million individuals was leaked.

2014

Yahoo homepage.

869 breaches were reported with five over the 10 million record threshold.

Yahoo

This breach actually occurred in 2014, but was not announced or acknowledged by Yahoo until two years after the fact. The database that was accessed contained records of over 500 million of Yahoo’s users, including names, phone numbers, email addresses, hashed passwords, birth dates, and „encrypted or unencrypted security questions and answers.“

Russian hacking discovered by Hold Security

An impressive database of over a billion usernames and passwords along with more than 500 million email addresses was discovered on the DarkNet by a security firm. It was apparently the work of a Russian gang of hackers collecting information from hundreds of thousands of websites.

eBay

This breach involved a data loss of over 145 million records. Hackers gained access to eBay’s user database using employee login credentials. The data copied consisted of email addresses, encrypted passwords, birth dates, and mailing addresses.

JP Morgan Chase

76 million bank accounts were accessed by Russian hackers, some of which were only modified while others were completely wiped out.

The Home Depot

The Home Depot got hit twice in 2014. In February, three employees were suspected of stealing 30,000 records. Then in September, it was hit again for the details of 56 million credit and debit cards due to a hack of the point-of-sales systems in over 2,200 stores in the U.S.

2013

Evernote homepage.

890 data breaches were reported in 2013, five of which hit above the 10 million mark.

Yahoo

More than 1 billion accounts were compromised in 2013, but this breach was not made public until 2016, and was most likely unrelated to the 500 million records stolen in 2014. Yahoo blamed the largest breach in history on hackers working on behalf of a government. The intruders used forged cookies to access user accounts without their passwords.

Target Corp.

Up to 110 million payment card records were stolen during the Thanksgiving and Christmas holidays of 2013. This incident was used as a precedent for passing legislation in the U.S. implementing chip card technology.

Tumblr

In 2013, hackers accessed more than 65 million passwords of Tumblr users, although the breach was not reported until 2016.

Evernote

The biggest loss of data in 2014 with 50 million records exposed. Users were told to reset their passwords after the attack was detected.

LivingSocial

Up to 50 million member accounts were at risk of being copied, consisting of names, email addresses, dates of birth, and encrypted passwords. At the time, an estimated 29 million people used LivingSocial, many with multiple accounts.

Adobe

User accounts of up to 38 million Adobe users were stolen. Adobe sent out a notice to all affected users warning them to change their passwords and watch for suspicious activity on their accounts.

2012

Dropbox homepage.

886 data breaches were reported for the year, with two of them making the list.

Dropbox

68 million Dropbox users had their email addresses and hashed passwords copied. They then received spam messages in which the sender posed as Dropbox.

Zappos.com

24 million user accounts were detected as accessed including names, email addresses, billing and shipping addresses, phone numbers, final four digits of credit card numbers, and possibly encrypted passwords.

2011

Epsilon homepage.

793 data breaches were reported for 2011 with four of them over 10 million records lost or put at risk.

Epsilon

This data breach of anywhere between 50-250 million records took place. Epsilon reported that only email addresses and names were stolen. Customers were warned to expect phishing emails.

Sony, PlayStation Network

77 million PlayStation Network (PSN) users and more than 24 million Sony Online Entertainment customers were affected during this 2011 hack. Leaked details included names, addresses, email addresses, dates of birth, login credentials for PSN and Qriocity, and PSN IDs and handles. It is suspected that hackers may also have accessed purchase histories, billing addresses and security questions.

Steam

Hackers defaced a forum on Steam which prompted an investigation that revealed unauthorized access to a database containing user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information on over 35 million users.

WordPress

Hackers accessed data on several of WP’s servers exposing source code, API security keys and social media passwords of 18 million WordPress users.

2010

deviantart homepage.

801 data breaches were reported for 2010, but only one of them made the list.

DeviantART, Silverpop Systems Inc.

The largest data breach in 2010 was also the only one above 10 million at 13 million records stolen. Hackers were able to penetrate deviantART through the marketing company Silverpop Systems Inc. The exposed database consisted of user names, email addresses and birth dates of all deviantART users.

2009

Heartland Payment Systems.

270 data breaches were reported for 2009, with three of them making our list.

Heartland Payment Systems

130 million credit cards were stolen through a hack of this credit card processor. The problem was exacerbated by the processor’s delays and inaccurate disclosures regarding the breach. One of the perpetrators was a Secret Service informant and suspect in the previous year’s TJ Stores hack.

U.S. Military Veterans

76 million detailed records were reported at risk of being exposed when a defective hard drive was sent off for repair without first having its data destroyed. The drive was part of a RAID array of six drives that held an Oracle database filled with veterans‘ information. The drive was deemed irreparable and was then sent to another entity for recycling, again, without being erased.

RockYou

An SQL injection flaw in RockYou’s database exposed their entire list of usernames, email addresses, and passwords–around 32 million records. The passwords were stored in plain text and the database included login credentials for various social networks like Facebook and MySpace.

2008

BNY Mellon.

355 data breaches were reported for 2008 with two of them going over the 10 million mark.

Countrywide Financial Corp.

A former employee reportedly stole and sold sensitive data on 17 million account holders‘ profiles. It should be noted that Countrywide was the „poster boy“ of the subprime lending crisis.

Bank of New York Mellon

12.5 million records containing names, social security numbers, and possibly bank account numbers were „lost“ when a box of backup tapes arrived at a storage facility with one tape missing.

2007

TJX stores.

456 data breaches were reported to have occurred in 2007, with one of them involving more than 10 million records.

TJ Stores

Over 100 million records lost consisting of credit and debit card numbers; merchandise return records containing names and driver’s license numbers, as well as credit card account numbers. Special note: the primary hacker, Albert Gonzalez, appealed his conviction in 2011 on the grounds that he was acting with authorization from the Secret Service. The U.S. government acknowledged that Gonzalez was a key undercover informant for the Secret Service at the time. Mr. Gonzalez blamed his attorneys for not using this information as part of his defense.

2006

Veterans Affairs.

482 data breaches were reported this year. Two of those breaches surpassed the 10 million records mark.

U.S. Dept. of Veterans Affairs

A laptop and computer storage device containing sensitive data on 26.5 million veterans were stolen from the home of an unidentified employee of the Department of Veterans Affairs. The information consisted of names, social security numbers, dates of birth, phone numbers, and addresses on all American veterans discharged since 1975. The laptop and storage device were recovered almost two months later. According to an FBI investigation, the data had not been copied. In spite of this, the VA was still held accountable for ineffectual data security policies and neglecting to take proper security precautions regarding such sensitive data.

iBill

Over 17 million records were posted online containing names, phone numbers, addresses, email addresses, IP addresses, login credentials, credit card types, and purchase amounts. It is unclear as to whether the breach was the work of a dishonest insider or malicious software injected into iBill’s systems.

2005

136 data breaches reported for the year with only one of them over our minimum of 10 million.

CardSystems

40 million credit card accounts were exposed due to a security breach that occurred at a third-party vendor. The information exposed included names, card numbers and card security codes. CardSystems filed for bankruptcy in May of 2006. In 2009 it was revealed that CardSystems stored unencrypted credit card information on its servers.

2004

Funny enough, the only data breach that we have information on in 2004 was also a rather major one.

AOL

A former software engineer of AOL stole 92 million email addresses belonging to an estimated 30 million users. He then sold the list of addresses to a man in Las Vegas who began spamming the list with an advertisement for an offshore gambling website. Even the judge involved in the case admitted to canceling his AOL email account because of all the spam.

Largest non-US breaches

There have also been some pretty massive breaches in various other parts of the globe over the years. Here are some of the most prominent:

Aadhaar (2018)

A data breach could have potentially risked the data of all 1.1 billion citizens of India. In early January, anonymous sellers on WhatsApp were offering access to any Aadhaar number and its associated details, including name, address, phone number, photo, and email address. The information was being sold with the option of software for printing ID cards, presumably for use in identity theft and other related crimes.

Interpark (2017)

In 2017, South Korea accused North Korea of stealing the data of 10 million customers of the online mall, Interpark, in an attempt to obtain foreign currency.

Telegram (2017)

In 2017, Iranian hackers are accused of breaking into an ultra secure instant messaging service by compromising a dozen accounts. The hack exposed 15 million users phone numbers to the hackers. This will allow the hackers to add new devices to user’s account and give those new devices access to chat histories as well as new messages.

Mossack Fonseca (2016)

This Panamanian law firm specializes in setting up anonymous offshore companies. The leak is of 11.5 million encrypted documents like emails, PDF files, photos, and excerpts from an internal database. The main purpose of this collection appears to be hiding the true owners of several of the offshore companies sold by Mossack Fonseca. Given that a lot of the information stored in these files includes evidence of illegal activities, the wish for anonymity is rather obvious.

Turkish citizenship database (2016)

A database was discovered online containing 49.6 million entries–the entire Turkish citizenship–with names, national IDs, parents names, gender, city of birth, date of birth, ID registration city and district, and their full address.

Philippines‘ Commission on Elections (2016)

A database containing every registered voter in the Philippines, some 55 million people, was leaked online. The leak came on the heels of a defacement of the Philippines‘ Commission on Elections website.

Korea Credit Bureau (2014)

A temporary consultant was arrested and charged with stealing bank and credit card data on 20 million users of the credit bureau.

Yahoo Japan (2013)

22 million user accounts were put at risk when an attempt to access administrative portions of Yahoo Japan’s servers was detected. No personally identifiable information was stolen, according to Yahoo.

Court Ventures (2012)

Court Ventures was in the business of selling off credit information to a Vietnamese identity theft service, resulting in over 200 million records sold over several years. These records included financial data, credit status, social security numbers, and bank information.

Blizzard (2012)

Players of Diablo III, Starcraft II and World of Warcraft, some 14 million gamers, were informed of a data breach that put their user accounts on Blizzard.net at risk. Encrypted passwords, the answers to security questions and email addresses of users outside of China were stolen in the breach.

178.com (2011)

Hackers stole 10 million user accounts from the Chinese gaming site, along with several other gaming sites in China.

Nexon Korea Corp (2011)

13.2 million subscribers of an online game in Korea were stolen through a hack of the site’s servers.

Tianya (2011)

28 million clear text passwords and 40 million user accounts showed up on the DarkNet from China’s 12th most popular website at the time.

Auction.co.kr (2008)

The records of 18 million members of this South Korean auction site were stolen by a Chinese hacker. The records included user information and a large amount of financial data.

GS Caltex (2008)

Two compact discs containing this company’s customer list of 11.9 million customers were found on a street in Seoul.

HM Revenue and Customs (2007)

Computer disks containing confidential information on 25 million recipients of child benefits were lost in the UK. The disks were lost in transit from their headquarters in Newcastle to an insurer’s headquarters in Edinburgh.

T-Mobile, Deutsche Telecom (2006)

Thieves made off with a storage device containing names, addresses, cell phone numbers, some birth dates, and some email addresses for some high profile German citizens. Luckily the stolen device did not contain any financial details like credit cards or bank accounts.

The big unknown

It should be noted that some reported breaches affect an unknown number of customers, so there may be other breaches that have topped the 10 million records mark. Plus, breaches may go undiscovered, entirely or for a period of time.

The new General Data Protection Regulation (GDPR) in the EU includes a requirement that companies report data breaches (that meet certain criteria) within 72 hours. While there is a California state law that pertains to data breach reporting, there is no federal legislation in place requiring mandatory reporting of data breach details. However, not reporting a breach can lead to lawsuits from affected users, so most companies do report when they discover they have been hacked or lose some information.

Although, the amount of information reported is entirely left up to the reporting company, even to the point of just admitting that there was a breach with no details as to what data or even how much data was at risk of being accessed by unauthorized individuals. According to Privacy Rights Clearinghouse, thousands of companies have opted not to report how much of the data entrusted to them has been leaked or even how many of their customers may be at risk.

Now factor in the knowledge that some of these companies are collecting information without first informing subjects of their data mining that their information is being loaded into a database. Any retail outlet that a person walks into collects information on what they look at, pick up, purchase, and leave their store with. Match that data to facial recognition from the security cameras, as well as the information received from the point-of-sale system, and they have an identity to attach to that data entry.

Just about every retail outlet now has some form of membership that customers are encouraged to voluntarily sign up for with offers of discounts on fuel, points toward in-store savings, customized digital coupons, and other similar incentives. All of these are not, in fact, free. You are selling your personally identifiable information to these companies in exchange for the perks attached to the store’s membership system.

What can you do?

There are some things that you can do to minimize the damage or even prevent your information getting into the wrong hands. Things like using an online anonymity tool (such as a VPN), installing anti-virus software, using strong passwords, and enabling two-factor authentication can help. In the case of the latter, if the platform you’re trying to secure doesn’t offer two-factor authentication, you may be able to use a third-party two-factor authentication app, such as DUO Mobile and Google Authenticator.

On the more extreme end, there is always the option of contacting any company you have entrusted your information with. You can ask them about what they have in place for not only preventing data breaches, but what actions they take when they become aware of a leak.

If you want to check to see if your information has been involved in a data breach, a handy tool is the have I been pwned? website

Have you experienced any side effects, or even direct effects of a data breach? How did you recover? Leave your comments below along with any tips you might have for other readers.

Data Breach“ by Blogtrepreneur CC BY 2.0

Inhalte