Recent data breaches at Facebook, Google Plus, Ashley Madison and others have highlighted how vulnerable every piece of our online information is. Security breaches have become an integral part of our digital lives. Facebook reported that personal information of more than 50 million users was leaked in July 2017. But it’s not the biggest data breach in the history of the Internet. In fact, it’s not even among the top 10 biggest data breaches of all time. Here we take a look at the biggest security compromises since the dawn of the Internet era.
Top 10 biggest data breaches ever
According to the Identity Theft Resource Center, 8,069 data breaches have occurred between 2005 and 2017. There is a good chance the personal data of almost every active Internet user has been compromised at some point. Heck, some of our personal data might be up for sale on the dark web without us knowing. This list is based on the number of records compromised.
10- Heartland Payment Systems. 100 million users affected. May 2008
Heartland Payment Systems was one of the world’s largest payment processing firms about a decade ago. It was processing more than 100 million transactions per month for more than 200,000 merchants. The company discovered in January 2009 that hackers had planted malware on its network that recorded credit and debit card data as it arrived from merchants. It exposed the credit and debit card details of more than 100 million customers to cybercriminals. Albert Gonzalez, the mastermind behind the massive breach, was sentenced to 20 years of prison in 2010. Heartland was banned from processing payments until May 2009, and it had to pay out roughly $150 million in compensation for fraudulent transactions.
9- Target stores. 110 million users affected. November 2013
Target revealed in January 2014 that its systems were hit by a massive data breach right before the 2013 holiday shopping season. Hackers installed malware in its payment card readers, stealing the contact details such as names, addresses, and emails, and telephone numbers of more than 70 million customers. About 40 million credit and debit card numbers were also exposed. However, security experts estimate that more than 110 million users were affected by the Target breach. The same malware was later found in the POS systems of Home Depot. Target has since beefed up its cybersecurity since then.
8- eBay. 145 million people affected. May 2014
The auction giant asked 145 million of its customers in May 2014 to change their passwords. The eBay breach had exposed the names, emails, street addresses, dates of birth, as well as encrypted passwords of 148 million users. Fortunately for users, financial details such as credit card numbers were stored separately, so they were not affected. Hackers were able to gain access to the login credentials of 145 million customers by first obtaining the credentials of three eBay employees. The attackers had full access to its servers for 229 days.
7- Equifax. 147.9 million users affected. July 2017
Between May and July 2017, hackers broke into credit reporting agency Equifax’s systems to access the data of more than 143 million users. Though Equifax later bumped up the figure to 145 million, security experts put the number of affected users at around 147.9 million. It is one of the most damaging data breaches in history. However, Equifax didn’t report the breach until September 2017. Hackers had amassed vital information about millions of people, including names, street addresses, driver’s license numbers, birth dates, and even social security numbers. Hackers exploited a vulnerability in the open-source software Apache Struts to access its servers.
6- Under Armor. 150 million users affected. February 2018
Earlier this year, the active-wear company told millions of its users that their data had been compromised. The security breach affected 150 million users of its MyFitnessPal app. The leaked information included hashed passwords, emails, and user names. Payment details were not affected because Under Armor collects and stores them separately. Under Armor discovered the breach on March 25th, when it noticed that an unauthorized party had accessed MyFitnessPal user data in February.
5- MySpace. 360 million accounts affected. May 2016
MySpace was leading the social media sector before the emergence of Facebook. But it was a mess in terms of data security. And the company never really took user data seriously. People could hack their own pages to embed whatever content they desired. So, data breaches were pretty common. In 2016, a Russian hacker going by the nickname Peace put the MySpace data of more than 360 million accounts on sale. An investigation by independent security researchers suggested that the breach occurred sometime in the mid-2000s.
4- Adult FriendFinder. 412 million accounts compromised. October 2016
The FriendFinder Network operates several websites such as Adult FriendFinder, Cams.com, iCams.com, Stripshow.com, and Penthouse.com. Its servers were breached in October 2016, and user details began emerging on numerous cybercrime forums. Hackers were able to collect about 20 years of data including names, emails, and passwords. The passwords were protected by the rather weak SHA-1 hashing algorithm. As a result, almost all the accounts had been cracked before LeakedSource.com could publish its analysis of the entire database.
3- Marriott / Starwood Hotels. 500 million accounts compromised. 2014-2018
Marriott said in November 2018 that hackers had stolen personal information of more than 500 million guests who had booked rooms or stayed at properties run by its Starwood subsidiary. The data breach began in 2014, about two years before Marriott acquired Starwood Hotels, and continued through much of 2018. The stolen details included names, street addresses, emails, passport numbers, genders, and dates of birth of more than 500 million customers.
2- Aadhar. 1.1 million users affected. January 2018
Aadhar is the national ID database in India. Almost every citizen in India has a 12-digit unique Aadhar number. The Aadhar database consists of the names, addresses, photos, phone numbers, emails, and biometric information of nearly 1.1 billion people. But user data is not secure on the government’s servers. Though the Indian government has refuted all reports of the Aadhar data breach, the Tribune News Service reported in January 2018 that anonymous sellers were selling Aadhar credentials of any user over WhatsApp for as little as $10. You could retrieve anyone’s Aadhar details by paying that sum. Independent investigation by ZDNet later revealed that the Aadhar details of 1.1 billion people were easily available to anyone. But the Indian government has done little to fix the security loopholes.
1- Yahoo. 3 billion users affected. August 2013
This is by far the biggest data breach in the history of the Internet. In August 2013, unidentified hackers broke into Yahoo servers to steal the data of more than 3 billion users. It means every single account on Yahoo, Tumblr, Flickr, and other Yahoo-owned properties was compromised. But Yahoo reported the security breach only in 2016. The company also revealed that another hack conducted by “a state-sponsored actor” in late 2014 compromised the data of 500 million users. The US government indicted Russian hackers for the 2014 data breach.
Over the years, companies have increased their spending on cybersecurity. But hackers are almost always a step ahead. They are now using complex methods to break into highly secure servers. The recent Google+ data leak is just one example. More breaches would continue to occur in the near future.