Inside the Breaches That Rocked the World

Omar
May 6, 2025

A cybersecurity breach occurs when someone gets into a computer system or network without permission. This unauthorized access can put confidential information at risk, mess up how things work, and lead to money loss or damage to a company's reputation.

Breaches occur in different ways, including malware, fake emails to trick people, attacks that lock up your files, or when private information is stolen. These attacks can have serious effects on individuals, businesses, and even countries.

As we use digital technology more, there's a lot more data moving around. Along with this increase, data breaches have also grown. Attackers are taking advantage of how much we rely on data in our daily lives.

We can only guess how big future cyberattacks might be, but as the list of major data breaches in the 2000s shows, they are already very large.

7 Massive Data Breaches You Need to Know About

To maintain transparency, this list was put together based on how many people were affected, how many records were exposed, or how many accounts were impacted. We have also separated attacks where data was actually taken or shared with bad intentions from cases where a company accidentally left data unprotected, but there's no strong proof it was used improperly. 

We have intentionally not included the accidental cases in this list.

Yahoo

Date: August 2013

Affected Users: 3 billion accounts

This happened nearly seven years ago, and it's been twelve years since we learned the real number of records that were exposed. Yahoo first told the public about this incident in December 2016, saying it happened in 2013. At that time, Verizon was buying Yahoo. Yahoo estimated that a group of hackers had gotten access to the account information of over a billion of its customers.

Not even a year later, Yahoo announced that the true number of user accounts affected was actually 3 billion. Yahoo explained that this updated number didn't mean there was a new security problem. They also said they were sending emails to all the extra user accounts that were affected.

Even though the attack happened, the agreement with Verizon still went through, but for a lower price. At that time, Verizon's head of security, Chandra McMahon, stated:

"Verizon is dedicated to being very responsible and open. We actively work to keep our users and systems safe and secure as online threats change. Our support for Yahoo is helping their team make big improvements to their security. They are also getting help from Verizon's knowledge and resources."

After looking into it, it was found that although the attackers got hold of account details like security questions and their answers, they did not steal passwords, payment card details, or bank information.

Aadhaar

Date: January 2018

Affected Users: Information about the identity and unique physical traits of 1.1 billion people in India was revealed.

In early 2018, it became known that hackers had gotten into Aadhaar, the world's biggest identity system. This exposed details for over 1.1 billion people in India, including their names, addresses, pictures, phone numbers, and email addresses, as well as unique physical information like fingerprints and eye scans.

Because the database, created by the Unique Identification Authority of India (UIDAI) in 2009, also contained details about bank accounts linked to unique 12-digit numbers, it also became a breach of financial information. This happened even though the UIDAI first said that the database did not contain this kind of information.

The people who accessed the Aadhaar database did so through the website of Indane, a company owned by the government. This company was connected to the government database using a special link that lets different computer programs share information.

Unfortunately, the way Indane's system connected to the database had no security checks, which made the information easily accessible. People who illegally accessed the data sold it for as little as $7 through a messaging group. Even though security experts and technology groups alerted them, it took Indian officials until March 23, 2018, to close this weak access point.

LinkedIn

Date: June 2021

Affected Users: 700 million people

In June 2021, information about 700 million users from the professional networking website LinkedIn appeared on a hidden online forum. This affected over 90% of their users. A hacker known as "God User" collected this data by using automated tools to gather information through the website's (and others') systems. First, they released a set of data for about 500 million users. Later, they claimed they were selling the complete database of 700 million users.

LinkedIn stated that this event was a violation of their rules, not a data breach, because sensitive private information wasn't exposed. However, a sample of the collected data shared by God User included details like email addresses, phone numbers, locations, genders, and links to other social media.

As the UK's NCSC warned, once this kind of information has been leaked, it gives attackers a lot to work with to create believable attacks that trick people.

Sina Weibo

Date: March 2020

Affected Users: 538 million accounts

Sina Weibo is a major social media site in China with more than 600 million users. In March 2020, the company shared that someone illegally got hold of a section of their database. This affected 538 million Weibo users.

The information taken included their real names, usernames on the site, gender, location, and phone numbers. Reports say the person who took the data then sold it on the dark web for $250.

Following the incident, China's Ministry of Industry and Information Technology (MIIT) told Weibo to improve how it protects data to keep personal information safer. They also said Weibo must inform users and the government when data security problems happen.

In response, Sina Weibo stated that someone collected information that was already publicly available. They said this was done by using a tool designed to help people find friends' Weibo accounts by entering their phone numbers. Weibo also said that no user passwords were compromised in this incident.

However, the company did admit that if users used the same password for their Weibo account and other online accounts, the exposed information could potentially help link those accounts to their passwords. 

Weibo stated that it has made its security approach stronger and has shared the details of the incident with the proper authorities.

Facebook

Date: April 2019

Affected Users: 533 million users

In April 2019, it became known that information from two sets of data from Facebook apps was available on the public internet. This information belonged to over 530 million Facebook users and contained phone numbers, account names, and Facebook IDs. Two years later, in April 2021, this data was shared for free online, showing a new and serious criminal purpose behind making the data available.

Because so many phone numbers were affected and could be found easily online after this event, a security expert named Troy Hunt added a feature to his website, HaveIBeenPwned (HIBP). This website helps people check if their information has been stolen. The new feature lets users see if their phone numbers were part of the data that was made public.

"I never planned to let people search using phone numbers," Hunt explained in a blog post.

"I thought it wasn't a good idea for several reasons. But the Facebook data changed my mind. There are more than 500 million phone numbers in the data, but only a few million email addresses. This meant that over 99% of people wouldn't find out if their information was in the data if they only searched by email, even though it was there."

Marriott International (Starwood)

Date: September 2018

Affected Users: 500 million customers

Marriott International announced that private information for 500 million guests who stayed at Starwood hotels was exposed after their computer systems were attacked in September 2018. In a public statement in November of that year, the large hotel company said:

"On September 8, 2018, Marriott got a warning from one of their security tools about someone trying to get into the Starwood guest booking database. Marriott quickly hired top security experts to help figure out what happened."

During their investigation, Marriott found out that someone had been improperly accessing the Starwood computer network since 2014. Marriott stated:

"Marriott recently found out that an unauthorized person had copied and scrambled information and was trying to take it. On November 19, 2018, Marriott was able to unscramble the information and found that it came from the Starwood guest booking database."

The information that was copied included guest names, home addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account details, birth dates, gender, check-in and check-out dates, booking dates, and how guests prefer to be contacted.

For some guests, the information also included credit card numbers and when they expire. However, these payment details were reportedly scrambled to protect them.

After the security issue, Marriott conducted an investigation with help from security professionals. As a result, they announced they would gradually stop using the Starwood computer systems and improve security measures on their network more quickly.

In 2020, the Information Commissioner’s Office (ICO), the UK's data protection authority, fined the company £18.4 million (originally £99 million) because they did not properly protect customers' personal information. According to an article in the New York Times, the attack was believed to be carried out by a Chinese spy group trying to collect information on people from the United States.

Adult Friend Finder

Date: October 2016

Affected Users: 412.2 million accounts

In October 2016, cybercriminals stole user information collected over 20 years from six databases belonging to The FriendFinder Network. This company runs social media sites for adults, including Adult Friend Finder, Penthouse.com, and Stripshow.com, which offer sensitive content.

The theft of data from over 414 million accounts, including names, email addresses, and passwords, could have serious consequences for the people affected due to the private nature of the services.

Most of the stolen passwords were protected using an old and weak method called SHA-1. By the time the website LeakedSource.com examined this data on November 14, 2016, it was estimated that about 99% of these passwords had been easily figured out.
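The weak password storage described above can be phased out without forcing a mass reset. The following is an added example, not code from the original article or from any company named in it: it verifies old SHA-1 records and re-hashes them with salted PBKDF2 on the next successful login. It assumes the legacy records are bare, unsalted SHA-1 hex digests (the article does not say); the function names, record format and iteration count are illustrative.

```python
from __future__ import annotations

import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune to your own hardware


def legacy_sha1(password: str) -> str:
    """The weak scheme: one fast, unsalted SHA-1 pass (kept only to read old records)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: bytes | None = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as scheme$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)  # unique salt per record
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, stored: str) -> tuple[bool, str]:
    """Check a login and return (ok, record_to_store).

    Legacy SHA-1 records are re-hashed on success, while the plaintext is in hand.
    """
    if stored.startswith("pbkdf2_sha256$"):
        _, iterations, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        # Constant-time comparison avoids leaking how many characters matched.
        return hmac.compare_digest(candidate.hex(), digest_hex), stored
    # Assumption: anything else is a legacy bare SHA-1 hex digest.
    if hmac.compare_digest(legacy_sha1(password), stored.lower()):
        return True, hash_password(password)
    return False, stored
```

With the unsalted scheme, two accounts that share a password get the same digest; after the upgrade each record has its own salt, so equal passwords no longer produce equal records.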
