
How the Yahoo hack stacks up to previous data breaches

  • The company's new disclosure that 3 billion accounts were affected makes it the biggest data breach ever reported.
  • Hacks make up more than half of reported data breaches so far in 2017.

With the announcement Tuesday that all three billion accounts were affected by a 2013 hack, Verizon-owned Yahoo became the victim of the biggest overall data breach by a long shot, according to a CNBC analysis of a database of reported breaches.

In recent years, high-profile hacks have been bigger and more frequent. Part of that trend is due to greater use of online storage and social media, as well as the massive amounts of personal data now stored in the cloud. Some is linked to more sophisticated tools being deployed to illicitly access personal information. Theft of portable devices like laptops and unintended disclosures used to account for a much larger share of data breaches, according to data maintained by the Privacy Rights Clearinghouse.

So far this year, hacks have made up more than half of the reported data breaches, more than any year in the past decade.

It's often hard to pin down how many users are affected by any given hack, but the scale of records made vulnerable in any such intrusion can be massive. Three billion accounts is far and away the biggest data breach yet reported. Below is a rundown of some of the biggest data breaches, according to the database maintained by the Privacy Rights Clearinghouse.

3 billion Yahoo accounts

Last year, Yahoo announced that more than a billion accounts had likely been affected by the hack, which occurred in 2013. The compromised accounts came to light after an unidentified third party gave law enforcement officials data files they claimed contained Yahoo user information, the company said in December. In the breach, attackers accessed email addresses, passwords, birth dates and other bits of personal information.

On Tuesday, the company said it had "recently obtained new intelligence" showing that all users' accounts had been affected. The company already faced 41 consumer class-action lawsuits in the U.S., a figure that could rise with the fresh disclosure, according to Reuters. Yahoo was acquired by Verizon and the deal was finalized in June.

1.2 billion accounts (from multiple sites)

After several months of research, cybersecurity firm Hold Security discovered in 2014 that an unnamed Russian gang had amassed more than 4.5 billion credentials from websites across the web. About 1.2 billion of those were unique. The 1.2 billion accounts came from across many different sites, not just one source.

The gang accomplished the amazing feat of online thievery by buying a smaller set of credentials and using those to attack sites. They also used compromised accounts to search the web for other vulnerable sites, eventually robbing over 420,000 sites of all sizes.

412 million FriendFinder accounts

In November 2016, a website called LeakedSource reported that hackers had stolen user information from 412 million accounts at online hookup and dating company FriendFinder. The information reportedly included usernames, passwords, email addresses and join dates. About 340 million of the accounts were for AdultFriendFinder.com, which advertises itself as the "world's largest sex & swinger community."

Some of the passwords were cryptographically hashed to protect them while others were not, according to Wired. Those that were protected were easily cracked, the site reported.

360 million MySpace users

Sometime before June 2013, the once-popular social networking site MySpace was attacked. It wasn't until May 2016 that the company (then owned by Time) reported that 360 million accounts, with user names, passwords and emails, were for sale in an online hacker forum.

MySpace reacted by invalidating the passwords of accounts that were known to be included in the leak. Even so, users frequently use similar passwords on different sites, so stolen passwords can be used to gain access to other sites as well.

The hack was attributed to the Russian hacker "Peace," who also posted the original offer to sell the 200 million Yahoo accounts for $1,800 earlier this year.

198 million registered voters

Deep Root Analytics, a marketing firm working with the Republican National Committee, accidentally leaked personal information on nearly 200 million registered voters in June. The information was amassed from a number of sources, including data scraped from the social media site Reddit. The data included names, addresses, birth dates, registered party and demographic information, in addition to likely political preferences on a number of issues like abortion, gun control and stem cell research.

A cyber risk analyst found the data exposed on an Amazon server that could be accessed by anyone with the URL. He was able to download 1.1 terabytes of unsecured data. Deep Root said at the time that it believed only the analyst had accessed the database.

167 million LinkedIn users

In addition to MySpace accounts, "Peace" was also found trying to sell 167 million LinkedIn user accounts — 117 million of which had both emails and encrypted passwords — in 2016. The stolen data originated in a hack of the social network in 2012, during which 6.5 million passwords were reported as stolen.

Hundreds of millions of users not only had to change their LinkedIn passwords, but also had to worry about hackers using their information on other sites. For the full database for sale on the dark web marketplace, "Peace" was asking for only $2,200 in bitcoin.

145 million U.S. consumers

Equifax, one of the 'big three' credit reporting companies, said in September that a data breach had affected at least 145 million consumers in the U.S. Cyber criminals had exploited a public vulnerability to gain access to the Equifax system and stolen information including names, birth dates, Social Security numbers, addresses and some driver's license numbers.

Three Equifax executives, including then-CEO Richard Smith, sold $1.8 million in shares just days after the company learned about the hack. The company has said that the timing was a coincidence, but the Equifax board is now investigating the stock sales, according to Reuters.

The breach sparked investigations at both the state and federal levels. Smith stepped down shortly after the breach was disclosed and agreed to appear before Congress.

145 million eBay users

Three months after its system was compromised using stolen login credentials from several employees, eBay announced that 145 million users would have to change their passwords. Financial information in the related PayPal money transfer service was not compromised, and the company said that no financial fraud was detected.

The hackers gained access to customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. Security experts said that criminals would be able to use that information for more old-fashioned scams over the phone.

130 million Heartland credit cards

The 2008 attack on credit card processing company Heartland is the smallest and oldest on our list, but arguably caused more damage than larger hacks. Attackers spent months installing malware in a system that gave them access to credit card data.

Visa and MasterCard noticed suspicious activity and alerted the company. Heartland eventually paid about $140 million in fines and penalties for the data breach, and an American hacker was sentenced to 20 years in prison for his role in the attack.