While every organization strives to patch all possible loopholes in their software, hackers won't stop exploiting vulnerabilities to expose new ones. And with the recent rampancy of data breach reports, it seems the menace won't stop any time soon.
These are some of the most shocking data breaches in history that are unforgettable, including government-related ones.
1. US Federal Government Serial Data Breach (2020)
In December 2020, the US government discovered a shocking major data breach initially thought to have affected a few organizations.
Not long after the discovery, it became clear that up to 200 prominent organizations, even outside the jurisdiction of the US, including NATO, and the European Parliament, had been perforated in a supply chain attack that works by hiding malicious code in updated software.
While brooding over the cause and source of this unprecedented data hack, it soon occurred that the attackers meant the deal and had coordinated the attack undetected for over eight months in what is called an Advanced Persistent Threat (APT).
The attackers leveraged loopholes in Microsoft's cloud infrastructure, VMware's software, and a government and military monitoring software update released by SolarWind Corps. Sources claimed that the breach was a nation-sponsored targeted attack aimed at leaking sensitive information belonging to various parastatals within the US, including its military.
To date, it's still one of the most seriously coordinated cyberattacks against the US and some of the world's major multinationals.
2. MyFitnessPal (2018)
Hackers will stop at nothing to bring popular apps on their knees. In 2018, attackers gained unauthorized access into the database of MyFitnessPal and obtained millions of users' information in the process.
According to Under Amour, the unprecedented breach affected approximately 150 million accounts. As a precautionary measure, security experts from the company notified users of the breach and asked that they change their passwords.
Although the company instantly reset all affected users' passwords, unfortunately, users' emails also got leaked. So this exposes them to possible phishing attacks and identity theft.
The consequence of this data breach would later become more disturbing after a year when the obtained information, including emails, usernames, and encrypted passwords, surfaced on the dark web. And this time, they were placed on sale for an estimated price of $20,000.
3. Swedish Transport Agency Data Breach (2017)
Although most data breaches involve deliberate hacking of a victim's software, this wasn't the case in the Swedish transport agency data breach. As a result of careless data handling, the country's transport agency was hit hard in 2017 by data leakage after outsourcing its IT infrastructure and database management to IBM.
The severity would've been minimal had it been limited to the thousands of drivers' license information that got exposed. But the government claimed that in addition to leaking information about national roads and bridges, the identity of undercover agents working with the intelligence unit and the military got exposed.
This event, however, resulted in the firing of Maria Ågren—the Director-General of the agency at the time. Ultimately, it was described by security affairs as the worst-known governmental data leak that ever affected the Swedish government.
4. Yahoo! (2013 and 2014)
Yahoo!'s announcement in 2016 that hackers gained unauthorized access into its database and stole the personal information of well-over 500 million users on its platform back in 2014 came as a shock.
Later that year, the internet space received the bombshell when the company revealed that there'd been an earlier separate breach of its database in 2013, affecting over one billion users.
It became glaring that Yahoo!'s security wall was heavily compromised when the company later confirmed in 2017 that the 2013 data breach affected all its three billion users.
The hackers in both cases had forged and used malicious browser cookies, which deceived Yahoo!'s security system, to gain unauthorized access into any user's account at any time without using a password.
Thus, unencrypted security questions, phone numbers, and emails got leaked during this raid, which to date is considered the worst security breach ever experienced on the internet.
Consequently, later in early 2017, Verizon—which had earlier offered to buy Yahoo! at the rate of $4.8 billion—priced down the platform to $350 million less than the agreed price. Yahoo! was forced to sell at this new price, with Mayer stepping down as CEO.
5. Facebook (2019)
Facebook has faced many criticisms for being insecure, with critics calling its users to delete the app. Moreover, the platform has been involved in a plethora of data breaches.
In 2019, the social media platform suffered a major security breach that resulted in the exposure of over 500 million users' personal information. Later that year, another database containing the personal information of 267 million users surfaced online. Speculations were that the database was freely available on the Dark Web for nearly two weeks.
These breaches happened only a year after Facebook suffered a separate data breach that affected approximately 50 million users.
Information stolen in both cases were Facebook IDs, Usernames, and phone numbers. According to Facebook, the breaches resulted from a security loophole it'd earlier patched that year.
6. Adult FriendFinder (2016)
AdultFriendFinder, one of the world's largest dating sites, soon after a 2015 security breach, rammed into another one in 2016. And this time, experts described it as the worst database hacking in the history of 2016.
During the 2015 security breach, over 3.5 million users' information was stolen and posted on the Dark Web in several CSV files. But the 2016 security breach affected well over 400 million users, including past users. They all had their information, including usernames, passwords, and emails stolen in a single sweep.
The vulnerability on AdultFriendFinder was surprising, as passwords found in the leaked data were either in plain texts or poorly encrypted. Later that year, a white-hat hacker exposed another local file inclusion loophole on the website.
7. Sony PlayStation Massive Data Breach (2011)
The 2011 Sony PlayStation Network saga is perhaps, the worst data breach in the history of the gaming industry. The hackers gained access to its database, obtaining various information belonging to 77 million users.
Although Sony didn't disclose this unfortunate event immediately, it shut down its network instantly, preventing people from accessing the online gaming platform. Data obtained included names, dates of birth, usernames, and passwords, among others.
It wasn't clear how the hackers accessed the company's server, but speculations were that they gained access by phishing one of Sony's system administrators. As a result of the unavoidable shutdown of its network, Sony would later lose up to $171 million to the breach.
8. National Archives and Records Administration (NARA) Breach (2009)
If you're fond of disposing of your hard drives without first formatting them, then the dramatic event that resulted in the breaching of the National Archives data will make you retrace your actions.
The agency, in 2009, was hit with a data breach that affected millions of information about US military personnel and White House staff.
A data breach might not have been painful if it was sudden and unavoidable. But the National Archives information leak resulted from a faulty hard disk sent to their repair partner.
After troubleshooting and seeing that the hard disk was spoilt, the repair company sent it for recycling without contacting NARA. They thought the information on the disk had been backed up and earlier formatted by NARA before sending it for repair.
So it was more a data loss than a breach. And it became more confusing when NARA filed a report about a missing hard disk containing several veteran military officials' information. Mistakenly, they hadn't formatted the spoilt disk and backed it up on a new one before sending it for repair. Unfortunately, the onus of securing their data wasn't on the repair company.
Although the agency wasn't sure if there'd been malicious use of the data, those concerned had to start watching out for impending identity theft. Indeed, it was one of the worst data security mishaps ever, resulting from carelessness on the part of a US public agency.
There's Always a Loophole
Although many software development pipelines follow provided security standards to maintain internet security, new vulnerabilities keep unfolding.
As you've seen, internet giants have suffered one data breach or the other, and even government-owned facilities have had their share. So, no tech product is immune to breaches—as long as it's accessible via the internet.