CNBC

How Yahoo’s one billion account breach stacks up with the biggest hacks ever

Yahoo’s big one billion account hack sits high up in an analysis of the many high-profile breaches reported over the years

PUBLISHED : Friday, 16 December, 2016, 2:45pm
UPDATED : Friday, 16 December, 2016, 2:46pm

More than a billion Yahoo user accounts were hacked in 2013.

That comes in addition to the 500 million user accounts that were stolen in 2014, a breach that was announced in September. At the time, that attack was regarded as the largest-ever single-source data hack in history. Then on Wednesday, the company announced a second hack that more than doubled the record.

In recent years, high-profile hacks have become bigger and more frequent. Some of that trend stems from greater use of online storage and social media. Some is linked to more sophisticated tools being deployed to get your personal information. Theft of portable devices like laptops, along with unintended disclosures, used to account for a much larger share of data breaches, according to a database of reported breaches.

This year has seen an increase in reports of massive hacks, some of them dating back years.

Information in the newly announced Yahoo hack could include names, email addresses, telephone numbers, dates of birth, passwords and unencrypted security questions and answers, the company said in a statement.

It’s hard to pin down how many users are affected by any given hack, but the scale of records made vulnerable in any such intrusion can be massive. One billion accounts is far and away the biggest data breach yet reported from a single source. Below is a rundown of some of the biggest data breaches, according to the database maintained by the Privacy Rights Clearinghouse.

It’s unclear how many of the 1 billion accounts were also part of the earlier attack.

The compromised accounts came to light after an unidentified third party gave law enforcement officials data files they claimed contained Yahoo user information. Based on an analysis by outside forensic experts, Yahoo announced on Wednesday that the user data came from a previously undisclosed hack dating from August 2013.

Yahoo hasn’t identified the source of the attacks, but said the billion-account attack is connected “to the same state-sponsored actor believed to be responsible for the data theft the company disclosed on September 22, 2016.”

After several months of research, cybersecurity firm Hold Security discovered that an unnamed Russian gang had amassed more than 4.5 billion credentials from websites across the web. About 1.2 billion of those were unique. While technically bigger than the Yahoo breach in aggregate, the 1.2 billion accounts came from across many different sites, not just one source.

The amazing feat of online thievery was accomplished by buying a smaller set of credentials and using those to attack sites. The gang also used compromised accounts to search the web for other vulnerable sites, eventually robbing over 420,000 sites of all sizes.

Back in September, Yahoo disclosed a hack that compromised half a billion accounts. At the time, that was the biggest single-source hack in history. The data, which was stolen by what the company called a “state-sponsored actor,” may have included names, passwords, emails, telephone numbers, dates of birth and security questions and answers, the company said, but not financial information.

The breach dated to 2014 and came to light in August, when a group of hackers was discovered trying to sell information for 200 million accounts on the internet.

Sometime before June 2013, the once-popular social networking site MySpace was attacked. It wasn’t until May 2016 that the company (then owned by Time) reported that 360 million accounts, with user names, passwords and emails, were for sale in an online hacker forum.

MySpace reacted by invalidating the passwords of accounts that were known to be included in the leak. Even so, users frequently use similar passwords on different sites, so stolen passwords can be used to gain access to other sites as well.

The hack was attributed to the Russian hacker “Peace,” who also posted the original offer to sell the 200 million Yahoo accounts for US$1,800 earlier this year.

“Peace” was also found trying to sell 167 million LinkedIn user accounts — 117 million of which had both emails and encrypted passwords — in 2016. The stolen data originated in a hack of the social network in 2012, during which 6.5 million passwords were reported as stolen.

Hundreds of millions of users not only had to change their LinkedIn passwords, but also had to worry about hackers using their information on other sites. For the full database for sale on the dark web marketplace, “Peace” was asking for only US$2,200 in bitcoin.

Three months after its system was compromised using stolen log-in credentials from several employees, eBay announced that 145 million users would have to change their passwords. Financial information in the related PayPal money transfer service was not compromised, and the company said that no financial fraud was detected.

The hackers gained access to customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. Security experts said that criminals would be able to use that information for more old-fashioned scams over the phone.

The 2008 attack on credit card processing company Heartland is the smallest and oldest on our list, but arguably caused more damage than larger hacks. Attackers spent months installing malware in a system that gave them access to credit card data.

Visa and MasterCard noticed suspicious activity and alerted the company. Heartland eventually paid about US$140 million in fines and penalties for the data breach, and an American hacker was sentenced to 20 years in prison for his role in the attack.

Correction: This story was revised to correct the day of Yahoo’s announcement. It was Wednesday.