From the Emmy Awards to the Olympics, world records were set and broken throughout 2016. However, none were as impressive as those in the cybersecurity world. Previously, 2014 held the record for the largest number of records compromised or stolen in a single year, but 2016 broke that number, and then some. From the Yahoo breaches that were discovered to the Democratic National Convention hack that, ultimately, may have influenced the 2016 U.S. Presidential election, last year boasted not only some of the biggest data breaches on record, but also some of the most important on a global scale. We took a look at the top five data breaches, and how they stack up.
5. Global Email Providers
In 2016, while monitoring the Dark Web, Hold Security discovered a repository of 1.2 billion email credentials for sale by an “underground Russian cyber gang.” The database actually listed 4.5 billion records, but after acquiring it, the firm discovered only 1.2 billion unique email addresses listed, belonging to approximately 272.3 million users.
The emails were acquired by hackers who targeted less secure websites where these credentials were used to log in, and traced them back to the originating accounts. The database included 57 million Mail.ru accounts, 40 million Yahoo accounts, 33 million Hotmail accounts, and 24 million Gmail accounts, among others. Amazingly, Hold Security was able to “purchase” the entire database for free – simply by providing a positive review for the seller on the marketplace.
4. MySpace
Though the site is long defunct, many former users discovered that their MySpace accounts were coming back to haunt them in 2016. In May, it was discovered that a password dump dating back to 2013 had surfaced online from the former social network. The passwords, which had been stored by MySpace in the then popular but now discredited SHA1 hash system, covered nearly every account on the site at the time, about 360 million. Though experts are unsure of how the site had originally been compromised, it was clear that the hackers had targeted user credentials.
Furthermore, this hack brought what was, at the time, the largest data breach ever recorded into the spotlight. But that record didn’t last long…
3. AdultFriendFinder
One of the biggest, and most scandalous, hacks of 2015 was the Ashley Madison attack, but 2016 beat that record, as well as the one set just a few months before it by MySpace, when hackers leaked account details for 412 million AdultFriendFinder.com accounts online. The network of adult websites still has not confirmed the data breach, only that there was a vulnerability in their system, but since November, not only login credentials but also VIP member status, browser information, past purchases and last login IP address locations have leaked. This breach was about 13 times the size of the Ashley Madison breach, which led to some high-profile users being “outed.”
2. Yahoo
The record for largest number of records compromised was once again broken shortly after when a 2014 breach at Yahoo! was revealed. The internet giant announced that approximately 500 million user accounts had been compromised, but the best was still to come. While investigating the 2014 breach, the company discovered an even larger attack in 2013 that had gone unnoticed. Yahoo! broke the world record twice, for a total of 1.5 billion user credentials compromised. That number later swelled to 3 billion, which was all of Yahoo’s users. In fact, the total breach accounted for more than the entirety of reported breaches in 2014, often referred to as “the year of mega breaches.”
1. Democratic Party
Sheer size isn’t the only key factor in considering a data breach, however. When looking at the last year of cyberattacks, it’s impossible to ignore the magnitude of the several data breaches that compromised the United States Democratic Party.
In July, a collection of sensitive emails between members of the Democratic National Committee (DNC) was published by WikiLeaks that indicated a large internal conspiracy to undermine the campaign of Bernie Sanders and elevate Hillary Clinton as the Democratic nominee for President. The 19,000-plus emails also included financial and donor information, as well as correspondence that led to the resignations of several key DNC members, including then-chair Debbie Wasserman Schultz.
Following the DNC breach, it was revealed that the Democratic Congressional Campaign Committee’s email servers had also been targeted. The private information, including home phone numbers and addresses, of numerous Democratic congressmen and women was exposed. This massive breach of privacy led to police being stationed at the homes of House Democrats, and many were forced to change their personal cellphone numbers and email addresses to avoid harassment.
Finally, the Clinton Campaign itself was compromised when the email account of John Podesta, Clinton’s campaign manager, was breached. Reports show that Podesta received a phishing email, which he flagged and asked staff IT to review. A typo in the response, stating that the email was “legitimate” instead of “illegitimate,” led Podesta to click on the link and give the hackers full access to his account. The resulting leak of more than 20,000 pages of emails included details on the inner workings of the campaign, emails between Podesta and President Obama, excerpts from Clinton’s paid Wall Street speeches, and more.
Perhaps the most impactful point of the Democratic Party’s breach is its attribution to the Russian government. Following numerous investigations into the incidents, the FBI and CIA concluded that the Democratic Party was targeted by the Russian government in an effort to undermine its campaigns during 2016, and reduce the chances of Sanders or Clinton winning the election. Though these conclusions are still unconfirmed, there is an ongoing investigation into Russia’s involvement in swaying the presidential election in favor of Donald Trump.
Data breaches are going to continue to increase in both size and impact unless we change how we approach security and user authentication. If you don’t want to be one of the top breaches of 2017, you need to act fast to secure your data, employees, and customers with biometric authentication.
UPDATE: In October 2017, news sources revealed that Yahoo’s 2013 breach actually affected all 3 billion of its users. This post has been updated to reflect this new information.