Data breaches in today’s data-driven society can touch hundreds of millions, if not billions, of individuals at once. As the volume of data moving through digital systems has expanded with digital transformation, so have data breaches, as attackers exploit the data dependencies of everyday life. The size of future cyberattacks is unknown, but as this list of the largest data breaches of the twenty-first century shows, they have already reached gigantic proportions.
For transparency, this list was compiled based on the number of users affected, records exposed, or accounts affected. We also distinguished between incidents in which data was deliberately stolen or intentionally reposted and those in which an organization inadvertently left data unprotected and exposed but there was no significant evidence of abuse. The latter have been purposely left off the list.
So here is an up-to-date list of the 15 largest data breaches in recent history, complete with information on those affected, who was responsible, and how the companies responded (as of July 2021).
1. Yahoo:
Year: August 2013
Impact: 3 billion user accounts
The attack on Yahoo took the top rank almost seven years after the initial breach and four years after the true number of accounts exposed was revealed. The incident, which occurred in 2013, was first made public by the firm in December 2016. Yahoo was in the midst of being acquired by Verizon at the time, and it was thought that a hacking gang had accessed the account information of over a billion of its subscribers. Less than a year later, Yahoo stated that the real number of user accounts exposed was 3 billion. Yahoo maintained that the increased estimate did not reflect a new “security risk,” and that emails were being sent to all “additional affected user accounts.”
Despite the criticism, the Verizon purchase was finalized, although at a lower price. “Verizon is committed to the highest levels of accountability and openness, and we proactively work to guarantee the safety and security of our users and networks in a dynamic landscape of cyber threats,” stated Verizon’s CISO Chandra McMahon at the time. “Our investment in Yahoo enables that team to take substantial measures to improve their security while also benefiting from Verizon’s experience and resources.” Following an examination, it was discovered that, while the attackers gained access to account information such as security questions and answers, no plaintext passwords, credit card or bank data were obtained.
2. Aadhaar:
Year: January 2018.
Impact: The identity/biometric information of 1.1 billion Indian residents.
In early 2018, it was revealed that malicious actors had penetrated Aadhaar, the world’s largest ID database, exposing information on over 1.1 billion Indian individuals, including names, addresses, photographs, phone numbers, and emails, as well as biometric data such as fingerprints and iris scans. Furthermore, because the database, which was developed by the Unique Identification Authority of India (UIDAI) in 2009, contained information about bank accounts linked to unique 12-digit numbers, it became a credit breach as well, despite the UIDAI initially denying that the database contained such information.
The hacker gained access to the Aadhaar database via the website of Indane, a state-owned power firm that was linked to the government database through an application programming interface (API), which allows one application to retrieve data stored by another. Unfortunately, Indane’s API had no access controls, so anyone who could reach it could query the data. Access to the data was offered for as little as $7 via a WhatsApp group. Despite warnings from security researchers and IT groups, Indian officials did not take the insecure access point offline until March 23, 2018.
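The Indane incident above comes down to a lookup endpoint that served records to anyone who asked. The following is an added illustration, not code from the article or from any of the organisations it names, of that shape beside a hardened version: the caller is authenticated with an API key, the key's scope decides which fields it may read, and a per-key quota slows bulk harvesting. The records, identifiers and the key string are constructed placeholders.

```python
"""Added example (not from the article): an identity-lookup API with no access
control, beside a hardened version that authenticates the caller, limits the
fields returned by scope, and rate-limits each key.
All records, keys and requests below are constructed sample data."""
import hmac
import time
from collections import defaultdict, deque

# Constructed sample records keyed by a 12-digit identifier (not real data).
RECORDS = {
    "123456789012": {"name": "Sample Person A", "phone": "+91-00000-00001"},
    "123456789013": {"name": "Sample Person B", "phone": "+91-00000-00002"},
}


def lookup_unprotected(request):
    """Vulnerable shape: any caller who knows (or guesses) an ID gets the full
    record. Nothing about the caller is checked, so the whole table is one
    loop over the ID space away."""
    return RECORDS.get(request["id"])


# Hardened version. API keys are issued per integration with a read scope and a
# per-minute quota. The key below is a constructed placeholder.
API_KEYS = {
    "svc-billing-key-PLACEHOLDER": {"scope": "lookup:basic", "per_minute": 3},
}
FIELDS_BY_SCOPE = {
    "lookup:basic": ("name",),           # basic scope never returns the phone number
    "lookup:full": ("name", "phone"),
}
_calls = defaultdict(deque)              # api_key -> timestamps of recent calls


def _find_key(presented):
    # Constant-time comparison so a key check does not leak by timing.
    for key, meta in API_KEYS.items():
        if hmac.compare_digest(key.encode(), presented.encode()):
            return meta
    return None


def _within_quota(key, limit, now):
    window = _calls[key]
    while window and now - window[0] >= 60:   # drop calls older than the window
        window.popleft()
    if len(window) >= limit:
        return False
    window.append(now)
    return True


def lookup_protected(request, now=None):
    """Return (http_status, payload). Authentication, rate limiting and
    field-level authorization all happen before the record store is read."""
    now = time.time() if now is None else now
    presented = request.get("api_key", "")
    meta = _find_key(presented)
    if meta is None:
        return 401, None                      # unauthenticated caller
    if not _within_quota(presented, meta["per_minute"], now):
        return 429, None                      # quota exhausted: blunts mass harvesting
    record = RECORDS.get(request.get("id", ""))
    if record is None:
        return 404, None
    allowed = FIELDS_BY_SCOPE[meta["scope"]]
    return 200, {k: record[k] for k in allowed}   # data minimisation by scope
```

The `now` parameter exists so the quota logic can be exercised deterministically; in a real service the timestamps would come from the clock, the keys from a secret store, and the quota state from something shared across instances rather than a process-local dictionary.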
3. Alibaba:
Year: November 2019
Impact: 1.1 billion user data points
Over an eight-month period, a developer working for an affiliate marketer collected consumer data from Alibaba’s Taobao shopping site using crawler software he had written. Although the developer was sentenced to three years in prison, it appears that he and his company were collecting the information for their own use and did not sell it on the black market.
“Taobao commits extensive resources to combat illicit scraping on our site since data privacy and security are of the utmost concern,” a Taobao representative said in a statement. “We were aggressive in detecting and addressing this unlawful scrape. We will continue to collaborate with law enforcement to defend and protect our users’ and partners’ interests.”
4. LinkedIn:
Year: June 2021
Impact: 700 million users
In June 2021, data linked with 700 million LinkedIn members was posted on a dark web forum, affecting more than 90% of the company’s user base. A hacker known as “God User” employed data scraping techniques to exploit the site’s (and others’) API before releasing a first data set of around 500 million users. They then boasted that they were selling the entire 700 million user database. LinkedIn argued that the incident was a violation of its terms of service rather than a data breach, because no sensitive, private personal data was exposed. However, a scraped data sample posted by God User contained email addresses, phone numbers, geolocation records, genders, and other social media details, giving malicious actors plenty of data to craft convincing follow-up social engineering attacks in the aftermath of the leak, as warned by the U.S.
5. Sina Weibo:
Year: March 2020
Impact: 538 million accounts
Sina Weibo is one of China’s major social media networks, with over 600 million members. In March 2020, the firm said that an attacker had gained access to a portion of its database, affecting 538 million Weibo users and their personal information such as real names, site usernames, gender, location, and phone numbers. According to reports, the attacker then sold the database on the dark web for $250.
The Ministry of Industry and Information Technology (MIIT) of China has directed Weibo to improve its data security measures in order to better secure personal information and to alert users and authorities when data security incidents occur. Sina Weibo claimed in a statement that an attacker acquired publicly available information by utilising a tool designed to help users identify friends’ Weibo accounts by providing their phone numbers, and that no passwords were compromised. It did admit, however, that the leaked data might be used to link accounts to passwords if passwords are repeated on other accounts. According to the corporation, it has enhanced its security policy and has disclosed the facts to the appropriate authorities.
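The Taobao, LinkedIn and Weibo entries above share a pattern: the data left through a legitimate-looking interface, one request at a time, at a volume no human user produces. The following is an added example, not code from the article or from any of the companies it names, of the detection side: it parses constructed web-server access log lines and flags a client that bursts requests, walks through many distinct profile IDs, or hammers a friend-finder endpoint with many distinct phone numbers. The log format, paths, thresholds and IP addresses are all assumptions chosen for illustration.

```python
"""Added example (not from the article): flagging scraping and enumeration in
web-server access logs. A client is flagged when it (a) sends a burst of
requests inside a short window, (b) walks many distinct profile IDs, or
(c) queries a phone-lookup endpoint with many distinct numbers.
The log format and every log line below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-style line: client, timestamp, request line, status (assumed format)
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "path": m["path"], "status": int(m["status"])}


def profile_id(path):
    m = re.match(r"/profile/(\d+)$", path)            # hypothetical profile route
    return m.group(1) if m else None


def lookup_phone(path):
    m = re.match(r"/api/find_friend\?phone=(\d+)$", path)   # hypothetical lookup route
    return m.group(1) if m else None


def detect_scrapers(lines, window_s=60, max_rate=20, max_ids=15, max_phones=10):
    """Return {ip: [reasons]} for clients whose traffic looks like bulk harvesting."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        # (a) burst: count of requests inside a sliding window over timestamps
        j = 0
        for i, r in enumerate(recs):
            while (r["ts"] - recs[j]["ts"]).total_seconds() > window_s:
                j += 1
            if i - j + 1 > max_rate:
                reasons.append("burst")
                break
        # (b) breadth of profile IDs touched, regardless of speed
        ids = {profile_id(r["path"]) for r in recs} - {None}
        if len(ids) > max_ids:
            reasons.append("profile_enumeration")
        # (c) breadth of phone numbers tried against the lookup endpoint
        phones = {lookup_phone(r["path"]) for r in recs} - {None}
        if len(phones) > max_phones:
            reasons.append("phone_lookup_enumeration")
        if reasons:
            findings[ip] = reasons
    return findings


def sample_log():
    """Constructed log: one client walking sequential profile IDs, one client
    trying many phone numbers, and one ordinary visitor."""
    base = '203.0.113.{ip} - - [10/Mar/2020:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200'
    lines = []
    for n in range(30):                                   # 30 sequential profiles in 30 s
        lines.append(base.format(ip=5, s=n, p=f"/profile/{100000 + n}"))
    for n in range(12):                                   # 12 distinct numbers, slowly
        lines.append(base.format(ip=7, s=n * 3, p=f"/api/find_friend?phone=1380000{n:04d}"))
    lines.append(base.format(ip=9, s=5, p="/profile/100001"))    # normal user
    lines.append(base.format(ip=9, s=40, p="/profile/100002"))
    return lines
```

The breadth checks (b) and (c) matter more than the rate check in practice: a patient scraper that stays under any per-minute limit still touches far more distinct records than a genuine user, which is why the thresholds are expressed in distinct IDs and numbers rather than only requests per second.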
6. Facebook:
Year: April 2019
Impact: 530 million user accounts
It was revealed in April 2019 that two datasets from Facebook apps had been exposed to the public internet. The data included phone numbers, account names, and Facebook IDs for over 530 million Facebook members. However, the data was made freely available two years later (April 2021), showing new and genuine criminal intent surrounding it. Given the sheer number of phone numbers impacted and readily available on the dark web as a result of the incident, security researcher Troy Hunt added functionality to his HaveIBeenPwned (HIBP) breached-credential checking site that allowed users to verify whether their phone numbers were included in the exposed dataset.
“I had no intention of making phone numbers searchable,” Hunt stated in a blog post. “My stance on this was that it didn’t make sense for a variety of reasons. The Facebook data changed everything. Because there are over 500 million phone numbers but only a few million email addresses, >99% of people were missing out when they should have been getting a hit.”
7. Marriott International, Inc.:
Year: September 2018.
Impact: 500 million customers
Following an attack on its networks in September 2018, Marriott International revealed the exposure of sensitive information belonging to half a million Starwood guests. “On September 8, 2018, Marriott got an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database,” the hotel giant said in a statement released in November of the same year. “Marriott promptly enlisted the assistance of top security professionals to help determine what happened.”
During the inquiry, Marriott discovered that there had been unauthorised access to the Starwood network since 2014. “Marriott recently found that an unauthorised person had copied and encrypted data and took steps to remove it. Marriott was able to decrypt the material on November 19, 2018, and determined that the contents were from the Starwood guest reservation database,” the statement continued.
Names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences were among the information copied. Payment card details and expiration dates were also given in certain cases, albeit these were supposedly encrypted.
Following the hack, Marriott conducted an investigation with the assistance of security professionals and announced measures to phase out Starwood systems and accelerate network security enhancements. In 2020, the UK data regulator, the Information Commissioner’s Office (ICO), penalised the corporation £18.4 million (down from £99 million) for failing to keep customers’ personal data secure. According to a New York Times piece, the hack was carried out by a Chinese intelligence outfit looking to obtain information on US residents.
8. Yahoo:
Year: 2014
Impact: 500 million user accounts
Yahoo makes its second appearance on this list, having experienced an attack in 2014 in addition to the one mentioned above. State-sponsored attackers stole data from 500 million users on this occasion, including names, email addresses, phone numbers, hashed passwords, and dates of birth. The corporation took initial corrective action in 2014, but it wasn’t until 2016 that Yahoo made the details public after a stolen database was sold on the black market.
9. Adult Friend Finder:
Year: October 2016
Impact: 412.2 million accounts
In October 2016, cyber-thieves stole 20 years’ worth of subscriber data from the adult-oriented social networking service The FriendFinder Network across six databases. Given the sensitive nature of the company’s services, which include casual hookup and adult content websites such as Adult Friend Finder, Penthouse.com, and Stripshow.com, the breach of data from over 414 million accounts, including names, email addresses, and passwords, had the potential to be especially damaging for victims. Furthermore, the vast majority of the revealed passwords were hashed using the notoriously weak SHA-1 algorithm, with an estimated 99% of them broken by the time LeakedSource.com published its data set analysis on November 14, 2016.
10. Myspace:
Year: 2013
Impact: 360 million user accounts
Though it has long since ceased to be the powerhouse it once was, social media site Myspace made headlines in 2016 after 360 million user accounts were leaked onto LeakedSource.com and listed for sale on the dark web market The Real Deal for 6 bitcoin (about $3,000 at the time).
Email addresses, passwords, and usernames for “a percentage of accounts created prior to June 11, 2013, on the former Myspace platform,” according to the firm, were lost. “To protect our users, we have invalidated all user passwords for affected accounts generated on the previous Myspace platform prior to June 11, 2013. These users will be prompted to confirm their accounts and reset their passwords by following the instructions.”
The passwords were most likely saved as SHA-1 hashes of the first ten characters of the password converted to lowercase.
11. NetEase:
Year: October 2015
Impact: 235 million user accounts
NetEase, a supplier of mailbox services through sites like 163.com and 126.com, purportedly suffered a hack in October 2015 when dark web marketplace vendor DoubleFlag sold email addresses and unencrypted passwords for 235 million accounts. NetEase has maintained that no data breach occurred, and HIBP continues to state: “Whilst there is evidence that the data itself is legitimate (multiple HIBP subscribers confirmed a password they use is in the data), the Chinese breach has been flagged as “unverified” due to the difficulty of emphatically verifying it.”
12. Court Ventures (Experian):
Year: October 2013.
Impact: 200 million personal records
In 2013, a Vietnamese man tricked Experian subsidiary Court Ventures into giving him access to a database comprising 200 million personal records by posing as a private investigator from Singapore. Hieu Minh Ngo’s activities were only revealed after his arrest for selling personal information of US residents (including credit card data and Social Security numbers) to hackers all over the world, which he had been doing since 2007. In March 2014, he pleaded guilty in the US District Court for the District of New Hampshire to various offences, including identity fraud. The Department of Justice alleged at the time that Ngo made a total of $2 million from selling personal data.
13. LinkedIn:
Year: June 2012
Impact: 165 million user accounts
LinkedIn makes its second appearance on this list, this time in regard to a 2012 breach in which it stated that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been taken by attackers and uploaded to a Russian hacker forum. However, the full scope of the incident was not exposed until 2016. The same hacker who sold the Myspace data was discovered to be selling the email addresses and passwords of around 165 million LinkedIn users for only 5 bitcoins (approximately $2,000 at the time). LinkedIn confirmed being made aware of the breach and stated that it had reset the passwords for affected accounts.
14. Dubsmash:
Year: December 2018
Impact: 162 million user accounts
Dubsmash, a New York-based video messaging service, had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen in December 2018, and all of this was subsequently sold on the Dream Market dark web market the following December. The data was sold as part of a larger dump that included MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating service CoffeeMeetsBagel.
Dubsmash acknowledged the breach and sale of information and advised users to change their passwords. However, it did not specify how the attackers gained access or clarify how many users were affected.
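Several entries above turn on how passwords were stored: unsalted SHA-1 at LinkedIn and FriendFinder, SHA-1 of the lowercased first ten characters at Myspace, and PBKDF2 at Dubsmash. The following is an added example, not code from the article or from any of those companies, that shows why the first two fell so quickly and what the PBKDF2 alternative looks like. `legacy_sha1` models the Myspace scheme as the article describes it; the wordlist, sample passwords and iteration count are constructed assumptions.

```python
"""Added example (not from the article): unsalted, truncated SHA-1 password
storage beside salted, iterated PBKDF2-HMAC-SHA256.
The wordlist and sample passwords below are constructed."""
import hashlib
import hmac
import os


def legacy_sha1(password):
    """Myspace-style storage as the article describes it: lowercase the
    password, keep the first ten characters, hash with unsalted SHA-1."""
    return hashlib.sha1(password.lower()[:10].encode()).hexdigest()


def audit_legacy_hashes(stored_hashes, wordlist):
    """Defender's audit of a legacy table: because there is no salt, one pass
    over a wordlist builds a lookup table that resolves every matching hash in
    the whole table at once. Returns {hash: recovered_password}."""
    table = {legacy_sha1(w): w for w in wordlist}
    return {h: table[h] for h in stored_hashes if h in table}


# Hardened scheme: a random per-user salt and an iterated KDF, so each hash
# must be attacked separately and each guess costs real CPU time.
ITERATIONS = 600_000   # assumption: tune so one verification takes ~100 ms on your hardware


def pbkdf2_store(password, salt=None, iterations=ITERATIONS):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the parameters can be raised later without a migration flag
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password, stored):
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)   # constant-time comparison


# Constructed sample data: a tiny wordlist and three legacy hashes to audit.
WORDLIST = ["password", "letmein", "qwerty123", "sunshine", "football"]
SAMPLE_STORED = [legacy_sha1("Password"), legacy_sha1("LetMeIn"), legacy_sha1("Tr0ub4dor&3")]
```

Two properties of the legacy scheme are worth noticing in the audit function: the absence of a salt is what lets one precomputed table serve the entire user base, and the lowercase-and-truncate step means `Password!!!extra` and `PASSWORD!!` are stored as the same hash, shrinking the space an attacker has to cover. PBKDF2 with a per-user salt removes the shared table, and the iteration count is the knob that keeps each guess expensive as hardware improves.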
15. Adobe:
Year: October 2013
Impact: 153 million user records
Early in October 2013, Adobe confirmed that hackers had obtained nearly three million encrypted consumer payment card records as well as login information for an unknown number of user accounts. After a few days, Adobe revised its estimate to include IDs and encrypted passwords for 38 million “active users.” According to security blogger Brian Krebs, a file leaked just days before “appears to comprise more than 150 million login and hashed password pairs obtained from Adobe.” After weeks of investigation, it was discovered that the attack had also exposed customer names, passwords, and debit and credit card information. In August 2015, Adobe agreed to pay $1.1 million in legal fees and an unknown amount to users to settle charges of Customer Records Act violations and unfair business practices. The sum paid to customers was estimated to be $1 million in November 2016.