Why are data breaches bad?

The 5 biggest data breaches in history and why they matter

Companies need to do more to protect users' private information.

Take Action

Today, companies collect a lot of data about customers, and many of them sell it to others. These practices make us vulnerable to data breaches, which have serious consequences for consumers. 

What is a data breach?

A data breach is the intentional or unintentional release of people’s sensitive, private, or confidential information, typically from a database held by a company or government entity. Data breaches often expose highly personal information, including Social Security numbers and passwords. These events, which are a form of cyberattack, enable unauthorized parties access personal details that they can use to potentially harm consumers.

How do data breaches happen?

Data breaches occur when malicious actors take advantage of weaknesses in an organization’s data protection systems, such as how websites encrypt information. Hackers target entities through a variety of mechanisms, including phishing or malware attacks. In these cases, hackers trick employees into handing over login credentials or downloading harmful software. 

One reason data breaches happen is because many companies are in the business of harvesting and selling consumer data. Often the companies buying and selling your data don’t have up-to-date security protocols. The more companies that hold your data, the more likely it will be exposed in a breach or a hack. The odds that a breach exposes your data will only grow until we take action to regulate how companies gather and sell our data.

Why are data breaches bad?

When companies gather unnecessary data about us and sell it to others, they put us at greater risk of identity theft, fraud and scams. The more companies that hold your data, the more likely a breach or hack could expose it. From there your data can end up in the wrong hands and result in damage to your credit score or identity theft. Cyber criminals may sell Social Security numbers, login credentials, and demographic information to scammers or other bad actors.  

In recent years, cybersecurity attacks like data breaches have become increasingly common and caused serious harm. 

The 5 largest data breaches in history:

yahoo logo

Photo by MIH83 via Pixabay | Pixabay.com

  1. Yahoo 

Date: August 2013 

Number of compromised accounts: 3 billion 

What happened?

In 2016, Yahoo revealed that a 2013 data breach compromised one billion user accounts. Almost a year later, in 2017, the company came forward and admitted that the attack actually affected all three billion customers. 

Hackers allegedly gained access to users’ names, birth dates, phone numbers and passwords. The breach compromised customers’ security questions and backup email addresses, leaving users vulnerable to fraud. A comprehensive investigation, however, revealed that users’ plaintext passwords, payment cards, and bank data were not accessed during the breach. 

Investigators also believe the attackers were potentially associated with the Russian government. Yahoo allegedly weakly encrypted user information, making it susceptible to an attack. 

Yahoo’s disclosure of the true astonishing impact of the attack coincided with its acquisition by Verizon. At the time, Verizon was in the process of purchasing Yahoo for $4.48 billion. As a result of the breach, $350 million was cut from Verizon’s original offer. 

  1. First American Financial 

Date: May 2019

Number of compromised records: 885 million

What happened? 

Brian Krebs, a security researcher, reported more than 885 million sensitive documents were available online from First American Financial, an insurance company. 

Exposed information included customers’ bank numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers, and photos of driver’s licenses. These sensitive documents are reported to have dated back as far back as 2003. 

This information allegedly leaked as a result of a common website design error, known as Insecure Direct Object Reference (IDOR). In this case, a webpage link to sensitive information is created without any way to verify the identity of who is viewing the link. As a result, anyone who comes across the link can access the information. 

While it is possible that bots carried out the attack, Krebs notes that even a “novice attacker” could have facilitated the leak. 

Although it is unclear how many First American customers endured repercussions from the leak, it is obvious that the insurance company did not do enough to safeguard consumers’ private information. 

LinkedIn logo

Photo by BedexpStock via Pixabay | Pixabay.com

  1. LinkedIn 

Date: June 2021

Number of compromised accounts: 700 million 

What happened? 

In 2021, the personal information of 700 million LinkedIn users appeared for sale on a dark web forum. The published sample included email addresses, full names, phone numbers, physical addresses, gender, geolocation records, personal and professional background, and usernames of other social media accounts.

A third party allegedly used LinkedIn’s API to gain access to the slew of data. A statement published by LinkedIn holds that the incident “was not a data breach” and that the stolen information included only “publicly viewable member profile data that appears to have been scraped from LinkedIn.”

To prevent data scraping, companies like LinkedIn should be taking every possible precaution to prevent illicit data harvesting, such as embedding code that can identify web crawlers. Websites should also limit the amount of personal information publicly available to minimize attention from malicious actors. 

Photo by Simon via Pixabay | Pixabay.com

  1. Facebook 

Date: April 2019

Number of compromised accounts: 533 million 

What happened? 

In April 2021, information scraped from a Facebook database in 2019 surfaced on a  hacking forum. The leak compromised personal data of over 533 million users across 106 countries, including individuals’ full names, locations, phone numbers, and birthdates. 

Hackers allegedly had originally collected the data in 2019 due to a faulty feature that allowed users to search for each other via phone number. Facebook reported that this vulnerability had been patched back in August 2019. 

Though the leak compromised millions of users’ information, Facebook did not individually notify affected individuals. 

Photo by Simon via Pixabay | Pixabay.com

  1. Yahoo (again) 

Date: 2014 

Number of compromised accounts: 500 million

What happened? 

It took Yahoo almost two years to report that data belonging to around 500 million users had been compromised and was circulating on the dark web. In 2016, the internet giant reported that users’ names, email addresses, phone numbers, birthdates, encrypted passwords, and security questions were compromised by Russian actors back in 2014.

Following the announcement of the breach, Yahoo later paid a $35 million settlement to the Securities and Exchange Commission (SEC) due to improper investigation and disclosure of the incident. 

Yahoo reports that the 2014 breach is unrelated to the one from 2013 (see #1 on this list). The company’s inability to protect and communicate with users illustrates how customer privacy is not a priority in the organization’s business model.  

Protecting yourself from data breaches

Companies should not collect excessive amounts of user data and should do more to protect the information they do collect. In practice, organizations should only gather the information that is absolutely necessary for the customer to get the service they expect. Companies should only use your data for that purpose, and absolutely not sell or share it with other companies. The more companies that hold your data – and the more data they have – the more likely it is to be exposed in a breach or a hack.  

In the meantime, however, there are some steps you can take to protect yourself and your data.

  1. Read the privacy policies of the websites, apps, and services you use. Avoid any that sell user data.
  2. Don’t automatically hit “accept” on cookie pop-ups. This stops secret companies from harvesting your data in the background while you scroll.
  3. Take the necessary steps to protect yourself from fraud and identity theft
  4. Adjust the settings on your phone and social media apps to maximize your privacy and limit data collection
  5. Put a freeze on your credit – even if you’ve yet to be a victim of a data breach.

Bess Pierre

Intern, Don't Sell My Data campaign

Bess is an intern on the Don't Sell My Data campaign.

R.J. Cross

Director, Don't Sell My Data Campaign, PIRG

R.J. focuses on data privacy issues and the commercialization of personal data in the digital age. Her work ranges from consumer harms like scams and data breaches, to manipulative targeted advertising, to keeping kids safe online. In her work at Frontier Group, she has authored research reports on government transparency, consumer debt and predatory auto lending, and has testified before Congress. Her work has appeared in WIRED magazine, CBS Mornings and USA Today, among other outlets. When she’s not protecting the public interest, she is an avid reader, fiction writer and birder. Though she lives in Boston, she will always consider herself a Kansan at heart.

Find Out More