Advanced Cyber Security

You are here: SecPoint Cyber Security News

Top 20 Biggest Cyber Security Breaches

In 2021, the average data breach has cost around $4.24 million. It sounds like an alarming number, but just imagine owning a company with the clients' sensitive information. What happens if that gets into the wrong hands? 

Your company can face millions of dollars in lawsuits. You probably think that this is a rare incidence, but in actuality, it happens to big companies like Yahoo, Twitter, Facebook, etc. This shows that it can also happen to you; continue reading to learn about the top 20 cyber security breaches, so you know why cybersecurity protection should be a priority.

Top 20 Biggest Cyber Security Breaches

1) CAM4 data

The CAM 4 Data breach happened in March 2020. The Elasticsearch server was hacked, revealing over 10 billion data. The compromised records included the following sensitive data:

  • Complete names
  • Addresses 
  • Sexual Orientation
  • Transcripts of conversations
  • Transcripts of email communication
  • Passwords
  • Internet Protocol addresses
  • Payment records

Several email addresses are on cloud storage services. If hackers succeed in phishing attempts against these users, they will have access to personal pictures and corporate information. Compromised users could get ransomed and defamed for many years to come.

2) Yahoo 

Yahoo revealed in August 2013 that a breach by a gang of hackers affected one billion accounts. Plus, security questions and answers were also compromised, posing an increased risk of identity theft. Yahoo disclosed the incident on December 14, 2016, while contemplating selling itself to Verizon. 

Yahoo required all affected users to reset their passwords and re-enter any unencrypted security questions and answers to re-encrypt them. Luckily, the users' plain text passwords, credit card data, and bank information were not taken. 

3) Aadhaar data

In March 2018, the personal info of over a billion Indian residents was available for purchase online via the world's largest biometric database. This huge data breach occurred due to a data leakage on a state-owned power company's system. The hack exposed Aadhaar users' sensitive information, including:

  • Their names
  • Their unique 12-digit identification numbers
  • Their bank account information
  • Photographs
  • Thumbprints
  • Retina scans

In addition to what's listed, other identifying data of almost every Indian citizen were also revealed.

4) First American Financial Corp

In May 2019, First American Financial Corporation exposed 885 million customers' sensitive data for over 16 years. This includes:

  • Bank account information
  • Social security numbers
  • Wire transfers
  • Other mortgage documentation

They had to pay a hefty price to settle the lawsuits from the damages caused by the data breach.

5) Verifications.io

In February 2019, verifications.io exposed 763 million unique email addresses in an unprotected MongoDB server. Numerous entries contained private info, like names, phone numbers, IP addresses, dates of birth, and genders.

6) LinkedIn 

On June 2021, a Dark Web forum advertised data connected with 700 million LinkedIn users for sale. This vulnerability affected 92% of LinkedIn's overall user base of 756 million members. The data was leaked in two waves, first revealing 500 million members and then a second dump in which the hacker "God User" bragged of selling a 700 million-user LinkedIn database.

The hackers released a sample of 1 million records to demonstrate the breach's authenticity. They obtained these info:

  • Addresses 
  • Complete names and telephone numbers
  • Geolocation data
  • LinkedIn usernames and URL profiles
  • Genders
  • Additional social media accounts and information

The hacker uses Linkedin's API to scrape data. LinkedIn asserts that since no personal information was stolen, this was not a "data breach." They claim that it was a violation of their terms of service through illegal data scraping.

7) Facebook

In April 2019, the UpGuard Cyber Risk team disclosed the public exposure of a third-party Facebook app dataset. The exposure is from a media firm called Cultura Colectiva in Mexico City. 

They are 146 terabytes in size and contain over 533 million records, including comments, likes, responses, account names, and Facebook IDs. This database revealed free info on the dark web in April 2021, showcasing the data in 2019 to a fresh round of criminal exposure.

8) Yahoo

Yahoo believes that the first hack in 2014 was perpetrated by a "state-sponsored actor." They obtained personal information, like:

  • Names
  • Email addresses
  • Phone numbers
  • Hashed passwords
  • Birth dates,
  • Security questions and answers 

Yahoo became aware of this incident in 2014 and took a few early corrective measures but did not pursue the matter further. Two years later, they revealed the hack after the suspected sale of a stolen database from the firm on the black market.

9) Starwood (Marriott)

Marriott International reported in November 2018 that hackers had stolen data on roughly 500 million Starwood hotel guests. The attackers obtained illegal access to the Starwood system in 2014 and stayed in the system after Marriott's 2016 acquisition of Starwood. However, it was not until 2018 that the finding was discovered.

These information were taken:

  • Names
  • Contact information
  • Passport numbers
  • Starwood Preferred Guest numbers
  • Travel details
  • Financial information
  • Credit card number
  • Debit card number

According to the New York Times, the hack was ultimately traced to a Chinese intelligence organization. Their Ministry of State Security was collecting data on US individuals. 

10) Adult Friend Finder

In October 2016, hackers compromised data containing 20 years' worth of info for The AdultFriendFinder Network. This includes:

  • User names
  • Email addresses
  • Passwords

SHA-1 hashing method secures most passwords. This means that hackers can crack 99 percent of the info.

11) Myspace

In June 2013, a Russian hacker hacked about 360 million MySpace accounts, but the event was not revealed until 2016. The data breach exposed account details such as the owner's stated name, username, and birthday. 

Between 2013 and 2016, anybody with access to this compromised data could take over any Myspace account. Myspace has now deactivated any passwords associated with accounts created before 2013.

12) Exactis

Exactis is a marketing and data aggregation company headquartered in Florida. The hacker exposed a database holding over 340 million records on a publicly accessible server in June 2018. The hack revealed sensitive information about the individuals, including their:

  • Phone numbers
  • Home and email addresses
  • Hobbies
  • Age
  • Gender of their children

Security specialist Vinny Troia uncovered the data leak, which exposed information on hundreds of millions of US individuals and companies.

13) Twitter

Twitter informed users in May 2018 of a bug that left passwords unmasked in an internal log. This made all user passwords exposed to the internal network. Twitter advised its 330 million users to change their passwords. 

Twitter would not reveal the number of affected individuals. However, they did suggest that the amount was substantial and that they were exposed for many months.

14) NetEase

NetEase has experienced a data breach in October 2015, affecting hundreds of millions of users. While there is evidence that the data is genuine (several users verified that their passwords were included in the data), it is impossible to prove categorically. Email addresses and plain text passwords were exposed in the hack.

15) Sociallarks

Sociallarks is a fast-growing Chinese social media firm. In 2021, they had a massive data breach through an unprotected ElasticSearch database. The server was neither password-protected nor encrypted; it was a publicly accessible asset.

This deadly combination meant that anybody who knew the server's IP address could access critical data. The following data were exposed:

  • Names
  • Numerous telephone numbers
  • Addresses 
  • Descriptions of the individuals
  • Data on followers and engagement locations
  • Links to LinkedIn profiles
  • Login credentials for connected social media accounts
  • Breach of data at Deep Root Analytics

Over 200 million Facebook, Instagram, and LinkedIn users' scraped data was kept in the hacked database.

16) Deep Root Analytics

Deep Root Analytics is a company working on behalf of the Republican National Committee. They released the voter data of 200 million people (RNC). The data set included 1.1 gigabytes of personally identifiable information (PII) on voters, including their names, residences, and birthdates.

The accessible data included extensive voter analysis based on Reddit post activity can forecast how an individual would vote on a specific topic. The UpGuard Cyber Research team found the compromised database.

17) Court Ventures

A division of credit card monitoring company Experian exposed 200 million personal information. The hacker ran a company selling Personally Identifiable Information, including credit card and social security information obtained during the attack.

The hacker gained access to the internal database by masquerading as a private investigator from Singapore and persuading employees to surrender access.

18) Tetrad

Tetrad is a marketing research company. The hacker exposed the data of 120 million clients in Amazon S3 storage in February of this year. The leaked data included sensitive information from customers such as Kate Spade, Chipotle, and Bevmo.

Three Mosaic text files, each exceeding 10 GB in size, comprised a total of 130 million rows of data on US homes. These files included household addresses, names, gender, and the Mosaic group ID.

19) Dubsmash

Dubmash had a data breach in December 2018 that revealed:

  • 162 million email addresses
  • DBKDF2 password hashes
  • Usernames and DBKDF2 password hashes

In 2019, this data became available for purchase on the dark web. Eventually, the hacker distributed the information worldwide.

20) Adobe

Adobe accounts totaling 153 million compromised data in October 2013. The data breach exposed an:

  • Internal identifier
  • A username
  • An email address
  • An encrypted password
  • A plain text password hint

The encryption was insecure, and many passwords were rapidly resolved to plain text. The password suggestions exacerbated the problem by making it easy to guess and crackdown.

Ways to Protect Yourself From Cyber Security Breaches

As the percentage of internet users grows, the security threats also increase rapidly. The United States Federal Government established a research and development agency. Their mission is to formulate strategies for creating technology and establishing regulations to mitigate cybersecurity threats.

With the increased usage of social media sites and networks, individuals expose more personal information to the online world. This makes data protection increasingly challenging. Fortunately, there are ways to safeguard your online identity and sensitive information, such as:

Secure Passwords

When establishing a password, ensure that it is difficult to break or decode. Never use a word or number that connects with you, like your first and last name, your spouse or kid's name, your address, or any other identifying letters or numbers.

To protect yourself from online security breaches, mix up the letters and numbers in your password. Use symbols and a mixture of upper and lowercase numbers wherever feasible. It's also critical not to share your password with anybody. 

Seek Out Encryption

Before doing any financial transaction online, check for website security. To do so, look for two things: trustworthy security lock symbols and an additional "s" after http in the URL or web address bar. 

When you are on a page that requests your credit card information, the "http" becomes "https" to indicate that you are on a secure site. Simultaneously, a lock icon will appear on the right side of the address bar or in the lower left corner of your browser window. These two indicators reveal that the site is encrypted, meaning no one can view the data sent to the website's owner. 

Configure Security Suites

Security suites are a collection of security applications that prevent hackers and programs from infecting your computer and stealing your information and data. This includes preventing malicious software such as malware, viruses, and phishing scams from being installed undetected while you are online. 

Blacklisting for Web Browsers

Several web browsers have enhanced security features such as blacklisting. This enables you to choose the criteria for the websites you visit. That means only safe and trustworthy websites will be accessible for you to browse.

Identify and Avoid Phishing Scams

Phishing scams employ several strategies to acquire sensitive information and steal your identity. To prevent falling prey to a phishing scam, never open attachments or emails from an unknown sender. Also, avoid clicking on links included in odd emails. 

Ignore anybody who offers money, unusual employment opportunities, or requests for charitable contributions. They may be part of a scheme to acquire your personal information and online identity.

Update Software Regularly

Experts suggest updating all software and operating systems on a regular basis. Hackers and malwares often adapt and changes strategies to bypass software protection protocol. Constant updates prevents your programs from these vulnerabilities and attacks.

Where Can You Seek Help for a Security Breach?

Hackers are on a rampage to obtain personal info, like social security numbers and credit card information. This is an opportunity for them to steal your identity and money. Without the proper security protocol, your business and you are vulnerable to these attacks.

Protection from cyber security breaches is very complex. It's challenging to do it alone, but we can help. Contact us today for strategies, services, and products for optimal protection.