Data breaches happen daily around the world so it’s difficult to keep track of all of them. Below we’ve comprised a list of some of the largest and most damaging data breaches in history.
Friend Finder (412 million accounts, 2016)
Casual-hookup and adult-content websites are perfectly legal in most Western nations, but that doesn’t prevent data breaches involving them from being any less embarrassing. The FriendFinder network, comprising Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was breached sometime in mid-October 2016, and details of user databases immediately began leaking out of cybercrime forums.
MySpace (360 million, unknown date)
Stolen MySpace credentials turned up in the great data-breach wave of 2016, during which a Russian hacker calling himself “Peace” tried to sell off the contents of several old (and hence no longer valuable) data breaches.
What was surprising was the size of the MySpace breach: 360 million account records, including email addresses, usernames and weakly hashed passwords. A list of the most popular passwords in the MySpace breach included references to Michael Jordan and Blink-182, indicating the breach occurred in the mid-2000s.
LinkedIn (165 million, 2012)
The world’s top business-networking website disclosed its 2012 data breach soon after it happened, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: A whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not “salted” with random data to make them harder to reverse. Left unanswered is why LinkedIn did not further investigate the original breach, or to inform more than 100 million affected users, in the intervening four years.
Equifax (145 million, 2017)
On Sept. 7, 2017, consumer-credit-reporting agency Equifax reported a security breach that took place from mid-May through July. While the breach, totaling 143 million users (later revised to 145 million), isn’t the largest ever, it’s one of the most damaging.
Hackers gained access to a treasure trove of names, Social Security numbers, birth dates, street addresses and, in some instances, driver’s license numbers. With those sets of information, miscreants can pose as you to set up credit cards, mortgages, loans and other important agreements. Visit Equifax’s website to see if your information was compromised.
EBay (145 million, 2014)
The online auction giant reported a cyberattack in May 2014 that it said exposed names, addresses, dates of birth and encrypted passwords of all of its 145 million users. The company said hackers got into the company network using the credentials of three corporate employees, and had complete inside access for 229 days, during which time they were able to make their way to the user database.
It asked its customers to change their passwords, but said financial information, such as credit card numbers, was stored separately and was not compromised. The company was criticized at the time for a lack of communication informing its users and poor implementation of the password-renewal process.
Heartland Payment Systems (130 million, 2008-9)
In early 2009, this Princeton, New Jersey-based payment processor announced the largest data breach ever to affect an American company. Heartland’s breach exposed information from approximately 130 million credit and debit cards to cybercriminals.
Malware planted on Heartland’s network recorded card data as it arrived from retailers. Because the company processed payments for more than 250,000 businesses across the country, the impact was huge.
Target Stores (110 million, 2013)
In December 2013, retail giant Target confirmed that hackers had infected the company’s payment-card readers, making off with approximately 40 million credit and debit card numbers that had been used at Target stores in the United States during the 2013 post-Thanksgiving shopping surge.
In January 2014, Target announced that the contact information — full names, addresses, email addresses and telephone numbers — of 70 million customers had also been compromised. Some of those customers probably also had credit-card data compromised in the earlier breach, but it’s possible that as many as 110 million people were affected by the Target breaches.
Sony online entertainment services (102 million, 2011)
In April 2011, attackers whose identities are still unknown targeted the PlayStation Network that links Sony’s home gaming consoles, as well as Sony Online Entertainment, which hosts massively multiplayer online PC games, and the Qriocity video- and music-streaming service.
Initially, Sony said that only the personal information of 78 million PlayStation Network users — login credentials, names, addresses, phone numbers and email addresses — had been exposed. But the tally of compromised accounts rose by 24.6 million when investigators discovered the attackers had also penetrated SOE and Qriocity. The credit-card data of approximately 23,400 SOE users in Europe was also stolen.
Rambler (98 million, 2014)
English-language websites weren’t the only ones hit by the 2016 disclosures. VKontake, the Facebook of Russia, denied that it had lost 171 million sets of credentials. But Rambler, more or less the Yahoo of Russia, admitted that 98 million of its accounts had been compromised in a breach that the company said occurred in March 2014. (The pay-to-verify breach-data site LeakedSource said the data came from 2012.)
National Archive and Records Administration (76 million, 2008)
Not all data breaches are the result of criminal activity. In late 2008, a hard drive at the National Archive and Records Administration (NARA) stopped working. It held the names, contact information and Social Security numbers of 76 million U.S. military veterans.
Instead of being destroyed on-site, the drive was sent for repair to a government contractor, which determined the drive could not be fixed — so it was sent it out to be scrapped. It is not clear whether the drive was actually destroyed.
Anthem (69-80 million, 2015)
In February 2015, Anthem, formerly known as WellPoint and the second-largest health insurer in the U.S., revealed its customer database had been breached. Stolen data included names, addresses, dates of birth, Social Security numbers and employment histories — everything an identity thief might need. As many as 80 million current and former customers were thought to be affected.
Dropbox (68 million, 2012)
Peace wasn’t the only person disclosing old breaches in 2016. A different hacker, calling himself “doubleflag,” offered the video-news site Vocativ 68 million sets of Dropbox credentials for 2 bitcoin, or about $1,100. Other sources confirmed that the data was real, and Dropbox admitted the data was related to a previously disclosed hacking incident in 2012.
Was Dropbox negligent in not discovering and/or disclosing the extent of the breach earlier? Perhaps. But unlike the LinkedIn breach that had a similar timeline, the passwords in the Dropbox data were strongly protected.
Epsilon (20-250 million, 2011)
In March 2011, the Texas-based marketing firm Epsilon, which handled email communications for more than 2,500 clients worldwide — including seven Fortune 10 companies — announced that databases pertaining to about 50 Epsilon clients had been stolen.
Email addresses of at least 60 million customers ended up in the hands of cybercriminals, and more than a dozen major retailers, banks, hotels and other companies were affected, including Best Buy, JPMorgan Chase, Capital One Bank and Verizon.
Tumblr (65 million, 2013)
The image-heavy short-blogging site Tumblr admitted in 2016 that it had been hacked in 2013, following reports that a set of 65 million were circulating online. Peace told VICE Motherboardthat the passwords had been strongly hashed and salted, and hence the data set was not worth much. Nonetheless, Tumblr forced its affected users to reset their passwords.
Home Depot (56 million, 2015)
In September 2014, hardware and building-supplies warehouse retailer Home Depot admitted what had been suspected for weeks. Beginning in April or May of the same year, “carders” had infected its point-of-sale systems at stores in the U.S. and Canada with malware that pretended to be antivirus software, but instead stole customer credit and debit cards.
Evernote (50 million +, 2013)
In March 2013, users of the note-taking and archiving service Evernote learned that their email addresses, usernames and encrypted passwords had been exposed by a security breach. No financial data was stolen, and the company confirmed that none of the user-generated content on its servers had been compromised.
However, as had been the case for those affected by Epsilon’s 2011 breach, Evernote users who had their usernames and email addresses stolen were vulnerable to spam emails and phishing campaigns — some of which pretended to be password-reset emails coming from Evernote itself.