For those of you too young to remember, the word 'hack' wasn't always associated with online crime. It used to be applied - somewhat unfairly, I think - to the noble journalistic profession. Yet in the space of a few short years, the word hack has entered our lexicon as a byword for any sort of data theft, online attacks, or break-and-entry to online computer systems. Our lives - and personal data - are becoming progressively more digitized year on year, either by us personally or by the third parties we trust with our personal information. Unfortunately, we know the risks associated with uploading such information are increasing too; with a higher volume of information comes more potential for the leakage of such data to have catastrophic effects. With the constant reports of leaks, hacks and data breaches occurring, it seems that the hackers are often more tech-savvy than those who are trying to encrypt and protect our data. From Wikileaks to Snapchat, almost every significant database seems to have leaked or been leaked - and more often than not, the criminals remain undetected, a clandestine group seemingly above or at least outside the law.
Our top ten biggest online data breaches demonstrate the potential damage that can befall companies who fail to adequately secure their users' data. Equally, it's a learning curve for potential victims - on how to prevent themselves from being the next hacker headline, or at least how to publicly manage a data breach when it occurs. While we're looking exclusively at data breaches on websites, keep in mind that data breaches in the digital age extend far past this: there have been enormous, high-profile data breaches of apps, government databases and media bodies that have caused ripple effects all over the world. Online data breaches, though, are often the most personal attacks; when websites to which we voluntarily surrender endless personal information are attacked by hackers, the potential consequences can be devastating. From simple carelessness on the website’s part to some serious high-flying hackers, this list gives a run-down of the biggest hacks ever to take place online, with consumers' usernames and passwords sold on the black market to the highest bidder. For all of you who use the same username and password for every online account you possess, let this list serve as a gentle warning.
10 Auction.co.kr: 18 Million Accounts Attacked
Auction.co.kr may not be familiar to us in the English-speaking world but this site is, in fact, a serious name in e-commerce. This is South Korea’s number one online store, a site similar to Amazon or eBay. The nature of this 2008 data theft was as shocking as the quantity of data that was stolen: Auction was, essentially, held to ransom over the phone. Think Die Hard for hackers. How, you ask? In 2008, somewhere in China, an ambitious hacker attacked Auction’s database of buyers and sellers. The hacker stole their personal data as well as a volume of private financial information. Then the hacker called Auction’s head office, demanding a ransom in exchange for the return of the data. The website seemingly refused to negotiate and the data was lost. Auction waited almost a day before informing Koreans of the hack and received serious criticism in the national press as a result. While this theft was largely unreported outside of the Far East, it is an interesting look at hijacking in the digital age.
9 AOL: 20 Million Accounts Leaked, 2006
AOL were one of the earliest leading players of the digital age and so in many ways it's unusual that such a large, well-known corporation could leak the data of 20 million of its users. It is particularly baffling in this case because there was no ransom, no hack and no breach of security: AOL, to all intents and purposes, voluntarily gave this data away. The discussion of data-sensitivity and privacy on the internet really kicked off in the mid-noughties with a number of multinational online corporations - including Microsoft, Google and AOL - struggling to secure their increasingly mammoth quantities of private data. AOL seemed to have particular difficulty with this phenomenon. In a bizarre move, in 2006 the site effectively allowed anonymous users to query data on millions of people. The result was that 658,000 queries led to data on the complete search engine entries of 20 million users being leaked. Needless to say the internet was struck by both hilarity at the ineptitude of the leak and outrage at such a high-level gap in security. While the usernames of the leaked accounts were released in a numbered form, rather than the true name, the browser history and additional account information that accompanied this made users easily publicly identifiable. Needless to say, more than a few potentially embarrassing search terms cropped up.
8 Yahoo! Japan: 22 Million Users’ Data Leaked
While the size of this data leak is certainly remarkable, it's not quite as dramatic as our previous entries. In May 2013, Yahoo! Japan reported that the usernames of approximately 22 million users in the nation had been leaked, as the result of an attempt by hackers to access the administrative system on the site. To put that number into context, 22 million represents about one tenth of Yahoo! Japan’s membership. While the scale of the leak raised concerns about the security of online accounts, its content was relatively minimal: no passwords or personal information was leaked. As soon as the hack was spotted, Yahoo! went offline entirely to prevent any further information from being stolen. A relatively painless defence against a potentially disastrous data breach for 'Yahoo!'
7 Zappos: 24 Million Accounts Hacked
In 2012 Zappos - a subsidiary of online giants Amazon - fell foul of the cyber criminals of the world in an attack which attempted to steal the personal details and credit card numbers of the website's users. While the personal details of customers were leaked - including their email and home addresses and phone numbers - Zappos assured its users that their credit card details had not been revealed. Hackers only got a glimpse of the last four digits of the card, meaning that while these 24 million unlucky people may be subject to a lifetime of spamming, they won’t lose any cash over it. In what serves as a warning to internet users everywhere, Zappos advised those whose accounts had been compromised to change their usernames and passwords on Zappos and on any other online accounts they may have - as lots of people recycle these details on new accounts. Don’t say you haven’t been warned!
6 Tianya: 28 Million Accounts Hacked
In 2011 Tianya, the popular Chinese blogging site, became a victim of its own success. The higher your star rises in the internet stratosphere, the further you have to fall; so when Tianya's huge database was hacked, passwords and email addresses as well as other personal details from 28 million users were leaked. The accounts of a further 12 million users were compromised, too. The accounts hacked were mainly those of users who registered for the site before 2009. Although the leak was a result of a number of different hacking attempts, the website was criticised for failing to encrypt or destroy information relating to old or inactive users. At the time of the hack, Tianya was one of the most popular blogging sites in China and was ranked as the number 12 most popular site overall in the country. While the site still remains popular, usership has declined since then - demonstrating the damage such a data leak can do to even the most powerful of enterprises.
5 RockYou: 32 Million Users’ Data Leaked
In a breach similar to that of Tianya, 'RockYou' - the online gaming and social apps site - demonstrated that those who are tech-savvy are not always security-savvy. In 2008, it was revealed that the accounts of 32 million users had been compromised. RockYou, like Tianya before them, had been storing users' data - including their usernames and passwords - in plain text rather than in encrypted forms. It doesn’t take a tech guru to realise that's not a smart move. What's even less smart, however, is trying to cover your tracks when you realise your site has been compromised: RockYou declined to inform users that their personal data was accessed. The hacker, who himself is clearly not the shy and retiring type, published a section of the dataset he had access to. He revealed the plain text passwords, along with links to users' other social networking sites like Bebo, Facebook and MySpace - in effect showing up RockYou's attempt to downplay the incident. Hacker one, RockYou nil.
4 Steam: 35 Million Credit Cards Hacked
Steam is an internationally popular gaming platform that allows users to download the latest and greatest PC games and interact with fellow gamers. Steam is another example, though, of a company that proved itself to be less security-conscious than its users would have expected. In 2011, Steam - owned by gaming giants Valve Corporation - had the account details of 35 million of their users hacked via the site’s online discussion forum. In an enormous security breach, credit card details were among the information compromised by the hackers and Steam took the forums offline as soon as the hack was discovered. Steam had the good sense to encrypt their users' credit card details, meaning that while their personal information had been leaked, their financial details remained in an encrypted and secure form. Steam may have suffered a loss of confidence among users but luckily for the 35 million gamers, there were no financial implications to this enormous online security breach.
3 Evernote: 50 Million Accounts Hacked
Evernote, the online note-taking and general detail-storing system, is the most recent of our online victims to see their users’ data stolen from under their noses. 50 million was the total number of Evernote users in 2013, when the attack occurred, and every customer’s account was compromised. What's perhaps most interesting about this story is the degree to which Evernote’s security systems performed successfully when faced with a hacker - indicating the change that has taken place in online security since the earlier data thefts listed here. Thanks to their security systems none of Evernote’s business clients or financial datasets were compromised in the attack - so although personal information around usernames and email addresses was stolen, vital passwords and higher level personal information such as credit card details remained encrypted to the hackers. Unlike previous entries on this list - who were criticised for their slow reaction time, or for their reluctance to admit the extent of data thefts to their users - Evernote kept at the top of their marketing and communications game and ensured minimal damage to the reputation of this California-based enterprise.
2 LivingSocial: 50 Million Accounts Hacked
In 2013 the online shopping deals website LivingSocial was the target of some major-league hackers. The hack, which took place last April, was so big it affected all but four countries in which the website operates. LivingSocial chose not to go offline to fix the problem; users were instead contacted by email advising them to change their usernames and passwords. Although top-level personal information was stolen, thanks to encryption the users' financial information was not compromised. This incident demonstrates the potential scale of a data breach, and it's surely an allegory about the value of encryption; without the encryption, credit card details and identities of 50 million people could have been stolen in this attack.
1 AOL: 92 Million Accounts Hacked, 2004
An embarrassing AOL blunder cropped up earlier on our list, and AOL is also the website that fell victim to the single largest online data breach of all time to date. 92 million users worldwide were affected by this hack - nearly twice the amount of our runners-up LivingSocial and Evernote, with 50 million each. To be fair to AOL, this was a genuine data hack rather than the bizarre error of data protection that occurred with the 2006 leak. Instead, and in a sinister twist, this was an inside job perpetrated by one of AOL’s own software engineers. In 2004, 25-year-old Jason Smathers stole the screen names and email addresses of 92 million users and sold the information to spammers. The result was an astounding 7 billion spam emails, and a fifteen-month prison sentence for Smathers. We'd like to report that after such a high-level data breach, AOL were considerably more careful after the incident... But the subsequent data leak two years later tells another story. And as for Smathers? After his release from prison, the software engineer trained as a Baptist minister. He's now Pastor of a church in Arizona, and performs some IT consultancy on the side!