ProtonVPN has collated data to reveal the biggest data breaches in history and has shared advice from their experts on how you can protect yourself against future breaches.
As the world becomes more reliant on technology, the amount of sensitive data possessed by companies increases exponentially. This means that when an organization suffers a data breach, it can affect millions of people.
Many organizations work tirelessly to prevent breaches, using a mix of strong cybersecurity policies as well as employing techniques like data encryption to minimize the incentive for hackers to attack them.
However, no security system is foolproof against human error and plenty of cybercriminals have become adept at purchasing credentials and using social engineering to penetrate an organization’s network. In fact, research has confirmed that criminal hacking remains the top cause of data breaches, accounting for 45% of data breaches in 2020.
ProtonVPN has identified some of the biggest data breaches in history and researched how the companies responded to the damage and what it meant for their customers.
Yahoo! (August 2013)
In 2013, Yahoo! fell victim to a now-notorious data breach that impacted over 3 billion user accounts including email, Tumblr, Fantasy, and Flickr. After initially claiming in 2016 that only 1 billion accounts had been compromised, Yahoo! released a statement in 2017 with new intelligence revealing the full scope of the breach. This updated intel showed that all Yahoo! accounts that existed in August 2013 were likely to have been affected by Russian hackers, totaling 3 billion accounts all in all.
It was widely reported at the time that Yahoo! relied on outdated, easy-to-crack encryption, giving the attackers a relatively easy time gaining access to the accounts. In its statement, Yahoo! revealed that names, hashed passwords, and email addresses were among the stolen information, but claimed bank details and passwords in clear text were not. In the wake of the attack, the company took precautions to further protect its customers’ data by un-encrypting security questions and implementing better account security including 2FA (two-factor authentication).
Aadhaar (2018)
India’s national ID database, Aadhaar, which contains information about more than 1.1 billion registered citizens, was hit by a major security lapse in 2018. The database contains personal information on Indian citizens, including headshots, biometric information, fingerprints, and iris scans.
A report in The Tribune newspaper confirmed that the newspaper had gained access to the database via WhatsApp communication with an anonymous seller who posed as an “agent.” The paper paid Rs 500 (around £5) for unrestricted access to details on any of the over one billion unique Aadhaar numbers.
UIDAI (Unique Identification Authority of India) officials expressed sheer shock over the data being accessed and immediately notified their technical team. However, Aadhaar profusely denied any data breach and even filed a case against The Tribune alleging that they misreported the incident.
First American Financial Corporation (May 2019)
First American is a leading provider of insurance and settlement services in the mortgage and real estate industry. Brian Krebs, a noted cybersecurity journalist, reported in 2019 that First American had suffered an insidious breach when a developer notified KrebsOnSecurity that millions of records were available to anyone with the correct URL link. No further authentication was required to gain complete access to the information.
KrebsOnSecurity confirmed these findings and reported that a portion of the website (firstam.com) was leaking millions of records due to a design error in the site. Over 800 million images containing sensitive, personal information — including bank account information and social security numbers — were accessible. The earliest document available was from a transaction in 2003. There is no evidence to suggest that hackers actually retrieved any data; however, it is completely possible that they could have discovered it prior to First American resolving the technical error.
Upon investigation, it became evident that First American employees were aware of this error months prior to Krebs’s report but failed to act upon it. As a consequence, the company had to pay a penalty of nearly $500,000 to the U.S. Securities and Exchange Commission.
Alibaba (November 2019)
Alibaba is a Chinese multinational technology company specializing in e-commerce, retail, and technology. Their shopping website, Taobao, one of China’s most-visited online retail stores, was trawled for eight months in 2019 by a software developer. Over this period the developer used web-crawling software to gather 1.1 billion pieces of user information including mobile phone numbers and customer comments.
Alibaba eventually noticed the scraping of data and immediately notified authorities. The developer and his employee were later sentenced to three years in federal prison and fined for “infringement on citizen’s personal information.”
Cam4 (March 2020)
Cam4, an explicit adult video streaming site, saw the biggest personal information data breach ever recorded in March 2020 when 10.88 billion records were exposed. The data breach was first reported by researchers who discovered that part of the website was leaking data into mainstream software. The breach exposed an enormous 7 TB of information (for perspective, just 1 TB can store 500 hours of films or 6.5 million document pages). The leaked data included names, geolocation records, chat transcripts, hashed passwords, and payment information.
The database was immediately taken down by Cam4’s parent company, Granity Entertainment. However, it is unknown if any of the breached data has been (or will be) weaponized against the victims. Data breaches from adult-only sites often result in blackmail or defamation attempts that become financial and reputation nightmares for victims.
Sina Weibo (Mid 2019)
In 2019, a hacker proclaimed on the dark web that they breached Weibo, a Chinese microblogging website, and took a huge amount of its data. Although initially skeptical, ZDNet reported on the incident and confirmed the hacker’s claims, yet alleged that the hacker didn’t have access to passwords. This explains why the data was only being sold for $250. However, personal details, including gender, location, and phone numbers of 538 million users, were among the information being sold.
Weibo responded, stating engineers had identified accounts uploading large batches of contacts in late 2018 and had attempted to match them with phone numbers held in the database. They said this information became available due to credential surfing attacks but was fixed at the time. They then claimed that users had nothing to worry about as no new breach had occurred. However, Chinese security experts quickly pointed out technical irregularities with this response, such as how the hacker gained access to private information including gender. Weibo notified the authorities and police began investigating the incident in an attempt to track down the hacker. Meanwhile, China’s industry and regulator summoned Weibo representatives and ordered them to enhance their data security immediately.
LinkedIn (June 2021)
The company that fell victim to the most recent large-scale data breach was professional networking site LinkedIn, during the summer of 2021. Over 700 million profiles were affected by the breach, in which full names, email addresses, locations, hashed passwords, birthdays, and URL links were stolen.
LinkedIn released a statement in response to a photograph circulating on the internet showing users’ information being sold on the dark web. It said “this was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we’ve been able to review.” The company claims that all the information being sold was from public profiles and already available for anyone to see.
Despite the circulated information being public, such data scraping still violates LinkedIn’s terms and conditions. Hackers would still be in possession of enough useful information to use for phishing attacks and social engineering. Although this was not a direct data breach, the withheld information still carries the same power as any other attack.
Facebook (2019)
Earlier this year, Facebook made headlines when it was revealed that a 2019 breach — which the company previously confirmed was the result of a data scraping leak — had impacted 533 million profiles. Usernames, full names, birthdays, and profile activity were all scraped and stolen by cyber criminals who exploited a vulnerability on Facebook’s platform. The vulnerability was fixed in August 2019, but the scraped data remained available online.
This was not, however, the first time Facebook has been victim to a data breach or scandal. In July 2019 Facebook was ordered to pay a $5 billion settlement fee to the Federal Trade Commission for failing to secure its users’ profiles properly and to implement “change to Facebook’s entire privacy culture to decrease the likelihood of continued violations.” Facebook is now under a new corporate structure which has introduced new policies to hold executives accountable for how they handle customer privacy and data.
One of Facebook’s most notorious data scandals was the now infamous Cambridge Analytica scandal. Cambridge Analytica was a consulting firm that created a seemingly innocuous online quiz, which Facebook then allowed to collect data from both the people who answered it as well as their friends. The result was that Cambridge Analytica was able to collect information on millions of unknowing people without their consent. This data was then notoriously used to target individuals with specific advertising during elections.
How to protect yourself against data breaches and cyber criminals
Although it is an organization’s responsibility to protect and handle the personal data it is trusted with, there are further steps that you can take to minimize the effect of a data breach, should you ever be the victim of one.
Is the website safe?
To minimize your chance of falling victim to a data breach, make sure you only entrust your data to organizations that have a good track record of protecting user information. If a site seems suspicious, or is asking for unnecessary information, don’t trust it. Truly trustworthy sites will only ask for some rudimentary data.
Use different passwords
If you regularly use the same password for multiple accounts, you are putting a huge portion of your online life at risk if that single password is exposed in a data breach. Hackers routinely discover that access to a person’s password from one site will easily give them access to others and in turn provide reams of data.
It is therefore essential to use strong, unique passwords for each platform you use. This way, even if a password is exposed in a data breach, it cannot be used to access any of your other accounts. Using a password manager is the best way to store all your different passwords to ensure that you remember all your different, novel logins.
Do not overshare
If you share your full name, address, geolocation, or other personal information with an organization, that information will be at risk if it ever suffers a data breach. Look for organizations that only collect the data strictly necessary to deliver their services to you. When giving information to an organization, only fill in the required fields and be very cautious about sharing any unnecessary information. This will reduce the overall impact of any future breach on you.
Activate two-factor authentication
If a hacker does retrieve your login information in a breach, two-factor authentication (2FA) can still prevent them from accessing your account. When you use 2FA you are required to provide your username, password, and an additional verification (usually a one-time code generated on your smartphone) to gain access to your account. This helps keep your account safe even in the event of a breach as the hacker will not have access to all these systems.