The Biggest Data Breaches & Hacks Since 2000

Data breaches have increasingly put companies under the spotlight. This includes Twitter, Microsoft, Facebook, Sina Weibo, Zoom, and even the U.K. National Health Service (NHS). In this article we will take a look at some of the whoppers that have occurred over the past two decades.

Data breaches have increasingly put companies under the spotlight. Part of the reason is that data compromised during these incidents is often highly confidential, for example personal, medical, or even financial information.

Although the terms ‘data breach’ and ‘hack’ are often used interchangeably, there are some fundamental differences. Either way, the end result is potentially a crisis situation for whoever’s data has been stolen.

Another major problem is that data breaches and hacks have become increasingly large and frequent over the years. Let’s take a look at some of the whoppers that have occurred over the past two decades.

UK National Health Service (NHS), 2021

Impact: Unknown

One of the last things you’d probably want to happen is to have all your nasty medical records revealed to the public. Unfortunately that’s what the UK’s National Health Service (NHS) did when a security gap the size of Uranus appeared in its vaccination booking website.

Well, the good news is that the details leaked only pertained to vaccination status. So no, not all nasty medical records were in plain view. No one knows how many details were stolen and the NHS kept mum about the matter.

Peloton, 2021

Impact: Unknown

When I first read this I blinked my eyes and went “Pelo-who?”. Yet I doubt that’s how Peloton users reacted to learning that an API flaw was leaking their private information. The flaw was discovered by security researchers who duly notified the company.

Peloton then rapidly proceeded … to do nothing over the next three months. It was only when media outlet TechCrunch contacted the company about the matter that they finally fixed the vulnerability.

Sina Weibo, 2020

Impact: 538 million users

Sina Weibo is China’s equivalent of Twitter. Unfortunately, in March 2020 it was reported (note: link is in Chinese) that the real names, site usernames, gender, location, and phone numbers of users were posted for sale on dark web markets. Thankfully, password data were not included.

Weibo acknowledged this but claimed that the data was obtained by matching contacts against its address book API. However, some of the information offered, such as location data, wasn’t available via the API.

This brought about public outcry with netizens investigating and confirming that the records were indeed circulating on the dark web. The company later claimed it was the work of a hacker who gathered publicly posted information by using a service meant to help users locate the Weibo accounts of friends, via their phone numbers. 

Broadvoice, 2020

Impact: 350 million records

Cases of secured databases getting breached aren’t unusual today but Broadvoice took one incident a step further. The company inadvertently left a massive database collection open and up for grabs.

We’re unsure if anyone really did grab any of the 350 million customer records but they certainly were comprehensive. The usual personal details were included, but also an eyebrow-raising collection of over two million voicemails.

Zoom, 2020

Impact: 500,000 records

Zoom came under a massive spotlight during the COVID-19 pandemic. Millions of users moved onto the platform to facilitate remote work as the world entered lockdowns on a massive scale. Unfortunately things didn’t go swimmingly as over half a million Zoom account credentials were found floating around the Dark Web.

Data records included the Zoom Host Key and were being sold for pennies on the dollar. Some account details were even made available for free – something I doubt even a cybercrime business would frown upon.

123RF, 2020

Impact: 8.3 million records

2020 was a bumper year of data breaches and website 123RF joined in the joy. Still, they only lost 8.3 million user records, which was a drop in the ocean compared to the massive boo-boos we saw from the likes of Microsoft and Facebook.

While no financial information came to light, there was the disturbing presence of PayPal-linked email addresses along with other personal details. Another somewhat positive note was that the information was rather outdated, indicating an older loss.

Twitter, 2020

Impact: Unknown

Twitter was one of the companies that took the initiative to step forward and contact customers about a possible security incident. A bug on the platform resulted in potential data leaks via the users’ web browser caches.

Business user data leaks included contact information and even part of credit card information – albeit only the last couple of digits. It’s unknown how much data was leaked as a result of the bug.

Facebook, 2020

Impact: 267 million profiles

Facebook has done it all over again and lost even more data. The company is by now known for everything from lax security to poor oversight over third parties using its platform. This time round the social media giant had profile details of over 260 million users stolen.

The data was being sold on the dark web for approximately $623 which was less than my desktop PC cost. Researchers actually purchased the database to verify if the data was legit – and it was.

Spotify, 2020

Impact: Unknown

In late 2020 music streaming platform Spotify circulated a letter to customers entitled “Notice of Data Breach.” In it, the company was formally apologetic about a potential leak of information to the platform’s business partners.

While it is unknown how much information was leaked, at least this time the exposure was somewhat contained within the company’s immediate circle of business partners. Spotify took steps to reset customer passwords but revealed no further information.

First American Financial Corporation, 2019

Impact: 885 million users

In May 2019 First American Financial Corporation reportedly leaked 885 million users’ sensitive records dating back more than 16 years. Information leaked included bank account records, social security numbers, mortgage and tax records, wire transactions, driver’s license images and other mortgage paperwork. 

The data was available publicly to anyone with a web browser. The company then realized that there was a design defect in an application that made possible unauthorized access to customer data. They took immediate action to shut down external access to the application. 

Microsoft, 2019

Impact: 250 million records

Software giant Microsoft was hit by a security breach in late 2019 that saw over 250 million customer support records eventually leaked. The company was unaware of the incident until a security researcher reported it.

Among the information in those records were identifying data such as email and IP addresses with even details of the support cases being included. Thankfully, Microsoft was quick to secure the source of the breach on the same day it was reported.

Zynga, 2019

Impact: 218 million user accounts

Zynga, once a giant in the Facebook gaming scene, still remains as a major player in the mobile game space with millions of customers worldwide. A Pakistani hacker, known as ‘Gnosticplayers’ claimed to have hacked into Zynga’s database of Draw Something and Words with Friends, ultimately accessing data in 218 million registered accounts. 

Zynga later confirmed that login IDs, names, email addresses, salted SHA-1 hashed passwords, phone numbers, and user IDs for Facebook and Zynga accounts were indeed stolen. Zynga has since taken steps to protect their users’ accounts from invalid logins. 

Facebook, 2019

Impact: 540 million users

Facebook works with many third party apps. In 2019 it was reported that there were two Facebook app datasets that had been exposed to the public Internet. One leak originated from the Mexico-based digital media company Cultura Colectiva which left more than 540 million records open for public access.

The second came from a backup file on a storage server by defunct California-based app maker At The Pool which contained more sensitive data, including scraped information. Data involved included user’s friends lists, interests, photos, group memberships and check-ins. 

Amazingly, neither company responded to requests to have the data removed, so Facebook contacted Amazon to pull the data offline.

Verification.io, 2019

Impact: 763 million users

Verification.io, an email address validation service provider, exposed 763 million unique email addresses in a MongoDB instance that was left open publicly with no password access required. Data including names, phone numbers, IP addresses, dates of birth and gender, email addresses, and other personal information was exposed.

Aadhaar, 2018

Impact: 1.1 billion users

India’s ID database Aadhaar reportedly suffered multiple breaches that potentially compromised the records of over 1.1 billion registered citizens. Private information, including identity and biometric information on Indian residents, was exposed.

Other information like their names, their unique 12-digit identity numbers, services they are connected to, such as their bank details and other private information were also compromised. The leak occurred due to state-owned utility company, Indane, not securing their APIs properly.

Criminals were reported to be selling access to the database at a rate of Rs500 (approximately $6.78) for 10 minutes.

Marriott International, 2018

Impact: 500 million customers

This data breach initially occurred on systems supporting Starwood hotel brands in 2014. However, attackers remained in the system even after Marriott acquired Starwood in 2016 and were only discovered in September 2018.

Stolen information included names, email and physical addresses, phone numbers, passport numbers, account info, birth dates, gender, travel and accommodation information. Even worse was the loss of hashed credit card information; credit card numbers and their expiration dates.

The breach was attributed to a Chinese intelligence group seeking to gather data on US citizens.

Exactis, 2018

Impact: 340 million

The Exactis data breach is somewhat unique in that there’s no proof that cybercriminals actually stole any data. However, experts believe that criminals did. Exactis is a Florida-based marketing firm that had records of 340 million Americans stored on an unsecured server.

Any cybercriminal could easily gain access to this server via a special search engine called Shodan. While the breach did not include sensitive data like credit card and Social Security numbers, it did include detailed personal information, including phone numbers, email and physical addresses, and even pet ownership.

It was later confirmed that 2TB of data was relocated to a public site for all to see, but as for who did it, that remains unknown. 

Twitter, 2018

Impact: 330 million users

Social media giant Twitter notified users of a glitch that stored unmasked passwords in an internal log. Those were thus accessible to the internal network. The company claims to protect user passwords via hashing, which replaces the actual password with a string of random-looking characters.

Unfortunately, the passwords in the log appeared in their original plain-text form instead. Following the incident, Twitter asked its 330 million users to change their passwords and said it had fixed the bug.

River City Media, 2017

Impact: 1.37 billion users

A huge email marketing organization called River City Media failed to safeguard backups of its database of 1.37 billion email accounts. The result was all of them being available for anyone to see – all because of improper configuration.

The available information included details like IP addresses, names and even physical addresses. It was also reported that River City Media was able to gather the information through a spam operation that involved sending emails promising ‘credit checks, sweepstakes and education opportunities’. 

Yahoo, 2013 & 2016

Impact: 3 billion user accounts

Claimed as the biggest data breach in history, Yahoo fell victim to attackers who the company believed were “state-sponsored actors”. In 2013, information compromised included the real names, email addresses, dates of birth and telephone numbers of 500 million users. Yahoo claimed that since most of the compromised passwords were hashed, they were safe.

But in December 2016, Yahoo disclosed another breach by a different attacker that included the names, dates of birth, email addresses, passwords and unencrypted security questions and answers of 1 billion user accounts. 

Yahoo later revised this estimated figure in October 2017 to include all of its 3 billion users. An investigation reported that users’ passwords in clear text, payment card data and bank information were not stolen.

Adult Friend Finder, 2016

Impact: 412.2 million users

A huge data breach detected at the adult dating and entertainment company Friend Finder Network exposed more than 412 million accounts. Cybercriminals penetrated the site’s defences and stole usernames, encrypted passwords, emails, dates of last visit and membership statuses for 412 million accounts.

Before this a previous data breach affected four million users, exposing information like sexual preferences and whether or not the user was looking for an extramarital affair. The nature of this breach was particularly sensitive due to the type of services offered. The Friend Finder Network also includes casual hookup and adult content websites. 

The stolen data spanned twenty years across six databases with weak SHA-1 hashing protecting most passwords. Around 99% of them were cracked by November 14, 2016.

MySpace, 2016

Impact: 360 million users

Social media site MySpace hit the headlines in 2016 after 360 million user accounts were put up for sale on the dark web. Information was also made available in LeakedSource, a searchable database of stolen accounts. 

Stolen passwords were hashed with SHA-1, which was easily cracked. MySpace then invalidated all passwords belonging to accounts that were set up prior to 2013.

NetEase, 2015

Impact: 235 million users

Chinese site NetEase suffered from a data breach that impacted hundreds of millions of subscribers. While there is some evidence that this report is accurate, as many users confirmed their passwords were leaked and sold on a dark web marketplace, it was difficult to verify conclusively. NetEase has reportedly denied this. The breach was then tagged as unverified.

eBay, 2014

Impact: 145 million users

eBay was the victim of a 2015 data breach which resulted in it asking all its 145 million users to reset their passwords. Attackers used a small set of employee credentials to access this user data.

Stolen information included encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth.

Adobe, 2013

Impact: 152 million users

In 2013 Adobe accounts were breached, with data lost including an internal ID, username, email, encrypted password and password hint in plain text. The encryption employed was weak and many passwords were quickly recovered as plain text. Furthermore, the password hints added to the damage, making it easy to guess the passwords of many users.

LinkedIn, 2012

Impact: 165 million users

LinkedIn reported a data breach which had occurred in 2012. Although the company never claimed an official number, figures in 2016 suggested that as many as 165 million user accounts were compromised. Data lost included 117 million passwords that had been hashed but not “salted”, that is, combined with random data to make them harder to reverse.
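What salting changes, as an added example that is not part of the original article: with unsalted SHA-1 (as described for the LinkedIn, MySpace and Adult Friend Finder dumps) the same password always produces the same digest, so one precomputed table exposes every account that uses it, while a per-user random salt and a slow key-derivation function do not. The account names, passwords and wordlist are constructed, and PBKDF2-HMAC-SHA256 with the iteration count shown is an assumed choice, not something named in the article.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not from any real dump); two users share a password.
ACCOUNTS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#kq9!vLm2z"}

# Constructed wordlist standing in for a list of commonly used passwords.
COMMON_PASSWORDS = ["123456", "password", "sunshine1", "qwerty"]

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your own hardware.
PBKDF2_ITERATIONS = 600_000


def unsalted_sha1(password):
    """Legacy scheme: one fast, unsalted digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def build_table(wordlist):
    """Digest -> password table, computed once and reusable against every account."""
    return {unsalted_sha1(word): word for word in wordlist}


def exposed_by_table(dump, table):
    """Accounts in an unsalted dump whose password falls out of a single lookup."""
    return {user: table[digest] for user, digest in dump.items() if digest in table}


def hash_password(password):
    """Salted scheme: fresh 16-byte random salt per user plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_password(password, record):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    legacy_dump = {user: unsalted_sha1(pw) for user, pw in ACCOUNTS.items()}
    print("same digest for alice and bob:", legacy_dump["alice"] == legacy_dump["bob"])
    print("exposed by one table:", exposed_by_table(legacy_dump, build_table(COMMON_PASSWORDS)))

    salted = {user: hash_password(pw) for user, pw in ACCOUNTS.items()}
    print("same digest after salting:", salted["alice"]["digest"] == salted["bob"]["digest"])
    print("alice can still log in:", verify_password("sunshine1", salted["alice"]))
```

The salt is stored next to the digest; it does not need to be secret, only unique per account.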

Sony PlayStation, 2011

Impact: 77 million users

In April 2011 a cyber-attack on the Sony PlayStation Network and Qriocity services led to the compromise of 77 million user accounts. Thieves made off with personal user information, including dates of birth, e-mails, home addresses and login credentials.

While credit card information appeared to be safe at first, the company later acknowledged that 12 million credit card numbers were unencrypted and could easily be read. Multiple class-action lawsuits were filed against the company.

Netflix, 2010

Impact: 100 million users

In 2010, Netflix supplied data sets containing over 100 million subscriber movie ratings and preferences to contest participants. Although Netflix insists that the data sets were anonymized and did not contain subscriber names or other personal information, experts confirmed that Netflix’s anonymization could easily be undone to identify individual subscribers.

While technically not a data breach, the move was clearly not thought through properly. Many considered it a violation of privacy due to the nature of the records involved.

Heartland Payment Systems, 2008 & 2009

Impact: 134 million records

This payment processing firm experienced a data breach when hackers exploited a SQL injection vulnerability to break into their systems and install sniffer software. The breach was discovered by Visa and MasterCard due to suspicious transactions. The company has since strengthened its security measures.

T.J Maxx Security, 2007

Impact: 94 million records

TJX disclosed that more than 45 million credit and debit card numbers may have been stolen from its IT systems over an 18-month timeframe. Hackers broke into the retail company’s wireless LAN. Court filings revealed that banks sued the retailer, claiming that the number was closer to 94 million.

AOL, 2003 – 2004 & 2006

Impact: 30 million users / 500,000 users

Between 2003 and 2004, a former software engineer of AOL stole 92 million email addresses belonging to an estimated 30 million users. He then sold the list of addresses to someone in Las Vegas who began spamming the list with an advertisement for an offshore gambling website.

However, AOL itself also isn’t completely sane. Search engines mostly recognize that releasing complete search history of users poses privacy risks. In 2006, AOL decided otherwise and posted a complete three-month set of search queries for several hours. It was long enough for the data to be accessed publicly.

CardSystems, 2005

Impact: 40 million users

It was confirmed that 40 million credit card accounts were exposed due to a security breach that occurred at a third-party vendor of CardSystems in 2005. The information included credit card numbers and security codes. It was only in 2009 that CardSystems was found to have stored unencrypted credit card information on its servers.

Microsoft, 2001 & 2002

Impact: Source code exposure

Circa 2001/2002, hackers gained access to some of Microsoft’s essential product secrets and the company acknowledged a security breach had occurred. It was reported that the unknown hackers had gained access to the source code to its most valuable software, including latest versions of Windows and Office.

Data Breach: What You Need to Know

What is a data breach?

A data breach is an incident in which information is accessed by unauthorized parties. In the first six months of 2019, over 4.1 billion records were compromised from over 3,800 publicly disclosed data breaches and hacks. Data breaches hurt both individuals and organizations by compromising sensitive information.

As an Individual

Being a victim of stolen data could prove detrimental to you as this can lead to serious damage. This includes possible financial loss and even emotional trauma. Once compromised, it can be extremely difficult to regain your sense of cyber identity and security.

As an Organization

Significant revenue loss is the common result of a security breach for any company. This comes in the form of not just monetary loss, but also serious reputational damage. Studies have shown that 29% of businesses which face a data breach end up losing revenue and of these, 38% experienced a loss of 20% or more.

A data breach is a security incident in which information is accessed without authorization. Data breaches can hurt businesses and consumers in a variety of ways. They are a costly expense that can damage lives and reputations and take time to repair.

How Can Data Breaches Occur?

Hacking

Most organizations’ IT infrastructure is not foolproof. Once a hacker targets something, he/she will relentlessly probe to find loopholes. Often, they will seek to take advantage of software bugs or vulnerabilities. 

In these circumstances, chances are that eventually at least one loophole will be found – and that is generally sufficient. A single point of entry is enough in many cases to allow access to entire networks and the information contained therein. 

Negligence

Based on surveys done, employee negligence remains the biggest worry for companies. Part of this is that it is a major contributor towards data loss. Between 2017 and 2019, an average of 20% of data loss incidents were due to negligence.

Malware

Malware is the name used collectively for malicious software, including viruses, ransomware and spyware. They are collections of code developed with the express intention to cause damage or gain unauthorized access to systems. 

Malware is delivered through many means, from a hyperlink to a file sent over email. Typically, action on the receiver’s part is required to execute the malware, such as opening the file or link.

Phishing

This occurs when someone or something mimics a trusted, reputable entity in order to collect private information from you. You, in turn, will provide the required private information, trusting the source of the email.

This happens frequently to banking customers and is not exclusive to the Internet. Other phishing methods could be in the form of in-person calls from those claiming to be a representative of a reputable company.

SQL Injection

This is an attack that exploits weaknesses in how unsecured websites pass user input to their SQL database, in order to get the website to extract information from the database. This is one of the least sophisticated types of attacks, requiring minimal technical knowledge. It does, however, require that the target has not patched this particular vulnerability.
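The weakness and its fix side by side, as an added example that is not part of the original article: a lookup that pastes user input into the SQL text next to the same lookup using a parameterized query, run against an in-memory SQLite database. The table, column names and rows are constructed for illustration.

```python
import sqlite3

# Constructed sample rows; the table and column names are illustrative.
ROWS = [
    ("alice@example.com", "4242"),
    ("bob@example.com", "1881"),
    ("o'brien@example.com", "0005"),
]


def make_db():
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, card_last4 TEXT)"
    )
    conn.executemany("INSERT INTO customers (email, card_last4) VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, email):
    """BEFORE: input is pasted into the SQL text, so quotes in it become SQL syntax."""
    query = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, email):
    """AFTER: the value travels separately from the statement and is only ever data."""
    query = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(query, (email,)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    crafted = "nobody@example.com' OR '1'='1"  # constructed input containing a quote

    # The injected OR clause is true for every row, so the whole table comes back.
    print("vulnerable, crafted input:", len(lookup_vulnerable(conn, crafted)), "rows")
    # The same string is treated as one (non-matching) email address.
    print("parameterized, crafted input:", len(lookup_parameterized(conn, crafted)), "rows")

    # The flaw also breaks honest input: a legitimate apostrophe is a syntax error.
    try:
        lookup_vulnerable(conn, "o'brien@example.com")
    except sqlite3.Error as exc:
        print("vulnerable, legitimate apostrophe:", type(exc).__name__)
    print("parameterized, legitimate apostrophe:",
          lookup_parameterized(conn, "o'brien@example.com"))
```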

What Can You Do?

Using the web responsibly is as much on you as it is on the sites and service you leverage on. Online security needs to be taken seriously and there are both methods and means through which this can be achieved.

As an individual

1. Make Use of Privacy Tools

Using an online anonymity and privacy tool such as a Virtual Private Network (VPN) helps to protect your online identity and secure your data. These allow you to access the web through secure servers and help by encrypting data as well.

2. Anti-Malware Software

The line between Antivirus and anti-malware applications is beginning to blur. In some cases you will find applications capable of doing both. They help safeguard you from the many nasty bugs floating around the net and can also help by removing malicious scripts. 

3. Have Good Security Practices

This can be a pretty exhaustive list of things to do since we can always learn more ways to stay safe online. However, to attempt everything can be somewhat difficult (and overly paranoid). To give you an idea, here are a few tips from a very exhausting list:

  • Consistently reset your passwords after certain periods of usage
  • Use only strong passwords and do not reuse them across sites
  • Delete accounts on sites or services you no longer need
  • Avoid sharing too much personal information online
  • Make use of secure authentication where possible, such as 2FA

4. Always Monitor your Financial Accounts

Always be on the alert for any suspicious activity where your bank accounts are concerned. If you feel uncomfortable with the nature of any transactions, just give a call to the bank to find out more. Remember, it is usually possible to set limits on your financial transactions through online banking systems.

5. Monitor your Inbox

Look out for any suspicious emails. Be especially careful of phishing emails. Opportunistic cybercriminals love to send out phishing emails spoofed to look like they’re coming from hacked accounts in an attempt to get you to give up personal information. 

For Businesses:

It is a known fact that a data breach is costly and very detrimental to an organization’s overall health. So, doesn’t it make sense to be proactive about data security and avoid a breach in the first place? Some things you can consider include:

1. Data Segmentation

By using data segmentation, you spread out your data. While this might not prevent data from being stolen, it can potentially slow criminals down or even mitigate some damage. 

2. Enforce Principle of Least Privilege

There have been many cases whereby unauthorized employees have exploited company data. Part of this is due to the possibility of having unrestricted privileges. The Principle of Least Privilege (PoLP) restricts each user account to only being able to handle what it was designed to.

3. Use a Business VPN

There are two main categories for VPN services – consumer and business. Business VPNs are typically expensive, but smaller companies can opt for solutions like NordVPN Teams. These small-scale VPN solutions are cost effective and help boost your security immensely.

Conclusion

Over the years, data breaches have simply gotten worse as more of the world gets connected. Companies are also more haphazardly collecting data, since it has become such a wonderful source of revenue. Google and Facebook alone are two good examples of this.

What’s even scarier is that oftentimes, data breaches can go undetected for many years. By the time they are discovered, it may be too late for many of those whose information has been compromised. 

Do your part and be aware of this. Take charge of your online security and privacy today and help build a better web.