30.11.2024
The number of data leaks has been steadily increasing over the past few years. News of new data breaches and hacks appears daily. Today, we look back at 5 of the biggest and worst data breaches in history.
RockYou2024 is the pinnacle of data breaches and a warning to those who think hackers don't care. In July 2024, attackers published a large number of passwords on a hacker forum. This collection is based on the old RockYou2021 data leak, but RockYou2024 is still quite relevant. 83% of passwords can be cracked within an hour using a special matching algorithm, and only 4% (328 million) can be categorized as secure, meaning it would take more than a year to crack them using advanced algorithms.
More than a decade ago, Yahoo was hacked via a phishing email, leading to a series of reports of alleged data breaches. Initial reports suggested hundreds of millions of accounts, but this figure was later revised upwards to around 500 million. In 2017, shortly after the company's upcoming deal with Verizon, it was revealed that all three billion accounts were affected. Hackers were able to access names, email addresses, birth dates, and phone numbers. Even worse, they were able to access accounts of users who hadn't changed their passwords in years. That's why it's so important to change passwords regularly and delete old profiles.
This incident is further proof that even large tech companies can fail to properly store user data. In the case of Yahoo, attackers discovered an unencrypted Q&A database, and some accounts lacked two-factor authentication altogether. The lesson from this incident is that you should not rely on social media or online platforms to protect your personal accounts. You need to create or generate strong passwords.
The Unique Identification Authority of India (UIDAI) manages the world's largest biometric identification system, which stores the personal data of over one billion people in India, as well as biometric information such as fingerprints and iris images. While many countries around the world are currently planning to introduce biometric identification, India has had such a system in place for over a decade. UIDAI was created to provide a unique official 'Aadhaar' identification number to all residents of India.
In 2018, after a series of data breaches, cybercriminals not only gained access to the database but also sold it for just Rs. 500 crores (about $6 at current exchange rates). In 2023, there was another major data breach affecting 815 million people in India. Banks and law enforcement agencies are still advising data leak victims to disable biometrics in financial services. However, this does not guarantee security, as names, passport numbers, photos, fingerprints and other information can fall into the hands of cybercriminals.
The combination of the words “Facebook” and “data leak” will not surprise anyone. The platform regularly suffers hacker attacks and internal data breaches. This time, in the largest leak in the company's history, attackers took possession of the names, phone numbers and location data of 533 million users. They then published this data on hacker forums where anyone could download it for free. The data included not only the accounts of ordinary users, but also those of famous personalities such as EU Justice Commissioner Didier Reynders and the then Prime Minister of Luxembourg (now Foreign Minister) Xavier Bettel.
The data leak occurred between 2018 and 2019, but was first reported in 2021. Why did it happen? Hackers exploited a security vulnerability in 2019, which Facebook quickly patched but then forgot (or intentionally failed) to notify users of the incident. As a result, Meta was heavily criticized and fined $265 million.
The CAM4 incident is interesting for two reasons: the information accessed and the manner in which it was accessed. In addition to 'standard' data such as name, email address and payment history, more private information was exposed. This included gender preferences and sexual orientation. Users were required to provide this information when registering before accessing content on the adult platform. The source of the data leak was an insecure Elasticsearch database. However, the worst-case scenario was not realized and there were no unpleasant consequences. If all the reports of these 5 data leaks were compiled into a book, it would be quite thick, but the CAM4 story would take up a small but important chapter, “The Biggest Data Leak in History That Didn't Happen.” Fortunately, the database was shut down and moved to the company's local network within 30 minutes of discovering the bug.
The common theme of these cases is that big companies are not responsible for us. In other words, we are primarily responsible for the security of our data, not Facebook, Yahoo, or the government. Take control of your accounts, create or generate strong passwords, store them in a secure password manager, and be extra careful, especially when it comes to biometric data.