Think about this - every day, how many times do you log in to a website or smartphone app? The number of usernames and passwords we have at our disposal is growing by the day - and hackers and criminals aim to have them at their disposal too, leading many to be at risk of some of the biggest data breaches of all time.
The 10 biggest data breaches of all time
We collated this list of the largest data breaches to show how personal data is constantly at risk of vulnerability. These security breaches affected some of the largest organizations in the world - and millions of their users.
1) Yahoo
Date: August 2013
Number of affected users: 3 billion
What happened: In 2016, Yahoo revealed details of a data breach which compromised more than one billion user accounts. The attack took place three years prior in August 2013. Yahoo disclosed that sensitive personal information - including names, telephone numbers, dates of birth and encrypted passwords - had been part of the breach.
In October 2017, Yahoo’s parent company Verizon revised the estimate upwards, stating that all three billion user accounts had been affected, confirming it as the biggest data breach to date.
2) Marriott Hotels
Date: November 2018
Number of affected users: 500 million
What happened: Hotel chain Marriott announced in November 2018 its reservation system had been hacked, resulting in the potential exposure of personal data belonging to 500 million guests. After purchasing the Starwood hotel group in 2016, Marriott identified the hackers had unauthorized access to the Starwood reservation database since 2014. The hacked data included names, addresses and passport numbers.
The New York Times reported in December 2018 that the Marriott hack was the target of a coordinated attempt by Chinese intelligence-gathering operators.
3) FriendFinder Network
Date: November 2016
Number of affected users: 412 million
What happened: Over 412 million user accounts registered across the FriendFinder Network umbrella, including Adult Friend Finder, were compromised in October 2016. The hack exposed user information including email addresses, passwords, IP addresses and membership status. The company stored user passwords in plaintext or using the weak SHA1 algorithm, meaning 99% of all passwords could be easily cracked, according to LeakedSource, a breach notification website.
FriendFinder Network subsequently released a statement advising that the company did “...fix a vulnerability that was related to the ability to access source code through an injection vulnerability."
4) MySpace
Date: May 2016
Number of affected users: 360 million
What happened: Users of the social networking site MySpace were notified in May 2016 that their old information could be available for sale online. Time Inc., which purchased MySpace in February of the same year, reported that 360 million accounts were compromised. Although the breach was dated back to June 2013, usernames and passwords could have been re-used to access information on other websites.
The Russian hacker allegedly behind the MySpace hack was also purported to be the mastermind of other attacks on social sites such as LinkedIn and Tumblr.
5) Twitter
Date: May 2018
Number of affected users: 330 million
What happened: In May 2018, Twitter urged its 330 million users to change their passwords after discovering a glitch which caused some passwords to be stored in readable text on its internal computer system. While an internal investigation found no evidence that passwords had been compromised, the company advised all users of the social network to change their passwords and enable the two-factor authentication service as an additional layer of protection.
The U.S. Federal Trade Commission had previously settled a dispute with Twitter in 2010 over accusations that “serious lapses” in data security had resulted in hackers accessing private user data on two occasions.
6) Deep Root Analytics
Date: June 2017
Number of affected users: 198 million
What happened: Deep Root Analytics, a marketing firm specializing in identifying audiences for political advertisements, was revealed to have stored internal documents on a publicly accessible Amazon server in June 2017. The leak contained 1.1 terabytes of data on 198 million American citizens - approximately 61% of the US population - and not only revealed personal data such as home addresses, birth dates and phone numbers, but also advanced sentiment analysis on political issues such as gun ownership and abortion.
The company was subject to a class-action lawsuit that alleged Deep Root Analytics had failed to “secure and safeguard the public’s personally identifiable information,” leaving US citizens open to identity theft.
7) MyFitnessPal / Under Armour
Date: February 2018
Number of affected users: 150 million
What happened: Under Armour announced in March 2018 that 150 million users of its MyFitnessPal app had their usernames and email addresses compromised. While personal information such as payment card data and social security numbers were not affected by the data breach, Under Armour encouraged all users to change their passwords immediately.
It was subsequently revealed that Under Armour had used the same notoriously weak SHA1 algorithm as FriendFinder Network prior to their 2016 hack.
8) eBay
Date: February/March 2014
Number of affected users:145 million
What happened: In early 2014, cyber-attackers managed to obtain customer data for all 145 million eBay users. The hackers used credentials for three corporate employees and eventually gained access to the user database, from where they were able to access usernames and encrypted passwords belonging to users of the auction website.
eBay initially believed no customer data had been compromised, but quickly made a public announcement when the true extent of the breach became apparent.
9) Heartland Payment Systems
Date: January 2009
Number of affected users: 130 million
What happened: The payment processor Heartland reported in January 2009 that millions of credit card and debit card transactions passing through their system had been breached. Although no merchant data or cardholder information was jeopardized, the hacked data included the digital information encoded onto the magnetic strip built into the back of credit and debit cards - enabling criminals to potentially manufacture counterfeit cards using the stolen information.
In total, 130 million credit card numbers were stolen. Computer hacker Albert Gonzalez was eventually convicted and handed a 20-year sentence for his involvement in the Heartland hack, as well as credit card data hacks of other companies including TJX, Office Max and Barnes & Noble in 2010.
10) LinkedIn
Date: June 2012
Number of affected users: 117 million
What happened: LinkedIn was hacked in 2012, affecting over 117 million members of the professional social network. Originally, the company thought only 6.5 million passwords had been stolen, but a May 2016 announcement on LinkedIn’s website announced that over 100 million passwords were compromised. Hackers were selling the stolen data on an online black market.
Following the announcement, LinkedIn advised its users to change their passwords and use two-factor authentication for extra security.
Check out the relative scale of these top ten data breaches in this diagram.
How to stay protected against major data breaches
As the list shows, data breaches can affect some of the most prominent businesses in the world. If this list of largest data breaches has made you think about how your organization approaches data security, our articles on preventing data breaches, how to stay protected and how to protect your organization’s data contain useful insights - you can also contact us directly with any questions, by filling out the form below.