The Worst Data Breaches Of All Time

In the digital era, our online information is more vulnerable than ever. Data breaches are happening daily, and whilst some are minor and go unnoticed, others are so major they can put a whole company at risk. In January 2019 alone, exactly 1,769,185,063 user records were leaked!

Below we take a look at some of the biggest security breaches of all time...

Yahoo – 2013

Yahoo shocked the world when it experienced one of the biggest data breaches in history. Three billion of its customer accounts were compromised. The attack dated back to 2013, even though it was only revealed in 2016 while the company was in negotiations to sell itself to Verizon.

Originally it was said that only 1 billion of its customers were impacted. However, an investigation uncovered that the breach went much further than originally thought. A press release highlighted this, stating: “The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”

Information exposed included the real names, birthdays, email addresses, phone numbers, passwords and security questions of customers.

Yahoo also experienced another attack in 2014, which affected at least 500 million users. Because of these breaches, Verizon trimmed its purchase price for Yahoo by $350 million. 


Marriott International – 2018

In 2018, Marriott International revealed that it had discovered a breach that started as far back as 2014. The breach began when the systems were still being operated by Starwood, and carried on when they were acquired by Marriott in 2016.

The names, addresses, phone numbers, birthdays, email addresses and encrypted credit card details of 500 million hotel customers were stolen. In addition to this, a smaller group of customers had their travel histories and passport numbers stolen.

According to reports from a cyber-security firm, the data has not appeared on the dark web, which suggests the attackers weren’t looking to sell the data they took. James A. Lewis, a cyber-security expert at the Centre for Strategic Studies in Washington, said “Usually when stolen data doesn’t appear, it’s a state actor collecting it for intelligence purposes”.

Equifax – 2017

Equifax, one of the three major consumer credit reporting agencies, revealed that hackers exploited a vulnerability in the open-source software Apache Struts to access its servers in 2017. 147.9 million customers were impacted, and vital information such as names, street addresses, driver's licence numbers, birthdays and even social security numbers was taken.

Customers were urged to keep watch on their credit reports after the attack happened. Although it has been named as one of the most damaging data breaches in history, Equifax as a company hasn’t faced many consequences and lawmakers are still waiting for some action to be taken against them.

FriendFinder Networks – 2016

The FriendFinder network is an adult dating and entertainment company who operate several websites. The breach included six databases:,,,, and an unknown domain. When the servers were breached in 2016, 412 million customers were impacted, with names, email addresses, IP addresses and passwords being taken. It has been said that the breach was particularly troubling for users who worked in public positions or who were married, and left them open to potential extortion schemes.

LeakedSource obtained the data and said it included 20 years of information from the company’s sites. They also found that passwords were stored in plain text or hashed with the weak SHA-1 algorithm. The hacked data once again showed that many people are still using simple, easy-to-guess passwords. If you’re struggling to create strong passwords, check out our blog which goes through how to make a password that doesn’t SUCK.

Heartland Payment Systems – 2008

At the time of the breach in 2008, Heartland Payment Systems were processing 100 million payments for major credit card networks such as Visa and MasterCard. Their systems were compromised by malware, and 134 million accounts were affected.

After the attack, Heartland were found to be in violation of security standards so were barred from processing credit card payments for several months following the incident. They also had to pay out around $150 million in compensation.

Albert Gonzalez was the brains behind the attack, and was sentenced to 20 years in prison in 2010. He had also been responsible for the TJX hack.

eBay – 2014

In 2014, hackers got into the eBay company network by using the credentials of three corporate employees. They then had complete access for 229 days before it was discovered.

The breach gave hackers access to the names, email addresses, birthdays and encrypted passwords of 145 million users. Fortunately, financial details such as credit card numbers were stored separately, so were not affected. A report claimed that there was “no evidence of the compromise resulting in unauthorized activity for eBay users, and no evidence of any unauthorized access to financial or credit card information, which is stored separately in encrypted formats”.

Although eBay advised users to change their passwords immediately upon the breach being discovered, it was widely criticised for the way it handled the breach. Many security experts commented that there was a lack of email communications informing users of the incident, while others said that the password renewal process was poorly implemented.

Data breaches are showing no sign of slowing any time soon, and protecting your personal information has never been more critical.
