Data breaches have become a near-daily occurrence. Some breaches grab headlines despite their size (like the Equifax breach), but large counts of breached records always deserve attention. Here, we explore the five biggest data breaches of all time.
1. Yahoo – 3 billion
Yahoo is well-known for its poor data security, with multiple data breaches in recent years; however, the 2013 Yahoo breach takes the prize of the largest data breach of all time. In December 2016, while in negotiations for the sale of part of the company to Verizon, Yahoo revealed the data breach. This was the first in a series of disclosures about the breach that eventually revealed the scope of the incident (all 3 billion users) and the breached data (name, date of birth, email address, password and security questions/answers).
2. Marriott – 500 million
The Marriott breach has recently been in the news due to the substantial 99 million Euro penalty that the UK’s Information Commissioner’s Office (ICO) has announced. The Marriott breach, which affected 500 million users, originated as a breach of the Starwood Hotels systems. The breach began in 2014, continued through Marriott’s acquisition of Starwood in 2016, and was finally discovered in September 2018. At a minimum, affected customers’ names and contact information were breached, but some parties lost significantly more data.
3. Adult Friend Finder – 412.2 million
The Friend Finder Network consists of a set of websites and was breached in October 2016. As a result of the vulnerability, 20 years of data (affecting 412.2 million accounts) was collected by the hackers, including names, email addresses and passwords. The passwords were poorly protected, making it easy for hackers to crack them and gain access to affected accounts.
4. Myspace – 360 million
The early social media website Myspace was breached in 2016 to the tune of 360 million accounts. Like the Friend Finder breach, the passwords leaked during this attack were poorly protected, making them easy prey for hackers. As a result, email addresses, usernames and passwords were revealed in this breach.
5. eBay – 145 million
The final breach in this top-5 list involved eBay and was reported in May of 2014. This attack took advantage of stolen employee credentials to steal the personal information of 145 million users of the online auction site. Attackers had internal access to the organization for a significant period of time (229 days) and gained access to names, addresses, dates of birth and encrypted passwords for all of its users. Fortunately, payment card information was stored separately and not leaked during the breach.