The number of data breaches continues to rise, and because of this, there has never been a more precarious time in history to launch and maintain a successful business.
To prevent the repetition of the mistakes that result in data theft, we've compiled a list of the 72 biggest data breaches in history, which includes the most recent data breaches in February 2022.
As you'll see, even prestigious companies like Facebook, LinkedIn, and Twitter are vulnerable to the rising trend of data breaches.
You may also be interested in our list of the biggest data breaches in the finance and healthcare industries.
The 72 Biggest Data Breaches Ranked by Impact
Each of these data breaches reveals the mistakes that led to the exposure of up to millions of personal data records.
1. CAM4 Data Breach
Date: March 2020
Impact: 10.88 billion records
Adult video streaming website CAM4 had its Elasticsearch server breached, exposing over 10 billion records.
The breached data included the following sensitive information:
Full names
Email addresses
Sexual orientation
Chat transcripts
Email correspondence transcripts
Password hashes
IP addresses
Payment logs
Because of the adult nature of the breached site, compromised users could fall victim to blackmail and defamation attempts for many years to come.
2. Yahoo Data Breach (2017)
Date: October 2017
Impact: 3 billion accounts
Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In this instance, security questions and answers were also compromised, increasing the risk of identity theft. The breach was first reported by Yahoo on December 14, 2016, while it was in negotiations to sell itself to Verizon. Yahoo forced all affected users to change their passwords and to re-enter any unencrypted security questions and answers so they could be re-encrypted.
However, by October 2017, Yahoo revised the estimate to 3 billion user accounts. An investigation revealed that users' plaintext passwords, payment card data and bank information were not stolen. Nevertheless, this remains one of the largest data breaches of this type in history.
3. Aadhaar Data Breach
Date: March 2018
Impact: 1.1 billion people
In March 2018, it became public that the personal details of more than a billion residents of India, stored in the world's largest biometric database, could be bought online.
This massive data breach was the result of a data leak on a system run by a state-owned utility company. The breach allowed access to the private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details.
The type of information exposed included the photographs, thumbprints, retina scans and other identifying details of nearly every Indian citizen.
4. Alibaba Data Breach
Date: July 2022
Impact: 1.1 billion users
In mid-2022, Chinese e-commerce giant Alibaba suffered a major data breach that exposed customer data including:
Names
ID numbers
Phone numbers
Physical addresses
Criminal records
Online documents
In total, over 23 terabytes of data were compromised from Alibaba's cloud hosting servers, Alibaba Cloud, also the largest public cloud service provider in China. The breach was first announced by a hacker via online forums, claiming to have data on the Shanghai police force, whose data was also hosted on Alibaba Cloud. Alibaba and its founder, Jack Ma, faced massive criticism for leaving critical servers completely unprotected with no password lock, despite handling extremely sensitive government information.
This was not Alibaba's first data breach incident, as just one year earlier, they had been exposed by a third-party developer who had been scraping Alibaba's shopping site, TaoBao, for user data. Again, over a billion users were exposed, and despite a three-year prison sentence for the developer and his employer, Alibaba showed that it continued to practice lax security going into 2022.
5. First American Financial Corporation Data Breach
Date: May 2019
Impact: 885 million users
In May 2019, First American Financial Corporation reportedly leaked 885 million users' sensitive records dating back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork. The leak occurred through a website configuration error, allowing the public to view sensitive information without needing any authentication. Because First American's records were numbered sequentially, anyone could increase or decrease the number in the URL to quickly view another customer's records. Despite the massive leak, there were no reports of any customer information being stolen and used for malicious purposes.
6. Verifications.io Data Breach
Date: February 2019
Impact: 763 million users
7. LinkedIn Data Breach (2021)
Date: June 2021
Impact: 700 million users
Data associated with 700 million LinkedIn users was posted for sale on a Dark Web forum in June 2021. This exposure impacted 92% of the total LinkedIn user base of 756 million users.
The data was dumped in two waves, initially exposing 500 million users, and then a second dump in which the hacker "God User" boasted that they were selling a database of 700 million LinkedIn users.
Preview of leaked data – Source: 9to5mac.com
The hackers published a sample containing 1 million records to confirm the legitimacy of the breach. The data included the following:
Email addresses
Full names
Phone numbers
Geolocation records
LinkedIn usernames and profile URLs
Personal and professional experience
Genders
Other social media accounts and details
The hacker scraped the data by exploiting LinkedIn's API.
LinkedIn claims that, because private information was not compromised, this event was not a 'data breach' but, rather, just a violation of its terms of service through prohibited data scraping.
But the leaked data is sufficient to launch a deluge of cyberattacks targeting the exposed users, which weighs the incident heavily towards a data breach classification.
8. Facebook Data Breach (2019)
Date: April 2019
Impact: 533 million users
This database was leaked on the dark web for free in April 2021, adding a new wave of criminal exposure to the data originally exfiltrated in 2019. This makes Facebook one of the recently hacked companies of 2021, and consequently, one of the largest companies to be hacked in 2021.
All 533,000,000 Facebook records were just leaked for free.
This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.
I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8
— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
9. Yahoo Data Breach (2014)
Date: 2014
Impact: 500 million accounts
10. Starwood (Marriott) Data Breach
Date: November 2018
Impact: 500 million guests
In November 2018, Marriott International announced that hackers had stolen data about approximately 500 million Starwood hotel customers. The attackers had gained unauthorized access to the Starwood system back in 2014 and remained in the system after Marriott acquired Starwood in 2016. However, the discovery was not made until 2018.
The information that was exposed included names, contact information, passport numbers, Starwood Preferred Guest numbers, travel information, and other personal information. Marriott believes that financial information such as credit and debit card numbers, and expiration dates, of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.
According to the New York Times, the breach was eventually attributed to a Chinese intelligence group, the Ministry of State Security, seeking to gather data on US citizens. If true, this would be the largest known breach of personal data conducted by a nation-state.
11. Adult Friend Finder Data Breach
Date: October 2016
Impact: 412.2 million accounts
Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99% of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on November 14.
12. MySpace Data Breach
Date: June 2013
Impact: 360 million accounts
In June 2013, around 360 million MySpace accounts were compromised by a Russian hacker, but the incident was not publicly disclosed until 2016. The information that was leaked included account information such as the owner's listed name, username, and birthdate. Between 2013 and 2016, anyone who gained access to this breached information could have taken over any Myspace account. The former social media network giant has since invalidated all passwords belonging to accounts that were set up prior to 2013.
13. Exactis Data Breach
Date: June 2018
Impact: 340 million people
14. Twitter Data Breach (2018)
Date: May 2018
Impact: 330 million users
In May 2018, social media giant Twitter notified users of a glitch that stored passwords unmasked in an internal log, making all user passwords accessible on the internal network. Twitter told its 330 million users to change their passwords; the company said it had fixed the bug and that there was no indication of a breach or misuse, but encouraged the password update as a precaution. Twitter did not disclose how many users were impacted but indicated that the number of users was significant and that they had been exposed for several months.
15. NetEase Data Breach
Date: October 2015
Impact: 234 million users
In October 2015, NetEase (located at 163.com) was reported to have suffered a data breach that impacted hundreds of millions of subscribers. While there is evidence to say that the data is legitimate (many users confirmed their passwords were in the data), it is difficult to verify emphatically.
16. Sociallarks Data Breach
Date: January 2021
Impact: 200 million records
Sociallarks, a rapidly growing Chinese social media agency, suffered a monumental data leak in 2021 through its unsecured ElasticSearch database.
Sociallarks' server wasn't password-protected, wasn't encrypted, and was a publicly exposed asset. This fatal combination meant that anybody with knowledge of the server's IP address could access the leaked sensitive data, and that's exactly what happened.
The breached database stored the scraped data of over 200 million Facebook, Instagram, and LinkedIn users.
Exposed data included:
Names
Phone numbers
Email addresses
Profile descriptions
Follower and engagement data
Locations
LinkedIn profile links
Connected social media account login names
17. Deep Root Analytics Data Breach
Date: June 2017
Impact: 200 million U.S. voters
The records of 200 million voters were accessed from Deep Root Analytics, a firm working on behalf of the Republican National Committee (RNC).
The data consisted of 1.1 terabytes of voter Personally Identifiable Information (PII) including names, addresses and birthdates.
The accessed data also contained comprehensive voter analysis based on Reddit post activity, which could be used to predict how somebody would vote on a particular issue.
The breached database was discovered by the Cybersecurity Cyber Research team.
18. Court Ventures Data Breach
Date: October 2013
Impact: 200 million personal records
Court Ventures, a subsidiary of credit card monitoring firm Experian, was breached, exposing 200 million personal records.
The hacker was running a business selling Personally Identifiable Information and was selling the credit card numbers and social security numbers he had accessed in the breach.
Penetration was achieved by the hacker posing as a private investigator from Singapore and convincing staff to relinquish access to the internal database.
Experian suffered another breach in 2020, when a threat actor claiming to be an Experian client convinced staff to relinquish customer information for marketing purposes.
These events have earned Experian the reputation of suffering one of the biggest data breaches in the financial services sector.
19. LinkedIn Data Breach
Date: June 2012
Impact: 165 million users
In June 2012, LinkedIn disclosed that a data breach had occurred, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: a whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not "salted" with random data to make them harder to reverse.
That revelation prompted other services to comb their LinkedIn data and force their own users to change any passwords that matched (kudos to Netflix for taking the lead on this one). Left unanswered is why LinkedIn didn't further investigate the original breach, or inform more than 100 million affected users, in the intervening four years.
20. Dubsmash Data Breach
Date: December 2018
Impact: 162 million users
21. Adobe Data Breach
Date: October 2013
Impact: 152 million
22. MyFitnessPal Data Breach
Date: February 2018
Impact: 150 million users
23. Equifax Data Breach
Date: September 2017
Impact: 148 million people
In September 2017, Equifax, one of the three largest consumer credit reporting agencies in the United States, announced that its systems had been breached and the sensitive personal data of 148 million Americans had been compromised. The data compromised included names, home addresses, phone numbers, dates of birth, social security numbers, and driver's license numbers. The credit card information of approximately 209,000 consumers was also exposed through this data breach. The sensitivity of the information processed by Equifax makes this breach unprecedented, and one of the largest data breaches to date.
24. eBay Data Breach
Date: February/March 2014
Impact: 145 million users
Between February and March 2014, eBay was the victim of a breach of encrypted passwords, which resulted in it asking all of its 145 million users to reset their passwords. Attackers used a small set of employee credentials to access this trove of user data. The stolen information included encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth. The breach was disclosed in May 2014, after a month-long investigation by eBay.
25. Canva Data Breach
Date: May 2019
Impact: 137 million users
The suspected culprit(s), Gnosticplayers, contacted ZDNet to boast about the incident, saying that Canva had detected and remediated the cyber threat that caused the data breach. The attacker also claimed to have gained OAuth login tokens for users who signed in via Google.
Canva confirmed the incident, notified users, and prompted them to change passwords and reset OAuth tokens. This event was one of the biggest data breaches in Australia.
26. Heartland Payment Systems Data Breach
Date: March 2008
Impact: 134 million credit cards exposed
At the time of the breach, Heartland was processing north of 100 million credit card transactions per month for 175,000 merchants. The breach was discovered in January 2009 when Visa and MasterCard notified Heartland of suspicious transactions. The attackers exploited a known vulnerability to perform a SQL injection attack.
The company paid an estimated $145 million in compensation for fraudulent payments.
27. Apollo Data Breach
Date: July 2018
Impact: 126 million users
28. Badoo Data Breach
Date: July 2013
Impact: 112 million users
29. Capital One Data Breach
Date: July 2013
Impact: 106 million credit card numbers
In July 2013, Capital One identified a security breach of its customer records that exposed the personal information of its customers, including credit card data, social security numbers, and bank account numbers.
30. Evite Data Breach
Date: August 2013
Impact: 101 million users
31. Quora Data Breach
Date: December 2018
Impact: 100 million users
32. VK Data Breach
Date: January 2012
Impact: 93 million users
33. MyHeritage Data Breach
Date: June 2018
Impact: 92 million users
34. Youku Data Breach
Date: December 2016
Impact: 92 million users
Youku, a Chinese video service, exposed 92 million unique user accounts and MD5 password hashes.
35. Rambler Data Breach
Date: March 2014
Impact: 91 million users
36. Facebook Data Breach (2018)
Date: early 2018 (this is when a Cambridge Analytica whistleblower disclosed the story)
Impact: 87 million users
Though a slightly different type of data breach, as the information was not stolen from Facebook, the incident that affected 87 million Facebook accounts represented the use of personal information for purposes that the affected users did not appreciate. Cambridge Analytica was a data analytics company that was commissioned by political stakeholders including officials in the Trump election and pro-Brexit campaigns. Cambridge Analytica acquired data from Aleksandr Kogan, a data scientist at Cambridge University, who harvested it using an app called "This Is Your Digital Life". One of the most controversial elements of this breach was that users did not appreciate or consent to the political usage of data from a seemingly innocuous lifestyle app.
Cybersecurity's researchers also discovered and disclosed a related breach by AggregateIQ, a Canadian company with close ties to Cambridge Analytica. Details about these discoveries can be found in our Aggregate IQ breach series (part 1, part 2, part 3 and part 4).
37. Dailymotion Data Breach
Date: October 2016
Impact: 85 million users
38. Anthem Data Breach
Date: February 2015
Impact: Theft of the records of up to 78.8 million current and former customers, including:
Names
Addresses
Dates of birth
Employment histories
Social security numbers
Health identification numbers
The attack also affected other brands through the Anthem network, including Blue Cross, Blue Shield, Amerigroup, Caremore, and Unicare. The breach went undiscovered and undetected for weeks while the hackers stole information from Anthem servers. Although the data was not required to be encrypted, Anthem still faced backlash for failing to protect user data.
In 2017, Anthem paid a record $115 million as part of a landmark class-action settlement in one of the largest healthcare data breaches of all time. Additionally, Anthem also settled with the Department of Health and Human Services (HHS) for $16 million for failing to implement appropriate measures to detect hackers and unauthorized network activity.
39. Dropbox Data Breach
Date: mid-2012
Impact: 69 million users
40. tumblr Data Breach
Date: February 2013
Impact: 66 million users
41. Uber Data Breach
Date: Late 2016
Impact: Personal information of 57 million Uber users and 600,000 drivers exposed.
42. The Home Depot Data Breach
Date: September 2014
Impact: Exposure of the credit card information of 56 million customers
Home Depot announced that its POS (point-of-sale) systems had been infected with custom-built malware, which posed as antivirus software, affecting customers from across the US and Canada. After investigation, cyber law enforcement discovered that the cybercriminals most likely breached Home Depot's servers through a third-party supplier, which allowed them to steal payment information undetected for almost five months.
After the attack and damages amounting to over $180 million, Home Depot promised to invest in cybersecurity to better protect sensitive financial data. Most of the damages consisted of payments to affected individuals, credit card companies, banks, and lawsuits.
43. TJX Companies Inc. Data Breach
Date: July 2005
Impact: 45.6 million card numbers
TJX, the owner of a number of retail brands, had one of its payment systems breached, exposing over 45 million credit and debit card numbers. The data was garnered over several waves of breaches.
The breaches occurred on several occasions ranging from July 2005 to January 2007.
TJX claimed that the names and addresses associated with each stolen card number were not exposed in the breach.
44. Target Data Breach
Date: November 2013
Impact: 32 million users.
Target was compromised through a third-party data breach. The attack vector was a portal used to share data with third-party vendors. This portal created a pathway into Target's network, eventually leading to the compromise of over 41 million credit and debit card numbers.
Target was slapped with a number of fines, including a $19 million class-action lawsuit.
45. Ashley Madison Data Breach
Date: July 2015
Impact: 32 million users.
A hacking group known as Impact Team compromised 35 million user records from the cheating website Ashley Madison.
The hackers demanded that parent company Avid Life Media shut down Ashley Madison and sister website Established Men within 30 days to avoid the publication of the compromised data.
Avid Life Media did not comply, which resulted in wave after wave of classified data dumps on Pastebin. The list of exposed users included members of the military and government.
The following data were included in the accessed records:
Seven years' worth of credit card payment history
Full names
Residential addresses
Email addresses
Descriptions of what members were looking for
Impact Team claimed the breach was easy to achieve, with little to no security to bypass.
46. LastPass Data Breach
Date: August 2022
Potential Impact: 30 million users.
In a well-planned advanced persistent attack, which involved bypassing complex security measures like MFA, hackers compromised the laptop of a LastPass DevOps engineer to gain access to customer personal vaults. The incident potentially impacted 30 million of LastPass' users, calling into question the efficacy of the company's information security measures.
47. Plex Data Breach
Date: August 2022
Impact: 20 million users
Streaming platform Plex suffered a data breach impacting most of its users, roughly 20 million. The following types of sensitive information were compromised in the cyberattack:
Usernames
Email addresses
Passwords
48. Bonobos Data Breach
Date: January 2021
Impact: 12.3 million records
Men's clothing retailer Bonobos suffered a data breach in 2021 after a cybercriminal compromised its backup server containing customer data.
The following categories of data were accessed, amounting to the 12.3 million total:
7 million shipping address records
1.8 million account information records
3.5 million partial credit card records
This database was not linked to Bonobos' own data, which was siloed for protection. But threat actors could still exploit the stolen information.
After the stolen data was dumped on a hacker forum, a threat actor claimed to have cracked 158,000 SHA-256 hashed passwords. But the remaining passwords, hashed with SHA-512, could not be cracked.
49. MGM Grand Data Breach
Date: February 2020
Impact: 10.6 million customers.
Hackers gained access to over 10 million guest records from MGM Grand. The records exposed the contact information of former hotel guests including Justin Bieber, Twitter CEO Jack Dorsey, and government officials.
MGM Grand assures that no financial or password data was exposed in the breach.
50. Optus Data Breach
Date: September 2022
Impact: 9.8 million customers.
Cybercriminals gained access to Optus' internal network, obtaining a customer database pertaining to up to 9.8 million customers. The compromised data, dating back to 2017, included the following types of information:
Names
Birth dates
Phone numbers
Email addresses
Subsets of the data also include street addresses, driver's licenses, and passport numbers.
It is speculated that the cybercriminal group gained access through an unauthenticated API endpoint, meaning a username/password or any other authentication method wasn't required to connect to the API.
The alleged details of the Optus data breach as published by a cybercriminal claiming responsibility – Source: Twitter – Jeremy Kirk.
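Items 5 (First American: sequentially numbered records readable without authentication) and 50 (Optus: an API endpoint that required no credentials) share one access-control failure. The following is an added example, not code from the original article or from either company, showing a minimal record-lookup handler with both flaws beside a hardened version, random record identifiers, and a simple detector for callers walking record numbers; all records, usernames and session tokens are constructed sample data.

```python
import secrets
from collections import Counter
from dataclasses import dataclass


@dataclass
class Record:
    owner: str        # username allowed to read this record
    ssn_last4: str    # constructed stand-in for a sensitive field


# Constructed sample store keyed by sequential numbers, as in the First
# American leak where changing the number in the URL reached another customer.
RECORDS = {
    1001: Record("alice", "1234"),
    1002: Record("bob", "5678"),
    1003: Record("carol", "9012"),
}

# Constructed session table: bearer token -> authenticated username.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


def weak_get_record(record_id, token=None):
    """Vulnerable handler: no check that the caller is authenticated (the
    Optus failure) and no check that the caller owns the record (the First
    American failure). Returns (status, record); anyone can read any record."""
    rec = RECORDS.get(record_id)
    return (200, rec) if rec else (404, None)


def hardened_get_record(record_id, token=None):
    """Hardened handler: 401 without a valid session, and a record is only
    returned to its owner. A missing record and another user's record both
    yield 404, so the endpoint never confirms which record numbers exist."""
    user = SESSIONS.get(token) if token else None
    if user is None:
        return (401, None)
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != user:
        return (404, None)
    return (200, rec)


def create_record(store, owner, ssn_last4):
    """Store a new record under a random, non-sequential identifier so that
    neighbouring IDs cannot be guessed even if the ownership check regresses."""
    record_id = secrets.token_urlsafe(16)
    store[record_id] = Record(owner, ssn_last4)
    return record_id


def flag_enumeration(access_log, threshold=3):
    """Detection: return callers that collected `threshold` or more 404s,
    the signature of a client stepping through record numbers. access_log
    is a list of (caller, status) tuples as produced by the handlers."""
    misses = Counter(caller for caller, status in access_log if status == 404)
    return sorted(c for c, n in misses.items() if n >= threshold)
```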
51. Medibank Data Breach
Date: November 2022
Impact: 9.7 million records.
Using stolen privileged credentials procured on the dark web, a cybercriminal gained access to Medibank's internal systems. After locating the company's sensitive customer data resources, the hackers deployed a script to automate the data theft process. When exfiltration was complete, 200 GB of customer data had been stolen from Medibank, impacting 9.7 million customers.
Compromised data included:
Names
Birth dates
Passport numbers
Information on Medicare claims
52. easyJet Data Breach
Date: May 2020
Impact: 9 million customers.
A highly sophisticated cyber attack exposed the data of 9 million easyJet customers.
Because customer credit card information was leaked, this cyber attack exposes easyJet to a breach of the General Data Protection Regulation, which could result in a fine of up to 4% of its global annual turnover.
53. 123RF Data Breach
Date: November 2020
Impact: 8.3 million records
8.3 million database records from popular stock photo and vector image vendor 123RF were copied and posted for sale on a hacker forum.
The compromised data included:
Phone numbers
Addresses
PayPal emails
IP addresses
MD5 hashed passwords
Inmagine Group (the owner of 123RF) assured that no financial information was accessed in the breach and that all user passwords were encrypted.
However, data breach investigators at BleepingComputer managed to convert the hashed passwords of numerous accounts to plaintext using online MD5 cracking tools.
Though this breach didn't directly expose financial information, if compromised users recycled their PayPal passwords when signing up to 123RF, they are at high risk of suffering financial theft.
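Items 11 (SHA-1), 19 (hashes with no salt), 34 (MD5), 48 (SHA-256 partially cracked) and 53 (MD5 reversed with online tools) all come down to fast, unsalted password hashing. The following added example, not from the original article or any of the companies named, shows why a precomputed lookup table recovers such hashes and how a salted, slow hash defeats that table; the wordlist and the three accounts are constructed samples, and PBKDF2 stands in for the stronger scrypt/bcrypt/Argon2 only because it ships with the standard library.

```python
import hashlib
import hmac
import os

# Constructed sample: a tiny wordlist of the kind cracking sites precompute,
# and three accounts, two of which reuse the same weak password.
WORDLIST = ["123456", "password", "letmein", "qwerty", "iloveyou"]
LEAKED_ACCOUNTS = {
    "user1": "letmein",
    "user2": "letmein",
    "user3": "Tr0ub4dor&3-unique-phrase",   # not in any wordlist
}

PBKDF2_ROUNDS = 100_000   # work factor; raise for production use


def fast_unsalted_hash(password, algo="md5"):
    """Password storage as in the MD5/SHA-1 breaches above: one deterministic
    digest, no salt. Equal passwords give equal digests, so a single table
    lookup cracks every account sharing a password."""
    return hashlib.new(algo, password.encode()).hexdigest()


def crack_with_lookup_table(hashes, wordlist, algo="md5"):
    """Reverse unsalted digests with a precomputed table, which is all an
    online MD5 cracking tool does. Returns {digest: password} for every digest
    found in the table; digests of passwords outside the wordlist are absent."""
    table = {fast_unsalted_hash(w, algo): w for w in wordlist}
    return {h: table[h] for h in hashes if h in table}


def hash_password(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Salted, slow hash. Stored form: 'pbkdf2_sha256$rounds$salt_hex$digest_hex'.
    A fresh 16-byte salt per account means no table can be precomputed and
    two users with the same password get different stored values."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and rounds; constant-time comparison."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo():
    """Run both schemes over the constructed accounts.
    Returns (cracked_unsalted, salted_values_differ, all_salted_verify)."""
    unsalted = {u: fast_unsalted_hash(p) for u, p in LEAKED_ACCOUNTS.items()}
    cracked = crack_with_lookup_table(unsalted.values(), WORDLIST)
    salted = {u: hash_password(p) for u, p in LEAKED_ACCOUNTS.items()}
    differ = salted["user1"] != salted["user2"]
    ok = all(verify_password(p, salted[u]) for u, p in LEAKED_ACCOUNTS.items())
    return cracked, differ, ok
```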
54. Twitch Data Breach
Date: October 2021
Impact: 7 million users (potentially)
Twitch, an Amazon-owned company, suffered a breach of almost its entire code base. The exact impact of the incident hasn't been confirmed, but given the depth of the compromise, it has the potential to impact all of Twitch's users.
125GB of sensitive data was posted via a torrent link on the anonymous forum 4chan.
The sensitive data leaks include:
The entirety of Twitch's source code.
Three years of payout reports for creators (including high-profile creators).
All of Twitch's properties (including IGDB and CurseForge).
Code related to proprietary SDKs and internal AWS services used by Twitch.
The identity of an unreleased Steam competitor from Amazon Game Studios, "Vapor".
Twitch's internal 'red teaming tools', used by internal security teams for cyberattack training exercises.
Though Twitch admitted in its statement that a subset of creator payout data was also accessed, the company assures that credit card numbers and bank information were not compromised.
The security vulnerability that made the breach possible was a server configuration change permitting unauthorized access by third parties. This has now been remediated.
Most cybercriminals post stolen data for sale after a breach, but the unidentified cybercriminal, who was likely using a proxy server, was not interested in monetary gain. Instead, their objective was to cause mass disruption to punish Twitch for fostering a toxic community of users.
55. Marriott Data Breach
Date: March 2020
Impact: 5.2 million guests
Marriott has once again fallen victim to yet another guest record breach. On March 31, the company announced that up to 5.2 million records had been compromised.
While the exact list of data breached is yet to be confirmed, it is believed that the following guest data were compromised:
Email addresses
Mailing addresses
Phone numbers
Company names
Gender
Birth dates
Accommodation preferences
Language preferences
Linked airline loyalty programs and numbers
Marriott stated in its press release that the breach is not believed to have exposed PIN numbers, payment card information, national IDs, driver's license numbers or loyalty card passwords.
By adding more layers of internal login authentication and continuously scanning for data breaches, Marriott could mitigate, or completely prevent, future cyber attacks.
56. Neiman Marcus Data Breach
Date: September 2021
Impact: 4.8 million customers
US-based retailer Neiman Marcus has confirmed in a statement that an "unauthorized party" gained access to sensitive customer information including:
Usernames
Passwords
Security questions
Financial information
The breach impacted almost 3.1 million payment and virtual gift cards, of which more than 85% were either expired or no longer valid.
After learning of the incident, Neiman Marcus Group contacted impacted customers that had not changed their password since May 2020, urging them to do so immediately.
The incident highlights the danger of using the same password across different registrations. If this cybersecurity best practice isn't followed, a single compromise could result in a victim suffering multiple breaches.
57. MeetMindful Data Breach
Date: January 2021
Impact: 2.28 million users.
MeetMindful, a dating app focusing on the mindful community, was breached by a well-known hacker by the name of ShinyHunters.
ShinyHunters posted the exfiltrated data for free on a hacker forum on the dark web.
Breached MeetMindful data dumped on a dark web hacker forum – Source: ZDNet
Private messages between users were not compromised, but the following private information was exposed:
IP addresses
Real names
Email addresses
City, state, and ZIP details
Facebook user IDs
Facebook authentication tokens
Dating preferences
Marital status
Birth dates
Bcrypt-hashed account passwords
58. Pixlr Data Breach
Date: January 2021
Affect: 1.9 million customers
A database of 1.9 million person information belonging to on-line photo-editor Pixlr was dumped on a darkish internet hacker discussion board by infamous cybercriminal ShinyHunters.
Pixlr breached database dumped in hacker discussion board by ShinyHunters – Supply: bleepingcomputer.com
Uncovered information included:
UsernamesEmail addressesCountryHashed passwords
The info was stolen when the 123RF information breach occurred.
59. Tackle Warehouse LLC, Running Warehouse LLC, Tennis Warehouse LLC, and SkateWarehouse LLC Data Breaches
Date: October 2021 (disclosed December 2021)
Impact: 1.8 million people
Four online sports stores fell victim to a cyberattack resulting in the theft of highly sensitive customer information, including credit card data.
The data breach was disclosed in December 2021 by a law firm representing each sports retailer. The data breach was discovered by the impacted websites on October 15.
The following websites were impacted:
The specific security vulnerabilities and attack methods that facilitated the breach haven't been disclosed, but it's speculated that access was achieved via a database breach.
The following data was compromised in the cyberattack:
Customer names
Credit card numbers (with CVV)
Debit card numbers (with CVV)
Website account passwords
At the time of writing, it's unknown whether the compromised credit card numbers were stored in full or hashed. Even if hashed, they could still be recovered with sophisticated brute force methods.
Whoever is at fault for this breach will likely suffer tough financial regulatory penalties for their security negligence.
60. Harbour Plaza Hotel Management Data Breach
Date: February 2022
Impact: 1.2 million records
Harbour Plaza Hotel Management, a hospitality management company in Hong Kong, suffered a breach of its accommodation reservation databases, impacting roughly 1.2 million customers.
According to the FAQs related to the incident, Harbour Plaza is yet to confirm whether cybercriminals managed to decrypt the encrypted credit card data included in the breach.
61. Graff Data Breach
Date: November 2021
Impact: 1.1 million records
Exclusive UK jeweller Graff suffered a data breach that compromised many of its famous clients. The Russian cybercriminal group Conti was responsible for the attack, which involved the deployment of ransomware.
After stealing Graff's sensitive data and encrypting its internal systems, Conti started publishing some of the stolen data on the dark web, promising to stop only if its ransom of up to ten million pounds was paid.
To prove they weren't bluffing, Conti published 11,000 records on the dark web, which according to the Russian cybercriminals represents just 1% of the total data that was stolen.
The stolen data includes client names, addresses, invoices, receipts and credit notes.
Some of the high-profile customers reportedly impacted by this breach include:
Donald Trump
David Beckham
Oprah Winfrey
Alec Baldwin
Sir Philip Green
Ghislaine Maxwell
Saudi Crown Prince Mohammed bin Salman
Sheikh Mohammed bin Rashid Al Maktoum
62. Los Angeles Unified School District (LAUSD)
Date: September 2022
Impact: 1000 schools / 600,000 students / 500GB of data
In one of the biggest data breaches of all time in the education industry, the Los Angeles Unified School District (LAUSD) was attacked by Vice Society, a Russian criminal hacking group. The attack affected over 1000 schools and 600,000 students in the second-largest school district in the United States. The ransomware attack occurred over Labor Day weekend and prevented LAUSD officials from accessing critical data, including:
Personal information (names, physical addresses, phone numbers)
Email addresses
Computer systems and applications
Passport details
Employee social security numbers
Employee account login information
Tax forms
Contracts and legal documents
Financial reports
Banking details
Health information (including COVID-19 vaccination records)
Background checks and conviction reports
Student psychological assessments
VPN credentials
After consulting with CISA and the FBI, LAUSD released a statement saying it would not be paying the ransom that Vice Society had demanded. Consequently, Vice Society released the stolen data on its dark web forum. Although the lasting impact of the attack has yet to be determined, there could be litigation in the coming years due to negligence and mishandling of sensitive data. Prior to the attack, LAUSD had been warned of potential vulnerabilities in its systems, but the school district failed to act to remediate the issues.
63. Zoom Data Breach
Date: April 2020
Impact: 500,000 users.
When Zoom sign-ups were nearing their pandemic peak in April 2020, hackers breached 500,000 accounts and either sold or freely published them on the dark web.
Hackers initially canvassed dark web databases of previously compromised login credentials dating back to 2013. Because passwords are often recycled, this gave them instant access to a swathe of active Zoom accounts.
A series of credential stuffing attacks was then launched to compromise the remaining accounts.
Recipients of compromised Zoom accounts were able to log into live streaming meetings.
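Detection logic for the credential stuffing pattern described above, added here as an example that is not from the original article: it runs over a constructed set of login events and flags any source IP that probes many distinct accounts inside a short window, listing the accounts where a recycled password succeeded so they can be forced to reset. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-login events (timestamp, source IP, account, outcome).
# 203.0.113.5 tries one leaked credential pair per account in quick succession,
# which is the credential-stuffing pattern; 198.51.100.7 is a normal user retrying.
SAMPLE_LOG = """\
2020-04-01T10:00:01Z 203.0.113.5 alice@example.com FAIL
2020-04-01T10:00:02Z 203.0.113.5 bob@example.com OK
2020-04-01T10:00:03Z 203.0.113.5 carol@example.com FAIL
2020-04-01T10:00:04Z 203.0.113.5 dave@example.com FAIL
2020-04-01T10:00:05Z 203.0.113.5 erin@example.com OK
2020-04-01T10:00:06Z 203.0.113.5 frank@example.com FAIL
2020-04-01T10:00:20Z 198.51.100.7 alice@example.com FAIL
2020-04-01T10:00:35Z 198.51.100.7 alice@example.com OK
"""


def parse_log(text):
    """Parse one event per line into (timestamp, ip, account, succeeded)."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5):
    """Return {ip: {"accounts": peak distinct accounts in any window,
    "compromised": accounts that succeeded}} for every source IP that tried
    at least `min_accounts` different accounts within `window`. A user
    retrying a single account never trips this; breadth across accounts,
    not depth per account, is what separates stuffing from brute force."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide window start
                start += 1
            peak = max(peak, len({u for _, u, _ in evs[start:end + 1]}))
        if peak >= min_accounts:
            flagged[ip] = {"accounts": peak,
                           "compromised": sorted({u for _, u, ok in evs if ok})}
    return flagged


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: probed {info['accounts']} accounts; reset {info['compromised']}")
```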
64. Slickwraps Data Breach
Date: Feb 2020
Impact: 370,000 customers
Slickwraps, a manufacturer of vinyl skins for phones and tablets, suffered a breach impacting 370,000 of its customers.
This breach could have been avoided if Slickwraps had listened to the warnings of a white hat hacker highlighting the company's terrible cybersecurity. After being ignored, the hacker echoed his concerns in a Medium post.
Slickwraps still ignored the warnings.
Before the Medium post was deleted, a second hacker read it and decided to also try to convince Slickwraps, but with a slightly more impactful approach.
Let's hope Slickwraps finally strengthens its cybersecurity framework after such a tumultuous history.
Slickwraps email announcing the breach
65. Magellan Health Data Breach
Date: Apr 2020
Impact: 365,000 patients
Magellan Health, a Fortune 500 company, was the victim of a sophisticated ransomware attack in which over 365,000 patient records were breached.
Employee login information was first accessed via malware that was installed internally. Then, by posing as a Magellan client in a phishing attack, the hackers gained access to a single corporate server and deployed their ransomware.
Included in the breached data were patient social security numbers, W-2 information and employee ID numbers.
66. Nintendo Data Breach
Date: April 2020
Impact: 300,000 accounts.
300,000 Nintendo accounts were compromised and used to make unsolicited digital purchases. The number of affected accounts almost doubled from the initially stated 140,000 upon further investigation.
The following information was exposed:
Account passwords
Account owner name
DOB
Email addresses
Country of residence
While it isn't clear how hackers gained access to the accounts, it's speculated that weak passwords are to blame. To prevent further breaches, Nintendo posted a tweet asking members to enable 2-step authentication.
67. Mailfire Data Breach
Date: September 2020
Impact: 100,000 users
The breach occurred via Mailfire's unsecured Elasticsearch server. Once breached, the hacker had access to over 320 million records from notifications being pushed out to Mailfire clients.
The records exposed included private conversations between adult dating site members as well as the following Personally Identifiable Information:
Name
Age
DOB
Gender
Location of message senders
IP addresses
Member profile pictures
Member bio descriptions
Besides the personal information of website members, this data breach also exposed many scam dating websites with fabricated female profiles.
68. Antheus Tecnologia Data Breach
Date: March 2020
Impact: 76,000 fingerprints
Antheus Tecnologia, a Brazilian biometrics company specializing in the development of fingerprint identification systems, suffered a breach of its server which could potentially expose 76,000 unique fingerprint records.
The data accessed consists of 2.3 million data points which could be reverse engineered to recreate each original fingerprint.
69. SolarWinds Data Breach
Date: March 2020
Impact: 18,000 businesses
In March 2020, nation-state hackers believed to be from Russia compromised a DLL file linked to a software update for the Orion platform by SolarWinds. The supply chain attack impacted up to 18,000 SolarWinds customers, including six U.S. Government departments. The attack wasn't discovered until December 2020.
This incident was the impetus for Joe Biden's Cybersecurity Executive Order, which now requires all organizations to strengthen their supply chain security efforts.
The highly sophisticated hackers are believed to also be responsible for the FireEye cyberattack resulting in the theft of its Red Team Assessment tools – a set of tools developed by FireEye to discover cyberattack vulnerabilities within organizations.
Given that FireEye's client base includes government entities, it's further speculated that these Red Team Assessment tools made the U.S. Government data breach possible – an attack labeled by cyber security experts as the biggest breach in the nation's security history.
The list of victims continues to grow. To check whether you've been impacted, you should perform a thorough risk assessment for each vendor.
70. Pegasus Airlines Data Breach
Date: March 2022
Impact: 6.5 Terabytes of data
A misconfigured AWS bucket led to the compromise of 23 million files belonging to the Turkish airline company Pegasus Airlines. The security exposure was discovered by the security company Safety Detectives.
The data was linked to the airline's EFB software, a solution requiring access to take-off, landing, and refueling data and sensitive flight crew information.
The AWS bucket misconfiguration meant that anyone had free access to this database, including nearly 400 files with plain text passwords and secret keys.
When the exposure was reported, Pegasus Airlines didn't find evidence of data compromise. However, while the AWS bucket remained misconfigured, cybercriminals could have clandestinely exfiltrated the exposed data.
71. Philippines COMELEC Data Breach
Date: January 2022
Impact: 60 GB of data
A hacker group breached the security systems of the Commission on Elections (COMELEC) of the Republic of the Philippines, compromising 60 gigabytes of sensitive voter information.
The depth of this information could allow the cybercriminals to potentially map the entire internal operations of the election system in the Philippines, paving the road to more devastating follow-up attacks at a national security level.
The compromised data included usernames and PINs for vote-counting machines (VCM).
72. MailChimp Data Breach
Date: Apr 2022
Impact: 100 clients
How did the data breach occur?
Mailchimp fell victim to a data breach after cybercriminals gained access to a tool used by internal customer support and account administration teams following a successful social engineering attack. However, this initial breach was just the first stage of the entire cyber attack plan.
The phishing email sent to Trezor customers – source: Bleeping Computer
When clicked, this link directed users to a malicious website almost indistinguishable from Trezor's website. To access the fraudulent app, users needed to submit their recovery seed – an ordered list of words used to recover access to a crypto wallet.
What data was compromised?
What's confirmed, at this point, is that roughly 100 Mailchimp client accounts were compromised in the initial phase of the cyberattack.
Learn from this breach
This cyber incident highlights the frightening sophistication some phishing attackers are capable of.