Data breaches, where confidential or protected data is obtained by an unauthorised party, can be hugely impactful for a company both financially and reputationally.
Companies and self-employed individuals of all types can be targeted if they have data in their possession. Here, we look at the seven largest known data breaches of all time.
7. LinkedIn – 167 million account records
Encrypted passwords for more than 6.5 million LinkedIn user accounts were posted online in 2012, but that wasn’t the end of the matter.
Four years later, it was revealed that the hack on LinkedIn’s user base was much, much worse than initially known – with a total of 167 million account records being placed on a dark web marketplace by a hacker known as ‘Peace’.
Out of the 167 million accounts, details for 117 million included both emails and encrypted passwords, with LinkedIn forced to reset passwords for all members whose details were breached as a result.
6. Court Ventures – 200 million personal records
In 2014 a data breach of 200 million personal records came to light at Court Ventures, a data broker acquired by credit monitoring firm Experian two years prior.
Vietnamese man Hieu Minh Ngo is said to have breached the database by posing as a private investigator from Singapore, going on to sell the information to more than 1,000 cybercriminals.
Ngo, aged 25 at the time of his sentencing, pleaded guilty in 2015 and was given 13 years in prison on charges which included identity fraud and wire fraud.
5. MySpace – 360 million accounts, 427 million passwords
Though former social networking king MySpace may have lost its crown to Facebook many years ago, it does still boast millions of visitors each month and has a large historical userbase.
With that, it was big news when Peace – the same hacker behind the aforementioned LinkedIn data breach – began selling what they claimed to be 360 million emails of MySpace members, with over 427 million passwords also attributed to the accounts.
Though first reported in May 2016, it is unknown exactly when the breach occurred, and the entire database was later made available to download by independent security researcher Thomas White – also known as ‘TheCthulhu’ – in June 2016.
4. Friend Finder Network – 412 million user accounts
Adult dating and entertainment network Friend Finder shocked members of its numerous websites in November 2016 when 412 million user accounts were exposed.
Of the 412 million accounts impacted by the breach, 339 million were from Adult Friend Finder, a website described as “the world’s largest sex and swinger community.” 62 million accounts from live sex camera website Cams.com and 7 million from adult site Penthouse.com were also obtained; as were a combined 2.5 million accounts from Stripshow.com, iCams.com and another unknown domain.
The attack saw email addresses, passwords, IP addresses, site membership status, and even dates of members visiting the websites taken.
Friend Finder remained relatively quiet about the breach following initial reports, with some members failing to receive emails notifying them of the incident. Many instead discovered the issue only through a message shown when they logged into one of the network’s websites.
3. Yahoo – 500 million user accounts
Internet giant Yahoo revealed in September 2016 that it had discovered a data attack in which information from 500 million user accounts was obtained by what is believed to have been a state-sponsored actor.
Names, email addresses, telephone numbers, dates of birth, hashed passwords, and – in certain cases – even encrypted or unencrypted security questions and answers were all taken during the breach, said to have taken place in late 2014.
2. Yahoo – 1 billion user accounts
In December 2016 Yahoo shocked the connected world for a second time by confirming that data from more than 1 billion user accounts was stolen, in an act believed to be distinct from the previous incident in which the 500 million user accounts were obtained illegally.
Yahoo chief information security officer Bob Lord said that the unauthorised third party is thought to have taken the data in August 2013, with it including names, telephone numbers, dates of birth, email addresses, and hashed passwords. As with the previous case, encrypted or unencrypted security questions and answers were also stolen.
1. River City Media – 1.37 billion email addresses
In March 2017 it emerged that a database of details for 1.37 billion email accounts was seemingly exposed accidentally by email marketing firm River City Media, considered by many to be a spam operation due to sending up to 1 billion emails every day.
Discovered by MacKeeper Security Researcher Chris Vickery, the database consists of email accounts and, in many cases, the full names, IP addresses and physical addresses associated with the account holders.
Though the leak has not been fully verified at the time of writing, Vickery has found details he knows to be correct within the database – with anti-spam organisation Spamhaus blacklisting River City Media’s entire infrastructure as a result.