While you may see large data breaches in the news from time to time, you may not realize the sheer amount of information that has been compromised over the years. Most of these are infamous and well known, but if you are just realizing you have an account with one of these companies, it may not be too late to change your password. Here’s a list of the biggest data breaches of all time.
Number of accounts compromised: 3 Billion
There’s no easy way to put this: This data breach is hands down the biggest blunder on this list. Hackers gained access to names, emails, addresses, passwords, and security questions for every single Yahoo account. Yahoo originally believed that only 1 billion accounts were compromised, but after Verizon acquired the company in 2013, Verizon sent out a press release indicating all 3 billion accounts were included in the breach.
“In connection with the December 2016 announcement, Yahoo took action to protect users beyond those identified at that time as potentially affected. Specifically:
We are continuing to work closely with law enforcement, and continue to enhance our safeguards and systems that detect and prevent unauthorized access to user accounts.”
Number of accounts compromised: 500 Million
Unfortunately, lightning can strike twice, and Yahoo has the top two spots on this list. Hackers gained access to names, emails, and addresses, but passwords were properly secured. A second data breach in such a short amount of time destroyed any faith users had left in Yahoo’s security practices.
Yahoo is notifying potentially affected users and has taken steps to secure their accounts. These steps include invalidating unencrypted security questions and answers so that they cannot be used to access an account and asking potentially affected users to change their passwords. Yahoo is also recommending that users who haven’t changed their passwords since 2014 do so.
Number of accounts compromised: 360 Million
The former king of social media was not immune from data breaches. A hacker by the name of “Peace” attempted to sell the contact information and passwords of 360 million MySpace users. While many users had fled MySpace for other social media platforms at that point, users frequently keep their username and password as similar as possible wherever they go. Any users who were at risk were asked to create a new password the next time they logged in.
“As part of the major site re-launch in the summer of 2013, Myspace took significant steps to strengthen account security. The compromised data is related to the period before those measures were implemented. We are currently utilizing advanced protocols including double salted hashes (random data that is used as an additional input to a one-way function that “hashes” a password or passphrase) to store passwords. Myspace has taken additional security steps in light of the recent report.”
Number of accounts compromised: 117 Million
The breach was originally believed to involve only 6.5 million compromised accounts, but after the data was found (from the hacker “Peace” again), 167 million accounts turned up, 117 million of them featuring both email addresses and passwords.
“We take the safety and security of our members’ accounts seriously. For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.”
Number of accounts compromised: 145 Million
This breach may not be the largest breach on this list, but it is certainly the most important. Hackers were able to gain names, birth dates, addresses, and (most importantly) Social Security numbers for each account. This allowed the hackers to sell the information to identity thieves who could apply for loans, credit cards, and even mortgages under any of the users’ names.
“As soon as Equifax discovered the unauthorized access, Equifax acted immediately to stop the intrusion. The company promptly engaged a leading, independent cybersecurity firm which has been conducting a comprehensive forensic review to determine the scope of the intrusion, including the specific data impacted. Because this incident involves a substantial amount of personal identifying information, the investigation has been complex and time-consuming. As soon as we had enough information to begin notification, we took appropriate steps to do so.”