
SecurityTrails Blog · Sep 14 · by Sara Jelen

The 10 Largest Data Breaches and Leaks: Overview, Impact and Settlements


Today, every company holds some sensitive information that can be of value to malicious actors. To say that we now see cyber attacks and data breaches happen routinely would be an understatement. We’re hit almost weekly with news about attacks crippling entire fuel pipelines, exposing government and largest-enterprise networks to attackers, and personal information belonging to billions of people all around the world put up for sale on the dark web.

With so much exposure to this kind of news, we can become desensitized to the numbers involved in these situations, but it’s important to understand how dangerous and wide-reaching they can be.

We’ve put together a list of the largest data breaches involving attackers infiltrating some of the largest companies’ networks, and the misfortunate data leaks that exposed personal data of billions of people. Focusing on how these breaches happened, how companies responded, the kind of data compromised, and the repercussions felt throughout the targeted organizations, check out the 10 biggest data breaches we’ve seen so far.

Here they are, listed in order of impact—starting with the biggest:

The 10 largest data breaches

1. Yahoo

Year: 2012-2016
Impact: 3 billion accounts
Penalties: $117.5 million

When talking about Yahoo, one can’t really discuss things in terms of ‘a single data breach’—as the company’s security-related incidents tend to be ongoing, and have made quite a few headlines—both for the breadth of the attacks, and for Yahoo’s responses and reactions to them.

Yahoo’s years-long history of data breaches and security incidents began in 2012 and spans all the way to 2016. The initial security intrusion took place in 2012, when two separate cybercriminals broke into their online infrastructure without taking any data.

The following year, in 2013, cyber criminals managed to steal Yahoo’s data containing records from all of their 3 billion accounts. Those records did not include users’ plaintext passwords, payment card data or bank information. Just a year later, however, in 2014, cyber criminals again targeted Yahoo and impacted around 500 million users. This time, the breached records included people’s names, email addresses, passwords and phone numbers.

While we know this information today, it was a strange road to follow until we learned all of the details surrounding this breach, considered to be one of the largest of all time. Yahoo only reported the breach in 2016, when it was in negotiations to be sold to Verizon. The fallout from the incidents reduced the sale price by $350 million. First, they disclosed that 1 billion accounts were compromised. A year later, we learned that the estimate was actually 3 billion, and that Yahoo believes that the breaches in 2012 and 2013 involved state-sponsored actors.

The settlement associated with the above-mentioned security incidents that Yahoo agreed on was $117.5 million. This included an incident in 2015-2016 when cyber criminals used cookies to break into the accounts of around 32 million users.

2. First American Financial Corporation

Year: 2019
Impact: 885 million customers’ sensitive records
Penalties: $487,616

On Memorial Day weekend in 2019, millions of Americans were unpleasantly surprised when the news broke out—reported by Brian Krebs—that the United States’ second-largest mortgage and settlement company at that time had a data leak.

Krebs reported that 885 million documents containing sensitive customer information were exposed online. The files were stored on the company’s website, firstam.com, and contained bank account numbers, bank statements, mortgage records, tax documents, and even wire transfer receipts with Social Security numbers and photos of drivers’ licenses. To make things worse, information was uncovered that dated all the way back to 2003 and was available for viewing without any protection, not even a simple password.

While these documents were available only on First American’s website, there is no information on whether they were used by malicious actors for fraud. Nonetheless, the wealth of information exposed by First American could’ve been a gold mine for scammers.

Besides the volume and wealth of this exposed information, something else that drew public attention to the First American data leak was the settlement that many considered too low. Only recently, in June 2021, the U.S. Securities and Exchange Commission settled its investigation after the company agreed to pay a penalty of less than $500,000. In July of 2020, however, the New York State Department of Financial Services said that First American was the target of its first cybersecurity enforcement action and that the charges could bring fines of up to $1,000 per violation. We have yet to see the resolution of this investigation.

3. Verifications.io

Year: 2019
Impact: 808 million records
Penalties: None

Email verifiers are services that allow marketing and sales teams to verify that the email address used to create an account, sign up for a newsletter or make an order on their website is valid. And over the years, billions of users’ data has been exposed online as a result of insecure databases belonging to email validation companies—with the Verifications.io data leak being the most infamous to date.

In early 2019, security researchers Bob Diachenko and Vinny Troia discovered an unsecured MongoDB database that exposed over 800 million records to the public. The exposed data included names, email addresses, dates of birth, employers, job titles, genders, geolocations, IP addresses, phone numbers and physical addresses.

Thankfully, the leaked data didn’t include highly sensitive data such as passwords, credit card information or Social Security numbers. And even though the database was accessible for some time, Verifications.io had taken their service offline as soon as they learned about the leaked records.

What caused controversy around this data leak was that Verifications.io claimed that the exposed data included some that they drew from publicly available sources. This caused some concerns. Did this mean that personal data found online is fair game to be sifted through, and even potentially misused?

4. LinkedIn

Year: 2012; 2021
Impact: 165 million users; 700 million users
Penalties: $1.25 million

Just like Yahoo, LinkedIn has endured several security mishaps that made the headlines. Let’s go back to June 2012, when LinkedIn disclosed that they had suffered a data breach that affected 6.5 million accounts. Users of the compromised accounts were no longer able to access their accounts, and LinkedIn encouraged all users to change their passwords.

That number of accounts affected by the data breach was later changed, when in 2016 LinkedIn discovered that an additional 100 million sets of email addresses and passwords had been compromised in the 2012 breach—and were put up for sale on a Russian password forum. The cracker doing the selling claimed to possess data of 167 million LinkedIn users, including emails and encrypted passwords of 117 million.

Security experts alleged that the passwords were easy to recover because they had been hashed without a random salt, so identical passwords produced identical hashes and attackers could match them against precomputed tables. And more information sparked further controversies over LinkedIn’s security practices: their iOS app would grab personal names, emails and calendar notes without user approval. One cyber criminal involved in this attack, Yevgeniy Nikulin, was convicted and sentenced to 88 months in prison. In 2015, LinkedIn agreed to pay $1.25 million to settle a class action lawsuit stemming from this case.

Now, in 2021, data associated with 700 million LinkedIn users has been posted for sale on the dark web. This incident was dubbed “the data breach that wasn’t” as there was never a breach on LinkedIn’s system or network; instead, malicious actors used data scraping to exploit LinkedIn’s API. While LinkedIn argued that there was no private personal data exposed and denied any data breach on its systems, the scraped data did include email addresses, phone numbers, geolocations and other social media details which attackers can leverage for future social engineering attacks.

5. Sina Weibo

Year: 2020
Impact: 538 million accounts
Penalties: Unknown

Sina Weibo is one of China’s largest social media sites. Just last year, in March 2020, a cyber criminal obtained a large part of their user database. Personal information of more than 500 million Weibo users was impacted, including their full names, usernames, genders and locations. Additionally, the phone numbers of 172 million users were also compromised.

What’s really interesting is that the data was put up for sale on the dark web for only ¥1,799, or $250. The cracker claimed to have breached Weibo in 2019 and obtained a dump of their user database.

Also notable about this case was Weibo’s response. In a statement, they claimed that phone numbers were obtained via a dictionary attack in 2018 when their engineers discovered several accounts that were uploading large batches of contacts in order to match accounts with their phone number against their API.

Exactly how this data was obtained remains open for debate, as Chinese security experts found technical irregularities in Weibo’s official statement. Firstly, the dark web ad indicated that the data was obtained from an SQL database dump, not via a dictionary attack. Secondly, the official statement didn’t explain how details such as gender and location—which are neither public information nor returned by the API when matching contacts—were obtained. Weibo’s official version of events, however, remains the same to this day.

6. Facebook

Year: 2019; 2021
Impact: 87 million users; 533 million accounts
Penalties: TBA

Facebook has a long history of security-related incidents and outright controversies. We won’t get into all of their data breaches and security incidents that predate 2019 as that would require dedicating an entire blog post to them.

In 2019, hundreds of millions of phone numbers belonging to Facebook users were discovered on a server exposed to the internet. The server contained more than 400 million records across several databases, and each record contained a user’s Facebook ID and a phone number associated with the account. The server wasn’t protected with a password, meaning anyone could access the database. A Facebook spokesperson claimed the data had been obtained by attackers abusing a flaw in a Facebook address book contact import feature. The vulnerability that allowed this to happen was patched the same year, according to Facebook.
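Both the Weibo case above (accounts uploading large batches of contacts to match them against the API) and this Facebook case describe the same abuse pattern: a legitimate contact-import feature used at a volume no real user would need. The following is an added example of the kind of detection logic a defender could run over API logs to spot that pattern; it is not code from either company. The log format, the account IDs and the thresholds (a per-request cap of 1,000 contacts and a per-account cap of 2,000 contacts per hour) are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample API log lines in a hypothetical format (not from Weibo or Facebook).
# u1001 behaves like a normal user; u2002 sends oversized requests; u3003 splits a
# large upload into many small requests to stay under a per-request cap.
SAMPLE_LOG = """\
2020-03-01T10:00:00Z acct=u1001 action=contact_import count=25
2020-03-01T10:05:00Z acct=u1001 action=contact_import count=40
2020-03-01T10:00:10Z acct=u2002 action=contact_import count=5000
2020-03-01T10:20:00Z acct=u2002 action=contact_import count=5000
2020-03-01T11:45:00Z acct=u2002 action=contact_import count=5000
2020-03-01T10:30:00Z acct=u3003 action=contact_import count=900
2020-03-01T10:31:00Z acct=u3003 action=contact_import count=900
2020-03-01T10:32:00Z acct=u3003 action=contact_import count=900
2020-03-01T10:33:00Z acct=u1001 action=login
"""

LINE_RE = re.compile(r"^(\S+) acct=(\S+) action=contact_import count=(\d+)$")

MAX_PER_REQUEST = 1000      # assumed policy: contacts allowed in one import call
MAX_PER_HOUR = 2000         # assumed policy: contacts allowed per account per hour
WINDOW = timedelta(hours=1)


def parse_log(text):
    """Return (timestamp, account, contact_count) for every contact-import event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other actions (logins etc.) are not relevant here
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m.group(2), int(m.group(3))))
    return events


def flag_contact_import_abuse(events, max_per_request=MAX_PER_REQUEST,
                              max_per_hour=MAX_PER_HOUR, window=WINDOW):
    """Flag accounts whose contact-import volume exceeds either threshold.

    The hourly check uses a sliding window over each account's events, so an
    actor who splits one big upload into many small requests is still caught.
    """
    by_acct = defaultdict(list)
    for ts, acct, count in events:
        by_acct[acct].append((ts, count))

    flagged = {}
    for acct, evs in by_acct.items():
        evs.sort()
        reasons = set()
        peak = running = start = 0
        for ts, count in evs:
            if count > max_per_request:
                reasons.add("oversized_request")
            running += count
            # drop events that fell out of the trailing window
            while ts - evs[start][0] > window:
                running -= evs[start][1]
                start += 1
            peak = max(peak, running)
        if peak > max_per_hour:
            reasons.add("hourly_volume")
        if reasons:
            flagged[acct] = {"peak_hour_total": peak, "reasons": sorted(reasons)}
    return flagged


if __name__ == "__main__":
    for acct, info in flag_contact_import_abuse(parse_log(SAMPLE_LOG)).items():
        print(acct, info)
```

In the sample, only u2002 and u3003 are flagged; the rate limit alone would have let u3003 through, which is why the sliding-window total matters more than the per-request cap.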

This came just a year after Facebook’s Cambridge Analytica scandal in 2018, when the news broke that Cambridge Analytica had scraped the data of 80 million users, against Facebook’s terms of service, in order to target voters with political ads in the 2016 election.

And that wasn’t the end of their troubles. In 2021, the data of over 533 million Facebook users, including their phone numbers, Facebook IDs, full names, locations, birthdays, bios and in some cases email addresses, was posted on the dark web. This 2021 breach led security researcher Troy Hunt to add a new feature to the HaveIBeenPwned (HIBP) website, which lets users check whether their data has been exposed in a breach: Facebook users can now verify whether or not their phone numbers were included in the huge exposed dataset.

It became clear rather quickly that this was not a new data breach, but that the data had been scraped before Facebook fixed the 2019 vulnerability. But while the “data is not new” and Facebook claims that, after fixing the vulnerability, there is no possibility of the data being scraped again, the fact remains that millions of people now have their personal information out in the open, for any malicious actor to use for fraud, scams and, potentially, identity theft.

7. Marriott International (Starwood)

Year: 2018
Impact: 500 million guests
Penalties: £18.4 million

In 2018, an internal security tool flagged a potentially malicious attempt to access the internal guest database for Marriott’s Starwood brands. This was quickly followed up by an internal investigation that discovered that the Starwood network had already been compromised—in 2014, back before Starwood had been purchased by Marriott. And while the attempt was flagged two years after the acquisition, Marriott was still using IT infrastructure from Starwood.

The security tool actually flagged an unusual database query made by a user with administrator privileges. It was revealed, however, that the person who owned the account was not the one who made the query—someone had taken over their account. In the system, investigators discovered a Remote Access Trojan (RAT) as well as Mimikatz, a tool used for extracting username/password combinations from system memory, and these two tools could give the attackers control of the admin account.

Marriott also discovered data that the malicious actors encrypted and probably successfully removed from Starwood systems. The data included highly sensitive information involving up to 500 million guests, such as their credit cards and passport numbers.

While the specific attack vectors are crucial knowledge in this investigation, in the background of this large breach lay many cultural and business factors, such as the fact that the attack went undetected for four years. Additionally, a different attacker breached Starwood’s system in 2015, remaining undetected for several months.

The UK’s Information Commissioner’s Office (ICO) first levied a fine of £99 million but the Marriott Hotel chain was ultimately fined £18.4 million.

And that wasn’t even the end of Marriott’s hard times. In March of 2020, Marriott announced that a network of an unspecified hotel chain was breached and that the attackers obtained login credentials of two Marriott employees and may have accessed guest information. That information may have included names, birthdays and phone numbers, among others. The data amounted to information of 5.2 million guests.

8. AdultFriendFinder

Year: 2016
Impact: 412.2 million accounts
Penalties: None

AdultFriendFinder, a popular adult-oriented dating site, suffered a major breach in 2016. But that wasn’t really their first breach. In 2015, just a year prior, FriendFinder Networks (the company behind AdultFriendFinder) saw 3.5 million records exposed in several databases—with information including IP addresses, emails, handles, geolocations, gender, race and birth dates of their users, as well as their sexual orientation and whether they were seeking an extramarital affair. It was claimed that the exploit used in 2015 to gain access to the network was the same exploit used in 2016, when it was reported by white hat researchers.

In the 2016 breach, a whopping 412 million records were found exposed across 6 databases and included information such as usernames, emails, join dates and the date of each user’s last visit, as well as passwords stored in plaintext or poorly protected with SHA-1 hashing. The data even included 15 million “deleted” accounts, and the records originated from affiliate sites besides AdultFriendFinder: Cams.com, iCams.com and Stripshow.com. The breach went unannounced for weeks, causing turmoil in the security community, and when information about the breach was released to the public, it wasn’t by FriendFinder Networks, but by LeakedSource.
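The LinkedIn entry above (unsalted password hashes) and the AdultFriendFinder entry (passwords protected only with SHA-1) are the same weakness. The following added example, which is not code from either company, shows why such a store offers little protection and what a hardened store looks like. The usernames, the stored digests and the tiny wordlist are constructed for the example; the PBKDF2 iteration count is an assumed work factor, and `is_weak_format` is a hypothetical audit helper for finding legacy entries during a migration.

```python
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor for the hardened scheme


def weak_hash(password):
    """The weak scheme: one SHA-1 over the bare password, no salt, no work factor."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def audit_weak_store(stored_digests, wordlist):
    """Defender-side audit: how many accounts in an unsalted store match a small wordlist.

    With no salt, one precomputed table serves every account at once, and every
    user sharing a password shares the same digest.
    """
    table = {weak_hash(p): p for p in wordlist}
    return {user: table[d] for user, d in stored_digests.items() if d in table}


def is_weak_format(stored):
    """Flag entries that look like a bare 40-hex-character SHA-1 digest (legacy format)."""
    return len(stored) == 40 and all(c in "0123456789abcdef" for c in stored.lower())


def strong_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """The hardened scheme: per-user random salt plus a slow key-derivation function."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(password, stored):
    """Recompute the derivation with the stored salt and compare in constant time."""
    alg, iterations, salt_hex, dk_hex = stored.split("$")
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed legacy store: two users happen to share a common password.
LEGACY_STORE = {
    "alice": weak_hash("password123"),
    "bob": weak_hash("password123"),
    "carol": weak_hash("k9#Lz!vQ2r"),
}

# Constructed wordlist of a few common passwords.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty"]


if __name__ == "__main__":
    print("shared digest:", LEGACY_STORE["alice"] == LEGACY_STORE["bob"])
    print("recovered by wordlist:", audit_weak_store(LEGACY_STORE, COMMON_PASSWORDS))
    h1, h2 = strong_hash("password123"), strong_hash("password123")
    print("same password, different salted hashes:", h1 != h2)
    print("verify ok:", verify("password123", h1), "verify wrong:", verify("wrong", h1))
```

The audit function is the useful part for a defender: run against a legacy table, it reports how much of the user base falls to a trivial wordlist, which is the argument for forcing a reset and migrating to the salted scheme rather than silently rehashing on next login.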

FriendFinder Networks was accused of failing to apply basic standards of user protection and of not notifying users when the data breach occurred. It faced a lawsuit in California by a man claiming his personal information was compromised in the breach. In 2020, FriendFinder Networks announced that the lawsuit had been settled and terminated, with the company denying any liability and paying nothing for the lawsuit’s termination.

9. MySpace

Year: 2013
Impact: 360 million user accounts
Penalties: Unknown

In 2016, news broke out that MySpace, once the most popular social media website, predating Facebook and Twitter, announced that it had suffered a breach—a few years earlier. The breach occurred in 2013 and affected close to 360 million accounts.

The accounts were put up for sale on the dark web with an asking price of around $3,000 in bitcoin, with data including email addresses, passwords and usernames for accounts that were created prior to June 11, 2013, when the website was relaunched with stronger security.

While the breach itself and the data set may be old, there could still be repercussions. Because the breach was made public and put under investigation nearly three years later, anyone who gained access to this information could have easily taken control of any MySpace account. MySpace has since invalidated all passwords belonging to accounts that were created prior to 2013.

10. Court Ventures (Experian)

Year: 2013
Impact: 200 million records
Penalties: Unknown

Experian, one of the main credit reporting agencies, acquired Court Ventures in 2012, a company that gathers and aggregates information from public records. Court Ventures had been selling its information to a number of third parties, and was tricked into selling it to a Vietnamese fraudster, who thereby gained access to a database containing 200 million records, including financial information and Social Security numbers, which were then used for identity theft.

The fraudster involved in this case was Hieu Minh Ngo, whose actions were discovered after he was arrested for selling U.S. residents’ personal information to other cyber criminals, an activity he had engaged in since 2007. In 2014, he pleaded guilty to multiple charges, including identity fraud, and it was claimed Ngo made $2 million from his illegal activities.

Famously, Experian filed a suit against the former owners of Court Ventures for allowing the sale of data to Ngo. Additionally, Experian was hit with a lawsuit from the San Diego city attorney, claiming that the agency had failed to notify the millions of its customers who were victims of this data breach, and that, as “self-proclaimed experts”, Experian should have easily seen through the scam, as it wasn’t a sophisticated cyber attack.

(Dis)honorable mentions

  • Twitter

    Year: 2018
    Impact: 330 million user accounts
    Penalties: €450,000

  • Equifax

    Year: 2017
    Impact: personal data of 148 million individuals
    Penalties: $700 million

  • Uber

    Year: 2016
    Impact: personal information of 57 million users and 600,000 drivers
    Penalties: $1.17 million

Sara Jelen

Sara believes the human element is often at the core of all cybersecurity issues. It’s this perspective that brings a refreshing voice to the SecurityTrails team. Her ability to bridge cognitive/social motivators and how they impact the cybersecurity industry is always enlightening.