10. Court Ventures
Size: 200 million personal records
Date: October 2013
Court Ventures, a subsidiary of Experian, fell victim to a hacker selling credit card numbers and social security numbers from this breach. The hacker gained access to the Court Ventures database by posing as a private investigator from Singapore. Lessons were not learned, and Experian was again breached in 2020 through deception.
9. Twitter
Size: 330 million users
Date: May 2018
Twitter blamed a ‘bug’ or ‘glitch’ for the fact it left all of its users’ passwords unmasked for months in an internal log. While Twitter has said that there was no breach or misuse of this information, only time will tell. In July 2020, hackers took over high-profile Twitter accounts in a bitcoin scam, with the likes of Elon Musk, Bill Gates and Barack Obama all targeted.
8. Marriott International
Size: 500 million guests
Date: November 2018
Talk about playing the long game. Hospitality giant Marriott International announced that hackers had stolen data on 500 million Starwood hotel guests in November 2018, but the hackers had entered the Starwood system (in 2014) before it was even acquired by Marriott (in 2016). As well as the usual contact information, credit and debit card details were also included in the hack.
7. Yahoo
Size: 500 million accounts
Date: 2014
This is not the only time you will see internet pioneer Yahoo on this list. This time around, ‘just’ 500 million accounts were compromised by what Yahoo called a ‘state-sponsored actor’. Personal data included names, emails, phone numbers, dates of birth, security questions and answers. Yahoo only acknowledged this breach in 2016.
6. Facebook
Size: 533 million users
Date: April 2019 (and April 2021)
Two third-party app datasets were the weak link here, leaving more than 500 million Facebook users with their likes, reactions and Facebook data exposed. Anxiety intensified when that same information was made available on the Dark Web for free in April 2021. This particularly exposed phone numbers associated with Facebook accounts.
5. LinkedIn
Size: 700 million users
Date: June 2021
Let’s be careful with the terminology here. LinkedIn claims this megahack of 92% of its users was not in fact a data breach but a violation of its terms of service through prohibited data scraping. The data included email addresses, names, phone numbers, usernames and geolocations. The hacker scraped the data by exploiting LinkedIn’s API. While much of the information is indeed in the public domain, those email addresses are not usually made public.
4. Verifications.io
Size: 763 million users (or is it 2 billion?)
Date: February 2019
Verifications.io is a company that proves or verifies email addresses for marketing activity. The breach here does not just include those unique email addresses – it can also include names, phone numbers, and other sensitive data too. The damage could be even higher, with some later estimates putting the leak as high as 2 billion records.
3. First American Financial Corporation
Size: 885 million
Date: May 2019
You know it’s bad news when a journalist reveals your bank has exposed personal information for more than 15 years amounting to more than 800 million records. First American is the second largest mortgage title and settlement company in the US, handling personal and financial documents. In June 2021, First American finally faced the music, with the Securities and Exchange Commission fining the company less than US$500,000.
2. Aadhaar
Size: 1.1 billion people
Date: March 2018
There may be attacks that affect more accounts on this list, but to impact more than 1 billion people really is staggering. That is the unwanted record that India’s state-owned utility company Aadhaar has to contend with, with the biometric and personal details (name, photographs, fingerprints, bank details) all available to the highest bidder on the net. The price for this wealth of information? Just US$7.50.
1. Yahoo
Size: 3 billion accounts
Date: October 2013 & October 2017
Don’t be fooled by the two dates: this is the same breach, reported on two separate occasions by victim Yahoo. The original attack, where Yahoo claimed hackers had compromised a billion accounts, happened in 2013 but was only reported three years later while the internet giant was in negotiations with Verizon for a sale. Then Yahoo later came out and admitted the actual figure was closer to 3 billion compromised accounts.
One of the original internet pioneers, and the most visited site on the web back in the day, Yahoo’s steady but relentless fall from grace saw it turn down the chance to buy Google (US$2bn) and Facebook (US$1bn) before finally being acquired by Verizon for US$4.5bn in 2017 – around a tenth of its value at the height of the dot-com bubble.