12 Major Data Security Breaches And The Companies That Were Hacked


You may have received a data breach notification from one of the companies or brands you’ve done business with, but you’re unsure what to make of it. We got you.

At the end of this article, you should know what steps to take to protect yourself from the consequences of a data breach.

We searched the web for the most famous data breaches in recent years. ID thieves are constantly developing new ways of stealing personal information, so it's important to know the latest ones. We also sought expert tips on protecting yourself after a data breach.

Read until the end to discover the best defense you can have after a data breach. Don’t miss out on crucial tips; otherwise, you’ll leave yourself vulnerable to crimes like ID theft.

What are the biggest data breaches?

Hackers target large companies because of the massive amount of information they can collect and exploit. In this section, we’ll walk through the biggest data breach examples to show you that almost everyone’s information is at risk, so you need to protect yourself.

1. Yahoo

Yahoo’s security breach, which happened in late 2014, is one of the top data breaches in recent years.

Yahoo believes that a “state-sponsored actor” was behind this cybersecurity issue, but the culprit has not been arrested to date. The public learned of the breach when a hacker known as “Peace” claimed to be selling information from 200 million Yahoo users.

Yahoo stated that it was investigating the matter, but after a few months, it turned out that almost 500 million user accounts were compromised. The number was bigger than the first rumored 200 million.

But after a few years, the New York Times reported that the breach affected all three billion Yahoo accounts. Although the company protected the passwords by hashing them, it used the MD5 algorithm, which hackers can easily crack.

The company released a statement informing the users what records were leaked, which included:

  • Names
  • Email addresses
  • Telephone numbers
  • Birthdates
  • Hashed passwords
  • Security questions and answers

The incident affected not only individuals but also companies who use Yahoo as their email service provider.

Due to the breach, Yahoo spent $16 million on investigations and legal costs. The company also faced inquiries from government agencies, such as the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC).

2. LinkedIn

One of the recent data breaches involves LinkedIn, an online professional network.

Cybernews reported that a popular hacker forum announced the sale of information from almost 700 million LinkedIn profiles. The cybercriminal who breached LinkedIn’s database initially provided 2 million records as proof for the buyers.

However, LinkedIn denied the breach and insisted that the hackers gathered information from other websites. On the other hand, the hacker claims that the data was from the said company.

Cybernews’ investigation team confirmed the hacker’s claims, but it’s unclear whether the records contain updated LinkedIn profiles. Still, the fact remains that there was unauthorized access to users’ sensitive details.

Here’s a list of information leaked due to the breach:

  • Names
  • Email addresses
  • Phone numbers
  • LinkedIn profiles
  • Social media profiles
  • Work-related data

So what happens when scammers have access to these pieces of information?

They can carry out targeted phishing attacks because they know your email address and phone numbers. It allows them to send malicious links containing malware that can collect your financial details.

Since they also have links to your LinkedIn and social media profiles, they can execute brute-force attacks on your accounts. So if you haven’t enabled two-factor authentication, you might not even know that fraudsters are trying to guess your password.

3. Marriott Hotels (Starwood)

In November 2018, Marriott Hotels disclosed that the data breach of Starwood’s database compromised the information of up to 500 million people. But the breach started in 2014, so the hackers have long been accessing the guests’ details.

Marriott discovered the incident when it received an alert from an internal security tool that someone attempted to access the database. In its investigation, the company found out that an unauthorized party had copied sensitive information.

As a result, the UK’s Information Commissioner's Office (ICO) fined Marriott £18.4m.

Here are the details that hackers have access to:

  • Names
  • Phone numbers
  • Mailing addresses
  • Email addresses
  • Arrival and departure information
  • Preferred contact method

Aside from these pieces of information, NBC News reported that hackers collected the guests’ passport numbers and credit card details.

Once scammers have the said data, they can impersonate you or make fraudulent purchases using your card.

It seems that criminals keep targeting Marriott because the hotel was also a victim of data theft in 2020. This time, the hacker entered the system using the login credentials of two employees.

It wasn’t as massive as the first one, but it still leaked the information of more than five million people.

4. Facebook

Facebook has always been a famous target for hackers. But in 2021, news emerged that the tech giant’s security was compromised, affecting 533 million Facebook users.

Due to the number of compromised accounts, we consider this incident one of the top three cybercrime hacks in recent years. Business Insider reported the extent of this data breach. According to the site, it affected users from 106 countries, including:

  • United States: 32 million
  • United Kingdom: 11 million
  • India: 6 million

Ireland's Data Protection Commission (DPC) fined Facebook €17 million for violating the General Data Protection Regulation (GDPR). According to the commission, Facebook failed to put appropriate technical and organizational measures in place.

Here’s the list of leaked information:

  • Names
  • Phone numbers
  • Locations
  • Birthdates
  • Email addresses
  • Links to Facebook profiles

When fraudsters have the said information, they can easily send spam messages containing viruses and malware to gather financial details. 

They can also create fake online accounts since they have your location, birthdate, phone number, and the link to your real profile.

It’s not Facebook's first involvement in a security breach controversy. In 2016, Cambridge Analytica misused Facebook users’ data to target voters with political ads. In fact, the consulting company compromised the personal data of 87 million people.

5. Equifax

Equifax is a major credit reporting agency that collects individual credit information. Lending companies and banks rely on their reports to decide about granting loans and applications.

But did you know that even Equifax experienced a data breach?

In 2017, the information of almost 143 million customers was compromised. According to Equifax, the breach happened because security officials failed to download a software upgrade.

The update was intended to prevent hackers from accessing sensitive information in Equifax’s system. But it didn’t serve its purpose since the employees failed to install it.

Instead, Equifax announced that hackers accessed the following details:

  • Social Security Numbers (SSNs)
  • Addresses
  • Birthdates

Unfortunately, when scammers know your SSN, they can:

  • Open new credit lines
  • File taxes and claim refunds
  • Apply for jobs
  • Get legal documents
  • Open bank accounts

The Equifax breach is deeply concerning because when you suspect that someone’s using your information, experts recommend checking your credit reports. But what would happen when Equifax itself had security issues?

Millions of individuals may have inaccurate credit files. Financial institutions will also question such information, affecting their decisions regarding granting loans and credit cards.

6. Cash App

Almost everyone uses digital wallets with investment opportunities, so we thought you might want to know about this security breach.

The incident affected over 8 million Cash App Investing customers. Block, Inc., its parent company, clarified that it’s not the peer-to-peer (P2P) payment product that was affected but the Cash App Investing.

So how did the security breach happen?

According to the Securities and Exchange Commission (SEC) filing, a former employee accessed the customers’ full names and brokerage account numbers. The said number shows users’ stock activity on the platform. Also, the hacker compromised the brokerage portfolio and stock trading activity.

Once fraudsters know your brokerage account number, it allows them to identify you and collect other details that can be used to commit fraudulent acts.

Fortunately, the leaked information didn’t include usernames, passwords, card details, SSNs, and birthdates. Still, it’s alarming that a former employee illegally gathered Cash App Investing’s information.

Companies often warn their employees about external cybersecurity risks, but internal ones can also become devastating. In this case, 8.2 million users were at risk for targeted ID theft.

7. Alibaba

One of the biggest data breaches in 2022 involves Alibaba Cloud, China's largest public cloud service provider.

This incident doesn’t involve the shopping site but the China police database hosted by Alibaba Cloud. As a result, almost 1 billion citizens' information was at risk.

The hacker posted a sample of 750,000 entries and demanded 10 bitcoins or $200,000 for the entire database. 

So how did the breach happen?

According to cybersecurity experts, the database had been open online for over a year. Worse, it didn’t have any passwords because of the outdated system. So it was easy for hackers to copy the sensitive details it contained.

The massive data leak showed the importance of using updated security systems, especially for cloud hosting services. Surprisingly, the said database was left open for almost anyone to access.

Here’s a list of the records that the hacker collected:

  • Names
  • Phone numbers
  • Addresses
  • Government ID numbers
  • Birthdates
  • Police reports

As you might notice, the criminals even have access to the victims’ government ID numbers and police reports. They can use these details to launch several counts of ID theft.

Due to the leak, Chinese authorities have called the attention of Alibaba Group Holding Ltd.’s executives.

8. Twitter

Twitter was involved in a data breach in 2018, compromising the data of almost 330 million users.

This is one of the accidental data breach examples because, according to the company, a security bug left passwords “unmasked.” So instead of an encrypted set of characters, users’ real passwords were revealed.

Leaked passwords pose several dangers to users, especially those who only use one password for all their accounts. For example, scammers can open your financial accounts if you use the same passcode for your Twitter and mobile banking accounts.

Due to the incident, Twitter asked its users to change their passwords. Although the company said no one collected the information, it still pays to be cautious.

But it’s not the end of data breaches for Twitter. In 2022, Twitter employees provided access to the system willingly. They leaked the details of more than 5.4 million users in exchange for $30,000.

The hackers sent spam messages to Twitter users. Some of them claimed to give $2,000 for investing $1,000. It’s the classic form of an investment scam. Even Bill Gates and Barack Obama received such messages.

It only means that no one is safe once a security breach happens.

9. eBay

In 2014, hackers accessed eBay’s database, compromising 145 million records. But the company said that there’s no evidence of impact on customers. It’s an unusual way of responding to a data breach, and people have criticized eBay for its behavior.

Somehow, it also denied that the hacking happened since eBay spokeswoman Amanda Miller told Reuters that the company didn’t believe hackers could decrypt the customers’ passwords.

According to eBay, the hackers obtained the login credentials of “a small number” of employees. It allowed them to access the company’s network, which contained the customers’ information.

Here’s the list of information leaked due to eBay’s breach:

  • Names
  • Passwords
  • Email addresses
  • Mailing addresses
  • Birthdates

eBay stated that the hackers didn’t access credit card numbers and financial data. Still, the company advised customers to change their passwords immediately.

When criminals know your email address, they can send targeted phishing messages. A leaked name and mailing address also allows fraudsters to change your address and reroute your mail.

You can also be vulnerable due to leaked passwords, especially if you only use one for all of your accounts. Fraudsters can also use your birth date to answer security questions.

10. Macy's

Most people shop online because of the convenience that e-commerce sites offer. But it’s not an entirely safe way to purchase products.

In 2018, Macy’s website was hacked, compromising customers’ names, credit card numbers, and expiration dates. CBS News reported that hackers gathered usernames and passwords from other sites and used them to execute the attack.

The company notified the affected individuals and provided free consumer protection services.

But in 2019, Macy’s website was compromised again. The hackers collected sensitive information, such as:

  • Names
  • Addresses
  • Phone numbers
  • Email addresses
  • Credit card numbers
  • Security codes

If scammers know your credit card number and security code, they can make fraudulent purchases using your card. 

Since they collect the names and addresses of customers, they can even answer banks’ security questions. They can also send spam messages to customers’ phone numbers and email addresses.

That’s why criminals target e-commerce sites—they can get financial information to commit financial identity theft and other types of fraud.

11. MyFitnessPal / UnderArmour

Have you used weight loss apps? 

You might think that scammers don’t attack such platforms, but in 2018, hackers targeted MyFitnessPal and affected 150 million accounts.

On March 25, 2018, UnderArmour discovered unauthorized access to MyFitnessPal’s system. However, the incident happened in February, which means customers were unaware of the situation for almost a month.

The hackers collected usernames, passwords, and email addresses. Fortunately, they didn’t access payment information, SSNs, and driver’s license numbers.

UnderArmour told the users to change their passwords immediately. This way, the scammers won’t be able to open their accounts. The problem arises when people use the same password for all their accounts, including mobile banking ones.

But how did they access MyFitnessPal?

The company disclosed that they use bcrypt to secure most of the passwords on their system. But UnderArmour admitted that the leaked passwords were only protected by SHA-1, a weak cryptographic hash function.
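
The Yahoo and MyFitnessPal cases above both involve passwords stored with a fast, unsalted hash (MD5, SHA-1) instead of a slow, salted one such as bcrypt. The Python code below is an added example, not taken from either company or from the original article: it audits a constructed credential table for legacy hash formats and upgrades each row the next time its owner logs in. PBKDF2 from the standard library stands in for bcrypt, and the record format, work factor, and function names are assumptions.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

PBKDF2_ROUNDS = 600_000  # assumption: work factor picked for this example
LEGACY = {"sha1-unsalted": hashlib.sha1, "md5-unsalted": hashlib.md5}
FORMATS = [  # scheme name -> pattern of the stored string
    ("pbkdf2-sha256", r"pbkdf2\$\d+\$[0-9a-f]+\$[0-9a-f]+"),
    ("bcrypt", r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}"),
    ("sha1-unsalted", r"[0-9a-f]{40}"),
    ("md5-unsalted", r"[0-9a-f]{32}"),
]
# Constructed sample table (not real data); alice and bob share a password,
# so their unsalted rows are identical.
SAMPLE_DB = {
    "alice": hashlib.sha1(b"Summer2018!").hexdigest(),
    "bob": hashlib.sha1(b"Summer2018!").hexdigest(),
    "carol": hashlib.md5(b"correct horse").hexdigest(),
}

def classify(stored):
    """Name the scheme of a stored hash, judged only by its format."""
    return next((n for n, p in FORMATS if re.fullmatch(p, stored)), "unknown")

def slow_hash(password, salt=None, rounds=PBKDF2_ROUNDS):
    """Salted, deliberately slow hash: pbkdf2$<rounds>$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${digest.hex()}"

def verify(password, stored):
    scheme = classify(stored)
    if scheme == "pbkdf2-sha256":
        _, rounds, salt_hex, _ = stored.split("$")
        candidate = slow_hash(password, bytes.fromhex(salt_hex), int(rounds))
    elif scheme in LEGACY:
        candidate = LEGACY[scheme](password.encode()).hexdigest()
    else:
        return False  # bcrypt rows need a third-party library; out of scope here
    return hmac.compare_digest(candidate, stored)

def login(db, user, password):
    """Check a login; on success, replace a legacy fast hash with a slow one."""
    stored = db.get(user)
    if stored is None or not verify(password, stored):
        return False
    if classify(stored) in LEGACY:
        db[user] = slow_hash(password)
    return True

def audit(db):
    """Count rows per scheme so the legacy total can be tracked down to zero."""
    return dict(Counter(classify(h) for h in db.values()))
```

Rows belonging to users who never log in again stay on the legacy scheme, so the audit count is what shows when a forced password reset is still needed.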

12. Adult Friend Finder

In 2016, the hook-up site Adult Friend Finder got hacked, affecting the information of almost 400 million members.

The parent company, Friend Finder Networks (FFN), also owns sex-chatting services like Cams.com, iCams.com, and Stripshow.com. According to FFN, the login credentials on the said websites were also compromised.

Worse, the hacker accessed almost 20 years of sign-in credentials, including those from deleted accounts.

Here’s the list of compromised information:

  • Usernames and passwords
  • Email addresses
  • Post codes
  • Birthdates
  • Sexual preferences

The said sensitive information allows scammers to access your other accounts if you reuse passwords. It will also help them execute targeted attacks since they have a list of valid email addresses.

Like the other companies, it’s not the first time that Adult Friend Finder was hacked. In May 2015, a hacker posted 3.5 million records of the site’s members.

*PayPal

We would also like to mention PayPal’s security issues, although it didn’t make the cut. 

So how many times has PayPal been breached?

In 2017, the company admitted to a security breach that affected more than 1.6 million customers. But it didn’t provide further explanation. The company only stated that it was suspending operations. Prior to this, PayPal hadn’t experienced any data breach.

Among the incidents we mentioned, which was the biggest data breach ever? The answer: Yahoo’s data breach. It affected 3 billion accounts, including individuals and companies.

How to prevent data breaches?

After the failure of private businesses to detect major breaches, we saw the need to provide tips on safeguarding your information.

  1. Use different passwords for your accounts and refrain from using significant numbers, such as anniversaries, addresses, and birthdates.
  2. Review your credit files and financial statements for inaccurate details and suspicious transactions.
  3. Enable multi-factor authentication so you can get alerts whenever someone tries to open your accounts.
  4. Limit the amount of sensitive information you share on websites. If possible, don’t agree to store your credentials on a website. It might be inconvenient to enter them again, but it’s one way to protect your information.
  5. Don’t click suspicious URLs and attachments because scammers use them to collect your sensitive information.
  6. Update your devices to take advantage of new security measures. You might want to prevent what happened in the eBay data breach, where an outdated system enabled criminals to hack the company.

We’d also like to share the best defense you can have after a data breach: change all your passwords if the hackers have accessed your accounts, according to Boris Jabes, the Chief Executive Officer (CEO) of Census.

Be on the lookout for your information

The biggest data breaches taught us that no one’s safe from people who want to exploit your information. Even multi-national companies, such as Yahoo and Facebook, can be the targets of cyberattacks.

So if you want to guard your sensitive information, you must use a complex and unique password for each account. It’s also helpful to review your financial statements to recognize suspicious transactions.

Since data breaches mostly happen online, ensure you're only visiting official websites. You must refrain from clicking links and attachments from strangers.
