• Sign In | Home | Advertising | Subscribe

    • Biggest data breaches in history

    You entrust multiple organizations with your personal data every day, but given the number of data breaches that are reported each year, the odds are that your information has fallen into the wrong hands at some point. We reveal the biggest data breaches in history. In 2005, AOL suffered a data breach involving 92 million email addresses and screen names after an ex-employee stole the list. While astronomical, this data breach figure pales in comparison to the more recent breaches of 10.88 billion CAM4 records, 5 billion Cognyte records (which, ironically, were from previous data breach victims), and 3 billion Yahoo user accounts (discovered in 2016). Based on data breaches affecting over 10m records, over 50bn records have been impacted by the biggest US data breaches since 2005. Some of the biggest have occurred in the last few years. So how have data breaches developed over the years? How many records have been affected? And what industries have been most impacted? Check out our interactive dashboards below to find out where the biggest data breaches in the US and worldwide have occurred: Breach type definitions: Disc (unintentional disclosure, e.g. leaving a database unsecured), Hack (attacked by an external source or with malware), Insd (theft by an employee, contract, or third-party), Port (loss or theft of a portable device, e.g. laptop), Rans (loss of data via a ransomware attack), and Unknwn (unknown source of data loss).

    The top 10 biggest US-based data breaches

    1. Yahoo ? 3 billion records affected: In August 2013, hackers attacked Yahoo and compromised user accounts. In its initial acknowledgment of the breach, which was only in December 2016, Yahoo said 1bn user accounts had been affected. But in 2017, it updated this to say it believed all 3bn of its users? accounts had been impacted. These updated figures make it the largest breach in US history.
    2. Dropbox, LinkedIn et. al. ? 2.2 billion records affected: More than 2.2bn records were stolen from across a number of large websites, including Dropbox and LinkedIn. Hackers dumped the stolen records on the dark web in 2019 in an attempt to sell them. Dubbed ?Collection #1?, it appeared the data had been collected over a number of years and included usernames and passwords.
    3. Comcast ? 1.5 billion records affected: A total of 1,507,301,521 records, including Comcast email addresses, client IPs, and hashed passwords were found in a non-password protected database. It was discovered by security researchers in December 2020. It wasn?t the first Comcast data breach, either. A data incident in 2018 saw 26.5m Comcast Xfinity users? social security numbers and home addresses being exposed. And, in 2014, an employee mistakenly gave two unauthorized people access to a tool that led to the theft of 24.5m records that contained personally identifiable information (PII).
    4. River City Media ? 1.34 billion records affected: An improperly configured backup led to the exposure of 1.34 billion email addresses in 2017. Some records also contained IP addresses, physical addresses, and names, while River City Media?s sensitive business information, e.g. accounts and Hipchat logs, were also available for everyone to see. There was some good to come from the leak, however, as it exposed River City Media?s illicit IP hijacking techniques that had allowed them to create spam campaigns.
    5. Evite, et. al. ? 932 million records affected: During the first few months of 2019, hacker ?Gnosticplayers? uploaded almost 1 billion records from 44 companies, including Evite, MindJolt, and Wanelo. The data uploaded included usernames, passwords, email addresses, and IP addresses.
    6. First American ? 885 million records affected: For over two years, nearly 900 million First American customers? sensitive files were left exposed. The data, which was discovered in May 2019, included social security numbers, bank account numbers and statements, driver?s license images, and more. This gave would-be identity thieves more than enough information to steal money from the victims (although nothing was confirmed). In June 2019, First American settled a $500,000 fine for the breach.
    7. DreamHost ? 815 million records affected: In May 2021, one of the biggest web hosts in the world was reported as having exposed 815 million records in an unprotected database. According to DreamHost, the database was only available for around 12 hours before it was removed, but this still gave threat actors enough time to potentially steal clients? data, which included names and usernames.
    8. LinkedIn ? 700 million records affected: Just two months after a data breach of 500 million LinkedIn users? records was exposed, the personal data of 700 million of its users (almost 93 percent of its total users) was posted online. All of the data was available to buy for a mere $5,000. Although the data had been scraped from the website (rather than breached), the information contained full names, email addresses, physical addresses, phone numbers, geolocation records, and more.
    9. Dubsmash, et. al. ? 616.7 million records affected: After 16 websites were hacked, 617 million online account details were put up for sale on the dark web in 2019 for less than $20,000 in Bitcoin. Records came from multiple companies and websites, including Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), EyeEm (22 million), 8fit (20 million), and Whitepages (18 million).
    10. Facebook ? 540 million records affected: In April 2019, nearly 540 million Facebook users? records were found on unsecured Amazon servers used by Cultura Colectiva, a Mexican social media firm. Facebook confirmed the data, which contained account names, ID numbers, reactions, and comments, had been removed. Just two years later, Facebook?s user data was exposed again with around 533 million user records from 106 countries being found on a hacking forum in April 2021. The data had been scraped in before August 2019.

    The top 10 biggest non-US data breaches

    While the US is home to some of the biggest data breaches in US history, there are a couple that eclipse these.
    1. CAM4 ? 10.88 billion records affected: In the biggest-ever breach of data, CAM4, an adult website, left an ElasticSearch database unsecured before it was found by security researchers in March 2020. The data was made up of 7TB of data?a total of 10.88 billion records. Names, email addresses, payment logs, IP addresses, sexual preferences, and chat transcripts were all part of the data set. Experts believe around 6.6m US users, 5.4m Brazilian users, 4.9m Italian users, and 4.2m French users were part of the breach. CAM4 said there was no indication bad actors had accessed the database before it was taken down.
    2. Cognyte ? 5 billion records affected: In May 2021, Bob Diachenko, who leads Comparitech?s security research team, discovered an exposed database that was accessible to all users without any form of authentication. Ironically, the database was stored by cybersecurity analytics firm, Cognyte. It formed part of its cyber intelligence service, which would alert users if their data was part of third-party data exposure. Included within the 5bn records were names, passwords, email addresses, and the original source of the leak.
    3. Verifications.io ? 2.07 billion records affected: Another unsecured database was discovered by Bob Diachenko in February 2019. It contained 808.5m records which, as well as email addresses, also included personally identifiable information. Upon further analysis, researchers suggested as many as 2.07 billion records had been exposed in total. The database was traced back to verifications.io, an email marketing company.
    4. Aadhaar ? 1.1 billion records affected: In 2018, the Indian government?s ID database, Aadhaar, was impacted by a number of breaches which left the 1.1bn citizens registered on the database vulnerable to exploitation. Reports stated that in January 2018, criminals were granting access to the database for 10 minutes at a cost of Rs500 (around $8 at the time).
    5. Taobao (Alibaba) ? 1.1 billion records affected: Joint with the Aaadhaar breach is the hack of Alibaba?s shopping website, Taobao. For eight months (from November 2019), web-crawling software was used by a developer to gather customers? information, including mobile numbers and user IDs.
    6. Shanghai National Police (Unconfirmed) ? 950 million records affected: In June 2022, a massive database containing nearly 1 billion records was put up for sale for 10 bi...

      Want to keep reading? This content is for subscribers only.

      Login Subscribe

    Share :

    CATEGORIES

    Newsletter

    Subscribe to our newsletter to stay.