Though it had long stopped being the powerhouse that it once was, social media site MySpace hit the headlines in 2016 after 360 million user accounts were leaked onto both LeakedSource.com and put up for sale on dark web market The Real Deal with an asking price of 6 bitcoin (around $3,000 at the time).
According to the company, lost data included email addresses, passwords and usernames for “a portion of accounts that were created prior to June 11, 2013, on the old Myspace platform. In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013, on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions.”
It’s believed that the passwords were stored as SHA-1 hashes of the first 10 characters of the password converted to lowercase.
13. NetEase
Date: October 2015
Impact: 235 million user accounts
NetEase, a provider of mailbox services through the likes of 163.com and 126.com, reportedly suffered a breach in October 2015 when email addresses and plaintext passwords relating to 235 million accounts were being sold by dark web marketplace vendor DoubleFlag. NetEase has maintained that no data breach occurred and to this day HIBP states: “Whilst there is evidence that the data itself is legitimate (multiple HIBP subscribers confirmed a password they use is in the data), due to the difficulty of emphatically verifying the Chinese breach it has been flagged as “unverified.”
14. Court Ventures (Experian)
Date: October 2013
Impact: 200 million personal records
Experian subsidiary Court Ventures fell victim in 2013 when a Vietnamese man tricked it into giving him access to a database containing 200 million personal records by posing as a private investigator from Singapore. The details of Hieu Minh Ngo’s exploits only came to light following his arrest for selling personal information of US residents (including credit card numbers and Social Security numbers) to cybercriminals across the world, something he had been doing since 2007. In March 2014, he pleaded guilty to multiple charges including identity fraud in the US District Court for the District of New Hampshire. The DoJ stated at the time that Ngo had made a total of $2 million from selling personal data.
15. LinkedIn
Date: June 2012
Impact: 165 million users
With its second appearance on this list is LinkedIn, this time in reference to a breach it suffered in 2012 when it announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been stolen by attackers and posted onto a Russian hacker forum. However, it wasn’t until 2016 that the full extent of the incident was revealed. The same hacker selling MySpace’s data was found to be offering the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoins (around $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach, and said it had reset the passwords of affected accounts.
16. Dubsmash
Date: December 2018
Impact: 162 million user accounts
In December 2018, New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen, all of which was then put up for sale on the Dream Market dark web market the following December. The information was being sold as part of a collected dump also including the likes of MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating app CoffeeMeetsBagel.
Dubsmash acknowledged the breach and sale of information had occurred and provided advice around password changing. However, it failed to state how the attackers got in or confirm how many users were affected.
17. Adobe
Date: October 2013
Impact: 153 million user records
In early October 2013, Adobe reported that hackers had stolen almost three million encrypted customer credit card records and login data for an undetermined number of user accounts. Days later, Adobe increased that estimate to include IDs and encrypted passwords for 38 million “active users.” Security blogger Brian Krebs then reported that a file posted just days earlier “appears to include more than 150 million username and hashed password pairs taken from Adobe.” Weeks of research showed that the hack had also exposed customer names, password, and debit and credit card information. An agreement in August 2015 called for Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported to be $1 million.
18. National Public Data
Date: December 2023
Impact: 270 million people
A breach of background checking firm National Public Data exposed the data of hundreds of millions of people through the disclosure of an estimated 2.9 billion records. As a result of the December 2023 hack, stolen data was up for sale of on the dark web by hacking group USDoD in April 2024. Much of the stolen data was leaked and made freely available in a 4TB dump onto a cybercrime forum July 2024.
The incident, which only became public knowledge after a class action was filed in August 2024, exposed social security numbers, names, mailing addresses, emails, and phone numbers of 270 million people, mostly US citizens. Much of the data, which also includes information pertaining to Canadian and British residents, appears to be outdated or inaccurate but the impact of the exposure of so much personal information is nonetheless severe. An estimated 70 million rows of records cover US criminal records.
The mechanism of the initial breach remains unconfirmed but investigative reporter Brian Krebs reports that up until early August 2024 an NPD property, recordscheck.net, contained the usernames and password for the site’s administrator in a plain text archive.
In a statement, Jericho Pictures (which trades as National Public Data) advised people to closely monitor their financial accounts for unauthorised activity. National Public Data said it was working with law enforcement and governmental investigators adding that it is reviewing potentially affected records to understand the scope of the breach. It will “try to notify” affected parties if there are “further significant developments”.
Experts advise consumers to consider freezing credit with the three major bureaus (Equifax, Experian, and TransUnion) and using identity theft protection services as potential precautions.
19. Equifax
Date: 2017
Impact: 159 million records
Credit reference agency Equifax suffered a data breach in 2017 that affected 147 million US citizens and 15 million Britons. Names, social security numbers, birth dates, addresses as well as driver’s licenses of more than 10 million were exposed after attackers took advantage of a web security vulnerability to break into Equifax’s systems. The breach also exposed the credit card data of a smaller group of 209,000 people.
Attackers broke into Equifax’s systems between May and July 2017 by taking advantage of an unpatched Apache Struts vulnerability to hack into the credit reference agency’s dispute resolution portal. Patches for the exploited vulnerability had been available since March 2017, months before the attack. Struts is a popular framework for creating Java-based web applications.
Cybercriminals moved laterally through their ingress points before stealing credentials that allowed them to query its databases, systematically siphoning off stolen data. US authorities charged four named members of the Chinese military with masterminding the hack. Chinese authorities have denied any involvement in the attack.
Equifax faced numerous lawsuits and government investigations in the wake of the breach. The credit reference agency was left an estimated $1.7 billion out of pocket because of the breach without taking into account the effect on its stock price. Equifax spent an estimated $337 million on improving its technology and data security, legal and computer forensic fees and other direct costs alone.
20. eBay
Date: 2014
Impact: 145 million records
A breach on online marketplace eBay between late February and early March 2014 exposed sensitive personal information of an estimated 145 million user accounts. Cybercriminals gained access to eBay’s systems after compromising a small number of employee login credentials.
The hack allowed miscreants access to sensitive information including encrypted passwords, email addresses, mailing addresses, phone numbers and dates of birth. Financial information, including data on PayPal accounts, was stored on separate system and therefore not affected by the breach. In response to the incident, eBay applied a forced reset to user passwords.
