Cyber attacks are an unpleasant fact for modern business. They are mainly motivated by money, with cybercriminals looking for data they can use in identity fraud or the ability to hold their targets’ IT systems for ransom. The global cost of cybercrime is expected to reach $10.5 trillion by 2025.
But cyberattacks can also be politically motivated, and companies can find themselves caught in the crossfire between nation-states seeking to destroy or steal secrets from their geopolitical rivals.
Technical monitor looked at the number of affected users to compile this list of the five biggest cyberattacks in history. As the list reveals, massive amounts of customer data have been stolen over the past decade, causing both financial and reputational damage to the targeted companies.
1. RockYou2021: Biggest Password Leak Ever – 2021
The largest collection of stolen passwords of all time leaked 8.4 billion passwords.
The password hacker published a 100GB txt file containing 8.4 billion entered passwords along with previous data leaks.
The hacker announced that the list contained 82 billion passwords. However, the exact number is about ten times smaller. Security experts also say businesses and consumers are at risk.
Cybersecurity expert Troy Hunt explained on Twitter that RockYou2021 is not actually a list of 8.4 billion passwords. In fact, 100GB appears to be a compilation of leaked old passwords, possible and commonly used passwords, and word sheet. This still makes it the biggest leak to date, due to the actual number and weight of the data.
Content from our partners
2. Cyber attack against Yahoo – 2014
In 2016, web giant Yahoo Inc. disclosed that the personal data is related to at least 500 million accounts was stolen in 2014 by an actor believed to be state-sponsored.
Cybercriminals stole email addresses, passwords, phone numbers, dates of birth and names, Yahoo said. However, secure passwords, payment information, and bank account information do not appear to have been compromised.
The main hacker is named Aleksei Belan, who is a Latvian hacker employed by Russian agents. He was able to gain access to Yahoo’s user database and account management tool through a phishing campaign specifically targeting Yahoo employees.
There were financial, business and societal consequences. Even if the most valuable data was untouched, the attack on Yahoo was unprecedented in scale, causing economic losses, particularly around the company’s $4.83 billion cash sale of its Internet business to Verizon Communications Inc. Yahoo allegedly misled Verizon with false information and ultimately signed a stock settlement without disclosing the breach. That prompted Verizon to negotiate $350 million less for the Yahoo acquisition.
The day after the attack, Yahoo’s stock price fell 3% and lost $1.3 billion in market capitalization.
In March 2017, the Department of Justice charged four individuals with the attack. Two of them were Russian intelligence officers who gathered information to spy on a number of targets in the United States.
Yahoo was accused of negligence after taking two years to disclose the security breach to investors and the public. CEO Marissa Mayer opposed the idea of asking affected users to change their passwords, believing that Yahoo would lose customers that way.
Other financial implications include:
- Yahoo was fined $35 million by the Securities and Exchange Commission (SEC) as a penalty for misleading the public and failing to notify customers of the breach.
- Yahoo had to pay $85 million as part of the damages settlement fees and had to provide free credit monitoring services to more than 200 million customers.
- Yahoo had to pay $35 million in legal fees and another $16 million for their cyber incident,
- Yahoo paid another $11 million in legal fees, their investigations by five state and federal agencies, and 44 class-action lawsuits.
Because of the breach response, the SEC’s administrative order alleges that Yahoo violated Sections 17(a)(2) and (3) of the Securities Act of 1993 and Section 13(a) of the Securities Exchange Act of 1934 Mr.
3. Cyberattack on Marriott Hotels – 2014
The ICO explained that names, passport details, contact information and credit card information were compromised. The breach involved seven million guest records for people in the UK. This was made possible by another security failure on Marriot’s part: while the credit card numbers were stored in encrypted form, the encryption keys were stored on the same server. The same applies to passport numbers.
The first part of the cyberattack took place in 2014, also affecting the Starwood Hotels group, which Marriott bought in 2016. However, the problem was not noticed until 2018. This meant that for four years the attackers continued to have access to all affected data.
The ICO’s investigation showed that there were failures by Marriott to put in place appropriate technical or organizational measures to protect the personal data processed on its systems as required by the General Data Protection Regulation (GDPR).
4. Sony’s PlayStation Network Attack – 2011
In 2011, Sony revealed that the names, addresses and other personal data of around 77 million users of its PlayStation Network (PSN) had been stolen.
Gamer accounts were blocked and locked from the network for a week as the system was shut down to avoid more data breaches. An “illegal and unauthorized person” gained access to the data, including names, addresses, email addresses, usernames, passwords, security questions and in some cases even payment details.
This stolen data may also include information about children.
Sony’s PSN is one of the biggest holders of credit card data, and the breach may be the biggest leak of credit card information ever. However, Sony said at the time that it had found no evidence that credit card information had been stolen, although it still advised users to be vigilant.
A few weeks after the attack, Sony announced a “welcome back” program for its affected customers, as well as issued a press release. In this program, Sony promised to include 30 days of free PlayStation Plus membership for all PSN members, while existing PlayStation Plus members received an additional 30 days on their subscription.
Over 12,000 credit card numbers, albeit in encrypted form, from non-US cardholders and additional information was available from 27.4 million accounts. Sony also sent a letter to the US House of Representatives announcing that they will provide $1 million in identity theft insurance policies per PlayStation Network user. among other things.
About a month after the attack, Sony said the cost of the outage amounted to 171 million dollars.
The UK Information Commissioner’s Office has fined Sony £250,000 for breaching the UK Data Protection Act. Then on April 27, 2011, a lawsuit was published by Christopher Johns of Alabama on behalf of all PlayStation users, alleging that Sony “failed to encrypt data and create adequate firewalls to handle a case of server intrusion’.
Another lawsuit from Canada against Sony USA, Sony Canada and Sony Japan is seeking up to C$1 billion in damages.
5. Uber Data Breach – 2016
Just this weekUber admits to a huge cover-up data breach this happened in 2016. The company as early as 2016 failed to notify individuals and regulators as well as the public. The attack exposed the confidential data of 57 million customers and drivers.
Hackers used stolen credentials to gain access to a private source code repository and obtain a proprietary access key, which then allowed them to access and copy large amounts of data related to Uber users and drivers, such as data on 600,000 driving license numbers.
The company admitted it paid the hackers $100,000 to delete the information and keep the cyberattack quiet, as Bloomberg reported. Because of Bloomberg’s damning report, Uber CEO Dara Khosrowshahi wrote public statement on behalf of the company. “None of this should have happened and I will not make excuses for it,” she said, “while I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. “
Uber admitted to the breach as part of an agreement with the US Department of Justice to avoid prosecution. According to the settlement, the CEO and his team reported the breach to affected people a year after it happened. Drivers, the public and state authorities decided not to pursue Uber because of its decision to disclose, as well as an agreement with the Federal Trade Commission in 2018 to report any future cyberattack to state regulators. The settlement also acknowledges that Uber paid $148 million to settle a civil dispute related to the data breach.
Uber’s chief security officer at the time, Joe Sullivan, was also complicit in the cover-up that led to his firing by Khosrowshahi in 2017. Sullivan was subsequently charged with obstruction of justice for experience yes hiding a data breach from FTC and Uber management. His case is due to be heard in September 2022.
6. Adobe Cyber Attack – 2013
Software maker Adobe was the victim of a cyber attack which compromised around 38 million active users. The company initially announced that 2.9 million accounts were affected.
The attackers also accessed data from an unspecified number of accounts that were unused or disabled.
Hackers have stolen not only user data, but also part of the source code of popular photo editing software Photoshop, as well as Acrobat PDF Editor.
In May of that year, Adobe moved several of its products to a subscription model. Its users now have to register an account and provide their payment card details.
The consequences of this cyberattack were relatively minor. Adobe only had to pay $1 million to settle a lawsuit brought by 15 attorneys general. Additionally, the hacker – a 39-year-old man from the Netherlands – also avoided prison.
Read more: The Biggest Cryptocurrency Hacks of All Time