Do you know where your data is?
June 22, 2022
Corporate data is more valuable than gold these days and especially more valuable than crypto currency. So stop worrying about how bad the Crypto and NFT market is and start asking the question “How bad is your corporations network and cloud security?” Data breaches are sky rocketing and if you don’t want to be on this list next year you better let Tenfold Security help you out.
We’ve compiled a list of the 20 largest data breaches in history, and you won’t believe who made the list!
Today we will share with you the 20 biggest data breaches ranked by impact.
Date: March 2020
Impact: 10.88 billion records.
Adult video streaming website CAM4 has had its Elasticsearch server breached exposing over 10 billion records.
The breached records included the following sensitive information:
- Full names
- Email addresses
- Sexual orientation
- Chat transcripts
- Email correspondence transcripts
- Password hashes
- IP addresses
- Payment logs
Many of the exposed email addresses are linked to cloud storage services. If hackers were to launch successful phishing attacks on these users, they could gain deeper access to personal photos and business information.
Due to the licentious connection of the breached database, compromised users could fall victim to blackmail and defamation attempts for many years to come.
- Yahoo! 2017
Date: October 2017
Impact: 3 billion accounts
Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In this instance, security questions and answers were also compromised, increasing the risk of identity theft. The breach was first reported by Yahoo while in negotiations to sell itself to Verizon, on December 14, 2016. Yahoo forced all affected users to change passwords and to reenter any unencrypted security questions and answers to re-encrypt them.
However, by October of 2017, Yahoo changed the estimate to 3 billion user accounts. An investigation revealed that users’ passwords in clear text, payment card data and bank information were not stolen. Nonetheless, this remains one of the largest data breaches of this type in history.
Date: March 2018
Impact: 1.1 billion people
In March of 2018, it became public that the personal information of more than a billion Indian citizens stored in the world’s largest biometric database could be bought online.
This massive data breach was the result of a data leak on a system run by a state-owned utility company. The breach allowed access to private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details.
The type of information exposed included the photographs, thumbprints, retina scans and other identifying details of nearly every Indian citizen.
- First American Financial Corp.
Date: May 2019
Impact: 885 million users
In May 2019, First American Financial Corporation reportedly leaked 885 million users’ sensitive records that date back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork.
Date: February 2019
Impact: 763 million users
In February 2019, email address validation service verifications.io exposed 763 million unique email addresses in a MongoDB instance that was left publicly facing with no password. Many records also included names, phone numbers, IP addresses, dates of birth and genders.
- LinkedIn 2021
Date: June 2021
Impact: 700 million users
Data associated with 700 million LinkedIn users was posted for sale in a Dark Web forum on June 2021. This exposure impacted 92% of the total LinkedIn user base of 756 million users.
The data was dumped in two waves, initially exposing 500 million users, and then a second dump where the hacker “God User” boasted that they were selling a database of 700 million LinkedIn.
The hackers published a sample containing 1 million records to confirm the legitimacy of the breach. The data included the following:
- Email addresses
- Full names
- Phone numbers
- Geolocation records
- LinkedIn username and profile URLs
- Personal and professional experience
- Other social media accounts and details
The hacker scraped the data by exploiting LinkedIn’s API.
LinkedIn claims that, because personal information was not compromised, this event was not a ‘data breach but, rather, just a violation of their terms of service through prohibited data scraping.
But the leaked data is sufficient to launch a deluge of cyberattacks targeting exposed users, which makes the incident heavily weighted towards a data breach classification.
- Facebook 2019
Date: April 2019
Impact: 533 million users
In April 2019, it was revealed that two third-party Facebook app datasets had been exposed to the public Internet. One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 533 million records detailing comments, likes, reactions, account names, FB IDs and more. This same type of collection, in similarly concentrated form, has been cause for concern in the recent past, given the potential uses of such data.
This database was leaked on the dark web for free in April 2021, adding a new wave of criminal exposure to the data originally exfiltrated in 2019. This makes Facebook one of the recently hacked companies 2021, and therefore, one of the largest companies to be hacked in 2021.
- Yahoo! 2014
Impact: 500 million accounts
Yahoo believed that a “state-sponsored actor” was behind this initial cyberattack in 2014. The stolen data included personal information such as names, email addresses, phone numbers, hashed passwords, birth dates, and security questions and answers, some of which were unencrypted. Yahoo had become aware of this breach back in 2014, taking a few initial remedial actions but failing to investigate further. It was only about two years later that Yahoo publicly disclosed the breach after a stolen database from the company allegedly went up for sale on the black market.
- Starwood (Marriott)
Date: November 2018
Impact: 500 million guests
In November 2018, Marriott International announced that hackers had stolen data about approximately 500 million Starwood hotel customers. The attackers had gained unauthorized access to the Starwood system back in 2014 and remained in the system after Marriott acquired Starwood in 2016. However, the discovery was not made until 2018.
The information that was exposed included names, contact information, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. Marriott believes that financial information such as credit and debit card numbers, and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.
According to the New York Times, the breach was eventually attributed to a Chinese intelligence group, The Ministry of State Security, seeking to gather data on US citizens. If true, this would be the largest known breach of personal data conducted by a nation-state.
- Adult Friend Finder
Date: October 2016
Impact: 412.2 million accounts
In October 2016, hackers collected 20 years of data on six databases that included names, email addresses and passwords for The AdultFriendFinder Network. The FriendFinder Network includes websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com, and Stripshow.com.
Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99% of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on November 14.
- MySpace 2013
Date: June 2013
Impact: 360 million accounts
In June 2013 around 360 million MySpace accounts were compromised by a Russian hacker, but the incident was not publicly disclosed until 2016. The information that was leaked included account information such as the owner’s listed name, username, and birthdate. Between 2013 and 2016, anyone who gained access to this breached information could have taken over any Myspace account. The former social media network giant has since invalidated all passwords belonging to accounts that were set up prior to 2013.
Date: June 2018
Impact: 340 million people
In June of 2018, Florida-based marketing and data aggregation firm Exactis exposed a database containing nearly 340 million records on a publicly accessible server. The breach exposed highly personal information such as people’s phone numbers, home, and email addresses, interests, and the number, age, and gender of their children. This data exposure was discovered by security expert Vinny Troia, who indicated that the breach included data on hundreds of millions of US adults and millions of businesses.
- Twitter 2018
Date: May 2018
Impact: 330 million users
In May of 2018, social media giant Twitter notified users of a glitch that stored passwords unmasked in an internal log, making all user passwords accessible to the internal network. Twitter told its 330 million users to change their passwords but the company said it fixed the bug and that there was no indication of a breach or misuse, but encouraged the password update as a precaution. Twitter did not disclose how many users were impacted but indicated that the number of users was significant and that they were exposed for several months.
Date: October 2015
Impact: 234 million users
In October 2015, NetEase (located at 163.com) was reported to suffered from a data breach that impacted hundreds of millions of subscribers. While there is evidence to say that the data is legitimate (many users confirmed their passwords where in the data), it is difficult to verify emphatically.
The breach contained email addresses and plain text passwords.
Date: January 2021
Impact: 200 million records
Sociallarks, a rapidly growing Chinese social media agency suffered a monumental data leak in 2021 through its unsecured ElasticSearch database.
Sociallarks’ server wasn’t password-protected, wasn’t encrypted, and it was a publicly exposed asset. This lethal combination meant that anybody with knowledge of the server IP address could access the leaked sensitive data, and that’s exactly what happened.
The breached database stored the scraped data of over 200 million Facebook, Instagram, and Linkedin users.
Exposed data included:
- Phone numbers
- Email addresses
- Profile descriptions
- Follower and engagement data
- LinkedIn profile links
- Connected social media account login names
- Deep Root Analytics
Date: Jun 2017
Impact: 200 million U.S voters
The records of 200 million voters was accessed from Deep Root Analytics, a firm working on behalf of the Republican National Committee (RNC).
The data consisted of 1.1 terabytes of voter Personal Identifiable Information (PII) including names, addresses and birthdates.
The accessed data also contained comprehensive voter analysis based on Reddit post activity which could be used to predict how somebody would vote on a particular issue.
- Court Ventures (Experian)
Date: Oct 2013
Impact: 200 million personal records
Court Ventures, a subsidiary of credit card monitoring firm Experian, was breached exposing 200 million personal records.
The hacker was running a business selling Personal Identifiable Information and was selling the credit card numbers and social security numbers he had accessed in the breach.
Penetration was achieved by the hacker posing as a private investigator from Singapore and convincing staff to relinquish access to the internal database.
Experian suffered another breach in 2020, when a threat actor claiming to be Experian’s client convinced staff to relinquish customer information for marketing purposes.
These events have earned Experian the reputation of suffering one the biggest data breaches in the financial services sector.
- LinkedIn 2012Date: June 2012Impact: 165 million usersIn June 2012, LinkedIn disclosed a data breach had occurred, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: a whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not “salted” with random data to make them harder to reverse.That revelation prompted other services to comb their LinkedIn data and force their own users to change any passwords that matched (kudos to Netflix for taking the lead on this one.) Left unanswered is why LinkedIn did not further investigate the original breach, or inform more than 100 million affected users, in the intervening four years.
Date: December 2018
Impact: 162 million users
In December 2018, Dubmash suffered a data breach that exposed 162 million unique email addresses, usernames and DBKDF2 password hashes. In 2019, this data appeared for sales on the dark web and was circulated more broadly.
Date: October 2013
Impact: 152 million
In October 2013, 153 million Adobe accounts were breached. The data breach contained an internal ID, username, email, encrypted password and password hint in plain text. The encryption was weak and many were quickly resolved back to plain text, the password hints added to the damage making it easy to guess the passwords of many users.
The moral of this story is that if you think your company’s not susceptible to hacking then you would be WRONG! Let TenFold Security help to stop these terrible attacks and ultimately keep your company off of this list. Call toady! (913) 361-0357