Not long ago, a breach that compromised the data of a few million people would have been big news. Now, breaches that affect hundreds of millions or even billions of people are far too common. About 3.5 billion people saw their personal data stolen in the top two of 15 biggest breaches of this century alone. The smallest incident on this list involved the data of a mere 134 million people.
CSO compiled this list of the biggest 21st Century breaches using simple criteria: The number of people whose data was compromised. We also made a distinction between incidents where data was stolen for malicious intent and those where an organization inadvertently left data unprotected and exposed. Twitter, for example, left the passwords of its 330 million users unmasked in a log, but there was no evidence of any misuse. So, Twitter did not make this list.
Without further ado, here, listed in alphabetical order, are the 15 biggest data breaches in recent history, including who was affected, who was responsible, and how the companies responded.
Biggest data breaches
- Adult Friend Finder
- Heartland Payment Systems
- Marriott International
- My Fitness Pal
- Sina Weibo
Date: October 2013
Impact: 153 million user records
Details: As reported in early October of 2013 by security blogger Brian Krebs, Adobe originally reported that hackers had stolen nearly 3 million encrypted customer credit card records, plus login data for an undetermined number of user accounts.
Later that month, Adobe raised that estimate to include IDs and encrypted passwords for 38 million “active users.” Krebs reported that a file posted just days earlier “appears to include more than 150 million username and hashed password pairs taken from Adobe.” Weeks of research showed that the hack had also exposed customer names, IDs, passwords and debit and credit card information.
An agreement in August 2015 called for Adobe to pay a $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported at $1 million.
Adult Friend Finder
Date: October 2016
Impact: 412.2 million accounts
Details: This breach was particularly sensitive for account holders because of the services the site offered. The FriendFinder Network, which included casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was breached in mid-October 2016. The stolen data spanned 20 years on six databases and included names, email addresses and passwords.
The weak SHA-1 hashing algorithm protected most of those passwords. An estimated 99% of them had been cracked by the time LeakedSource.com published its analysis of the data set on November 14, 2016.
As CSO reported at the time that, “A researcher who goes by 1×0123 on Twitter and by Revolver in other circles posted screenshots taken on Adult Friend Finder (that) show a Local File Inclusion vulnerability (LFI) being triggered.” He said the vulnerability, discovered in a module on the production servers used by Adult Friend Finder, “was being exploited.”
Date: May 2019
Impact: 137 million user accounts
Details: In May 2019 Australian graphic design tool website Canva suffered an attack that exposed email addresses, usernames, names, cities of residence, and salted and hashed with bcrypt passwords (for users not using social logins — around 61 million) of 137 million users. Canva says the hackers managed to view, but not steal, files with partial credit card and payment data.
The suspected culprit(s) — known as Gnosticplayers — contacted ZDNet to boast about the incident, saying that Canva had detected their attack and closed their data breach server. The attacker also claimed to have gained OAuth login tokens for users who signed in via Google.
The company confirmed the incident and subsequently notified users, prompted them to change passwords, and reset OAuth tokens. However, according to a later post by Canva, a list of approximately 4 million Canva accounts containing stolen user passwords was later decrypted and shared online, leading the company to invalidate unchanged passwords and notify users with unencrypted passwords in the list.
Date: May 2014
Impact: 145 million users
Details: eBay reported that an attack exposed its entire account list of 145 million users in May 2014, including names, addresses, dates of birth and encrypted passwords. The online auction giant said hackers used the credentials of three corporate employees to access its network and had complete access for 229 days—more than enough time to compromise the user database.
The company asked customers to change their passwords. Financial information, such as credit card numbers, was stored separately and was not compromised. The company was criticized at the time for a lack of communication with its users and poor implementation of the password-renewal process.
Date: July 29, 2017
Impact: 147.9 million consumers
Details: Equifax, one of the largest credit bureaus in the US, said on Sept. 7, 2017 that an application vulnerability in one of their websites led to a data breach that exposed about 147.9 million consumers. The breach was discovered on July 29, but the company says that it likely started in mid-May. The breach compromised the personal information (including Social Security numbers, birth dates, addresses, and in some cases drivers’ license numbers) of 143 million consumers; 209,000 consumers also had their credit card data exposed. That number was raised to 147.9 million in October 2017.
Equifax was faulted for a number of security and response lapses. Chief among them was that the application vulnerability that allowed the attackers access was unpatched. Inadequate system segmentation made lateral movement easy for the attackers. Equifax was also slow to report the breach.
Date: December 2018
Impact: 162 million user accounts
Details: In December 2018, New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen, all of which was then put up for sale on the Dream Market dark web market the following December. The information was being sold as part of a collected dump also including the likes of MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating app CoffeeMeetsBagel.
Dubsmash acknowledged the breach and sale of information had occurred — and provided advice around password changing — but failed to say how the attackers got in or confirm how many users were affected.
Heartland Payment Systems
Date: March 2008
Impact: 134 million credit cards exposed
Details: At the time of the breach, Heartland was processing 100 million payment card transactions per month for 175,000 merchants — mostly small- to mid-sized retailers. The breach was discovered in January 2009 when Visa and MasterCard notified Heartland of suspicious transactions from accounts it had processed. The attackers exploited a known vulnerability to perform a SQL injection attack. Security analysts had warned retailers about the vulnerability for several years, and it made SQL injection the most common form of attack against websites at the time.
Because of the breach, the Payment Card Industry (PCI) deemed Heartland out of compliance with its Data Security Standard (DSS) and did not allow it to process payments of major credit card providers until May 2009. The company also paid an estimated $145 million in compensation for fraudulent payments.
The Heartland breach was a rare example where authorities caught the attacker. A federal grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in 2009. Gonzalez, a Cuban American, was alleged to have masterminded the international operation that stole the credit and debit cards. He was sentenced in March 2010 to 20 years in federal prison.
Date: 2012 (and 2016)
Impact: 165 million user accounts
Details: As the major social network for business professionals, LinkedIn has become an attractive proposition for attackers looking to conduct social engineering attacks. However, it has also fallen victim to leaking user data in the past.
In 2012 the company announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) were stolen by attackers and posted onto a Russian hacker forum. However, it wasn’t until 2016 that the full extent of the incident was revealed. The same hacker selling MySpace’s data was found to be offering the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoins (around $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach, and said it had reset the passwords of affected accounts.
Impact: 500 million customers
Details: Marriott International announced in November 2018 that attackers had stolen data on approximately 500 million customers. The breach initially occurred on systems supporting Starwood hotel brands starting in 2014. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.
The attackers were able to take some combination of contact information, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. The credit card numbers and expiration dates of more than 100 million customers were believed to be stolen, but Marriott is uncertain whether the attackers were able to decrypt the credit card numbers. The breach was eventually attributed to a Chinese intelligence group seeking to gather data on US citizens, according to a New York Times article.
My Fitness Pal
Date: February 2018
Impact: 150 million user accounts
Details: As well as Dubsmash, UnderArmor-owned fitness app MyFitnessPal was among the massive information dump of 16 compromised sites that saw some 617 million customers accounts leaked and offered for sale on Dream Market.
In February 2018 the usernames, email addresses, IP addresses, SHA-1 and bcrypt-hashed passwords of around 150 million customers were stolen and then put up for sale a year later at the same time as Dubsmash et al. MyFitnessPal acknowledged the breach and required customers to change their passwords, but didn’t share how many accounts were affected or how the attackers gained access to the data.
Impact: 360 million user accounts
Details: Though it had long stopped being the powerhouse that it once was, social media site MySpace hit the headlines in 2016 after 360 million user accounts were leaked onto both LeakedSource (a searchable databased of stolen accounts) and put up for sale on dark web market The Real Deal with an asking price of 6 bitcoin (around $3,000 at the time).
According to the company, lost data included email addresses, passwords and usernames for “a portion of accounts that were created prior to June 11, 2013, on the old Myspace platform.” According to Troy Hunt of HaveIBeenPwned, the passwords were stored as SHA-1 hashes of the first 10 characters of the password converted to lowercase.
Date: October 2015
Impact: 235 million user accounts
Details: NetEase is a provider of mailbox services through the likes of 163.com and 126.com. It was reported in that email addresses and plaintext passwords of some 235 million accounts from NetEase customers were being sold by a dark web marketplace vendor known as DoubleFlag. The same vendor was also selling information taken from other Chinese giants such as Tencent’s QQ.com, Sina Corporation and Sohu, Inc. NetEase has reportedly denied any breach. HaveIBeenPwned lists this breach as “unverified.”
Date: March 2020
Impact: 538 million accounts
Details: With over 500 million users, Sina Weibo is China’s answer to Twitter. However, in March 2020 it was reported that the real names, site usernames, gender, location, and — for 172 million users — phone numbers had been posted for sale on dark web markets. Passwords were not included, which may indicate why the data was available for just ¥1,799 ($250).
Weibo acknowledged the data for sale was from the company, but claimed the data was obtained by matching contacts against its address book API. It also said that since doesn’t store passwords in plaintext, users should have nothing to worry about. This, however, doesn’t tally as some of the information being offered such as location data, isn’t available via the API. The social media giant said it had notified authorities about the incident and China’s Cyber Security Administration of the Ministry of Industry and Information Technology said it is investigating.
Impact: 3 billion user accounts
Details: Yahoo announced in September 2016 that in 2014 it had been the victim of what would be the biggest data breach in history. The attackers, which the company believed we “state-sponsored actors,” compromised the real names, email addresses, dates of birth and telephone numbers of 500 million users. Yahoo claimed that most of the compromised passwords were hashed.
Then in December 2016, Yahoo disclosed another breach from 2013 by a different attacker that compromised the names, dates of birth, email addresses and passwords, and security questions and answers of 1 billion user accounts. Yahoo revised that estimate in October 2017 to include all of its 3 billion user accounts.
The timing of the original breach announcement was bad, as Yahoo was in the process of being acquired by Verizon, which eventually paid $4.48 billion for Yahoo’s core internet business. The breaches knocked an estimated $350 million off the value of the company.
Date: September 2019
Impact: 218 million user accounts
Details: Once a giant of the Facebook gaming scene, Farmville creator Zynga is still one the biggest players in the mobile game space with millions of players worldwide.
In September 2019, a Pakistani hacker who goes by the name Gnosticplayers claimed to have hacked into Zynga’s database of Draw Something and Words with Friends players and gained access to the 218 million accounts registered there. Zynga later confirmed that email addresses, salted SHA-1 hashed passwords, phone numbers, and user IDs for Facebook and Zynga accounts were stolen.
Editor’s note: This article, originally published in March 2014, is frequently updated to account for new breaches.
Copyright © 2021 IDG Communications, Inc.