The 5 biggest data breaches of the 21st century & takeaways
January 11, 2022 / Knowledge


Data breaches happen, whether people and businesses want them or not. This year, as a result of the global pandemic, not only did the number of breaches increase but so did the financial damage: in 2021, the average cost of a data breach rose to USD 4.24 million.

For businesses to thrive in the post-pandemic world, thorough preparation against cyber-attacks should become a priority. For that, it is wise to learn from other people’s mistakes.

Let’s discuss the five biggest data breaches of the 21st century: what happened, why, and what you can learn from them.

5th place. eBay

When: May 2014

Records exposed: 145 million

Before the attack, eBay was already criticized for the poor implementation of the password-renewal process. In May 2014, eBay reported a cyberattack that exposed the personal data of 145 million users. The data included names, addresses, dates of birth, and encrypted passwords. Hackers accessed the network by using the login details of three eBay employees and stayed logged into the internal system for 229 days.

Takeaway: a significant share of cyber-attacks succeed because of human error. It is crucial to ensure all employees understand the risks that poorly managed credentials bring. For that, periodic employee training is mandatory in any security-focused company.

4th place. Adult Friend Finder

When: October 2016

Records exposed: 412 million

Another victim among the biggest data breaches of the 21st century was FriendFinder, a network of adult-oriented websites. The hackers obtained customer databases spanning 20 years that included email addresses, names, and passwords.

Most passwords were hashed with the weak SHA-1 algorithm. After the leak, 99% of the passwords were cracked and exposed almost immediately.
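As an added example (not code from the original article or from FriendFinder), the following Python contrasts the unsalted SHA-1 storage described above with salted, deliberately slow password hashing; the account records are constructed, and the audit helper shows why an unsalted store gives away shared passwords before any guessing starts.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration; not data from any real breach.
SAMPLE_ACCOUNTS = {"alice": "password123", "bob": "password123", "carol": "Tr0ub4dor&3"}

def sha1_store(password: str) -> str:
    """Unsalted SHA-1, the scheme the article describes: one fast digest, no per-user salt.
    The same password always yields the same hex string, so a single precomputed table
    entry matches every account that chose that password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    """Salted, slow storage: a random 16-byte salt per user and PBKDF2-HMAC-SHA256
    with a high iteration count. Format: algorithm$iterations$salt_hex$digest_hex,
    so the parameters are recorded and can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def shared_password_groups(store: dict) -> int:
    """Audit helper: how many stored values repeat another user's value.
    Repeats in an unsalted store reveal which users share a password without
    cracking anything; a salted store shows zero repeats for the same inputs."""
    values = list(store.values())
    return len(values) - len(set(values))

def build_stores(accounts: dict):
    """Hash the same accounts both ways so the two stores can be compared side by side."""
    weak = {user: sha1_store(pw) for user, pw in accounts.items()}
    strong = {user: pbkdf2_store(pw) for user, pw in accounts.items()}
    return weak, strong

if __name__ == "__main__":
    weak, strong = build_stores(SAMPLE_ACCOUNTS)
    print("repeated SHA-1 values:", shared_password_groups(weak))     # 1: alice and bob collide
    print("repeated PBKDF2 values:", shared_password_groups(strong))  # 0
    print("verify alice:", pbkdf2_verify("password123", strong["alice"]))  # True
```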

Takeaway: avoid reusing passwords. Typically, after such data breaches, hackers reuse the stolen credentials to log in to other sensitive accounts. If you reuse the same credentials, their chance of success is high. Not reusing the same password on different websites protects you from such credential-stuffing attacks.

3rd place. Marriott International

When: 2014-2018

Records exposed: 383–500 million (the number differs between sources)

Marriott International (known for Starwood Hotels and Sheraton Hotels and Resorts) disclosed a data breach that started back in 2014. At first, the Starwood guest reservation system was compromised. For four years, the attackers hid in the system. Only in 2018, after Marriott International acquired Starwood, was the attack discovered, when the Marriott security team noticed an unusual database query.

Yet it was too late. The data of at least 383 million people was exposed, including sensitive personal information such as contact details, credit card numbers, and passport numbers. In total, the Marriott hotel chain suffered damages of hundreds of millions of dollars.

Takeaway: as a business owner, always prioritize and invest in cybersecurity infrastructure. Prepare a defense strategy against cyber threats and hire cybersecurity experts to evaluate your current situation. The investment in cybersecurity pays off.

2nd place. LinkedIn

When: June 2021

Records exposed: 700 million

In the summer of 2021, the private personal data of 700 million LinkedIn users was posted on a dark web forum. The attacker collected the data by scraping LinkedIn’s API and revealed personal information such as email addresses, phone numbers, genders, and other details retrieved from the social networking site.

Because all this data was publicly available, the incident was considered a violation of LinkedIn’s Terms of Service rather than a cyber attack. And yet, the fact that the records of 90% of LinkedIn users were available on the dark web raises serious security concerns.

Takeaway: a collection of personal data about a user is commercially valuable for social engineering attacks. Cybercriminals can use such databases to manipulate and deceive users. They might use your personal data to obtain other information: bank account logins, passwords to enterprise systems, etc. So if a stranger calls you impersonating a bank representative and “knows” your data, they might just be reading information from the LinkedIn database. Always remain skeptical before you trust someone, and educate yourself about social engineering attacks.

1st place. Yahoo

When: 2013–2016

Records exposed: 3 billion

More than eight years have passed, and the “winner” remains the same: the Yahoo data breach. In 2014, Yahoo officially stated that the email addresses, passwords, phone numbers, real names, and birth dates of 500 million users had been compromised in an attack.

A few years later, Yahoo disclosed another attack that had happened back in 2013. The number of accounts affected by the two breaches reached a mind-boggling record of 3 billion.

Takeaway: as a user, always keep in mind that affected companies might not announce a data breach immediately. Always protect your data: use complex passwords and never reuse them on multiple platforms.

The biggest data breaches of the 21st century revealed the weakest points that you, as an individual user or a responsible company representative, should be aware of. Understanding them is the first step towards preparing a defense strategy and mitigating the risk of a breach. You can also check out this article with 11 steps on how to protect yourself online.

Learn from other people’s mistakes; do not wait for your turn.