You may remember the 2013 Target Stores data breach that put the credit-card numbers and personal information of millions of people into the hands of cybercriminals. Or you may have been asked to change your Yahoo password in 2016. Both were the results of huge data breaches — yet neither breach was the worst in history.
Here are the 10 biggest and worst verified data breaches that we know of — so far. (We're not including those that haven't been confirmed, such as the Vkontakte breach reported in 2016; had an unknown number of victims, such as the 2014 eBay breach; or didn't involve sensitive data, such as the 2014 JPMorgan Chase breach that exposed only contact information.)
1 billion user accounts compromised
In a truly remarkable turn of events, Yahoo in 2016 not only claimed the crown of Biggest Data Breach Ever with the September disclosure of a 2014 breach that affected 500 million users, but came back in December to disclose a breach from 2013 that compromised a whopping 1 billion user accounts. That's one for every seven or eight people on Earth.
The unidentified 2013 hackers, said to be unconnected to those behind the 2014 break-in, got the whole shebang: names, dates of birth, email addresses, security questions and answers and weakly protected passwords. (The passwords in the 2014 breach had better protection.)
You may be wondering why Yahoo took two or three years to discover these breaches. We wish we had an answer to that question.
500 million accounts compromised
The massive Yahoo breach revealed in late September 2016 not only capped a summer of huge data-breach disclosures, but was the biggest data breach on record until another Yahoo breach doubled it. Yahoo, in the middle of selling itself to Verizon, said "a state-sponsored actor" instead of a regular cybercriminal was likely behind the theft, said to have occurred in late 2014.
Compromised information included real names, email addresses, dates of birth and telephone numbers, all helpful to spammers and identity thieves. The good news is that the "vast majority" of the passwords were hashed (run through an irreversible mathematical algorithm) using the deliberately slow bcrypt method, which has so far resisted large-scale cracking.
412 million accounts compromised
Casual-hookup and adult-content websites are perfectly legal in most Western nations, but that doesn't make data breaches involving them any less embarrassing. The FriendFinder network, comprising Adult Friend Finder, Penthouse.com, Cams.com, iCams.com and Stripshow.com, was breached sometime in mid-October 2016, and details of the user databases immediately began leaking out on cybercrime forums.
To add insult to injury, most of the passwords were protected by the weak SHA-1 hashing algorithm, with the result that 99 percent of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on Nov. 14. As with the breach of the "Have an Affair" Ashley Madison dating service in 2015, a lot of people likely had some explaining to do.
360 million accounts compromised
MySpace dominated social media a decade ago, and it was kind of a chaotic mess. Users quickly found they could hack their own pages to embed any kind of content. Rather than fixing the flaw, MySpace's administrators embraced it, resulting in thousands of loud, ugly personal pages.
So it shouldn't be too surprising that stolen MySpace credentials turned up in the great data-breach wave of 2016, during which a Russian hacker calling himself "Peace" tried to sell off the contents of several old (and hence no longer valuable) data breaches.
What was surprising was the size of the MySpace breach: 360 million account records, including email addresses, usernames and weakly hashed passwords. A list of the most popular passwords in the MySpace breach included references to Michael Jordan and Blink-182, indicating the breach occurred in the mid-2000s.
165 million accounts compromised
The world's top business-networking website disclosed its 2012 data breach soon after it happened, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: A whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not "salted" with random per-user data to make them harder to crack.
That revelation prompted other services to comb the LinkedIn data and force their own users to change any passwords that matched. (Kudos to Netflix for taking the lead on this one.) Left unanswered is why LinkedIn did not further investigate the original breach, or inform the more than 100 million affected users, in the intervening four years.
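The LinkedIn and FriendFinder entries above turn on the same point: a fast, unsalted hash (SHA-1 in both cases) lets one precomputed table of common passwords be checked against every account in a dump with a dictionary lookup, and it exposes which users share a password, while a per-user salt plus a deliberately slow hash (bcrypt in Yahoo's case) defeats both. The script below is an added illustration, not code from the article or from any of the companies named; it uses PBKDF2 from Python's standard library as a stand-in for bcrypt, and the user table and word list are constructed for the demo.

```python
import hashlib
import hmac
import os

# Constructed sample user table; two users share a password, which is typical in real dumps.
USERS = {"alice": "sunshine", "bob": "sunshine", "carol": "blink182"}

# Constructed stand-in for the word lists run against the LinkedIn and FriendFinder dumps.
WORDLIST = ["password", "123456", "sunshine", "letmein"]

# Work factor for the slow hash; the same idea as bcrypt's cost parameter.
PBKDF2_ITERATIONS = 100_000


def sha1_unsalted(password: str) -> str:
    """Storage as LinkedIn did it in 2012: one fast hash, no per-user salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_slow_hash(password: str, salt=None) -> str:
    """Random per-user salt plus a deliberately slow KDF (PBKDF2 standing in for bcrypt)."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    recomputed = salted_slow_hash(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(recomputed, stored)


def store(users: dict, hasher) -> dict:
    """Build the {username: stored_hash} table a site would keep."""
    return {user: hasher(pw) for user, pw in users.items()}


def precomputed_table(wordlist) -> dict:
    """Without salt, a table computed once applies to every user and every breach."""
    return {sha1_unsalted(w): w for w in wordlist}


def table_hits(stored_hashes: dict, table: dict) -> dict:
    """Accounts whose stored hash appears in the precomputed table: one lookup each."""
    return {u: table[h] for u, h in stored_hashes.items() if h in table}


def shared_hash_groups(stored_hashes: dict) -> list:
    """Users whose stored hashes are identical; only unsalted storage leaks this."""
    groups = {}
    for user, h in stored_hashes.items():
        groups.setdefault(h, []).append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


if __name__ == "__main__":
    weak = store(USERS, sha1_unsalted)
    print("unsalted SHA-1 table hits:", table_hits(weak, precomputed_table(WORDLIST)))
    print("users sharing a hash:     ", shared_hash_groups(weak))

    strong = store(USERS, salted_slow_hash)
    print("salted+slow table hits:   ", table_hits(strong, precomputed_table(WORDLIST)))
    print("users sharing a hash:     ", shared_hash_groups(strong))
    print("login check still works:  ", verify_salted("sunshine", strong["alice"]))
```

Run it and the unsalted table lists alice and bob from a single four-entry lookup table, and shows that the two share a hash; against the salted, slow store the same table matches nothing and the two identical passwords produce different strings, so every guess has to be recomputed per user at the full work factor. That per-user cost, multiplied by 117 million accounts, is the difference the article is pointing at between LinkedIn's storage and Yahoo's.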
130 million records compromised
In early 2009, Heartland Payment Systems, a Princeton, New Jersey-based payment processor, announced the largest data breach ever to affect an American company. Heartland's breach exposed information from approximately 130 million credit and debit cards to cybercriminals.
Malware planted on Heartland's network recorded card data as it arrived from retailers. Because the company processed payments for more than 250,000 businesses across the country, the impact was huge.
In 2010, Albert Gonzalez, the convicted mastermind behind the Heartland breach (as well as another huge breach), was sentenced to 20 years in prison — the longest sentence ever handed down for computer crime in a U.S. court.
110 million records compromised
In December 2013, retail giant Target confirmed that hackers had infected the company's payment-card readers, making off with approximately 40 million credit and debit card numbers that had been used at Target stores in the United States during the 2013 post-Thanksgiving shopping surge.
In January 2014, Target announced that the contact information — full names, addresses, email addresses and telephone numbers — of 70 million customers had also been compromised. Some of those customers probably also had credit-card data compromised in the earlier breach, but it's possible that as many as 110 million people were affected by the Target breaches.