Not so long ago, a breach compromising the data of millions of people would have been headline news. Today, incidents affecting hundreds of millions or even billions of people are commonplace. Of the 15 breaches of the 21st century covered here, the top two alone exposed the personal data of about 3.5 billion people, and even the smallest case in this article involved the theft of data on 134 million people.
We compiled this list of the largest breaches of the 21st century using a simple selection criterion: the number of affected users. We also distinguished between cases in which data was stolen with malicious intent and cases in which a company accidentally exposed data it had failed to protect. For example, Twitter wrote the passwords of 330 million users to internal logs unencrypted, but there was no evidence of misuse, so Twitter is not on this list.
This article lists the 15 biggest data breaches in alphabetical order, including:
Biggest data breaches
- Adult Friend Finder
- Heartland Payment Systems
- Marriott International
- My Fitness Pal
- Sina Weibo
Adobe
-Date of incident: October 2013
-Impact: 155 million users
-Details: As security reporter Brian Krebs reported in early October 2013, Adobe initially said attackers had stolen about 3 million encrypted customer credit card records, plus login data for an undetermined number of user accounts.
Adobe later raised that figure to 38 million ‘active users’ IDs and encrypted passwords. A few days before that announcement, Krebs reported, “The file appears to contain over 150 million usernames and encrypted passwords from Adobe.” After several weeks of investigation, it emerged that the hack had also exposed customer names, IDs, passwords, and debit and credit card information.
In August 2015, Adobe was required to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported at $1 million.
Adult Friend Finder
-Date of incident: October 2016
-Impact: 412.2 million accounts
-Details: This breach was particularly sensitive for account holders because of the nature of the services Adult Friend Finder provides. The FriendFinder Network, which includes adult content and casual hookup sites such as Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was breached in mid-October 2016. The stolen data spanned 20 years across six databases and included names, email addresses and passwords.
Most of the passwords were protected only by the weak SHA-1 hashing algorithm, and by November 14, 2016, when LeakedSource, a searchable database of stolen accounts, published its analysis of the data set, an estimated 99% of them had been cracked.
At the time, this magazine published a screenshot of Adult Friend Finder posted on Twitter by a researcher using the handle 1x0123. The screenshot showed what appeared to be a Local File Inclusion (LFI) vulnerability being triggered. The researcher said the vulnerability, found in a module on the production servers used by Adult Friend Finder, was being exploited.
Canva
-Date of incident: May 2019
-Impact: 137 million user accounts
-Details: In May 2019, Canva, an Australian graphic design tool website, suffered an attack that exposed the email addresses, usernames, real names and cities of residence of 137 million users, along with encrypted passwords for the roughly 61 million users who did not sign in through social logins. Canva said the attacker was able to view files containing some credit card and payment data, but could not steal them.
The suspected attacker, known as Gnosticplayers, contacted a technology news outlet and said Canva had detected the attack and shut down the server used in the breach. The attacker also claimed to have obtained OAuth login tokens for users who signed in through Google.
After confirming the incident, Canva notified its users, prompted them to change their passwords, and reset OAuth tokens. However, according to a later report, after a list of about 4 million Canva accounts with decrypted stolen passwords was shared online, Canva invalidated the passwords that had not yet been changed and notified the users whose passwords had been exposed in unencrypted form.
eBay
-Date of incident: May 2014
-Impact: 145 million users
-Details: In May 2014, the online auction site eBay disclosed that an attack had exposed its full account list of approximately 145 million users, including names, addresses, dates of birth and encrypted passwords. eBay said the attackers used the credentials of three corporate employees to get into the network and had full access for 229 days, more than enough time to compromise the user database.
eBay asked customers to change their passwords. Financial information such as credit card numbers was stored separately and was not compromised. At the time, eBay was criticized for poor communication with users and a poorly implemented password-reset process.
Equifax
-Date of incident: July 29, 2017
-Impact: 147.9 million consumers
-Details: Equifax, one of the largest credit bureaus in the United States, said on September 7, 2017 that an application vulnerability in one of its websites had led to the exposure of data on approximately 147.9 million consumers. The breach was discovered on July 29, but Equifax said it may have begun in mid-May. It compromised the personal information of 143 million consumers (including social security numbers, dates of birth, addresses and, in some cases, driver’s license numbers) and exposed the credit card data of 29,000 consumers. That number was revised upward to 147.9 million in October 2017.
Equifax had several security and response failures. The most important was that the application vulnerability that gave the attackers their initial access had not been patched. Inadequate system segmentation then made it easier for the attackers to move laterally. On top of that, Equifax took a long time to report the incident.
Dubsmash
-Date of incident: December 2018
-Impact: 162 million user accounts
-Details: In December 2018, attackers stole 162 million email addresses, usernames, encrypted passwords and other personal data such as dates of birth from Dubsmash, a New York-based video messaging service, and in December of the following year all of it was put up for sale on the dark web market Dream Market. The data was sold as part of a much larger haul that also included My Fitness Pal, MyHeritage (92 million), ShareThis, Armor Games and the dating app CoffeeMeetsBagel.
Dubsmash acknowledged that the leak and sale had taken place and offered advice on changing passwords, but did not disclose how the attackers broke in or how many users were affected.
Heartland Payment Systems
-Date of incident: March 2008
-Impact: 134 million credit cards exposed
-Details: At the time of the breach, Heartland was processing 100 million payment card transactions per month for 175,000 merchants, mostly small and medium-sized retailers. The breach came to light in January 2009 when Visa and Mastercard reported suspicious transactions on accounts handled by Heartland. The attackers carried out a SQL injection attack by exploiting a known vulnerability. Security analysts had been warning retailers about this class of vulnerability for years, and SQL injection was the most common form of attack against websites at the time.
The payments industry deemed Heartland non-compliant with the Payment Card Industry Data Security Standard (PCI DSS), and it was barred from processing payments for the major card brands until May 2009. Heartland Payment Systems paid approximately $145 million in compensation for fraudulent payments.
The Heartland breach was a rare case in which US authorities caught up with an attacker. A US grand jury indicted Albert Gonzalez and two unnamed Russian accomplices in 2009. Gonzalez, a Cuban-American, was accused of leading an international operation to steal credit and debit card data and was sentenced to 20 years in a US federal prison in March 2010.
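The Heartland entry names SQL injection without showing what the flaw looks like in code. The block below is an added example, not Heartland's code or anything from the original article: a card-record lookup built by string concatenation next to the same lookup using a bound parameter, run against a small constructed in-memory SQLite table. The table, merchant identifiers and the `merchant_is_wellformed` allow-list check are all constructed for this illustration.

```python
import sqlite3

# Added example, not Heartland's code: a lookup built by string concatenation
# next to the parameterized form, run against a constructed in-memory table.


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample data: three tokenized card records for two merchants."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cards (id INTEGER PRIMARY KEY, merchant TEXT NOT NULL, pan_last4 TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO cards (merchant, pan_last4) VALUES (?, ?)",
        [("shop-a", "1111"), ("shop-a", "2222"), ("shop-b", "3333")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, merchant: str):
    """The pattern behind classic SQL injection: untrusted input is pasted into
    the statement text, so quote characters in it change the query's meaning
    and a single crafted value can return every row in the table."""
    sql = (
        "SELECT merchant, pan_last4 FROM cards WHERE merchant = '"
        + merchant
        + "' ORDER BY id"
    )
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, merchant: str):
    """Hardened form: the statement text is fixed and the value travels
    separately as a bound parameter, so it is only ever compared as data."""
    return conn.execute(
        "SELECT merchant, pan_last4 FROM cards WHERE merchant = ? ORDER BY id",
        (merchant,),
    ).fetchall()


def merchant_is_wellformed(merchant: str) -> bool:
    """Defense in depth (hypothetical rule for this demo): merchant ids are
    short and contain only alphanumerics and dashes. Rejecting anything else
    before the query runs shrinks the attack surface, but it is not a
    substitute for parameterization."""
    return 1 <= len(merchant) <= 32 and all(c.isalnum() or c == "-" for c in merchant)


if __name__ == "__main__":
    db = make_demo_db()
    print("normal lookup:", lookup_safe(db, "shop-a"))
    crafted = "x' OR '1'='1"
    print("vulnerable query row count:", len(lookup_vulnerable(db, crafted)))
    print("parameterized query row count:", len(lookup_safe(db, crafted)))
    print("allow-list accepts crafted value:", merchant_is_wellformed(crafted))
```

The parameterized version and the allow-list check are complementary: the first removes the injection bug outright, the second gives a detection point (a rejected value is worth logging) and limits what an unexpected input can do elsewhere in the application.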
LinkedIn
-Date of incident: 2012, 2016
-Impact: 165 million user accounts
-Details: LinkedIn, the major social network for business professionals, has long been an attractive target for attackers running social engineering campaigns, and it eventually suffered a large breach of user data as well.
In 2012, LinkedIn announced that 6.5 million passwords (unsalted SHA-1 hashes) had been stolen by an attacker and posted on a Russian hacker forum. The full extent of the incident did not emerge until 2016, when the same attacker who was selling MySpace data was found to be offering the email addresses and passwords of about 165 million LinkedIn users for 5 bitcoins (about $2,000 at the time). LinkedIn said it was aware of the breach and had reset the passwords of the affected accounts.
Marriott International
-Date of incident: 2014-2018
-Impact: 500 million customers
-Details: In November 2018, Marriott International announced that attackers had stolen data on about 500 million customers. The breach began in 2014 in a system supporting the Starwood hotel brands. The attackers remained in the system after Marriott acquired Starwood in 2016 and were not discovered until September 2018.
The attackers took some combination of contact information, passport numbers, Starwood Preferred Guest numbers, travel information and other personal data. Credit card numbers and expiration dates for more than 100 million customers were believed to have been stolen, but Marriott said it was unclear whether the attackers had been able to decrypt the card numbers. According to a New York Times article, the breach was ultimately attributed to a Chinese intelligence group collecting data on US citizens.
My Fitness Pal
-Date of incident: February 2018
-Impact: 150 million user accounts
-Details: Like Dubsmash, MyFitnessPal, a fitness app owned by Under Armour, was among the 16 hacked sites whose data, roughly 611 million customer accounts in all, was put up for sale on the dark web market.
In February 2018, the usernames, email addresses, IP addresses and SHA-1- and bcrypt-hashed passwords of about 150 million customers were stolen, and a year later they were offered for sale alongside the Dubsmash data and the rest. MyFitnessPal acknowledged the breach and asked customers to change their passwords, but did not say how many accounts were affected or how the attackers got in.
MySpace
-Date of incident: 2013
-Impact: 360 million user accounts
-Details: MySpace, once a social media powerhouse, drew media attention again in 2016 when 366 million user accounts turned up on LeakedSource and were offered for sale on the dark web for 6 bitcoins (about $3,000 at the time).
According to MySpace, the stolen data included the email addresses, passwords and usernames of some accounts created on the old MySpace platform before June 11, 2013. According to Troy Hunt of Have I Been Pwned (HIBP), a site that tells you whether your personal information has appeared in a breach, each password was stored as the SHA-1 hash of its first 10 characters converted to lowercase.
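Several entries on this page come down to the same weakness: passwords stored as unsalted SHA-1 (Adult Friend Finder, LinkedIn, MyFitnessPal) or, in MySpace's case, SHA-1 of only the first 10 characters lowercased. The block below is an added example, not code from the original article or from any of these companies: it reconstructs the two schemes from the descriptions given above, shows the information they throw away, and contrasts them with a salted, slow hash from the Python standard library (PBKDF2-HMAC-SHA256, a standard alternative to the bcrypt the MyFitnessPal entry mentions). The sample passwords are constructed for the illustration, not taken from any breach.

```python
import hashlib
import hmac
import os
from collections import Counter

# Added example: reproduces the weak password-storage schemes the article
# describes (reconstructed from the text, not the companies' actual code) next
# to a salted, slow hash from the Python standard library.


def myspace_style_hash(password: str) -> str:
    """SHA-1 of only the first 10 characters, lowercased, unsalted (as the
    article describes for pre-2013 MySpace). Case and anything beyond the
    tenth character are discarded, so distinct passwords collide."""
    return hashlib.sha1(password[:10].lower().encode("utf-8")).hexdigest()


def linkedin_style_hash(password: str) -> str:
    """Unsalted SHA-1 of the full password (the 2012 LinkedIn scheme).
    Every user with the same password gets the same hash, and a fast hash
    makes large-scale guessing cheap."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: bytes = None, iterations: int = 600_000) -> str:
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256). The stored string
    carries its own parameters: 'iterations$salt_hex$hash_hex'."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so verification does not leak timing information."""
    iterations, salt_hex, hash_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), hash_hex)


def duplicate_hash_groups(hashes) -> int:
    """Count hash values shared by more than one user. With unsalted hashes
    this exposes which accounts share a password (and means one recovered
    password unlocks all of them); with per-user salts it should be zero."""
    return sum(1 for n in Counter(hashes).values() if n > 1)


if __name__ == "__main__":
    # Constructed sample passwords, not data from any breach.
    a, b = "CorrectHorse!Battery", "correcthorse"
    print("MySpace-style hashes collide:", myspace_style_hash(a) == myspace_style_hash(b))
    print("full SHA-1 hashes collide:   ", linkedin_style_hash(a) == linkedin_style_hash(b))
    users = ["password123", "password123", "hunter2"]
    print("shared unsalted hashes:", duplicate_hash_groups(map(linkedin_style_hash, users)))
    print("shared PBKDF2 hashes:  ", duplicate_hash_groups(map(pbkdf2_hash, users)))
    stored = pbkdf2_hash("hunter2")
    print("verify correct:", pbkdf2_verify("hunter2", stored))
    print("verify wrong:  ", pbkdf2_verify("hunter3", stored))
```

The two properties a defender should look for when reviewing password storage are visible in the output: the salted scheme produces different stored values for identical passwords, so a dump reveals nothing about which accounts share a password, and each guess costs hundreds of thousands of hash iterations rather than one.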
NetEase
-Date of incident: October 2015
-Impact: 235 million user accounts
-Details: NetEase operates email services such as 163.com and 126.com. A dark web seller known as DoubleFlag was reported to be offering email addresses and plaintext passwords for approximately 235 million NetEase customer accounts. DoubleFlag was also selling data from other large Chinese companies, including Tencent’s QQ.com, Sina Corporation and Sohu. NetEase has denied that any breach occurred, and HIBP lists this breach as ‘unconfirmed’.
Sina Weibo
-Date of incident: March 2020
-Impact: 538 million accounts
-Details: Sina Weibo, with more than 500 million users, is China’s answer to Twitter. In March 2020, it was reported that the real names, site usernames, gender, location and phone numbers of 172 million users had been posted for sale on a dark web market. Because no passwords were included, the data went for a bargain price (19,000 won).
Weibo admitted that the data was its own, but claimed it had been obtained by matching contacts against its address book API. It also said users need not worry because it does not store passwords in plaintext. However, some of the information, such as location data, is not available through that API. Weibo reported the incident to the Chinese authorities and said the Cybersecurity Bureau of China’s Ministry of Industry and Information Technology was investigating.
Yahoo
-Date of incident: 2013-2014
-Impact: 3 billion user accounts
-Details: Yahoo announced in September 2016 that in 2014 it had suffered what was then the largest data breach in history. Yahoo said state-sponsored attackers had compromised the real names, email addresses, dates of birth and phone numbers of 500 million users, and claimed that most of the affected passwords were encrypted.
Then, in December 2016, Yahoo announced that a different attacker had breached a billion user accounts, taking names, dates of birth, email addresses and passwords, as well as security questions and answers. In October 2017, Yahoo revised the scope of the damage to cover all 3 billion of its user accounts.
When the first breach was announced, Yahoo was being acquired by Verizon, which paid $4.48 billion for Yahoo’s core Internet business; the incident had a considerable effect on the deal, cutting Yahoo’s value by about $350 million.
Zynga
-Date of incident: September 2019
-Impact: 218 million user accounts
-Details: Once a Facebook gaming giant, Farmville maker Zynga is still a mobile game provider with millions of players worldwide.
In September 2019, a Pakistani hacker known as Gnosticplayers claimed to have broken into the player databases of Zynga’s Draw Something and Words With Friends and accessed 218 million registered accounts. Zynga later confirmed that email addresses, encrypted passwords, phone numbers, and user IDs for Facebook and Zynga accounts had been stolen.
This article was first published in March 2014 and is updated as new breaches come to light (editor’s note).
*This article has been translated from content published by ITWorld Korea (www.itworld.co.kr).