Although it had long stopped being the powerhouse that it once was, social media site MySpace hit the headlines in 2016 after 360 million user accounts were leaked onto LeakedSource.com and put up for sale on dark web market The Real Deal with an asking price of 6 bitcoin (around $3,000 at the time).
According to the company, lost data included email addresses, passwords and usernames for “a portion of accounts that were created prior to June 11, 2013, on the old Myspace platform. In order to protect our users, we’ve invalidated all user passwords for the affected accounts created prior to June 11, 2013, on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions.”
It’s believed that the passwords were stored as SHA-1 hashes of the first 10 characters of the password converted to lowercase.
13. NetEase
Date: October 2015
Impact: 235 million user accounts
NetEase, a provider of mailbox services through the likes of 163.com and 126.com, reportedly suffered a breach in October 2015 when email addresses and plaintext passwords relating to 235 million accounts were being sold by dark web marketplace vendor DoubleFlag. NetEase has maintained that no data breach occurred and to this day HIBP states: “Whilst there is evidence that the data itself is legitimate (multiple HIBP subscribers confirmed a password they use is in the data), due to the difficulty of emphatically verifying the Chinese breach it has been flagged as ‘unverified.’”
14. Court Ventures (Experian)
Date: October 2013
Impact: 200 million personal records
Experian subsidiary Court Ventures fell victim in 2013 when a Vietnamese man tricked it into giving him access to a database containing 200 million personal records by posing as a private investigator from Singapore. The details of Hieu Minh Ngo’s exploits only came to light following his arrest for selling personal information of US residents (including credit card numbers and Social Security numbers) to cybercriminals across the world, something he had been doing since 2007. In March 2014, he pleaded guilty to multiple charges including identity fraud in the US District Court for the District of New Hampshire. The DoJ stated at the time that Ngo had made a total of $2 million from selling personal data.
15. LinkedIn
Date: June 2012
Impact: 165 million users
Making its second appearance in this list is LinkedIn, this time in reference to a breach it suffered in 2012 when it announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been stolen by attackers and posted onto a Russian hacker forum. However, it wasn’t until 2016 that the full extent of the incident was revealed. The same hacker selling MySpace’s data was found to be offering the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoins (around $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach, and said it had reset the passwords of affected accounts.
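The two storage formats described so far (the truncated, lowercased SHA-1 reported for Myspace and the unsalted SHA-1 reported for LinkedIn) are compared below with a salted PBKDF2 record. This is an added example, not code from either company; the function names, the iteration count and the sample passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def truncated_lower_sha1(password: str) -> str:
    """Scheme reported for old Myspace: unsalted SHA-1 of the first
    10 characters of the lowercased password."""
    return hashlib.sha1(password.lower()[:10].encode("utf-8")).hexdigest()


def unsalted_sha1(password: str) -> str:
    """Unsalted SHA-1 of the whole password (the 2012 LinkedIn format)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def salted_pbkdf2(password: str, salt: Optional[bytes] = None):
    """Hardened form: per-user random salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_pbkdf2(password, salt)[1], expected)


def shared_records(passwords, scheme):
    """Group passwords whose stored value is identical under `scheme`."""
    groups = {}
    for pw in passwords:
        groups.setdefault(scheme(pw), []).append(pw)
    return [g for g in groups.values() if len(g) > 1]


# Constructed sample passwords, not taken from any breach data.
SAMPLE = ["CorrectHorseBattery", "correcthorsestaple", "CORRECTHORse",
          "hunter2", "hunter2"]

if __name__ == "__main__":
    for scheme in (truncated_lower_sha1, unsalted_sha1, salted_pbkdf2):
        print(scheme.__name__, shared_records(SAMPLE, scheme))
```

Under the truncating scheme three different passwords share one stored value, and under plain unsalted SHA-1 every reuse of a password is visible in the table; with a per-user salt no two records match.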
16. Dubsmash
Date: December 2018
Impact: 162 million user accounts
In December 2018, New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen, all of which was then put up for sale on the Dream Market dark web market the following December. The information was being sold as part of a collected dump also including the likes of MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating app CoffeeMeetsBagel.
Dubsmash acknowledged the breach and sale of information had occurred and provided advice around password changing. However, it didn’t state how the attackers got in or confirm how many users were affected.
17. Adobe
Date: October 2013
Impact: 153 million user records
In early October 2013, Adobe reported that hackers had stolen almost three million encrypted customer credit card records and login data for an undetermined number of user accounts. Days later, Adobe increased that estimate to include IDs and encrypted passwords for 38 million “active users.” Security blogger Brian Krebs then reported that a file posted just days earlier “appears to include more than 150 million username and hashed password pairs taken from Adobe.” Weeks of research showed that the hack had also exposed customer names, passwords, and debit and credit card information. An agreement in August 2015 called for Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported to be $1 million.
18. National Public Data
Date: December 2023
Impact: 270 million people
A breach of background checking firm National Public Data exposed the data of hundreds of millions of people through the disclosure of an estimated 2.9 billion records. As a result of the December 2023 hack, stolen data was put up for sale on the dark web by hacking group USDoD in April 2024. Much of the stolen data was leaked and made freely available in a 4TB dump onto a cybercrime forum in July 2024.
The incident, which only became public knowledge after a class action was filed in August 2024, exposed social security numbers, names, mailing addresses, emails, and phone numbers of 270 million people, mostly US citizens. Much of the data, which also includes information pertaining to Canadian and British residents, appears to be outdated or inaccurate but the impact of the exposure of so much personal information is nonetheless severe. An estimated 70 million rows of records cover US criminal records.
The mechanism of the initial breach remains unconfirmed but investigative reporter Brian Krebs reports that up until early August 2024 an NPD property, recordscheck.net, contained the usernames and password for the site’s administrator in a plain text archive.
In a statement, Jericho Pictures (which trades as National Public Data) advised people to closely monitor their financial accounts for unauthorised activity. National Public Data said it was working with law enforcement and governmental investigators, adding that it is reviewing potentially affected records to understand the scope of the breach. It will “try to notify” affected parties if there are “further significant developments”.
Experts advise consumers to consider freezing credit with the three major bureaus (Equifax, Experian, and TransUnion) and using identity theft protection services as potential precautions.
19. Equifax
Date: 2017
Impact: 159 million records
Credit reference agency Equifax suffered a data breach in 2017 that affected 147 million US citizens and 15 million Britons. Names, social security numbers, birth dates, addresses as well as driver’s licenses of more than 10 million were exposed after attackers took advantage of a web security vulnerability to break into Equifax’s systems. The breach also exposed the credit card data of a smaller group of 209,000 people.
Attackers broke into Equifax’s systems between May and July 2017 by taking advantage of an unpatched Apache Struts vulnerability to hack into the credit reference agency’s dispute resolution portal. Patches for the exploited vulnerability had been available since March 2017, months before the attack. Struts is a popular framework for creating Java-based web applications.
Cybercriminals moved laterally through their ingress points before stealing credentials that allowed them to query its databases, systematically siphoning off stolen data. US authorities charged four named members of the Chinese military with masterminding the hack. Chinese authorities have denied any involvement in the attack.
Equifax faced numerous lawsuits and government investigations in the wake of the breach. The credit reference agency was left an estimated $1.7 billion out of pocket because of the breach without taking into account the effect on its stock price. Equifax spent an estimated $337 million on improving its technology and data security, legal and computer forensic fees and other direct costs alone.
20. eBay
Date: 2014
Impact: 145 million records
A breach on online marketplace eBay between late February and early March 2014 exposed sensitive personal information of an estimated 145 million user accounts. Cybercriminals gained access to eBay’s systems after compromising a small number of employee login credentials.
The hack allowed miscreants access to sensitive information including encrypted passwords, email addresses, mailing addresses, phone numbers and dates of birth. Financial information, including data on PayPal accounts, was stored on a separate system and therefore not affected by the breach. In response to the incident, eBay applied a forced reset to user passwords.