Today, the vast majority of successful organizations invest a great deal of time, money and resources in their security. With the endless media coverage of the latest data breaches, targeting even the most elite of organizations, it is no surprise.
The constant evolution of threats and vulnerabilities leaves no business completely immune. Today, we highlight the financial and brand impacts caused by some of the most significant breaches to date. The following list is organized by the total number of impacted users, in ascending order.
eBay Data Breach: 145 million users impacted
Between the months of February and March 2014, eBay found itself the unfortunate victim of a data breach of encrypted passwords. Ultimately, the resulting impact led eBay to require its 145 million users to reset their passwords. The threat actors involved had allegedly used a set of staff credentials to gain entry to a proverbial mountain of user data. The information stolen included encrypted passwords and personal information, including names, email addresses, home addresses, phone numbers and dates of birth. Details of the breach were released in May 2014, after a month-long investigation by eBay.
Equifax Data Breach: 148 million users impacted
In September 2017, Equifax, one of the three largest consumer credit reporting agencies in the United States of America, publicized that its systems had been breached, compromising the personal data of 148 million Americans. The data compromised included names, addresses, telephone numbers, dates of birth, social security numbers, and driver’s license numbers. In addition, credit card information of nearly 209,000 customers was also exposed in this data breach. To this date, the sensitivity of the information processed by Equifax sets a new precedent for the impact a breach can have on the organization and its customers.
MyFitnessPal Data Breach: 150 million users impacted
Today, the connectivity of every facet of our lives seems to land on the internet. To keep fit, millions of fitness fanatics the world over log their journey through the MyFitnessPal diet and exercise application. In February of 2018, MyFitnessPal endured a massive data breach. The exposed details included email addresses, IP addresses, login credentials and more. What made this breach so sinister is that, in 2019, much of this sensitive data landed on the dark web and began circulating, ultimately landing on the information security website “Have I Been Pwned.”
LinkedIn Data Breach 2012: 165 million users impacted
Back in June of 2012, the professional networking platform LinkedIn made the grim announcement that it had suffered a data breach, with the initial indication of 6.5 million users impacted. We did not learn of the true reach of the impacts until 2016, when it was announced that a massive 165 million users’ accounts had been compromised, including over 117 million hashed passwords.
As a result of the data breach, other service providers, including Netflix, forced their own users to change any passwords that resembled their LinkedIn password. To date, it is still not clear exactly why LinkedIn did not pursue further investigation into the original breach in 2012.
Twitter Breach 2012: 330 million users impacted
In May 2018, the social media giant Twitter advised all users that it had identified a glitch that stored unmasked passwords in an internal log, making all user passwords accessible to the internal network, a glitch that went undiscovered for months. Though Twitter did not disclose the number of users impacted, it indicated the number was significant, advising all 330 million users to change their passwords as a precaution.
Marriott Data Breach: 500 million users impacted
In November 2018, in line with PIPEDA, Marriott International made the grim announcement that threat actors had stolen the collective personal data of 500 million Starwood hotel customers. As discussed in previous Packetlabs blogs, a persistent threat actor will not always act immediately. During the process of investigation, it was discovered that the hackers had gained access in 2014, remaining active during Marriott’s acquisition of Starwood in 2016.
The information that was exposed included contact information, names, passport details, travel information and other personal data. The New York Times declared the breach the work of Chinese intelligence, seeking data on US citizens. To date, if this holds true, it would be one of the largest breaches involving personal data by a nation-state threat actor.
Yahoo Data Breach 2014: 500 million users impacted
Speaking of state actors, Yahoo disclosed that it had reason to believe a state actor was responsible for a cyber-attack the organization endured in 2014. Among the compromised data were full names, email addresses, phone numbers, hashed passwords, birth dates and more. Having ultimately failed to investigate the breach, Yahoo did not publicly announce it until 2016, following an incident in which a stolen database made its way to the dark web.
Facebook Breach: 540 million users impacted
It is no secret that North Americans love their social media, with most individuals logging in daily to keep up with the latest in social news and media. In April of 2019, UpGuard, a cyber risk team, revealed that two third-party Facebook application datasets had been wide open to the public internet. The most significant of the two, Cultura Colectiva, contained records of 540 million users, detailing account names, passwords, likes, comments and more!
Yahoo Data Breach 2017: 3 billion users impacted
In August 2013, Yahoo disclosed the details of a data breach it endured at the hands of a group of hackers. The exposed data included security passwords and answers, which greatly increase the risk of identity theft for Yahoo users. In December of 2016, in final negotiations to sell to Verizon, Yahoo forced all of its users to change their passwords and re-enter security questions, encrypting those not already protected. Perhaps unsurprisingly, in October of 2017, Yahoo revised its previous estimate to a massive 3 billion user accounts. To date, this remains one of the most impactful breaches in history.
Data breaches are here to stay and they’re happening now more than ever. Regardless of the size, industry or maturity of your organization, it is recommended that all businesses remain on top of their security. To maximize security, Packetlabs recommends, at minimum, annual penetration testing as well as additional testing when any significant changes are completed. If you would like to learn more about what Packetlabs can do for your organization, contact us today!