Throughout the course of cybersecurity history, cybercriminals have become more adept at stealing sensitive data from companies, sometimes resulting in billions of dollars in victim losses.
If it seems like incidents have grown on an exponentially larger scale in recent years, you'd be correct. In the last decade, we've seen some of the biggest data breaches of all time affecting billions of people around the world. Whether because of a company's negligence or some malicious third-party, we've rounded up five of the largest data breaches to date.
1. Yahoo! (2013-2014)
In July 2016, Yahoo! announced it had discovered millions of account credentials for sale on the dark web, deducing those account details had been stolen in a 2014 hack that compromised 500 million accounts. But the worst was yet to come. An investigation revealed 1 billion accounts had been compromised in a 2013 cookie-based attack; that number later ballooned to encompass every single Yahoo account—about 3 billion accounts. The two combined attacks make up the largest data breach in history.
2. First American Corporation (2019)
In May 2019, real estate developer Ben Shoval discovered more than 885 million records—including bank account details, Social Security numbers, wire transactions, and mortgage paperwork—were publicly accessible on a web server owned by First American Corporation, a financial services company based in California. Shoval notified cybersecurity reporter Brian Krebs, who in turn notified authorities and First American Corporation of the oversight.
The company discovered the information access had been caused by a "design defect" in a production application and began working with a forensics team to find the effect—if any—of the unauthorized access. In the meantime, at least one client has filed suit against the company for failing "to implement even rudimentary security measures."
3. Facebook (2019)
In April 2019, a cybersecurity team at Upguard reported datasets from two third-party, Facebook-integrated apps had leaked more than 540 million user records to the public internet. One set, originating from a Mexican media company called Cultura Colectiva, contained 146 gigabytes of information including comments, likes, reactions, account names, and Facebook IDs. The other set, originating from an app called At the Pool, included user IDs, friends, likes, interests, check-ins, and passwords. Although the leaked passwords were for the At the Pool app and not necessarily Facebook, many users may not follow best practices for passwords and reuse the same password across multiple apps, putting themselves at risk.
4. Marriott International (2014-2018)
In 2018, hotel giant Marriott International announced its Starwood reservation system had been hit with a cyberattack, exposing up to 500 million guests' personal information. The attack, dating back to 2014, exposed guests' names, addresses, phone numbers, birth dates, email addresses, and credit card details. The cyberattack was later revealed by officials as an act of state-sponsored cybercrime by the Chinese government.
5. Friend Finder Network (2016)
In 2016, data notification service LeakedSource announced it had obtained details for more than 412 million accounts from adult dating and entertainment company Friend Finder Network, which operates sites like AdultFriendFinder.com. According to ZDnet, the details—which were stolen by an anonymous hacker—included usernames, email addresses, and passwords, along with site membership data, browser information, IP addresses, and from one site, 15 million deleted accounts that were never purged from the site's server.
What are some of the biggest data breaches you can remember? Comment below!