Top 20 Security Breaches

1. Twitter (2022)
Data Stolen
5.4 million user records, including phone numbers and emails.
Details
Data exposed due to a vulnerability in the API.
Impact
Widespread phishing and account takeover risks.
Method
Hackers exploited an API flaw allowing unauthorized access to user data by linking emails and phone numbers to accounts. The breach highlighted gaps in Twitter's API validation and monitoring. Despite initial reports in January 2022, the data was publicly sold later in the year.
Sources
bleepingcomputer.com/news/security/twitter-data-breach-affects-54-million-accounts
2. T-Mobile (2021)
Data Stolen
40 million customer records, including SSNs and IDs.
Details
Breach impacted prospective and existing customers.
Impact
Identity theft and lawsuits with over $350 million in settlements.
Method
Hackers exploited poorly secured T-Mobile servers, using brute force and privilege escalation to exfiltrate unencrypted sensitive data. The attack revealed the need for better encryption and real-time anomaly detection.
Sources
theverge.com/2021/8/18/22631044/t-mobile-data-breach-40-million-customers-ssn-stolen
3. Facebook (2019)
Data Stolen
540 million user records, including account details and interactions.
Details
Data left exposed by third-party app developers.
Impact
Trust erosion and increased user caution on third-party apps.
Method
Third-party developers stored sensitive user data in unsecured cloud servers without encryption. Attackers exploited these misconfigured databases to access vast quantities of Facebook data.
Sources
wired.com/story/facebook-data-leak-amazon-servers
4. Marriott (2018)
Data Stolen
383 million guest records, including passport numbers and payment data.
Details
Data breach lasted four years before discovery.
Impact
Loss of customer trust and a $123 million fine under GDPR.
Method
Hackers infiltrated Marriott's Starwood database using compromised credentials, deploying malware for long-term surveillance. The breach exposed weak database monitoring and slow incident response.
Sources
reuters.com/article/marriott-breach
5. Equifax (2017)
Data Stolen
147.9 million records, including SSNs, dates of birth, and financial data.
Details
Affected nearly half the U.S. population.
Impact
$700 million in fines and loss of consumer trust.
Method
Attackers exploited an unpatched Apache Struts vulnerability to infiltrate Equifax’s systems. The attackers accessed sensitive data over several months before detection. The breach highlighted the importance of timely patch management.
Sources
nytimes.com/2017/09/07/business/equifax-cyberattack
6. Uber (2016)
Data Stolen
57 million user and driver records, including license details.
Details
Covered up for a year before disclosure.
Impact
$148 million in settlements and loss of consumer trust.
Method
Hackers accessed Uber’s GitHub repository containing hardcoded AWS credentials. They used these credentials to access cloud databases storing sensitive user data. The breach exposed poor key management and lack of database access controls.
Sources
bloomberg.com/news/articles/2017-11-21/uber-concealed-cyberattack
7. LinkedIn (2016)
Data Stolen
117 million account credentials.
Details
Data originally stolen in 2012 was sold in 2016.
Impact
Credential-stuffing attacks on LinkedIn users and beyond.
Method
SQL injection vulnerabilities allowed attackers to access LinkedIn’s database in 2012. The passwords were protected only with SHA-1, a weak hashing algorithm, which left them vulnerable to cracking years later. The incident emphasized the importance of keeping password protection up to date.
Sources
theverge.com/2016/5/18/11690850/linkedin-password-breach
8. Anthem (2015)
Data Stolen
78.8 million records, including medical data and SSNs.
Details
One of the largest healthcare data breaches in history.
Impact
Healthcare fraud and $115 million settlement.
Method
Attackers infiltrated Anthem’s systems using spear-phishing emails targeting employees. Once inside, they moved laterally to exfiltrate unencrypted sensitive records. Anthem faced criticism for failing to encrypt critical data.
Sources
healthcareitnews.com/anthem-hack-2015
9. Sony Pictures (2014)
Data Stolen
Corporate emails, unreleased films, and employee data.
Details
Politically motivated attack tied to North Korea.
Impact
Reputational damage, with over $15 million in direct costs.
Method
Spear-phishing emails delivered malicious links to employees, leading to malware installation. Privilege escalation allowed attackers to compromise internal servers and exfiltrate data.
Sources
nytimes.com/2014/12/18/us/north-korea-sony-hack
10. Target (2013)
Data Stolen
110 million records, including payment card data and personal details.
Details
Breach exploited third-party vendor access.
Impact
Over $200 million in costs and 90+ lawsuits.
Method
Hackers accessed Target’s network using credentials stolen from a third-party HVAC vendor. They deployed POS malware to capture transaction data in real time. Insufficient network segmentation allowed attackers to move freely within the system.
Sources
reuters.com/article/us-target-breach
11. eBay (2014)
Data Stolen
145 million accounts, including encrypted passwords.
Details
Employee credentials used to access sensitive data.
Impact
Global account compromise risks and loss of user trust.
Method
Hackers gained access by stealing employee credentials through phishing attacks. Weak internal access controls allowed unauthorized entry to customer databases. Though passwords were encrypted, the lack of robust hashing algorithms made them susceptible to brute-force attacks.
Sources
bbc.com/news/technology-27539797
12. Adobe (2013)
Data Stolen
153 million user records, including emails and hashed passwords.
Details
Data exposed on dark web marketplaces.
Impact
Risk of account compromise due to weak password security.
Method
SQL injection vulnerabilities were exploited to access Adobe’s databases. Passwords were stored using inadequate encryption techniques, making decryption feasible for attackers. Adobe’s delayed response exacerbated the breach’s impact.
Sources
theguardian.com/technology/2013/oct/04/adobe-hack-2-9-million-customers
13. PlayStation Network (2011)
Data Stolen
77 million accounts, including payment information.
Details
Network taken offline for 23 days.
Impact
$171 million in costs and extensive reputational damage.
Method
Hackers exploited poor authentication mechanisms and weak firewalls to access sensitive payment information. The lack of encryption for stored data further worsened the breach's scope. The attack exposed significant gaps in Sony's cybersecurity protocols.
Sources
bbc.com/news/technology-13192359
14. RSA Security (2011)
Data Stolen
SecurID token data and proprietary files.
Details
Breach jeopardized high-profile clients’ security systems.
Impact
Major costs incurred for token replacements and system overhauls.
Method
Spear-phishing emails sent to employees deployed zero-day malware. Attackers gained access to the internal network and extracted sensitive authentication token data. The breach emphasized the risks of email-borne threats and inadequate endpoint security.
Sources
arstechnica.com/information-technology/2011/06/rsa-blames-hackers-for-security-breach
15. Heartland Payment Systems (2008)
Data Stolen
130 million credit/debit card details.
Details
Breach uncovered during routine checks by payment processors.
Impact
Largest payment system breach of its time, with financial fraud extending to millions of users.
Method
SQL injection attacks enabled attackers to access the payment processing systems. Malware was deployed to intercept data in transit, revealing the lack of encrypted communication for transaction data.
Sources
csoonline.com/article/2130877/heartland-payment-systems-hack
16. TJX Companies (2007)
Data Stolen
94 million payment card records.
Details
Breach lasted for 18 months, affecting millions globally.
Impact
Fraudulent transactions and over $250 million in costs.
Method
Hackers exploited weak encryption on TJX’s wireless network to intercept transaction data. Poorly secured systems allowed attackers to collect payment card information for extended periods without detection.
Sources
theguardian.com/business/2007/mar/29/technology.money
17. Zappos (2012)
Data Stolen
24 million accounts, including partial credit card data.
Details
Customer data exposed, leading to phishing attempts.
Impact
Reputational damage and increased scrutiny of e-commerce security.
Method
Attackers exploited vulnerabilities in Zappos’ customer service system to access user accounts. Poor data segregation and lack of multi-factor authentication allowed lateral movement within the network.
Sources
reuters.com/article/us-zappos-breach
18. MySpace (2013, revealed in 2016)
Data Stolen
360 million accounts, including plaintext passwords.
Details
Legacy systems left unprotected, exposing user data.
Impact
Credential-stuffing attacks on MySpace and linked accounts.
Method
Hackers exploited aging infrastructure that stored passwords in plaintext. The lack of modern encryption and of proper system decommissioning practices contributed to the breach.
Sources
forbes.com/sites/thomasbrewster/2016/05/31/myspace-data-breach
19. Yahoo! (2013, revealed in 2016)
Data Stolen
3 billion accounts, including emails, passwords, and security questions.
Details
Largest single data breach in history.
Impact
Massive financial and reputational losses; delayed disclosure worsened consequences.
Method
Attackers used forged cookies and spear-phishing techniques to access Yahoo's systems. Poor encryption and internal security policies allowed the breach to go undetected for years.
Sources
nytimes.com/2016/12/15/technology/yahoo-hack
20. Ashley Madison (2015)
Data Stolen
32 million records, including user identities and personal preferences.
Details
Sensitive user data publicly exposed, leading to significant personal fallout.
Impact
Several lawsuits and loss of user trust.
Method
Hackers breached Ashley Madison’s systems by exploiting weak database configurations. Inadequate encryption and insufficient internal controls allowed attackers to exfiltrate user data. The incident highlighted the importance of securing sensitive personal information.
Sources
wired.com/2015/07/ashley-madison-hack