Data breaches are devastating to organizations. They lose money to litigation, incident response, compliance penalties, and a loss of customer trust. The brand damage can cost millions in lost revenue, and litigation can last for years. The wave of large data breaches started with Target in 2013, and massive amounts of data continue to be stolen every year, even as more organizations learn the importance of cybersecurity and data protection. Here are a few of the largest data breaches to date, in which billions of records were stolen.
Equifax handles consumer credit ratings and reports, so it comes as no surprise that this data breach resulted in the loss of massive amounts of financial data. Attackers were able to exploit outdated server software with known, publicly documented vulnerabilities. The developers of the server software had released an update several weeks prior to the compromise, so Equifax's server administrators were negligent in not applying it. Equifax was also accused of being slow to report the breach, which triggered a change in policy: organizations are now required to report a data breach within a specified amount of time.
LinkedIn, 2012 and 2016
LinkedIn is the hub for career-oriented information and business connections. Anyone in the job market benefits from keeping a LinkedIn profile, which makes it an ideal target for attackers seeking personal information, and a major source of material for attackers using social engineering against an organization: an attacker uses LinkedIn to perform reconnaissance and find organizational charts with the names and contact information of high-level employees.
An attacker breached the website and stole millions of SHA-1 password hashes. SHA-1 is cryptographically insecure, making the stolen hashes vulnerable to brute-force attacks. The passwords were offered for sale on hacker forums for $2000 in bitcoin. Should an attacker successfully brute-force a user's password, that attacker could gain access to the user's accounts on other internet websites that share the same password.
To date, the Yahoo data breach is the biggest loss of data to attackers, and Yahoo was widely criticized for hiding one breach for years. Yahoo stores contact information, including dates of birth and telephone numbers, for millions of users, and an attacker was able to exploit the Yahoo email system to steal information on 500 million users. In 2016, Yahoo disclosed a 2013 data breach in which an attacker stole 1 billion records, but the company later amended the record count to 3 billion. At the time of the announcement, Yahoo was in negotiations with Verizon to sell its core business. Because Yahoo had failed to disclose the original data breach, the company was forced to reduce its buyout price by $350 million.
Sina Weibo is China's version of Twitter, so it was targeted by attackers for users' real names, demographic information, locations, and phone numbers. China has different data privacy and regulation laws than the EU and the US, so the consequences Sina Weibo faced in the aftermath are unknown. The phone numbers stolen in the data breach were posted for sale on darknet markets, but passwords were not available online after the breach. The breach used a logic flaw in the Sina Weibo API that allowed an attacker to cross-reference contacts with the address book available through the API endpoint.
Although MySpace has long since lost its popularity, the web application is still available and contains contact information including email addresses, passwords, and MySpace usernames. The data stolen was stored on the old MySpace platform, so only accounts created prior to June 2013 were affected. Older accounts used the SHA-1 hashing algorithm, which is not cryptographically secure. Any hashed value using SHA-1 is vulnerable to brute-force attacks, so the stolen MySpace hashes could disclose the targeted user's password. If the user uses the same password across multiple sites, then their other accounts would also be vulnerable to compromise.
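The LinkedIn and MySpace paragraphs above make the same point: a stored password hash is only as good as the scheme behind it. Bare SHA-1 is fast and, as used on those older accounts, unsalted, so two users with the same password produce the same digest, and a leaked table of digests exposes password reuse before a single guess is made. The following is an added example, not code from the original post or from either company. It contrasts that legacy scheme with salted PBKDF2-HMAC-SHA256 from Python's standard library, gives a small audit helper that flags legacy records during a migration, and uses a constructed credential set (the users and passwords are invented for illustration).

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample data for the demonstration; not real accounts.
SAMPLE_USERS = {
    "alice": "Summer2012!",
    "bob": "Summer2012!",          # same password as alice: reuse is common
    "carol": "correct horse battery staple",
}


def legacy_sha1(password: str) -> str:
    """The weak legacy scheme: a single unsalted SHA-1 digest of the password.
    Deterministic and fast, which is exactly why leaked tables are brute-forceable."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = 600_000,
                  salt: Optional[bytes] = None) -> str:
    """Salted PBKDF2-HMAC-SHA256. The record is self-describing so the
    iteration count can be raised later without breaking old records."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the derived key from the stored salt and iteration count and
    compare in constant time so the check itself leaks nothing via timing."""
    scheme, iters, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def is_legacy_sha1_record(record: str) -> bool:
    """Audit helper for a migration: a bare 40-character hex field is an
    unsalted SHA-1 digest, not a structured KDF record."""
    return len(record) == 40 and all(c in "0123456789abcdef" for c in record.lower())


def shared_hash_groups(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose stored hashes are identical. With unsalted SHA-1 every
    password shared between users is visible in the dump itself; with per-user
    salts the result is empty even when users do share a password."""
    groups: Dict[str, List[str]] = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}


def build_tables(users: Dict[str, str], iterations: int = 600_000):
    """Return (legacy_table, hardened_table) for the same set of users."""
    legacy = {u: legacy_sha1(p) for u, p in users.items()}
    hardened = {u: hash_password(p, iterations=iterations) for u, p in users.items()}
    return legacy, hardened


if __name__ == "__main__":
    legacy, hardened = build_tables(SAMPLE_USERS)
    print("legacy records sharing a hash:", shared_hash_groups(legacy))
    print("hardened records sharing a hash:", shared_hash_groups(hardened))
    print("legacy records flagged for migration:",
          [u for u, h in legacy.items() if is_legacy_sha1_record(h)])
    print("alice verifies:", verify_password("Summer2012!", hardened["alice"]))
```

Running the script shows alice and bob collapsing into one group under the legacy scheme and into none under the salted one, and all three legacy records flagged for migration. The usual migration path is to wrap each legacy digest in the new KDF immediately (so the database never again holds a bare SHA-1) and then re-hash from the plaintext the next time each user logs in.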
It often takes a while for administrators to discover a breach, but Marriott's breach went undetected for four years. The compromise occurred in 2014, but it was not discovered until 2018. Attackers were able to steal password information and contact data for travel customers, along with 100 million credit card numbers used to pay for hotel rooms. The attackers are believed to have been state sponsored by China, gathering intelligence on US citizens.
The gap between secure systems and cybercriminal activity must be closed to prevent data breaches in 2021. Research from a consortium made up of Google, PayPal, Samsung, and Arizona State University provides some intelligence on how to mitigate phishing campaigns. The results set out several effective mechanisms to prevent phishing-based attacks that end in stolen data, including browser-based warnings, which reduced successful phishing compromises to 71.51% within one hour of detection. The researchers conclude, however, that proactive mitigation and an extended anti-phishing ecosystem are the best way to deal with sophisticated and complex campaigns to steal data.
In 2021, we should expect that data breaches will continue to be the food that fuels cybercrime. However, with mitigating measures that focus on reducing the likelihood of phishing, businesses can make inroads against a complex system of attacks.
Protect your organization in 2021 from data breaches by using an email security solution such as SpamTitan. Start a free trial and discover how SpamTitan can protect your organization and customers. Start Free Trial today.