
The 20 largest data breaches in the 21st century

Although it had long ceased to be the powerhouse it once was, social media site MySpace was back in the news in 2016, when 360 million user accounts were leaked on LeakedSource.com and put up for sale on a dark web market for six bitcoins (about $3,000 at the time).

According to the company, the lost data included email addresses, passwords and usernames for “a portion of the accounts created before June 11, 2013, on the old Myspace platform.” To protect its users, the company invalidated all user passwords for accounts created before June 11, 2013, on the old Myspace platform. This applied to users returning to Myspace with an account on the old platform.

It is believed that the passwords were stored as SHA-1 hashes of the first 10 characters of the password, converted to lowercase.

13. NetEase

Date: October 2015
Impact: 235 million user accounts

NetEase, a provider of email services such as 163.com and 126.com, reportedly suffered a breach in October 2015, when dark web marketplace DoubleFlag sold email addresses and passwords relating to 235 million accounts. NetEase has maintained that no data breach occurred, and to this day HIBP notes: “While there is evidence that the data itself is legitimate (multiple HIBP subscribers have confirmed that the password they used is in the data), due to the difficulty of strongly verifying the breach in China, it has been marked as ‘unverified.’”

14. Court Ventures (Experian)

Date: October 2013
Impact: 200 million personal records

The Experian subsidiary fell victim in 2013, when a Vietnamese man deceived it into giving him access to a database containing 200 million personal records by posing as a private investigator in Singapore. Details of Hieu Minh Ngo's exploits came to light only after he was arrested for selling the personal information of U.S. residents, including credit card numbers and Social Security numbers, to cybercriminals around the world, something he had been doing since 2007. In March 2014, he pleaded guilty to multiple charges in the U.S. District Court for the District of New Hampshire. The Justice Department said at the time that Ngo had made $2 million by selling personal data.

15. LinkedIn

Date: June 2012
Impact: 165 million users

Making its second appearance on this list is LinkedIn, this time in reference to a 2012 breach, when it announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been stolen by an attacker and posted to a Russian hacker forum. However, it was not until 2016 that the full scope of the incident was revealed. The same hacker who was found selling MySpace's data was offering the email addresses and passwords of approximately 165 million LinkedIn users for just five bitcoins (about $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach and said it had reset the passwords of the affected accounts.
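The two storage schemes this list describes (MySpace's SHA-1 of the first 10 characters, lowercased, and LinkedIn's unsalted SHA-1) can be compared with a salted, iterated alternative. The following is an added example, not code from the article or from any of the companies named; the truncate-then-lowercase order, the UTF-8 encoding, the PBKDF2-HMAC-SHA256 parameters, the record format and the sample accounts are all assumptions made for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

def legacy_truncated_sha1(password: str) -> str:
    # Scheme as described for MySpace above: first 10 characters, lowercased,
    # SHA-1, no salt. Truncate-then-lowercase order and UTF-8 are assumptions.
    return hashlib.sha1(password[:10].lower().encode("utf-8")).hexdigest()

def unsalted_sha1(password: str) -> str:
    # Plain unsalted SHA-1, as described for the 2012 LinkedIn hashes.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def pbkdf2_record(password: str, iterations: int = 600_000) -> str:
    # Hardened contrast: random 16-byte salt per record, slow key derivation.
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, record: str) -> bool:
    _, iterations, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare

def shared_hash_groups(users: dict, scheme) -> list:
    # Users whose stored values are identical; each group tells anyone holding
    # the table that those accounts share a (possibly truncated) password.
    groups = defaultdict(list)
    for user, password in users.items():
        groups[scheme(password)].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample accounts (not taken from any breach data).
USERS = {
    "alice": "Sunshine2013!",
    "bob": "sunshine20XX",
    "carol": "Sunshine2013!",
    "dave": "t4ngerine-Kite",
}

if __name__ == "__main__":
    print("truncated+lowercased SHA-1:", shared_hash_groups(USERS, legacy_truncated_sha1))
    print("unsalted SHA-1:            ", shared_hash_groups(USERS, unsalted_sha1))
    print("salted PBKDF2:             ", shared_hash_groups(USERS, pbkdf2_record))
```

Under the truncated scheme three different-looking passwords collapse to one stored value, under unsalted SHA-1 the two identical passwords still match, and with a per-record salt no two stored values coincide.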

16. Dubsmash

Date: December 2018
Impact: 162 million user accounts

In December 2018, Dubsmash, a New York-based video messaging service, had 162 million email addresses, usernames, PBKDF2 password hashes and other personal data, such as dates of birth, stolen, all of which was subsequently put up for sale on Dream Market in December of the following year. The information was sold as part of a collected dump that also included MyFitnessPal (more below), MyHeritage (92 million), ShareThis, Armor Games and dating app CoffeeMeetsBagel.

Dubsmash acknowledged that the breach and the sale of information had occurred and provided advice on changing passwords. However, it did not explain how the attackers got in or confirm how many users were affected.

17. Adobe

Date: October 2013
Impact: 153 million user records

In early October 2013, Adobe reported that hackers had stolen nearly 3 million encrypted customer credit card records, plus login data for an undetermined number of user accounts. A few days later, Adobe raised that estimate to include IDs and encrypted passwords for 38 million “active users”. Security blogger Brian Krebs later reported that a file posted a few days earlier “appeared to include more than 150 million usernames and hashed password pairs, taken from Adobe.” Weeks of research showed that the hack had also exposed customer names, passwords, and debit and credit card information. An August 2015 agreement required Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and of unfair business practices. According to reports in November 2016, the amount paid to customers was $1 million.

18. National Public Data

Date: December 2023
Impact: 270 million people

A breach at background check company National Public Data exposed the data of hundreds of millions of people through the disclosure of an estimated 2.9 billion records. The data, stolen in a hack in December 2023, was put up for sale on the dark web in April 2024. Most of the stolen data was then leaked and made freely available on a cybercrime forum in July 2024 in a 4TB dump.

The incident became public knowledge only after a class action lawsuit was filed in August 2024. The breach exposed the Social Security numbers, names, mailing addresses, emails and phone numbers of 270 million people, mainly U.S. citizens. Much of the data, which also includes information relating to Canadian and British residents, appears to be outdated or inaccurate, but the impact of exposing so much personal information remains severe. An estimated 70 million rows of records cover U.S. criminal records.

The initial breach mechanism is still unconfirmed, but investigative journalist Brian Krebs reported that until early August 2024, an NPD property, recordscheck.net, included the website administrator's username and password in a plain text archive.

In a statement, Jericho Pictures, which trades as National Public Data, advised people to closely monitor their financial accounts for unauthorized activity. National Public Data said it was working with law enforcement and government investigators, adding that it was reviewing affected records to understand the scope of the breach. If there are “further important developments”, it will “try to notify” the affected parties.

Experts recommend that consumers consider freezing their credit at the three main bureaus (Equifax, Experian and TransUnion) and using identity theft protection services as potential precautions.

19. Equifax

Date: 2017
Impact: 159 million records

Credit reference agency Equifax suffered a data breach in 2017 that affected 147 million U.S. citizens and 15 million British people. After attackers exploited a security vulnerability to break into Equifax's systems, names, Social Security numbers, dates of birth and addresses were exposed, along with the driver's licenses of more than 10 million people. The breach also exposed the credit card data of a smaller group of 209,000 people.

Between May 2017 and July 2017, attackers broke into Equifax's systems by exploiting an unpatched Apache Struts vulnerability to hack its dispute resolution portal. Patches for the exploited vulnerability had been available since March 2017, months before the attack. Struts is a popular framework for creating Java-based web applications.

The cybercriminals moved laterally before stealing credentials that allowed them to query Equifax's databases, systematically exfiltrating the stolen data. U.S. authorities charged four members of the Chinese military with the hack. Chinese authorities denied taking part in the attack.

After the breach, Equifax faced numerous lawsuits and government investigations. The breach is estimated to have cost the credit reference agency $1.7 billion, without taking into account the impact on its stock price. Equifax is estimated to have spent $337 million on improving its technology and data security, on legal and computer forensic costs, and on other direct costs.

20. eBay

Date: 2014
Impact: 145 million records

Between late February 2014 and early March 2014, online marketplace eBay suffered a breach of sensitive personal information from an estimated 145 million user accounts. Cybercriminals gained access to eBay's systems after compromising a handful of employee login credentials.

The hack allowed unauthorized access to sensitive information, including encrypted passwords, email addresses, mailing addresses, phone numbers and dates of birth. Financial information (including data about PayPal accounts) was stored on a separate system and was therefore not affected by the breach. In response to the incident, eBay applied a forced reset of user passwords.
