10 biggest data breaches in history, and how to prevent them
Did you know the biggest data breach in history exposed a whopping 3 billion records? Learn more about the largest data breaches and get advice on how to prevent similar attacks.
Data breaches occur for many reasons, as this list of the biggest data breaches in history shows. From an outdated, vulnerable network to an employee clicking a link in a phishing email, a breach can be detrimental to a business and its reputation.
A number of lessons can be learned from looking at past data breaches. In fact, some of the most damaging breaches listed here could have been prevented if organizations had followed simple cybersecurity hygiene best practices.
Learn more about the biggest data breaches, based on number of records compromised, and get advice on how to prevent a similar breach at your organization.
1. Yahoo
Records compromised: 3 billion
Breach date: August 2013
Disclosure date: December 2016
Yahoo originally announced in 2016 that its 2013 breach affected only 1 billion accounts. After Verizon acquired Yahoo in 2017, the company disclosed that the figure was actually 3 billion, meaning every Yahoo account that existed at the time. The breach affected Yahoo email accounts and other company services, including Tumblr, Flickr, Yahoo Fantasy Sports and Yahoo Finance.
Attackers obtained users' names, dates of birth, phone numbers and MD5-hashed passwords, as well as security questions and answers, some of them stored unencrypted, and the email addresses used to reset passwords. No financial data, such as credit card numbers or bank account details, was exposed. In its initial disclosure, Yahoo said it was requiring potentially affected users to change their passwords and had invalidated unencrypted security questions and answers. To date, the cause of the breach has not been disclosed.
How to prevent this type of attack:
- Conduct continuous security monitoring and testing.
- Perform regular vulnerability and penetration testing to enable security teams to repair gaps before cybercriminals can take advantage of them.
2. Aadhaar
Records compromised: 1.1 billion
Breach date: Unknown
Disclosure date: January 2018
The records of 1.1 billion Indian residents enrolled in Aadhaar, the country's government ID database, were exposed. Enrolment is not mandatory, but an Aadhaar number is required to access certain government services and benefits.
The Tribune reported the breach after its reporters paid a seller on WhatsApp Rs 500 (approximately $8 in 2018) for a login that gave unauthorized access to names, dates of birth, email addresses, phone numbers and postal codes from the database. For a further Rs 300 (approximately $5 in 2018), the seller offered software that would print Aadhaar ID cards.
According to The Tribune, the seller belonged to a group that had gained access through former Aadhaar employees. ZDNet later reported a further exposure: a system run by a state-owned utility company leaked Aadhaar data through an unauthenticated API the utility used to verify customers' identities, so anyone who could reach the endpoint could query it.
How to prevent this type of attack:
- Follow API security testing best practices.
- Use API security tools to mitigate risk.
- Adhere to identity and access management best practices.
- Enforce policies to detect and prevent insider threats.
3. First American Financial
Records compromised: 885 million
Breach date: Unknown
Disclosure date: May 2019
In May 2019, security journalist Brian Krebs reported that 885 million files belonging to First American Financial, a title insurance provider, were accessible on the company's website. The records, dating back to 2003, included bank account numbers, Social Security numbers, mortgage records, tax documents and photocopies of driver's licenses. The site required no password to view them: each document was reachable from a link containing a sequential record number, and changing that number returned other customers' documents.
First American said it had "learned of a design defect in an application that made possible unauthorized access to customer data." That class of defect, insecure direct object reference (IDOR), is an access control failure: the application exposes a direct reference to an internal object, such as a record ID in a URL, and serves the object to whoever supplies the reference without checking that the requester is authenticated and authorized to see that particular record.
How to prevent this kind of attack:
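The defect and its fix, side by side. This is an added example, not First American's application or the Aadhaar utility's API; the document store, record IDs and user names are constructed. The first handler is the IDOR, and because it never consults the session it also models an identity-lookup API that anyone can call; the second requires a session and checks ownership of the specific record before returning it.

```python
"""Insecure direct object reference: the vulnerable lookup next to a hardened one.

Added example, not First American's or Aadhaar's code. The record IDs, owners
and the in-memory 'document store' are constructed for illustration.
"""
from typing import Callable, Dict, List, Optional


class Forbidden(Exception):
    """Raised by the hardened handler for anything the caller may not see."""


# Constructed store. Sequential IDs like these are what an attacker walks.
DOCUMENTS: Dict[int, dict] = {
    1001: {"owner": "alice", "body": "wire instructions, escrow #A"},
    1002: {"owner": "bob", "body": "closing statement, mortgage #B"},
    1003: {"owner": "carol", "body": "driver's licence scan"},
}


def fetch_vulnerable(session_user: Optional[str], doc_id: int) -> dict:
    """The IDOR: the link carries the record number and the server trusts it.
    session_user is never consulted, so an anonymous caller who changes the
    number in the URL reads everyone's files."""
    return DOCUMENTS[doc_id]


def fetch_hardened(session_user: Optional[str], doc_id: int) -> dict:
    """Object-level authorization: require a session, then check that this
    user owns this object. 'Missing' and 'not yours' raise the same error so
    the response does not confirm which IDs exist."""
    if session_user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc["owner"] != session_user:
        raise Forbidden("no such document")
    return doc


def walk_ids(fetch: Callable[[Optional[str], int], dict],
             session_user: Optional[str], start: int, count: int) -> List[int]:
    """Simulated attacker: try a contiguous block of IDs and report which leaked."""
    leaked = []
    for doc_id in range(start, start + count):
        try:
            fetch(session_user, doc_id)
        except (KeyError, Forbidden):
            continue
        leaked.append(doc_id)
    return leaked


if __name__ == "__main__":
    print("anonymous, vulnerable:", walk_ids(fetch_vulnerable, None, 1000, 10))
    print("anonymous, hardened:  ", walk_ids(fetch_hardened, None, 1000, 10))
    print("bob, hardened:        ", walk_ids(fetch_hardened, "bob", 1000, 10))
```

The walk over ten IDs recovers all three records from the vulnerable handler, nothing from the hardened one when anonymous, and only bob's own record when bob is logged in. Returning one error for both unknown and foreign IDs matters: a distinct "not yours" response would still tell the attacker which record numbers are live.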
4. Onliner spambot
Records compromised: 711 million
Breach date: Unknown
Disclosure date: August 2017
In 2017, security researcher Troy Hunt reported that Benkow, a Paris-based security researcher, had discovered an exposed server belonging to a spambot known as Onliner. Benkow gave Hunt the spambot's list of 711 million records, which included email addresses and, in many cases, passwords.
Onliner had been used to spread a data-stealing Trojan for at least a year before it was detected.
How to prevent this kind of attack:
- Require employees to change their passwords after a suspected breach.
- Enforce an enterprise password policy.
- Avoid reusing passwords.
- Follow password security hygiene best practices.
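A concrete way to enforce the last two bullets is to screen every new password against a breach corpus at the moment it is set, using the range-query (k-anonymity) scheme that Troy Hunt's Pwned Passwords service popularised: the client hashes the password, sends only the first five hex characters of the hash, and matches the rest locally. This is an added example, not part of the article and not haveibeenpwned's code; the leaked credential list is constructed and the corpus lives in memory rather than behind an HTTP endpoint.

```python
"""Screening passwords against a breach corpus without disclosing them.

Added example; not part of the original article and not Troy Hunt's
haveibeenpwned code. It mirrors the range-query idea of the Pwned Passwords
service (the client sends only the first five hex characters of a SHA-1 and
matches the rest locally), but against a constructed in-memory corpus, so
nothing here goes over the network.
"""
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, Tuple

# Constructed sample of leaked credentials, in the shape a spambot list holds them.
LEAKED_CREDENTIALS = [
    ("ann@example.com", "password123"),
    ("bo@example.com", "letmein"),
    ("cy@example.com", "Summer2017!"),
    ("di@example.com", "password123"),   # same password reused by a second account
]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(credentials: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, int]]:
    """Index breached hashes as prefix (5 hex chars) -> {suffix (35 hex chars): count}."""
    index: Dict[str, Dict[str, int]] = defaultdict(dict)
    for _, password in credentials:
        digest = sha1_hex(password)
        prefix, suffix = digest[:5], digest[5:]
        index[prefix][suffix] = index[prefix].get(suffix, 0) + 1
    return index


def range_query(index: Dict[str, Dict[str, int]], prefix: str) -> Dict[str, int]:
    """Server side of the protocol: return every suffix sharing the prefix.
    The server never learns which one the client cares about."""
    return dict(index.get(prefix.upper(), {}))


def breach_count(index: Dict[str, Dict[str, int]], password: str) -> int:
    """Client side: hash locally, ask by prefix, match the suffix locally."""
    digest = sha1_hex(password)
    return range_query(index, digest[:5]).get(digest[5:], 0)


def password_acceptable(index: Dict[str, Dict[str, int]], password: str,
                        min_length: int = 12) -> bool:
    """Policy hook for a password-change form: refuse anything seen in a breach
    and anything shorter than the floor, whatever its character mix."""
    return len(password) >= min_length and breach_count(index, password) == 0


if __name__ == "__main__":
    idx = build_range_index(LEAKED_CREDENTIALS)
    for candidate in ("password123", "Summer2017!", "correct horse battery staple"):
        print(candidate, "seen", breach_count(idx, candidate), "times;",
              "accepted" if password_acceptable(idx, candidate) else "rejected")
```

The count returned for a reused password is the number of breached accounts that used it, which is exactly what makes reuse dangerous: one leaked list hands an attacker a working credential for every other service where the same password was chosen. SHA-1 is used here only because the range protocol is defined over it; it is a lookup key for a public corpus, not a way to store passwords.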
5. Facebook
Records compromised: 533 million
Breach date: Unknown
Disclosure date: April 2021
A 2021 data breach at Facebook came to light after a database containing the personal data of 533 million users was posted on a hacking forum. Facebook said the attackers had obtained users' phone numbers, names, locations and email addresses by scraping its systems rather than hacking them. Scraping is the automated bulk collection of data that a site already serves to its users.
Facebook said it believed the data had been scraped through a feature designed to help users find friends by matching the phone numbers in their contact lists against accounts. Facebook changed the feature in September 2019, after discovering it was being abused, to prevent further scraping.
How to prevent this kind of attack:
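An added example, not Facebook's code, of how a contact-matching feature becomes a bulk phone-number-to-name oracle and what changes once upload quotas and the user's own discoverability setting are enforced. The directory, the setting and the quota values are constructed.

```python
"""How a 'find friends from your contacts' feature turns into a phone-number
oracle, and the controls that blunt it.

Added example, not Facebook's code. The profiles, the discoverability setting
and the quota values are constructed for illustration.
"""
from typing import Callable, Dict, List


class RateLimited(Exception):
    pass


# Constructed directory: phone -> display name and "who can look me up by phone".
DIRECTORY: Dict[str, dict] = {
    "+15550000001": {"name": "Ada", "discoverable_by_phone": True},
    "+15550000002": {"name": "Ben", "discoverable_by_phone": False},
    "+15550000003": {"name": "Cat", "discoverable_by_phone": True},
    "+15550000004": {"name": "Dev", "discoverable_by_phone": True},
}


def match_contacts_vulnerable(account: str, uploaded: List[str]) -> Dict[str, str]:
    """No batch limit, no quota, no privacy check: whatever exists comes back."""
    return {n: DIRECTORY[n]["name"] for n in uploaded if n in DIRECTORY}


class ContactMatcher:
    """Hardened matcher: cap the batch, cap uploads per account per day, and
    honour the user's discoverability setting. A real user uploading a real
    address book is unaffected; a scraper feeding it a numbering range is not."""

    def __init__(self, max_numbers_per_upload: int = 500, max_uploads_per_day: int = 3):
        self.max_numbers = max_numbers_per_upload
        self.max_uploads = max_uploads_per_day
        self.uploads_today: Dict[str, int] = {}

    def match(self, account: str, uploaded: List[str]) -> Dict[str, str]:
        if len(uploaded) > self.max_numbers:
            raise RateLimited("batch too large")
        used = self.uploads_today.get(account, 0)
        if used >= self.max_uploads:
            raise RateLimited("daily upload quota exhausted")
        self.uploads_today[account] = used + 1
        return {n: DIRECTORY[n]["name"] for n in uploaded
                if n in DIRECTORY and DIRECTORY[n]["discoverable_by_phone"]}


def scrape(match: Callable[[str, List[str]], Dict[str, str]],
           account: str, prefix: str, count: int) -> Dict[str, str]:
    """Simulated scraper: phone numbering is dense, so generate a whole range
    and upload it as if it were an address book."""
    numbers = [f"{prefix}{i:07d}" for i in range(1, count + 1)]
    return match(account, numbers)


if __name__ == "__main__":
    print("vulnerable:", scrape(match_contacts_vulnerable, "scraper", "+1555", 10_000))
    matcher = ContactMatcher()
    print("hardened, small batch:", scrape(matcher.match, "scraper", "+1555", 10))
    try:
        scrape(matcher.match, "scraper", "+1555", 10_000)
    except RateLimited as exc:
        print("hardened, bulk upload:", exc)
```

Against the vulnerable matcher, one upload of ten thousand generated numbers returns every account in the range, including Ben, who asked not to be found by phone. The hardened matcher still serves a normal address book but forces a scraper to spread its range across many accounts and many days, which is the volume signal that abuse detection can act on.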
6. Yahoo
Records compromised: 500 million
Breach date: November/December 2014
Disclosure date: September 2016
Yahoo has the unique distinction of not only topping our list of the biggest data breaches, but also making the list for two separate events.
Yahoo announced in 2016 that 500 million of its accounts had been compromised in a 2014 attack it attributed to a state-sponsored actor. The stolen information may have included names, email addresses, dates of birth, phone numbers and hashed passwords. In 2018, Karim Baratov was sentenced to five years in prison in connection with the breach after pleading guilty to helping Russian intelligence officers access the accounts of "individuals of interest."
Following an internal investigation, Yahoo attributed the initial intrusion to a spear phishing email.
How to prevent this kind of attack:
7. FriendFinder Networks
Records compromised: 412 million
Breach date: Unknown
Disclosure date: November 2016
A 2016 breach at FriendFinder Networks, an adult dating and entertainment company, exposed 412 million user accounts. The leak covered 20 years' worth of usernames, email addresses, passwords and other sensitive information, including 15 million accounts that users had deleted but that remained in the company's systems.
Researchers found source code from the company's production environment, together with public and private key pairs, leaked online. The company confirmed to ZDNet that it had fixed an injection vulnerability that had allowed access to the source code.
How to prevent this kind of attack:
8. Marriott International
Records compromised: 383 million
Breach date: 2014
Disclosure date: November 2018
Hospitality provider Marriott International announced in 2018 that attackers had been accessing its Starwood guest reservation database since 2014. Exposed records included names, phone numbers, passport numbers, mailing and email addresses, arrival and departure information and, in some cases, encrypted payment card numbers and expiration dates; Marriott said it could not rule out that the two components needed to decrypt the card numbers had also been taken.
The breach was discovered after an alert from Marriott's internal security tooling. The attackers had copied data from the database, encrypted it and taken steps to remove it from the network; encrypting stolen data before exfiltration is a common way to get it past content-inspecting data loss prevention controls. Marriott originally believed 500 million guests were affected; after further investigation, it revised the figure to approximately 383 million. The cause of the breach has not been disclosed. Marriott acquired Starwood in 2016 but, as of 2018, had not yet migrated it to Marriott's systems; the Starwood reservation database continued to run on legacy IT infrastructure.
How to prevent this kind of attack:
- Regularly update IT infrastructures.
- Implement a patch management program.
- Involve CISOs in mergers and acquisitions planning.
9. Twitter
Number of records: 330 million
Breach date: Unknown
Disclosure date: May 2018
Twitter advised its more than 330 million users to change their passwords after a 2018 bug caused some passwords to be written in plaintext to an internal log before they were hashed. The company said it found the bug itself, removed the unhashed passwords and put measures in place to prevent a recurrence.
It remains unclear how long the passwords were exposed or how many users were affected. Twitter said it had no evidence that the passwords had been accessed or misused by anyone.
How to prevent this kind of attack:
- Follow patch management best practices.
- Consider creating an enterprise bug bounty program.
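An added example, not Twitter's code, of the bug class and one control for it: a request containing a password is written to a log before hashing, and a logging filter redacts secret fields before any handler writes them. The field names, the salt and the sample request are constructed.

```python
"""Keeping passwords out of application logs.

Added example, not Twitter's code. It reproduces the bug class described above
(a request is written to a log before the password in it is hashed) and shows a
logging filter that redacts secret fields before any handler writes them. The
field names, the salt and the sample request are constructed.
"""
import hashlib
import io
import logging
import re
from typing import Tuple

SECRET_FIELDS = ("password", "passwd", "new_password", "token")

# Matches key=value, key: value, 'key': 'value' or "key": "value"; the value
# runs to the next quote, separator or whitespace.
_SECRET_RE = re.compile(
    r"(?i)(\b(?:" + "|".join(SECRET_FIELDS) + r")\b['\"]?\s*[=:]\s*['\"]?)([^'\"&,\s}]+)"
)


def redact(text: str) -> str:
    """Replace the value of every secret field in an already-rendered string."""
    return _SECRET_RE.sub(r"\1[REDACTED]", text)


class RedactSecrets(logging.Filter):
    """Rewrite the record in place so the secret never reaches a handler or a
    log shipper. Rendering the message first (msg % args) means the filter
    also catches secrets that arrive through format arguments."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()
        return True


def make_logger(name: str, redact_secrets: bool) -> Tuple[logging.Logger, io.StringIO]:
    """Logger writing to an in-memory stream so the result can be inspected."""
    stream = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    if redact_secrets:
        handler.addFilter(RedactSecrets())   # on the handler: applies to every record it writes
    logger.addHandler(handler)
    return logger, stream


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def handle_password_change(logger: logging.Logger, user: str, new_password: str) -> bytes:
    """The bug: the raw form is logged 'for debugging' before it is hashed."""
    form = {"user": user, "new_password": new_password}
    logger.info("password change request: %s", form)
    return hash_password(new_password, salt=b"constructed-salt")


def password_change_log(redact_secrets: bool, password: str = "hunter2!Pwd") -> str:
    """Run one password change through a logger and return what was written."""
    logger, stream = make_logger(f"demo.redact.{redact_secrets}", redact_secrets)
    handle_password_change(logger, "alice", password)
    return stream.getvalue()


def password_reaches_log(redact_secrets: bool, password: str = "hunter2!Pwd") -> bool:
    return password in password_change_log(redact_secrets, password)


if __name__ == "__main__":
    print("without filter:", password_change_log(False).strip())
    print("with filter:   ", password_change_log(True).strip())
    print(redact('{"user": "alice", "password": "s3cret"} token=abc123'))
```

The filter sits on the handler rather than on a single call site, so it also covers the next developer who logs a request object "temporarily". It is a safety net, not a substitute for the real fix: never pass the cleartext password into anything that can be logged, and hash it as the first thing the handler does.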
10. Microsoft
Records compromised: 250 million
Breach date: December 2019
Disclosure date: January 2020
Microsoft disclosed in 2020 that 250 million customer service and support records spanning 14 years had been exposed online. Personal data in most records had been redacted by automated tooling before storage, but entries in non-standard formats, for example an email address written with spaces instead of "@" and ".", escaped redaction, so some email and IP addresses were exposed in plaintext. Microsoft said it found no evidence of malicious use; the records were exposed for just under a month.
Microsoft attributed the exposure to a change to the database's network security group on December 5, 2019 that introduced misconfigured security rules, opening the internal database to the internet.
How to prevent this kind of attack:
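An added example, not Microsoft's tooling, of the check that catches this class of misconfiguration: an audit over a set of inbound security rules that flags any "allow" exposing a database port to the internet, an evaluator showing what a packet from an external address would get under those rules, and the corrected rule. The rule format is a simplified construction, not the Azure network security group schema, and the rule set is invented.

```python
"""Auditing network security rules for the class of misconfiguration behind the
Microsoft exposure: an inbound 'allow' that opens a database port to the whole
internet.

Added example, not Microsoft's tooling. The rule records are a constructed,
simplified representation (name, priority, direction, access, source, ports),
not the Azure network security group schema, and the rule set is invented.
"""
import ipaddress
from typing import Dict, List, Tuple

# Ports that should never face the internet: Elasticsearch (9200-9300), MSSQL,
# MySQL, PostgreSQL, Redis, MongoDB.
DB_PORTS = {9200, 9300, 1433, 3306, 5432, 6379, 27017}

# Constructed rule set. Lowest priority number wins, as in NSGs.
RULES: List[Dict] = [
    {"name": "allow-ops-ssh", "priority": 100, "direction": "Inbound",
     "access": "Allow", "source": "10.0.0.0/8", "dest_ports": "22"},
    {"name": "allow-search-debug", "priority": 110, "direction": "Inbound",
     "access": "Allow", "source": "0.0.0.0/0", "dest_ports": "9200-9300"},
    {"name": "deny-all-inbound", "priority": 4096, "direction": "Inbound",
     "access": "Deny", "source": "*", "dest_ports": "*"},
]


def parse_ports(spec: str) -> range:
    """'*' -> all ports, '9200-9300' -> inclusive range, '22' -> single port."""
    if spec == "*":
        return range(0, 65536)
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return range(int(lo), int(hi) + 1)
    return range(int(spec), int(spec) + 1)


def source_matches(source: str, ip) -> bool:
    if source == "*":
        return True
    return ip in ipaddress.ip_network(source, strict=False)


def is_internet(source: str) -> bool:
    """'*' or a /0 prefix means 'anyone'."""
    if source == "*":
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        return False


def find_exposed_db_ports(rules: List[Dict]) -> List[Tuple[str, List[int]]]:
    """Allow rules that open a database port to the internet, with the ports hit."""
    findings = []
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound" or rule["access"] != "Allow":
            continue
        if not is_internet(rule["source"]):
            continue
        hit = sorted(DB_PORTS.intersection(parse_ports(rule["dest_ports"])))
        if hit:
            findings.append((rule["name"], hit))
    return findings


def effective_access(rules: List[Dict], src_ip: str, port: int) -> str:
    """What a packet from src_ip to port gets: the first matching rule by priority."""
    ip = ipaddress.ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["priority"]):
        if rule["direction"] != "Inbound":
            continue
        if source_matches(rule["source"], ip) and port in parse_ports(rule["dest_ports"]):
            return rule["access"]
    return "Deny"   # implicit default when nothing matches


def restrict_source(rules: List[Dict], name: str, allowed_source: str) -> List[Dict]:
    """The fix: scope the offending rule to the network that actually needs it."""
    return [dict(r, source=allowed_source) if r["name"] == name else r for r in rules]


if __name__ == "__main__":
    print("findings:", find_exposed_db_ports(RULES))
    print("internet -> 9200:", effective_access(RULES, "203.0.113.7", 9200))
    fixed = restrict_source(RULES, "allow-search-debug", "10.0.0.0/8")
    print("after fix, findings:", find_exposed_db_ports(fixed))
    print("after fix, internet -> 9200:", effective_access(fixed, "203.0.113.7", 9200))
```

The audit reports the debug rule and the two Elasticsearch ports it exposes, and the evaluator confirms that an arbitrary internet address would be allowed through to port 9200 until the source is narrowed. Run a check like this on every rule change, not on a schedule: the exposure here began with a single rule edit and lasted until someone outside the company noticed.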