Equifax's data breach may be the most serious one, given that it covered 143 million consumers and involved reams of confidential information, but it wasn't the largest. Following are the biggest to date.
Yahoo has the dubious distinction of having the two largest data breaches in history. The first was disclosed in September 2016, affecting 500 million accounts. The second was made public only three months later when the company announced that there was a separate breach, believed to be committed by different actors, affecting 1 billion accounts. Making matters even worse? The first breach occurred in 2014, while the second happened in 2013. It's still unclear why Yahoo did not detect either intrusion until years after the fact.
Remember your MySpace page? Yeah, we don't either. And that's precisely the point. It's not clear when hackers stole 360 million names and passwords from the social media network, but the breach didn't come to light until a hacker tried to sell the data (which, at that point, was so old it was relatively useless).
EBay disclosed in May 2014 that thieves had stolen password information on 145 million account holders. That forced the company to alert customers that they'd need to reset their password. The thieves apparently accessed the data by stealing the credentials of three corporate employees. Unlike the Equifax case, however, customers did not have their financial data stolen.
It isn't just the eye-popping 143 million consumers affected by the Equifax breach, which was disclosed on Sept. 7, 2017, but also the sheer volume of what was stolen: birth dates, addresses, Social Security numbers. Unlike simply resetting your eBay password, the Equifax breach may mean customers have to put credit freezes on their accounts — something that could impact consumer lending.
As with others on this list, the details of LinkedIn's breach were disclosed in stages. But in this case, the disclosures came years apart. When the breach was first announced in 2012, it was thought that just 6.5 million user names and passwords had been stolen. But four years later, the firm said that a Russian hacker called "Peace" was selling the emails and passwords of 117 million users from that 2012 hack.
Advisors and their clients are still angry about the Target breach, disclosed at the end of 2013. The retail giant first said that 40 million credit and debit card numbers had been stolen, then followed up shortly thereafter to reveal that contact information of 70 million had also been taken. It's not clear how much overlap there was between the two groups, if any.
Heartland Payment Systems
Payment processor Heartland Payment Systems saw more than 100 million credit and debit cards stolen by cyber criminals in 2008. In 2010, Albert Gonzalez was convicted of masterminding the attack and sentenced to 20 years in prison.
When all was said and done, hackers in 2011 made off with information on 100 million members of Sony's PlayStation Now service, including gamers and those streaming music and video on the site. The service was even shut down for three weeks.
An ex-employee of America Online stole and sold information containing 92 million screen names and email addresses, leading to a lot of spam emails for unhappy customers. Jason Smathers was convicted in 2005 and sentenced to a year and three months in jail.
In a breach first revealed in August 2014, hackers gained access to the internal systems at JPMorgan Chase and made off with data on 83 million personal and small-business accounts. Three hackers were later convicted of 23 criminal counts, including hacking, securities fraud and identity theft.
Our list of Top 10 data breaches can’t officially include the hack of the SEC’s electronic filing system, EDGAR, because it doesn’t appear to have jeopardized personal financial data. Instead, there’s potential that the stolen information could have been used to rack up millions in illegal equity trades, the commission says. But it’s important to note the breach, regardless. Its extent raises questions about the federal agency’s ability to protect sensitive records and ensure the safety of financial markets. And the SEC is warning financial firms they must be on guard.
"Malicious attacks and intrusion efforts are continuous and evolving, and in certain cases they have been successful at the most robust institutions and at the SEC itself," said SEC Chairman Jay Clayton in a statement acknowledging the hack. "Cybersecurity efforts must include, in addition to assessment, prevention and mitigation, resilience and recovery."