{"id":23206,"date":"2024-08-27T14:00:33","date_gmt":"2024-08-27T10:00:33","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=23206"},"modified":"2024-08-27T14:00:33","modified_gmt":"2024-08-27T10:00:33","slug":"top-five-data-breaches-in-history","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/top-five-data-breaches-in-history\/23206\/","title":{"rendered":"RockYou2024 and the four other largest data breaches in history"},"content":{"rendered":"<p>Recent years have seen a steady <a href=\"https:\/\/www.statista.com\/statistics\/273550\/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed\/\" target=\"_blank\" rel=\"nofollow noopener\">rise<\/a> in the amount of compromised data out there. News reports about new leaks and hacks are an almost daily occurrence, and we at Kaspersky continue to use plenty of electronic ink to tell you about the need for robust <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">protection<\/a>\u00a0\u2014 now more than ever.<\/p>\n<p>Today we take a dive into history and recall (with a shudder) the biggest and baddest data breaches (DBs) of all time. To find out how much and what kind of information was leaked, who was affected, and much more besides \u2014 read on\u2026<\/p>\n<h2>1. 
RockYou2024<\/h2>\n<p><strong>In brief:<\/strong> hackers collected data from past leaks and rolled out the largest-ever compilation of real user passwords: almost 10 billion records!<\/p>\n<p><strong>When:<\/strong> 2024.<\/p>\n<p><strong>Who was affected: <\/strong>users worldwide without <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">strong protection<\/a>.<\/p>\n<p>RockYou2024 is the king of leaks, and a thorn in the side of anyone who thought hackers weren\u2019t interested in them. In July 2024, cybercriminals posted a gigantic collection of passwords on a hacking forum: 9,948,575,739 unique records in total. Despite being a compilation built on top of the old RockYou2021 leak, RockYou2024 still\u2026 rocks, so to speak.<\/p>\n<p>Our expert, Alexey Antonov, analyzed the dump. After filtering out all non-relevant records, he was left with an array of\u2026 8.2 billion passwords that had been <em>stored somewhere in plaintext!<\/em> Of these, <strong>83% were crackable by a smart guessing algorithm in under an hour<\/strong>, and only <strong>4% (328 million) could be considered strong<\/strong>, meaning they would take over a year to crack with the same algorithm. For details on how such algorithms work, see our <a href=\"https:\/\/www.kaspersky.com\/blog\/password-can-be-hacked-in-one-hour\/51469\/\" target=\"_blank\" rel=\"noopener nofollow\">password strength study<\/a>, which analyzed real user passwords leaked on the dark web and showed that far too many of us are still shockingly blas\u00e9 about password security.<\/p>\n<h2>2. 
CAM4<\/h2>\n<p><strong>In brief:<\/strong> a misconfigured server exposed 11 billion customer records to the public domain \u2014 sensitive information indeed given that CAM4 is\u2026 an adult site!<\/p>\n<p><strong>When:<\/strong> 2020.<\/p>\n<p><strong>Who was affected:<\/strong> users of the adult site CAM4.<\/p>\n<p>This story is of interest for two reasons: what information was leaked, and how. Among the \u201cstandard\u201d leaked details (first name, last name, email address, payment logs, etc.) was information of a far more intimate nature: gender preferences and sexual orientation. Users had to give this information at signup before they could enjoy the content of the adult streaming platform.<\/p>\n<p>The leak was caused by an Elasticsearch database left reachable from the internet without authentication. Fortunately, it didn\u2019t end as badly, or as embarrassingly, as it might have: if we were to compile <a href=\"https:\/\/www.bleepingcomputer.com\/tag\/elasticsearch\/\" target=\"_blank\" rel=\"nofollow noopener\">all the reports of leaks from exposed Elasticsearch databases<\/a> into a physical book, we\u2019d get quite a doorstop, within which the story of CAM4 would occupy a small but important chapter: \u201cThe largest data leak in history that never was\u201d. The database was shut down within half an hour of the error being discovered, and later moved to an internal network. Users\u2019 personal data was deleted.<\/p>\n<h2>3. Yahoo<\/h2>\n<p><strong>In brief: <\/strong>A hacker attack affected all three billion users of the platform \u2014 but Yahoo admitted the full scale only years later.<\/p>\n<p><strong>When:<\/strong> 2012, 2013\u2026 or was it 2014? Even Yahoo doesn\u2019t know for sure.<\/p>\n<p><strong>Who was affected: <\/strong>all Yahoo users.<\/p>\n<p>More than a decade ago now, Yahoo was hacked (it all started with a phishing email), leading to a series of news stories about a rumored data leak. 
Initial reports mentioned a couple of hundred million hacked accounts, then that rose to around <a href=\"https:\/\/www.kaspersky.com\/blog\/possible-yahoo-password-leak\/13047\/\" target=\"_blank\" rel=\"noopener nofollow\">500 million<\/a>, and then, in 2017, after Verizon had completed its acquisition of the company, it turned out that all three billion accounts were affected. The hackers got hold of names, email addresses, dates of birth, phone numbers, and hashed passwords, many of them protected only by the weak MD5 algorithm. Worse still, that meant users who went years without changing their passwords remained exposed long after the intrusion itself. Now do you see <a href=\"https:\/\/www.kaspersky.com\/blog\/change-passwords-now\/12284\/\" target=\"_blank\" rel=\"noopener nofollow\">why it\u2019s so important to change passwords regularly and delete old profiles<\/a>?<\/p>\n<p>This incident is yet further proof that even tech giants sometimes fail to store user data properly. In the case of Yahoo, attackers found security questions and answers stored unencrypted, and accounts without two-factor authentication enabled were left wide open. So, the moral of the story is: don\u2019t rely on social networks or online platforms to secure your personal accounts. <a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-international-password-day-2024\/51095\/\" target=\"_blank\" rel=\"noopener nofollow\">Make up or generate strong passwords<\/a> and store them in <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">Kaspersky Password Manager<\/a>. 
And if you\u2019re worried your data may already have leaked, install any of <a href=\"https:\/\/me-en.kaspersky.com\/home-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener\">our home security solutions<\/a>: <a href=\"https:\/\/me-en.kaspersky.com\/standard?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kstand___\" target=\"_blank\" rel=\"noopener\">Kaspersky Standard<\/a>\u00a0and <a href=\"https:\/\/me-en.kaspersky.com\/plus?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kplus___\" target=\"_blank\" rel=\"noopener\">Kaspersky Plus<\/a>\u00a0both let you specify all the email addresses that you and your family use to sign in to online services. The application regularly checks these addresses and reports any data breaches involving accounts linked to them.<\/p>\n<p>In <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>, in addition to an email list, you can add phone numbers \u2014 these are usually used to identify users of more sensitive online services such as banking. Our application searches for these numbers and addresses in all fresh database leaks, and, if found, warns you and advises what to do (read <a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-international-password-day-2024\/51095\/#:~:text=How%20we%20check%20your%20data\" target=\"_blank\" rel=\"noopener nofollow\">more<\/a> about how we protect you against personal data leaks online or on the dark web).<\/p>\n<h2><strong>4. 
UIDAI (Aadhaar)<\/strong><\/h2>\n<p><strong>In brief:<\/strong> the personal data of almost all citizens and residents of India, held in the world\u2019s largest biometric ID system, went up for sale.<\/p>\n<p><strong>When:<\/strong> 2018.<\/p>\n<p><strong>Who was affected: <\/strong>1.1 billion citizens and residents of India.<\/p>\n<p>The Unique Identification Authority of India (UIDAI) operates the largest biometric identification system in the world, storing the personal data, fingerprints, and iris scans of more than a billion people in India.<\/p>\n<p>While many countries around the world are only planning to implement biometric identification, India has had such a system in place for over a decade already. UIDAI was set up so that every single resident of India would have a unique official state identity number, <a href=\"https:\/\/en.wikipedia.org\/wiki\/Aadhaar\" target=\"_blank\" rel=\"nofollow noopener\">Aadhaar<\/a>.<\/p>\n<p>But in 2018, following a string of data leaks, cybercriminals not only got their hands on the database, but <a href=\"https:\/\/www.thenewsminute.com\/news\/india-saw-world-s-largest-online-data-breach-2018-due-lax-cyber-security-wef-95141\" target=\"_blank\" rel=\"nofollow noopener\">sold access to it for as little as 500 rupees<\/a> (about US$6 at today\u2019s exchange rate). Another massive data breach occurred in 2023, this time <a href=\"https:\/\/logix.in\/blog\/massive-aadhaar-data-breach-exposes-personal-information-of-81-crore-indians-on-dark-web\" target=\"_blank\" rel=\"nofollow noopener\">impacting<\/a> 815 million Indians.<\/p>\n<p>Banks and law enforcement agencies continue to advise victims of the leaks to disable biometric authentication for financial services. But that\u2019s no guarantee of security: unlike a password, a fingerprint or iris pattern cannot be changed once it has leaked, and victims\u2019 names, passport numbers, photos, fingerprints, and other information are likely already in cybercriminal hands.<\/p>\n<h2>5. 
Facebook<\/h2>\n<p><strong>In brief:<\/strong> the company failed to notify users about a data breach it had known about for a full two years.<\/p>\n<p><strong>When:<\/strong> 2019 (the data was published in 2021).<\/p>\n<p><strong>Who was affected: <\/strong>533 million Facebook users.<\/p>\n<p>No one is surprised anymore at seeing the words \u201cFacebook\u201d and \u201cleak\u201d side by side. The platform regularly falls victim to hacker attacks and internal leaks. This particular breach \u2014 the largest in the company\u2019s history \u2014 saw the names, phone numbers, and location data of 533 million users fall into the clutches of cybercriminals. They then posted the data on a hacking forum where anyone could download it all for free. And not only regular users\u2019 account data, but that of <a href=\"https:\/\/techcrunch.com\/2021\/04\/14\/ireland-opens-gdpr-investigation-into-facebook-leak\/\" target=\"_blank\" rel=\"nofollow noopener\">public figures<\/a>, including EU Justice Commissioner Didier Reynders, and then-Prime Minister (now Foreign Minister) Xavier Bettel of Luxembourg.<\/p>\n<p>Note that this leak contained phone numbers and profile details rather than passwords, so a password check alone won\u2019t tell you whether you were affected; that calls for a breach-monitoring check of your email addresses and phone numbers, of the kind described in the Yahoo section above. It\u2019s still worth using our <a href=\"https:\/\/password.kaspersky.com\" target=\"_blank\" rel=\"noopener\">Password Checker<\/a> tool to find out whether any of your passwords have been compromised in other leaks.<\/p>\n<p>The leaked data was current for 2018\u20132019, although information about it appeared only in 2021. How did that happen? In 2019, the attackers scraped the data by abusing a flaw in Facebook\u2019s contact-importer feature, which <a href=\"https:\/\/x.com\/Liz_Shepherd\/status\/1378398417450377222?s=20\" target=\"_blank\" rel=\"nofollow noopener\">Facebook patched<\/a> straight away, but the company then forgot (or preferred not) to inform users of the incident. 
As a result, Meta faced yet more heavy criticism, plus a hefty <a href=\"https:\/\/www.theverge.com\/2022\/11\/28\/23481786\/meta-fine-facebook-data-leak-ireland-dpc-gdpr\" target=\"_blank\" rel=\"nofollow noopener\">\u20ac265 million fine<\/a> from the Irish Data Protection Commission in 2022 (~US$276 million at the time).<\/p>\n<h2><strong>What do these leaks teach us?<\/strong><\/h2>\n<p>The common thread linking all these stories is: \u201cBig Tech helps those who help themselves\u201d. In other words, we are primarily responsible for the security of our data; not Facebook, not Yahoo, not even governments. <a href=\"https:\/\/me-en.kaspersky.com\/home-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener\">Look after<\/a>\u00a0your accounts yourself, make up or generate strong passwords, store them in a <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">secure password manager<\/a>, and take special care when it comes to biometric data.<\/p>\n<ul>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/never-reuse-passwords-story\/24808\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Do not reuse passwords<\/strong><\/a><strong>.<\/strong> If you\u2019re a \u201cone password for all occasions\u201d kind of person and have been using the internet for at least a few years, we\u2019ve some bad news for you (in the link).<\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-international-password-day-2024\/51095\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Check if your passwords have been compromised<\/strong><\/a><strong>. 
<\/strong>If you have <a href=\"https:\/\/me-en.kaspersky.com\/home-security?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_blo_lnk_sm-team______\" target=\"_blank\" rel=\"noopener\">our protection<\/a>, you can use our Data Leak Checker tool to enter a list of email addresses and check your user accounts. <a href=\"https:\/\/me-en.kaspersky.com\/premium?icid=me-en_bb2022-kdplacehd_acq_ona_smm__onl_b2c_kdaily_lnk_sm-team___kprem___\" target=\"_blank\" rel=\"noopener\">Kaspersky Premium<\/a>\u00a0users also have the option to check phone numbers using the Identity Theft Protection feature. The applications automatically check this information for exposure in new leaks. And in <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">our password manager<\/a>, just select Password Check from the menu, or click the key icon on the taskbar, and all stored passwords are checked for strength, uniqueness, and leaks. Everyone else can use our free <a href=\"https:\/\/password.kaspersky.com\" target=\"_blank\" rel=\"noopener\">Password Checker<\/a>.<\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-password-manager-authenticator\/48841\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Use two-factor authentication (2FA)<\/strong><\/a> wherever possible, preferably with an authenticator app rather than SMS codes.<\/li>\n<li><a href=\"https:\/\/www.kaspersky.com\/blog\/how-to-store-passwords-securely\/48784\/\" target=\"_blank\" rel=\"noopener nofollow\"><strong>Do not store passwords in browsers<\/strong><\/a><strong>. 
<\/strong>Use a <a href=\"https:\/\/me-en.kaspersky.com\/password-manager?icid=me-en_kdailyplacehold_acq_ona_smm__onl_b2c_kasperskydaily_wpplaceholder____kpm___\" target=\"_blank\" rel=\"noopener\">password manager<\/a>\u00a0to generate unique, cryptographically strong passwords for all important accounts; then you only need to <a href=\"https:\/\/www.kaspersky.com\/blog\/kaspersky-international-password-day-2024\/51095\/#:~:text=How%20to%20come%20up%20with%20a%20main%20password\" target=\"_blank\" rel=\"noopener nofollow\">think up<\/a> and remember a single main password, which serves as the master key to all the others. This main password protects and encrypts your password vault and other vital data.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>A breakdown of the most high-profile data leaks ever: from Yahoo to RockYou2024.<\/p>\n","protected":false},"author":2754,"featured_media":23207,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1225],"tags":[1449,2567,82,1183,363,97],"class_list":{"0":"post-23206","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-privacy","8":"tag-breaches","9":"tag-databases","10":"tag-hacking","11":"tag-leaks","12":"tag-personal-data","13":"tag-security-2"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/top-five-data-breaches-in-history\/23206\/"},{"hreflang":"en-in","url":"https:\/\/www.kaspersky.co.in\/blog\/top-five-data-breaches-in-history\/27911\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/top-five-data-breaches-in-history\/28087\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/top-five-data-breaches-in-history\/27640\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/top-five-data-breac
hes-in-history\/30364\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/top-five-data-breaches-in-history\/29179\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/top-five-data-breaches-in-history\/38127\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/top-five-data-breaches-in-history\/12767\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/top-five-data-breaches-in-history\/52040\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/top-five-data-breaches-in-history\/22148\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/top-five-data-breaches-in-history\/22917\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/top-five-data-breaches-in-history\/31619\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/top-five-data-breaches-in-history\/28224\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/top-five-data-breaches-in-history\/34020\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/top-five-data-breaches-in-history\/33682\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/leaks\/","name":"leaks"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23206","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/2754"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=23206"}],"version-history":[{"count":1,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23206\/revisions"}],"predecessor-version":[{"id":23208,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/23206\/revisions\/23208"}],"wp:featuredmedia":[{"embeddable"
:true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/23207"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=23206"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=23206"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=23206"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}