Top 23 Biggest Data Breaches in US History

It is crucial to recognize that every company, regardless of its size, is susceptible to a data breach or cyber attack. Hackers and cybercriminals constantly devise new methods to pilfer sensitive information or personal data, which they can exploit for financial gain through sale or ransom.

A recent report released by the Identity Theft Resource Center (ITRC) reveals a staggering 1862 data breaches in the United States in 2021, surpassing the previous record of 1506 breaches set in 2017. This represents a significant 68% increase compared to the 1108 breaches recorded in 2020. Sectors such as healthcare, finance, business, and retail are frequently targeted, impacting millions of Americans annually.

Experts in the field of cybersecurity predict that this number will continue to rise beyond 2023. To provide you with a comprehensive understanding of the current landscape of data breaches, here are the most significant data breaches in the history of the United States.

Top 23 Biggest Data Breaches in US History

The exposure of sensitive data can occur when a data breach takes place, resulting in the theft and sale of such information on the dark web or to unauthorized third parties. Below, we present a compilation of the most significant data breaches in history, which have resulted in the compromise of millions of user records.

1. Yahoo!

Date: 2013-2016

Impact: Over 3 billion user accounts exposed

The cyberattack on Yahoo stands out as one of the most notorious and severe data breaches, with a record-breaking number of individuals impacted. Commencing in 2013, the initial breach was followed by numerous subsequent attacks over the course of three years.

Using backdoors, stolen backups, and access cookies, a group of Russian hackers targeted Yahoo’s database to steal personal records from all user accounts, including sensitive personally identifiable information (PII):

  • Names
  • Email addresses
  • Phone numbers
  • Birth dates
  • Passwords
  • Calendars
  • Security questions

In the beginning, Yahoo disclosed that data from approximately 1 billion accounts had been stolen. Nevertheless, following Verizon’s acquisition of Yahoo in 2017, it was revealed that the actual number of affected records amounted to around 3 billion accounts. Yahoo’s response to the breach was not only sluggish, but the company also neglected to inform users about a 2014 incident, leading to a $35 million penalty and a total of 41 class-action lawsuits.

2. Microsoft

Date: January 2021

Impact: 30,000 US companies (60,000 companies worldwide)

Over 30,000 US businesses fell victim to a massive cyberattack, marking one of the largest in the country’s history. The target of this attack was the Microsoft Exchange email servers, which are among the largest in the world. Exploiting four distinct zero-day vulnerabilities, the hackers successfully gained unauthorized access to emails ranging from small businesses to local governments.

For three months, the hackers capitalized on a handful of coding errors, enabling them to seize control of susceptible systems. They needed only two conditions to breach the email servers of each targeted company:

  1. Connection to the Internet
  2. On-premises, locally managed systems

Once inside the system, unauthorized individuals had the ability to request access to sensitive data, deploy harmful software, utilize hidden entry points to infiltrate other systems, and ultimately gain control over the servers. Due to the fact that these requests appeared to originate from the Exchange servers themselves, many individuals mistakenly believed them to be legitimate and granted approval.

Although Microsoft was able to address the vulnerabilities through patches, if the owners of the individual servers failed to update their systems, attackers could exploit the system flaw once again. Since the systems were not hosted on the cloud, Microsoft was unable to immediately distribute a patch to resolve the issues.

In July 2021, the Biden administration, in collaboration with the FBI, attributed the data breach to China. Microsoft also followed suit and identified a Chinese state-sponsored hacker group named Hafnium as the responsible party behind the attack.

3. First American Financial Corp.

Date: May 2019

Impact: 885 million file records leaked

In 2019, First American Financial Corp. experienced a significant data leak as a consequence of inadequate data security measures and flawed website design. Despite being categorized as a data leak rather than a breach, as there was no hacking involved, this incident highlights the alarming ease with which sensitive information can end up in the wrong hands.

The data leak occurred due to a website design flaw known as Insecure Direct Object Reference (IDOR), which allowed unrestricted access to private information without the need for verification or authentication procedures. Consequently, anyone possessing a link to the documents could freely view them. Moreover, because First American organized their records in a sequential manner, users could simply modify the number in the URL to access other customer records.
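The flaw described above, next to the server-side check that closes it and a simple log check for sequential-ID enumeration. This is an added example, not First American's code; the record store, user names, client addresses and function names are all constructed for illustration.

```python
class AccessDenied(Exception):
    """Raised for both 'no such record' and 'not your record'."""


# Constructed records keyed by sequential number, as in the incident described.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "wire transfer receipt (constructed)"},
    1002: {"owner": "bob", "body": "mortgage statement (constructed)"},
}


def get_document_vulnerable(doc_id):
    """IDOR: the number taken from the URL is the only thing checked."""
    return DOCUMENTS[doc_id]["body"]


def get_document_hardened(session_user, doc_id):
    """Authorize every lookup against the authenticated session user."""
    doc = DOCUMENTS.get(doc_id)
    # One error for missing and foreign records, so a response never
    # confirms which record numbers exist.
    if session_user is None or doc is None or doc["owner"] != session_user:
        raise AccessDenied("document not available")
    return doc["body"]


def longest_sequential_run(ids):
    """Length of the longest run of consecutive integers among the ids."""
    ordered = sorted(set(ids))
    best = run = 1 if ordered else 0
    for prev, cur in zip(ordered, ordered[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(requests, threshold=5):
    """Return clients whose requested record numbers form a long consecutive run.

    requests: iterable of (client, doc_id) pairs parsed from access logs.
    The threshold is an assumption to tune against normal traffic.
    """
    by_client = {}
    for client, doc_id in requests:
        by_client.setdefault(client, []).append(doc_id)
    return sorted(
        client for client, ids in by_client.items()
        if longest_sequential_run(ids) >= threshold
    )


# Constructed access-log sample: one client walks six consecutive record
# numbers, another fetches three unrelated ones.
SAMPLE_REQUESTS = [("203.0.113.7", n) for n in range(1001, 1007)] + [
    ("198.51.100.4", 1001),
    ("198.51.100.4", 1500),
    ("198.51.100.4", 2200),
]

if __name__ == "__main__":
    print(get_document_vulnerable(1002))   # returned with no session at all
    print(flag_enumeration(SAMPLE_REQUESTS))
```

The authorization check is the fix; non-sequential identifiers and enumeration alerts only reduce exposure and shorten detection time.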

Approximately 885 million files were exposed, including:

  • Bank account numbers
  • Bank statements
  • Mortgage payments documents
  • Wire transfer receipts with social security numbers
  • Drivers’ licenses

Thankfully, there was no compromise or exploitation of any data. As a result of First American’s disregard for red flags in 2018 and other administrative mistakes, they were ultimately penalized approximately $500,000 by the Securities and Exchange Commission (SEC) for violating cybersecurity laws.

4. Facebook

Date: April 2021

Impact: 530 million users exposed

Despite being one of the largest companies globally, Facebook has been plagued by data leaks and controversies. Since its initial public offering in 2012, the social media giant has consistently grappled with security breaches involving user data.

One of the most significant data breaches occurred in April 2021, when Facebook exposed the personal information of over 530 million individuals. This breach divulged names, phone numbers, account names, and passwords to the public. Facebook attributed the issue to hackers exploiting a vulnerability in the platform’s contact synchronization tool, allowing them to scrape user profiles for customer data.

Although Facebook claimed that no data had been compromised or misused, it remains impossible to verify this assertion due to the brief period during which the information was publicly accessible. This situation creates an opportunity for hackers or scammers to exploit unsuspecting users using only their names, phone numbers, and emails.

Since 2013, Facebook has encountered numerous significant data breaches, encompassing:

In March 2019, it was revealed that Facebook employees had the ability to access more than 600 million user accounts, with both Facebook and Instagram account IDs and passwords being stored in plaintext files. Despite Facebook’s assurance that no sensitive information was compromised, this incident added to the growing list of security concerns.

Moving forward to April 2019, the Cyber Risk team at UpGuard made a startling discovery of 540 million unsecured Facebook user data records on publicly accessible Amazon S3 cloud servers. The responsibility for this breach fell on a third-party app developer and a Mexican media company called Cultura Colectiva, as they failed to protect their entire dataset with a password, allowing anyone to freely access and download the information.

Although Facebook was not directly at fault for this particular incident, it drew attention to the way the social network managed third-party access to its database. In response to a series of previous data leaks, Facebook finally implemented stricter regulations on third-party developers.

Just a few months later, additional exposed records were uncovered on a foreign server located on the dark web. Further investigation revealed that a hacker group in Vietnam potentially exploited Facebook’s API and scraped the site for user IDs, names, and phone numbers. This breach impacted over 300 million users.

Facebook / Cambridge Analytica

Date: April 2018

Impact: 50-90 million users exposed

In one of the most notable cases in recent memory, a British consulting firm called Cambridge Analytica stole and sold data from 50-90 million user accounts on Facebook in 2018. This breach occurred when Cambridge Analytica’s security researcher, Aleksandr Kogan, exploited a loophole in Facebook’s API, allowing him to gather data from individuals who downloaded a third-party quiz app and their entire network of friends.

Despite violating Facebook’s terms and conditions, Cambridge Analytica continued to illegally sell the data due to a lack of rule enforcement. It was later revealed that Facebook had been aware of this issue since 2015 but failed to take action until Christopher Wylie, an employee of Cambridge Analytica, exposed the situation.

The situation reached its climax when the Federal Trade Commission (FTC) imposed a historic $5 billion fine on Facebook for its continuous disregard for data security and inadequate data protection practices. As part of the settlement, the FTC required a complete restructuring of Facebook’s management to enhance privacy compliance oversight. Additionally, the FTC filed a lawsuit against Cambridge Analytica, resulting in the resignation of CEO Alexander Nix.

5. LinkedIn

Date: April 2021

Impact: Over 700 million user records

In 2021, the number of users on LinkedIn reached approximately 750 million. However, hackers managed to disclose the user identities of around 700 million individuals, which accounts for over 93% of the total user base. This breach occurred as a result of conducting a data scrape on the LinkedIn website. It is important to note that while a significant portion of the information was already publicly accessible, the act of performing a data scrape through the exploitation of LinkedIn’s API was a violation of the platform’s terms of service.

The scraped data included:

  • Full names
  • Phone numbers
  • Email addresses (not publicly available)
  • Usernames
  • Geolocation records
  • Genders
  • Details of linked social media accounts

Any breach that results in the exposure of email addresses can pose a risk of ransomware or phishing attacks. Even though the data was publicly accessible, it has raised concerns regarding information security and the potential utilization of that information by third parties to compile open-source intelligence (OSINT) databases.

Furthermore, this situation presents an opportunity for malicious individuals to target prominent individuals or executives within companies. As an illustration, smaller hackers swiftly attempted to exploit this incident. In fact, a user even offered to sell a fresh batch of LinkedIn data on a public forum in exchange for $7000 worth of Bitcoin.

6. JPMorgan Chase

Date: June 2014

Impact: 76 million households & 7 million small businesses

In September 2014, JPMorgan Chase, one of the largest banks in the United States, made public that cyberattacks had compromised the accounts of more than 76 million households and 7 million small businesses. Initially, it was believed that only 1 million accounts had been affected, but subsequent investigations revealed that the extent of the attack was far worse, lasting for an entire month from June to July.

Fortunately, JPMorgan Chase customers did not experience any financial fraud as a result of the data breach. The breach was limited to the exposure of names, emails, and phone numbers. However, further investigations uncovered that the hackers had also gained access to JPMorgan servers by exploiting the identity of a bank employee. Gigabytes of sensitive data were stolen, and the FBI later attributed the attack to Russian hackers. In response to this incident, JPMorgan executives made a commitment to allocate $250 million annually to enhance the security of their data.

7. Home Depot

Date: April 2014

Impact: 56 million payment card numbers & 53 million email addresses

In 2014, a group of hackers successfully stole more than 56 million payment card records from Home Depot by utilizing specially designed malicious software. This cyber attack persisted for a period of five months before it was eventually detected and eradicated from the networks of the renowned home improvement store. Unfortunately, the attack had already impacted a vast number of customers across the United States and Canada.

Upon thorough investigation, cybersecurity experts determined that the cybercriminals likely gained unauthorized access to the servers through a third-party supplier. Once they infiltrated the networks, the hackers managed to implant malware into the point-of-sale (POS) systems. This allowed them to gather payment card information and transmit it to a separate server.

This incident shed light on the insufficient investment many large retailers make in cybersecurity measures to safeguard sensitive data. Despite significant enhancements to its payment system protection by 2020, Home Depot still incurred approximately $180 million in losses. These losses primarily consisted of payments made to credit card companies and banks, settlements reached in court, and compensations provided to affected customers.

8. MySpace

Date: June 2013

Impact: Over 360 million accounts

MySpace, although no longer the prominent social networking site it once was, continues to draw in millions of visitors to its primarily music and band promotion platform. In 2016, it was revealed that a hacker had gained access to 360 million user logins, names, and dates of birth, and subsequently offered them for sale on the dark web, marking one of the largest data breaches in history.

Prior to 2013, MySpace used an unsalted hash algorithm to protect user passwords. The fixed length of the older SHA-1 algorithm made it susceptible to easy cracking. Newer password storage schemes, however, use a salted hash, which adds a random string of characters to each password before it is hashed.

Fortunately, MySpace has confirmed that all of the compromised data originated from before 2013 when the company implemented enhanced security measures. They were able to render all stolen passwords invalid and promptly inform the affected users about the breach.

9. FriendFinder Networks

Date: November 2016

Impact: 412 million accounts

In 2016, FriendFinder Networks, a renowned adult entertainment company, encountered a significant data breach. During this breach, six of its primary databases, including its prominent subsidiaries AdultFriendFinder and Penthouse, were hacked. The breach resulted in the theft of over 20 years’ worth of data, comprising approximately 412 million accounts. Shockingly, even 15 million deleted accounts that were supposed to be removed from the databases were compromised. The breach exposed highly sensitive information, posing a severe threat to the privacy and security of the affected individuals.

  • Usernames and passwords
  • Email addresses (including government and military)
  • User activity and transactions
  • Membership details
  • IP addresses
  • Browser information

LeakedSource has reported that FriendFinder Networks utilized the unsalted hash algorithm SHA-1 to secure their passwords, and stored user data in plaintext files. Additionally, a white-hat hacker named Revolver exposed a vulnerability known as Local File Inclusion (LFI) that affected photos shared on social media. This posed a significant security concern for the adult entertainment company, especially considering that it had already experienced a major hack in May 2015, compromising 3.5 million users. Despite these data breaches, AdultFriendFinder continues to attract a staggering number of visitors, with over 50 million per month worldwide.
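Why unsalted SHA-1, as described for both MySpace and FriendFinder Networks above, fails at scale, and how a legacy table can be migrated on login. This is an added example, not code from either company; PBKDF2-HMAC-SHA256, the iteration count, the record format and the sample accounts are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets

# Assumed work factor for PBKDF2-HMAC-SHA256; tune it to your own hardware.
ITERATIONS = 600_000


def legacy_sha1(password):
    """Unsalted SHA-1: the same password always yields the same digest."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Per-user random salt plus a deliberately slow key-derivation function."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_digest_groups(table):
    """Group accounts by stored value; any group larger than one shares a password.

    With unsalted hashes, recovering one password in a group recovers them all,
    and a single precomputed lookup table applies to every account in the dump.
    """
    groups = {}
    for user, digest in table.items():
        groups.setdefault(digest, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


def upgrade_on_login(password, legacy_digest):
    """Migration step: check the legacy digest once, then return a salted record.

    Returns None when the password does not match. The caller stores the new
    record and deletes the legacy digest.
    """
    if not hmac.compare_digest(legacy_sha1(password), legacy_digest):
        return None
    return hash_password(password)


# Constructed sample table: two accounts happen to use the same password.
LEGACY_TABLE = {
    "user_a": legacy_sha1("Summer2013!"),
    "user_b": legacy_sha1("Summer2013!"),
    "user_c": legacy_sha1("correct horse"),
}

if __name__ == "__main__":
    print(shared_digest_groups(LEGACY_TABLE))  # password reuse visible in the dump
    salted = {u: hash_password("Summer2013!", iterations=1000) for u in ("user_a", "user_b")}
    print(shared_digest_groups(salted))        # salts hide the reuse
```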

10. Marriott International

Date: September 2018

Impact: 500 million guests

Marriott International issued a statement on November 19, 2018, acknowledging a breach in their Starwood reservation database by an unidentified third party. This database contained reservations made at renowned hotel chains such as Westin, Sheraton, Four Points, St. Regis, and W Hotels, all falling under the Marriott umbrella.

After conducting a thorough investigation, Marriott’s team discovered that guest data had been illicitly accessed, copied, encrypted, and duplicated, dating back to 2014. The impact of this breach was extensive, affecting approximately 500 million guests. Among these, the hackers managed to pilfer information from around 327 million guests, compromising their personal details.

  • Names
  • Home addresses
  • Email addresses
  • Phone numbers
  • Passport numbers
  • Starwood Preferred Guest (SPG) account information
  • Date of birth
  • Genders
  • Reservation details
  • Credit card information

For the remaining guests, the stolen information was limited to names, addresses, and emails. This incident drew attention to the inadequate data protection measures in the hospitality sector. When Marriott purchased Starwood in 2016, they neglected to update the outdated reservation system, making it susceptible to malware and data breaches. Numerous cybersecurity specialists speculate that the Chinese government orchestrated this attack in order to obtain valuable data. As a consequence of their failure to meet cybersecurity requirements, Marriott was fined nearly $24 million by the UK Information Commissioner’s Office (ICO) in 2019.

11. Adobe

Date: October 2013

Impact: 38 million credit card numbers

Adobe suffered one of the most significant data breaches of the 21st century. Approximately 38 million accounts had their sensitive payment card information exposed on the dark web. Initially, it was believed that only 3 million accounts were affected, but Brad Arkin, Adobe’s director of security, later revealed that the actual number was significantly higher. The attackers gained unauthorized access to several types of information:

  • Adobe user IDs and passwords
  • Full names
  • Credit/debit card information
  • Product source codes (Acrobat, ColdFusion, ColdFusion Builder)

Adobe faced a significant challenge in transitioning from a traditional desktop license model to becoming a cloud-based SaaS company. This shift exposed them to vulnerabilities in their IT security, spanning from their servers to the overall infrastructure. Furthermore, Adobe’s data protection practices were deemed inadequate as they utilized a single password encryption key for all 38 million impacted users. As a result, Adobe reached a settlement of only $1 million in 2016 to resolve a lawsuit filed by 15 states.

12. eBay

Date: March 2014

Impact: 145 million users

In 2014, eBay, a renowned global retailer and auction site, experienced a significant data breach that resulted in the theft of passwords belonging to 145 million users. The hackers gained entry into the primary network by acquiring the login credentials of only a handful of eBay employees. Fortunately, the financial data was stored on a separate server, which limited the other data exposed in the attack to:

  • Full names
  • Home addresses
  • Email addresses
  • Phone numbers
  • Date of birth

eBay promptly initiated the process of informing their customers to modify their passwords as a precautionary measure against any potential harm. While no instances of financial fraud were reported, it is crucial to acknowledge that a significant number of individuals tend to reuse their passwords, increasing the probability of other services being compromised.

13. Equifax

Date: September 2017

Impact: 148 million Americans (163 million worldwide)

Equifax, one of the three major credit reporting agencies in the US (TransUnion, Experian, Equifax), disclosed a significant data breach in 2017. The breach affected the personal information of 148 million American citizens. Given its responsibility for handling highly sensitive data, Equifax faced severe criticism for its negligence and inadequate security measures:

  • The initial breach occurred when attackers exploited a known vulnerability in Apache Struts, a third-party web framework running on the backend. Despite patching the vulnerability, Equifax neglected to update its internal servers, enabling the intruders to remain active for a period of 76 days.
  • Once the hackers gained access to the system, they were able to move easily between servers due to Equifax’s lack of proper network security and segmentation.
  • Equifax allowed its Public Key Infrastructure (PKI) certificate to expire; renewing it, a routine task, could have led to abnormal data movements being detected much earlier.
  • Equifax granted users extensive permissions, giving them access to highly sensitive information beyond what was necessary. Many corporations follow the principle of least privilege within a zero-trust model as a common security practice. Implementing these approaches would have required authentication processes that could have mitigated numerous issues.
  • The public only became aware of the breach over a month after Equifax had discovered it. By that time, company executives had already begun selling their stock, leading to allegations of insider trading.

Equifax ultimately invested more than $1.4 billion to clean up the damages and rebuild its data protection defence. Two years later, they settled with the FTC, various states and territories, and other authorities for $575 million.

14. River City Media

Date: March 2017

Impact: 1.4 billion file records leaked

River City Media, one of the largest email spam operations in the world, experienced a massive database leak from 2016 to 2017, making it one of the largest in US history. This breach resulted in the exposure of personal information belonging to nearly 1.4 billion individuals, along with a plethora of internal company documents. Although the majority of the compromised data consisted of email addresses, numerous records also included IP addresses, full names, and physical addresses.

The Portland-based company’s downfall stemmed from its failure to implement password protection while configuring backup servers for its MySQL database. This oversight allowed the entire company to be laid bare. Astonishingly, this simple mistake went unnoticed for nearly three months, leaving over a billion people vulnerable to potential hackers. Throughout this period, all 1.4 billion accounts were openly accessible on the internet for anyone to peruse.

In the end, River City Media’s illicit activities were brought to the attention of Spamhaus, an international cybersecurity organization, which promptly blacklisted the spam operation. Despite vehemently denying their server’s vulnerability, the negative publicity surrounding the incident led to the swift collapse of RCM.

15. Target

Date: November 2013

Impact: 41 million payment card records & 70 million customer records

During the busy shopping day of Black Friday in 2013, Target fell victim to a data breach caused by a third party. Despite having a security system in place, any organization that relies on vulnerable third parties is at a high risk of experiencing a cyber-attack or data breach. In this particular case, Target had a portal that allowed third-party vendors to access their data, inadvertently creating a vulnerability that allowed these vendors to access Target’s own network.

This significant data breach resulted in the theft of over 41 million credit and debit card records, as well as 70 million customer records. It highlights the importance of managing third-party risk as a crucial aspect of any company’s cybersecurity practices. All it takes is one compromised third party to infiltrate the entire network.

Furthermore, Target lacked a segmented network and sufficient firewall, which would have significantly limited the impact of the cyber attack. Once the hackers gained access, they utilized a Trojan to target Target’s point of sale (POS) system, enabling them to obtain payment card information.

As a result, Target suffered losses amounting to approximately $202 million ($292 million before insurance). This included a settlement payout of $18.5 million, a $10 million class-action lawsuit, and $127.5 million paid to banks and credit card companies. Additionally, Target had to allocate a substantial amount of funds towards enhancing its cybersecurity practices, as detailed on its corporate page:

  • Improved monitoring of system activity
  • Improved firewall
  • Whitelisting POS systems
  • Adding network segmentation
  • Limiting third-party access
  • Reduced employee access privileges

16. Heartland Payment Systems

Date: May 2008

Impact: Over 100 million payment card records

Heartland Payment Systems, a company specializing in payment, POS, and payroll systems, experienced a data breach in 2008. During this breach, attackers managed to steal more than 100 million payment card records. However, the company’s poor security management led to a delayed realization of any illegal activity. It wasn’t until October 2008, when Visa and MasterCard reported suspicious transactions from Heartland accounts, that the company became aware of the breach.

To investigate the incident, Heartland enlisted the help of a cybersecurity forensic team. The team discovered that their systems had been targeted by an SQL injection attack in 2007. This attack allowed the hackers to manipulate web code and gain unauthorized access to logins. Exploiting this vulnerability, the attackers were able to freely navigate Heartland’s systems for several months and even produce counterfeit credit cards with authentic magnetic strips.

Although the culprits were eventually apprehended, Heartland suffered severe and irreversible consequences. They lost a significant number of customers and had to pay out over $200 million in compensation. As a result, their stock prices plummeted by 77% within a few months of the breach. In 2015, Heartland was acquired by a larger payment processor, Global Payments, for a staggering $4.3 billion.

17. Exactis

Date: June 2018

Impact: 340 million people

A database containing 340 million individual records was reportedly exposed by Exactis, a marketing firm based in Florida. Security researcher Vinny Troia discovered the entire Exactis database on a public network that was completely unsecured and accessible to everyone. Upon discovering this, Troia promptly notified the FBI, who conducted their own investigation. Based on their findings, the FBI believed that the database contained information on nearly all US citizens and millions of businesses. The exposed database contained sensitive data, including but not limited to:

  • Full names (including children)
  • Age
  • Gender
  • Physical addresses
  • Email addresses
  • Religious affiliations
  • Political affiliations
  • Smoking habits
  • Pets
  • Income
  • Credit rating
  • Education level

The compilation of data was exceptionally comprehensive, making it readily accessible to anyone. This valuable information could potentially be exploited by scammers and cybercriminals to carry out large-scale social engineering attacks, specifically targeting individuals and businesses lacking adequate security measures.

Despite being removed from the public domain shortly after its discovery, the FBI suspects that the database remained accessible online for a considerable duration. While Exactis has chosen not to comment on the matter, they are currently confronted with numerous class-action lawsuits.

17. Capital One

Date: July 2019

Impact: 100 million user records

In the year 2019, Paige Thompson, a previous employee of Amazon Web Services (AWS), successfully breached the servers of Capital One. This unauthorized access allowed her to obtain more than 100 million customer account records and credit card applications, dating back to 2005. Among these records were:

  • Bank account numbers
  • Names
  • Addresses
  • Credit scores
  • Account balances
  • Social Security numbers
  • Canadian Social Insurance numbers

Capital One’s failure to implement adequate security measures resulted in Thompson exploiting a vulnerability in the cloud firewall configuration. This allowed her to carry out various commands on the company’s servers, gain administrator credentials to bypass the firewall, and access and copy data from the data buckets and folders. Thompson then proceeded to post the stolen data on GitHub, leaving a digital trail that ultimately led to her arrest.

Had Capital One implemented segmented network security or restricted user access privileges, it could have significantly hindered Thompson’s unauthorized access. Such measures would have necessitated multiple verification processes for each layer of data, making it much more challenging for her to carry out her actions.

As more businesses transition to cloud-hosted servers, it becomes crucial to establish cybersecurity solutions that effectively monitor the potential attack surface posed by third parties. Capital One, in particular, faced the consequences of their security shortcomings, as they settled a class-action lawsuit in 2021, paying a substantial amount of $190 million.

18. Dubsmash

Date: December 2018

Impact: 162 million user records

In December 2018, a significant data breach occurred, impacting 16 distinct websites and compromising more than 617 million accounts. Among the affected platforms, Dubsmash suffered the most severe consequences, with over 162 million user records compromised and made available on the dark web. The stolen data included:

  • Usernames
  • Passwords
  • Email addresses
  • Geolocations
  • Country

Numerous global companies were also victims of substantial data breaches in the same attack, including:

  • Under Armour / MyFitnessPal (151 million)
  • MyHeritage (92 million)
  • Whitepages (18 million)
  • Armor Games (11 million)
  • Coffee Meets Bagel (6 million)

19. Deep Root Analytics

Date: June 2017

Impact: 198 million US citizens

In June 2017, the personal details of nearly 200 million registered voters were exposed. This valuable data belonged to Deep Root Analytics, a Republican data analysis group. The cyber threat analysis team at UpGuard was the first to uncover this massive breach, marking it as the most significant disclosure of sensitive voter information ever recorded.

The data contained:

  • Names
  • Addresses
  • Emails
  • Phone numbers
  • Birthdates
  • Internet browsing history
  • Voter ID numbers
  • Political affiliations
  • Religions & ethnicities

With this information available, political parties on both sides could use it to manipulate voter behavior. The dataset encompasses numerous prominent and influential figures, as well as organizations. Although the Republican National Committee (RNC) severed its association with Deep Root Analytics immediately following the breach, it reinstated its collaboration with the data organization in 2020 to prepare for Donald Trump’s reelection campaign.

20. Zynga

Date: September 2019

Impact: 218 million users

In September 2019, Zynga, a renowned online gaming company, disclosed a security incident involving a breach of passwords that impacted more than 200 million users. By exploiting vulnerabilities in popular mobile games like Words With Friends, Farmville, and Draw Something, a hacker named Gnosticplayers managed to infiltrate the system and pilfer usernames and passwords.

Despite acknowledging the breach, Zynga failed to promptly notify its users. While no financial data was compromised in this particular incident, the breach poses a significant risk as hackers can exploit the stolen information to orchestrate phishing attacks or scams. If the compromised data finds its way onto the dark web, individuals may become vulnerable to cyberattacks.

21. Plex

Date: August 2022

Impact: 30 million users

On August 24th, 2022, Plex, a media streaming platform, sent password-reset notices to almost all of its 30 million users. This action was prompted by the discovery that an unauthorized party had gained access to certain data, including emails, usernames, and hashed passwords. While the passwords were protected with a hashing algorithm to minimize the risk of criminals hijacking accounts, the breach exposed a vulnerability in Plex’s systems that had not been patched.

Moreover, the widespread password changes overwhelmed Plex’s internal servers, resulting in additional error messages and failed attempts to change passwords. Even though the passwords were hashed, malicious actors can still use brute-force password-cracking software to recover weak, commonly used passwords.

Fortunately, since Plex did not store any payment information on its servers and promptly responded to the incident, there were no penalties or instances of stolen information. This incident serves as a reminder of the significance of creating robust passwords to safeguard against potential attacks.

22. Los Angeles Unified School District (LAUSD)

Date: September 2022

Impact: 1000 schools / 600,000 students / 500GB of data

During the Labor Day weekend, the Los Angeles Unified School District (LAUSD) experienced one of the largest data breaches in the education industry. A Russian criminal group known as Vice Society targeted LAUSD, impacting more than 1000 schools and 600,000 students. The attack involved the deployment of ransomware, which effectively blocked LAUSD officials from accessing vital information and data, including:

  • Personal information (names, physical addresses, phone numbers)
  • Email addresses
  • Computer systems and applications
  • Passport details
  • Employee social security numbers
  • Employee account login information
  • Tax forms
  • Contracts and legal documents
  • Financial reports
  • Banking details
  • Health information (including COVID-19 vaccination data)
  • Background checks and conviction reports
  • Student psychological assessments
  • VPN credentials

LAUSD made an official announcement stating their decision not to comply with the ransom demand, in line with the advice of cybersecurity experts and law enforcement. Consequently, Vice Society proceeded to disclose the stolen data on its dark web forum.

The long-term consequences of this attack are still uncertain, but there is a possibility of facing lawsuits if instances of fraud or identity theft become widespread. It is worth mentioning that LAUSD had been alerted about potential vulnerabilities before the attack occurred, but they failed to address or rectify the issues, which may lead to additional penalties or fines following an investigation.

23. Cash App

Date: April 2022

Impact: 8.2 million users

In April 2022, a disgruntled former employee obtained data from more than 8 million users via Cash App Investing, a stock trading feature available within Cash App’s platform. It is crucial to highlight that the information stored in Cash App Investing is distinct from Cash App’s primary offering, which is a person-to-person payment service.

Information that was stolen included:

  • Customer names
  • Brokerage account numbers
  • Stock trading portfolios
  • Stock trading activity

Cash App is currently facing several class-action lawsuits over its failure to implement adequate security measures to safeguard user data, following the unauthorized acquisition of sensitive information. Although no other personally identifiable information (PII) was compromised, the data breach posed a significant security risk, highlighting the absence of effective access control policies, particularly for a former employee. Furthermore, the breach persisted for four months, during which Cash App failed to detect or respond to the ongoing attack on its data.
