Top 7 Biggest Data Breaches of the 21st Century

Adobe
Date: October 2013.
Leaked: 153 million user records.
Details: As security blogger Brian Krebs reported in early October 2013, Adobe disclosed after discovering a data breach that hackers had stolen nearly 3 million encrypted customer credit card records, transaction details, and login credentials for an unspecified number of users. ...

Later that month, Adobe raised that estimate to include identifiers and encrypted passwords for 38 million "active users". Krebs said a file released just a few days earlier contained over "150 million pairs of usernames and hashed passwords from Adobe." An investigation into the incident showed that the hack also exposed customer names, IDs, passwords, and debit and credit card information.

Under an agreement signed in August 2015, Adobe was required to pay $1.1 million in legal fees and an undisclosed amount to users to resolve claims of violating the Customer Records Act and of unfair business practices. In November 2016, the amount paid to customers was $1 million.

Canva
Date: May 2019
Leaked: 137 million user accounts
Details: In May 2019, the Australian graphic design tools website Canva was attacked, exposing email addresses, usernames, names, cities of residence, and about 61 million logins with bcrypt-hashed passwords (for non-social-media users). After investigation, the figure rose to 137 million unique user identifiers.

Canva says that "hackers were able to locate and view, but not steal, files with partial credit card and billing information."

The suspected perpetrators, known as the hacker group Gnosticplayers, contacted ZDNet to brag about the incident, saying Canva had detected their attack and shut down its data breach server. The attackers also claimed to have obtained OAuth login tokens for users who signed in through Google.

The company confirmed the incident and subsequently notified users, prompting them to change passwords and reset OAuth tokens. However, according to a later post by Canva, a list of roughly 4 million Canva accounts containing stolen user passwords was later decrypted and published online, which led the company to revoke unchanged passwords and notify users with unencrypted passwords on the list.

eBay
Date: May 2014
Leaked: 145 million users
Details: eBay reported that an attack in May 2014 exposed its entire list of 145 million user accounts, including names, addresses, dates of birth and encrypted passwords. The online auction giant said the hackers used the credentials of three corporate employees to access its network and had full access for 229 days, more than enough time to break into a user database.

The company asked customers to change their passwords. Financial information such as credit card numbers was kept separately and was not compromised. At the time, the company was criticized for its lack of communication with its users and its poor implementation of the password update process.

Equifax
Date: July 29, 2017
Leaked: Data of 147.9 million customers.
Details: Equifax, one of the largest credit bureaus in the US, announced on September 7, 2017 that an application vulnerability on one of its websites had resulted in a data breach that leaked the information of 147.9 million clients. The breach was discovered on July 29, but the company said the intrusion likely began in mid-May. The hack compromised the personal information (including social security numbers, dates of birth, addresses and, in some cases, driver's license numbers) of 143 million customers, including credit card details of 209,000 customers. The final figure in October 2017 increased to 147.9 million.

Equifax was found guilty of a number of security and response violations. Chief among them was that the application vulnerability that allowed attackers to gain access was not fixed. "Inadequate" segmentation of the system made it easier for attackers to move through it.

Dubsmash
Date: December 2018
Leaked: 162 million user accounts
Details: In December 2018, the New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes and other personal information such as dates of birth stolen.

The stolen information was put up for sale on the dark web's Dream Market in December of the following year. It was sold as part of a collected dump that also included data from the likes of MyFitnessPal, MyHeritage (92 million), ShareThis, Armor Games and the dating app CoffeeMeetsBagel.

Dubsmash acknowledged that there was a leak and sale of information and gave advice on changing the password, but was unable to say how the attackers got inside, or confirm how many users were ultimately affected.

LinkedIn
Date: 2012 and 2016
Leaked: 165 million user accounts
Details: As the main social network for business professionals, LinkedIn has become an attractive target for attackers seeking to conduct attacks and improve their social engineering skills. It has also been the victim of user data breaches in the past.

In 2012, the company announced that 6.5 million unlinked passwords (unsalted SHA-1 hashes) had been stolen by attackers and posted on a Russian hacker forum. However, it was only in 2016 that the full scale of the incident was revealed. The same hacker who was selling MySpace data was found to be offering the email addresses and passwords of about 165 million LinkedIn users for just 5 bitcoins (about $2,000 at the time). LinkedIn acknowledged that it had become aware of the hack and said it had reset the passwords of the affected accounts.

Yahoo
Date: 2013-14
Leaked: 3 billion user accounts
Details: Yahoo announced in September 2016 that in 2014 it had been the victim of the largest data breach in history. The attackers, which the company deemed "state-sponsored contributors," compromised the real names, email addresses, dates of birth and phone numbers of 500 million users. Yahoo stated that most of the compromised passwords were hashed.

Then, in December 2016, Yahoo disclosed another breach, from 2013 and by a different attacker, that compromised names, dates of birth, email addresses and passwords, as well as security questions and answers, from 1 billion user accounts. Yahoo revised this estimate in October 2017 to include all 3 billion user accounts.

The initial announcement of the hack came at an unfortunate time, as Yahoo was in the process of being acquired by Verizon, which ultimately paid $4.48 billion for Yahoo's main internet business. These breaches are estimated to have lowered the company's value by $350 million.