Privacy Canada is community-supported. We may earn a commission when make a purchase through one of our links. Learn more.

List of the biggest data breaches since 1990


Ludovic Rembert —

Last Updated on

Finding privacy on the internet can be hard to do. Websites, companies, and advertisers are all desperate for data and using every tactic possible to monetize your online activity. Even when you think you’ve found a trustworthy enterprise, your private information is only as safe as that organization’s hardware and software is secure.

Data breaches have become a recurring topic in news headlines. It feels like every week a new company or social network is declaring that a major database has been exposed to cybercriminals.

In this article, we’ll recap the ten largest data breaches that have occurred since the internet’s coming-of-age in 1990. These events are ranked according to the number of accounts hacked.

1. Yahoo (2013)

yahoohack

Yahoo was one of the dominating forces at the dawn of the internet age, offering users a one-stop shop for email, news, and a solid search engine. Although Google quickly surpassed Yahoo in popularity, the company retained a large userbase thanks to its diverse set of features and products.

But security issues have tarnished Yahoo’s reputation forever, with the company appearing twice on this list of largest data breaches. A specific incident which occurred in August 2013 included all three billion of the accounts that Yahoo had living on its servers at the time.

Hackers managed to steal basic user information, including names, email addresses, phone numbers, and birthdays. Password data was also included in the breach, but it was secured with a hashing algorithm which provides a certain level of protection. Still, given that security standards have improved since 2013, there is a chance hackers were able to decode that data (You might want to change that 10-year old Yahoo mail password you’ve had).

Adding to the risk, Yahoo’s 2013 data breach included security question and answer information, some of which was unencrypted. This means that hackers may have been able to compromise entire accounts and accessed even more private information.

2. Marriott

Marriott data breach

As the largest hotel chain on the planet, Marriott relies on a huge infrastructure of technologies and systems to manage every step of their booking and billing process. In a 2018 public statement, the company admitted that they had been suffering an ongoing data breach since 2014.

During that time period, hackers had maintained unauthorized access to the Starwood database, which contains guest reservation data for a large segment of their brands. Marriott believes that the infiltrators were able to compromise 500 million customer records and copy that data to an outside system.

For customers who made a reservation for a Starwood property between 2014 and 2018, there is a chance that the breach included their name, email address, mailing address, phone number, and passport number. Credit card data was also likely included in the breach, although that information would have been encrypted and hard to decode.

Keep in mind that whenever you are using a web browser to perform a financial transaction or purchase, including hotel bookings, you should consider connecting to a virtual private network (VPN) service first. A good VPN will create a secure tunnel between your local network and the open internet, thereby reducing the risk that a hacker can intercept your web traffic and steal sensitive information. Take a quick look at our review for NordVPN or Surfshark to see the advantages.

3. Yahoo (2014)

data hack vectorA separate Yahoo data breach in 2014 was actually believed to be the largest in internet history until details of the 2013 incident were uncovered. In 2014, the company had systems infiltrated and 500 million user accounts exposed. Information stolen included names, email addresses, phone numbers, and security questions.

Security engineers within Yahoo believe that the 2014 data breach was executed by a foreign government looking to obtain personal information about users from across the globe. The incident was uncovered when Yahoo user data began to show up on dark web marketplaces where hackers exchange stolen information.

The two major data breaches not only dealt a major blow to Yahoo’s reputation, but it also complicated the company’s sale to Verizon.

4. AdultFriendFinder

The dating website AdultFriendFinder experienced a massive data breach in 2016 that exposed private data for 412 million user accounts. Site owners believe that hackers were able to retrieve information from two decades worth of activity.

adultfriendfinder management notice

AdultFriendFinder uses a standard SQL database architecture that hackers compromised, likely through a SQL injection attack. This would have provided them with read access to all database tables, where they could extract information like usernames, email addresses, and IP addresses.

AdultFriendFinder admitted that the stolen data included passwords that had been stored with the SHA-1 encryption hash method, which has been found to have vulnerabilities in recent years. That means there is a risk that the hackers would have been able to decode the passwords and use them on AdultFriendFinder or other sites where the user shared the same password.

To help improve your online security, consider investing in a password manager. These tools let you keep easy access to all of the passwords that you use online, and at the same time, they make it efficient to use randomized credentials for each site.

5. MySpace

Before Facebook and Twitter were on the scene, MySpace was the dominant social network in the early days of the world wide web. The platform allowed users to create their own custom homepage and connect with friends. MySpace was also a popular space for exploring music and bands.

The site suffered a major data breach between 2012 and 2013, although the incident was not uncovered until several years later. 360 million user accounts were believed be exposed, which included usernames, email addresses, and passwords with poor encryption. The company believes that a single hacker was responsible for the attack and later published some of the information in a dark web forum.

As an immediate security step, MySpace disabled any stored password that could have been included in the breach. Also, the company performed a platform upgrade in 2013 to defend against future attacks of this type.

6. Under Armour

myftpalbrch

Under Armour is primarily known as a clothing company that specializes in athletic apparel and shoes. However, the company also owns a digital platform known as MyFitnessPal that helps users track their exercise and dieting progress from web or mobile apps.

MyFitnessPal suffered a data breach in February of 2018 that affected 150 million users who were registered on the service. Hackers were able to pull usernames, email addresses, and hashed passwords from the MyFitnessPal database, although no credit card or financial information linked to Under Armour accounts was exposed.

Under Armour took quick steps to respond to the incident, instructing all affected users on the MyFitnessPal platform to change their password immediately. Even still, the Under Armour stock suffered a major loss as a result of the data breach.

7. Equifax

equifax data breach

Data breaches of any kind are concerning, but when a social network or entertainment website gets hacked, typically the only information at stake is your username and email address. Modern password cryptography makes it difficult for hackers to do any sort of decoding in databases.

But when a finance-related company gets hacked, customers need to be especially alarmed. Such was the case in the 2017 data breach of Equifax, which is one of the largest credit report companies in America. 145.5 million customer accounts were exposed in the cyberattack.

Equifax admitted that hackers had unauthorized database access to their systems for a period of about three months. During that time, they were able to steal names, birthdates, social security numbers, and drivers license numbers. This created an immediate risk of identity theft for any individuals who had their data exposed.

Equifax is being held liable for the incident and sent notifications to people in the mail if they were included in the data breach.

8. eBay

ebay data breach

Early internet users will remember how eBay brought about a marketplace where people could exchange almost anything online. The platform began as an auction website for users to bid on items, and now today its grown into a full global retail operation.

But in 2014, eBay suffered a devastating data breach that affected 145 million of its customers. Hackers were able to infiltrate one of the site’s primary databases that housed basic customer information like usernames and passwords.

In the immediate aftermath of the event, eBay did not find any evidence that cybercriminals used the exposed credentials to manipulate existing accounts. Also, no payment or credit card information was included in the breach.

The eBay incident came about as a result of simple social engineering. The hackers tricked a small set of eBay employees into providing their system credentials, which gave them full access to the company’s corporate network.

9. Target

For the last decade, Target has emerged as one of the leading retailers in America while adding a robust grocery and delivery service to its business. A major data breach in 2013, however, put a dent in Target’s reputation as 110 million customers had their credit card information at risk of being stolen.

In most data breaches, hackers seek to attack a database that contains customer information. But during the Target incident, the attackers actually infiltrated the company’s point of sale (POS) system and deployed malware onto the platform. As a result, when customers swiped credit cards at Target stores for a two-week period in 2013, their information was intercepted and sent directly to the hackers.

Target was held liable for the data breach and was ordered to pay $18.5 million in a settlement case. The incident is part of the reason why stores pushed for new chip technology to be added to credit cards, as this adds another layer of security to POS systems.

10. LinkedIn

analysis target data breach

Individuals around the world rely on the LinkedIn platform as their social network of choice for career activities. The site has expanded in recent years and is now one of the first places people go when they are looking to apply for a new job or connect with colleagues in their industry.

LinkedIn suffered a data breach in 2012 that, at the time, was believed to have involved 6.5 million encrypted passwords from one of their backend servers. However, information was later discovered to prove that actually 100 million customers had their data exposed as part of the breach.

It is believed that the attack was carried out by one notorious hacker who is responsible for some of the other breaches on this list. LinkedIn required all affected users to update their password, as the information that was stolen used some flawed encryption methods.

The Scary Bottom Line

By the time you add up all the numbers of hacked accounts on this top ten list, it would appear as if anyone who’s gone online has been hacked to some extent at one point in the past. Since it’s obvious the companies can’t be relied upon to protect your data, maybe it’s time to get serious about protecting it yourself.

There are always risks when downloading or even simply surfing the web. If a major company that has hundreds of millions of dollars invested in security has been hacked, then how vulnerable do you think is the average joe?

Do your due diligence. If you don’t have a VPN, get one right now. Getting the best free VPN may even work temporarily. If you’re not encrypting your passwords, get a password manager now (change your passwords into something more complex too, please. For the record, “ilovemywife1093does not count as a secure password).

If you also don’t have a home security system, it is also recommended that you get one as hackers infiltrate not only through online attacks, but also by obtaining online activity by physically being near the vicinity of a WiFi network (That means your home) and sniffing the data packets wirelessly transmitted from the device to the router.

These are small steps that can save you years of pain, so take action while you still can.