What are the biggest data breaches in the last two decades?
Since the internet became a centerpiece in most businesses’ operations, it has brought both opportunities and challenges.
On the good side, businesses have access to information, can network with greater ease, and can access customers that other channels cannot.
On the flip side, they have been hit by numerous cybercriminal attacks. If you
Reports of hacks, data breaches, malware, and ransomware attacks are too numerous to keep up with. In fact, since the onset of the pandemic, the rate of cybercrimes has increased by 600%, as reported by PurpleSec.
If you are ready to take your internet privacy seriously by using a VPN then check out my other article on how to choose a VPN.
The conversation is no longer a topic just for IT professionals. Major data breaches have compromised every type of business.
Tech unicorns such as Facebook, Twitter, and Instagram haven’t been spared either in this growing trend of more sophisticated attacks.
In this article, I’ll take you through some of the major data breaches and hacks of the 21st century, based on dataset sizes in ascending order.
Let’s dive in.
15. British Airways Hack – 185,000 Customers
In 2018, hackers attacked the British Airways website and made away with payment card details belonging to more than 185,000 customers.
The breach was only discovered in September when investigating another breach in the website that affected 380,000 transactions. Apparently, both attacks were conducted by the same group.
Besides payment card details, the attackers also accessed the names, physical addresses, and emails of customers.
Over 100,000 customers lost personal details apart from the CVV number for their payment cards.
The attack, which is one of the biggest recent data breaches, cost the company 20 million euros in fines under the General Data Protection Regulation.
Nevertheless, since the hack, the company claimed it hasn’t come across any verified cases of fraud.
14. EasyJet Data Breach – 9 Million Customers
In April 2020, EasyJet fell victim to a highly sophisticated hack that compromised the personal details of over 9 million customers. In addition, 2,208 customers had their credit card details and travel details accessed.
Following the hack, the company first informed the customers whose financial details had been accessed to take protective measures.
Later on, it went public to warn the 9 million customers whose email addresses had been stolen to be wary of phishing attacks and take email security measures for their safety.
Because customer credit card information was leaked, the company might be liable under recent data privacy regulations such as the General Data Protection Regulation, which could fine it up to 4% of its global annual turnover.
Ultimately the EasyJet hack stands as one of the major data breaches in the last 2 years.
13. Colonial Pipeline – 4.4 Million in Bitcoin
A cybercriminal group called DarkSide, which has Russian affiliations, launched a ransomware attack on Colonial Pipeline and disrupted the petroleum supply chain of the company, which has a 45% stake in the East Coast supply of petroleum.
The attack started with a hack into the company’s database where the group stole nearly 100 GB of data and threatened to release it to the internet unless the ransom was paid.
Colonial Pipeline resolved to pay.
In a Senate hearing, the CEO blamed the hack on the use of a legacy Virtual Private Network (VPN) which did not have multi-factor authentication in place.
The attacker was only required to enter a password to gain access to the system and install the ransomware.
The Colonial Pipeline data breach was arguably one of the costliest major data breaches of 2021.
12. Bonobos Data Breach – 12.3 Million
Men’s clothing store Bonobos suffered one of the top data breaches this year, which led to the exposure of personal information belonging to 12.3 million customers.
The cybercriminal known by the alias ShinyHunters, who is notorious for hacking online platforms and selling stolen databases, compromised the company’s backup server containing customer data and accessed the information.
Details included shipping address records, personal account records, and partial credit card data.
Although the data in question was only a backup and contained no payment information as claimed by the company, threat actors still had the ability to exploit the stolen data and use insights to run targeted social engineering attacks on customers.
Fortunately, the database was not connected to Bonobos’ private data, which was well protected.
11. Under Armour Hack – 143.6 Million records
In March 2018, Under Armour, a fitness apparel company, reported a data breach on its app that allows users to track their exercise, meal, and sleep activities.
The breach affected 143.6 million records and exposed personal details including usernames, emails, and passwords.
The potential severity of the hack came from the inconsistent application of password hashing algorithms: while some passwords were protected with the strong, deliberately slow bcrypt, others used the weak SHA-1 hashing.
Passwords hashed with the latter were cracked.
Fortunately, MyFitnessPal, a sister app with premium features, wasn’t hacked in the incident.
Unapproved access to the app database created one of the worst data breaches in history but the company’s response to the cyberattack was commendable.
While most companies would take months or years to report a data breach, Under Armour took only four days after discovering the breach.
10. Dubsmash Data Breach – 162 Million users
In late 2018, Dubsmash, a popular video-sharing platform, suffered a data breach that compromised the accounts of over 162 million users.
The hack was part of a synchronized hack of 16 popular websites of which Dubsmash was the biggest victim.
The leaked data included names, usernames, email addresses, hashed passwords, and locations, among other details.
The hacker posted the data on a marketplace on the dark web for sale to spammers and other interested parties at 0.549 BTC for each of the databases.
Following the data breach, Dubsmash users were encouraged to change their passwords and check their accounts for abnormalities.
Despite the hack report, the continued growth of monthly viewers indicates that consumer trust in the platform was regained after one of the top data breaches of all time.
9. Socialarks Data Breach – 214 Million Records
Early this year, a rapidly growing Chinese social media company faced one of the worst data breaches of 2021.
The data leak was initiated by a misconfigured ElasticSearch database which contained personally identifiable information of over 214 million users from social media platforms.
Researchers found that the database had no security key, encryption, or passwords; instead, all the data used segmented indices to store data from various social media platforms.
The data contained biographies, phone numbers, email addresses, comments, and most used hashtags, among other personal details. Anybody with knowledge of the server IP address could access the leaked data.
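The exposure described above comes down to a handful of node settings. As an added example (not Socialarks' configuration and not part of the original article), this Python check reads an elasticsearch.yml written with flat dotted keys and flags a node that listens on a routable address with authentication disabled; the setting names are Elasticsearch's own, the two sample files are constructed, and nested YAML is assumed out of scope.

```python
LOOPBACK = {"localhost", "127.0.0.1", "::1", "_local_"}

def parse_flat_yaml(text):
    """Read 'dotted.key: value' lines; nested YAML is out of scope (assumption)."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" in line:
            key, value = line.split(":", 1)
            settings[key.strip()] = value.strip().strip("\"'")
    return settings

def audit(text):
    """Return findings for one elasticsearch.yml, most severe first."""
    cfg = parse_flat_yaml(text)
    host = cfg.get("network.host", "_local_").lower()  # default binds loopback
    auth = cfg.get("xpack.security.enabled", "unset").lower()
    tls = cfg.get("xpack.security.http.ssl.enabled", "false").lower() == "true"
    exposed = host not in LOOPBACK
    findings = []
    if exposed and auth == "false":
        findings.append("CRITICAL: reachable over the network with no credentials")
    elif auth == "false":
        findings.append("authentication disabled")
    elif auth == "unset":
        findings.append("authentication not set explicitly (off by default before 8.0)")
    if exposed and not tls:
        findings.append("HTTP API served without TLS on a routable address")
    return findings

# Constructed sample configurations: the weak setting beside the corrected one.
WEAK = """
network.host: 0.0.0.0
xpack.security.enabled: false
"""
HARDENED = """
network.host: 10.0.0.5
xpack.security.enabled: true
xpack.security.http.ssl.enabled: true
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(text) or "no findings")
```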
Following the hack report, questions arose from cybersecurity professionals as to how Socialarks was able to scrape and collect very personal information from Facebook, Instagram, and LinkedIn which don’t allow scraping.
This reminds me why internet corporations are some of the biggest stakeholders in violating people’s online privacy besides the 5 eyes countries who they go to bed with.
8. NetEase Data Breach – 234 million users
In October 2015, NetEase, a Chinese mailbox services provider that uses the domains 163.com and 126.com, was breached, and data containing personal details of over 235 million accounts were obtained.
The details included email addresses and plaintext passwords, which would allow attackers to take control of users’ accounts. A hacker was reportedly selling the accounts on the dark web marketplace DoubleFlag.
While this is one of the worst data breaches in history, the severity of the hack cannot be verified emphatically.
Some users confirmed that their passwords were in the data and others reported their accounts being tied to a mysterious QQ account with the ability to change and recover passwords.
Despite these reports, the company has maintained till today that no data breach occurred.
7. MySpace Hack – 360 million Accounts
In 2013, social media site MySpace was breached by a Russian hacker who gained access to over 360 million accounts.
Users’ information, which included names, usernames, and passwords, was compromised.
However, the hack, one of the major data breaches, first hit the headlines in 2016 after the hacker put the data on sale on the dark web market “The Real Deal” for 6 BTC.
Anyone who had access to the data prior to 2016 could gain control of any MySpace account, considering the passwords were stored as SHA hashes of the first ten characters of the password converted to lowercase.
The company invalidated the password thereafter, but considering that most people use similar passwords in various accounts, the risk of attackers hacking accounts of former MySpace users still exists.
6. AdultFriendFinder Hack – 412 million Accounts
In October 2016, hackers gained access to data on databases belonging to AdultFriendFinder, an adult dating and entertainment company, and 5 other partner websites.
Prior to the attack, a security researcher known as Revolver had disclosed a local file inclusion flaw on the AdultFriendFinder site which would allow a hacker to remotely run malicious code on the webserver if well exploited.
Thanks to the poor security protocols where passwords were stored as SHA-1 hashes, almost every account password was cracked.
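The MySpace scheme described earlier (lowercase, first ten characters, SHA hash) and the SHA-1 storage described here fail for the same reasons, which the following added example makes concrete; it is not code from either company or from the original article. It assumes SHA-1 for the MySpace scheme, uses constructed passwords, and substitutes PBKDF2-HMAC-SHA256 from the Python standard library for bcrypt as the salted, slow alternative, with an assumed work factor.

```python
import hashlib
import hmac
import math
import os

ITERATIONS = 600_000  # assumed PBKDF2-HMAC-SHA256 work factor for this example

def legacy_digest(password: str) -> str:
    """Weak scheme from the text: lowercase, first 10 chars, unsalted fast hash.
    SHA-1 is assumed here; the MySpace passage only says "SHA"."""
    return hashlib.sha1(password.lower()[:10].encode()).hexdigest()

def keyspace_bits(length: int, legacy: bool) -> float:
    """Upper bound, in bits, on guesses for a printable-ASCII password."""
    symbols = 95 - 26 if legacy else 95        # case folding removes A-Z
    counted = min(length, 10) if legacy else length
    return counted * math.log2(symbols)

def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], stored)

# Constructed sample passwords, not taken from any breach.
ALICE, BOB = "CorrectHorseBattery", "correcthorse-staple!"

def demo() -> dict:
    salt_a, rec_a = hash_password(ALICE)
    _, rec_b = hash_password(ALICE)            # same password, second user
    return {
        "legacy_collides": legacy_digest(ALICE) == legacy_digest(BOB),
        "salted_same_pw_differs": rec_a != rec_b,
        "verify_ok": verify_password(ALICE, salt_a, rec_a),
        "truncated_guess_ok": verify_password(ALICE[:10].lower(), salt_a, rec_a),
        "bits_14_char": (round(keyspace_bits(14, True), 1),
                         round(keyspace_bits(14, False), 1)),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Under the legacy scheme two different passwords produce one stored digest and a 14-character password is no harder to guess than a 10-character lowercase one; with a per-user salt, identical passwords no longer share a record.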
Besides the millions of account details collected for 20 years, 15 million deleted accounts that had not been purged were also acquired.
Security protocols are major factors determining how secure you are. When selecting a VPN you need to consider the best VPN protocols to secure your internet traffic.
The Friend Finder Network hack leads the top data breaches of the decade in the adult industry.
5. Starwood Data Breach – 500 million guests
In 2014, hackers gained access to the Starwood system and remained in the system after Marriott acquired Starwood in 2016.
The hack wasn’t discovered until November 2018, when Marriott International announced that attackers had stolen account information associated with 500 million Starwood hotel customers, making it one of the biggest company data breaches.
The details included names, contacts, passport numbers, travel information, and other personal data.
The severity of the hack is attributed to the idea that loyalty account details and travel preferences would allow cybercriminals to personalize phishing campaigns on targets which would have been greatly successful.
In addition, credit card information for more than 100 million customers was stolen. The hack was attributed to a Chinese intelligence group seeking to gather data on US citizens.
4. Sina Weibo Data Breach – 538 million accounts
In mid-2019, a hacker performed one of the major data breaches in the last 5 years by hacking Weibo and obtaining a dump of the company’s user database which contained details for 538 million Weibo users.
The details included names, usernames, gender, location, and phone numbers.
In a public statement, the company argued that the attacker had gathered publicly published data using a service designed to help users locate the Weibo accounts of friends by entering their phone numbers.
Nevertheless, security experts dismissed the excuse, especially because the data came from an SQL database dump, which does not match the company’s explanation.
The attacker is reported to have later sold the database on the dark web for $250. Luckily, no passwords were affected as the company doesn’t store passwords in plain text.
3. LinkedIn Data Breach – 700 Million users
In June this year, it became apparent that LinkedIn had had one of the biggest data breaches in 2021 when data associated with 700 million LinkedIn users was posted for sale in a dark web forum.
To confirm the legitimacy, the hackers published a sample containing 1 million records with details such as names, emails, genders, phone numbers, and location.
Initially, data associated with 500 million users was dumped as the hacker by the alias “God User” boasted they were selling a database with 700 million users’ information.
The breach was conducted by exploiting LinkedIn’s API which allowed hackers to scrape data.
Despite the incident being termed as a mere violation of terms of service, the leaked data is sufficient to launch cyberattacks on targeted users.
2. Aadhaar Data Breach – Over 1 Billion Accounts
Aadhaar is an Indian biometric database designed to standardize the process of data collection and ease money remittance from government schemes.
In March 2018, it became apparent that the platform had one of the worst data breaches ever as a result of a data leak on a system run by a state-owned utility.
200 official government websites had accidentally made public personal data. The breach gave access to personal information of more than 1 billion account holders including their names, identity numbers, and bank details.
An anonymous group on WhatsApp which had access to this information went on to sell Aadhaar details for $7.2. Before the vulnerability was fixed, over 100,000 people were estimated to have illegally accessed the information.
1. Yahoo Hack – 3 Billion Accounts
In December 2016, Yahoo revealed that a hack on its server in 2013 had compromised the accounts of more than 1 billion users.
Less than a year later the full scale of the hack was revealed during acquisition negotiations with Verizon; all its 3 billion users’ accounts had been compromised.
The hack was orchestrated by Aleksey Belan and Karim Baratov who had Russian ties. They set it off by targeting spear-phishing emails on company employees.
It only took one click and the hackers gained access to the company’s network, where they made a backup of the accounts database and cryptographic keys unique to each account.
Yahoo’s hack is one of the biggest data breaches of the decade.
As large businesses come to terms with the reality of the precarious digital platform, internet users also need to understand that they have a responsibility to secure their online data.
This list of worst data breaches only reveals a handful of the cybercrimes that take place online and cost the globe trillions of dollars annually. I always recommend using an effective VPN to add a security layer that eliminates a good chunk of such cybercrimes.
The next course of action for users who have accounts on platforms that have experienced data breaches in the recent past is to change passwords and upgrade to more secure authentication processes if provided.
Meanwhile, small businesses also need to stay alert as such cybercrimes have a greater impact on them by virtue of being small.