At least 500 million user accounts have been stolen from Yahoo, the company confirmed on Thursday.
The data breach is the largest from a single site in history, according to a database of other hacking incidents. In August, hackers were discovered trying to sell 200 million Yahoo accounts, which would have been the second-largest single breach.
Recode reported on Thursday morning that the company was poised to confirm the compromised data, and that it was even worse than originally believed. The data, which was stolen in late 2014 by what the company called a “state-sponsored actor,” may include names, emails, telephone numbers, dates of birth, hashed passwords, and security questions and answers, but not financial information, according to the company.
Russian hackers pulled off what seems like a much bigger haul of 1.2 billion users in 2014, but that data was stolen from hundreds of thousands of sites and combined into a single collection.
The total numbers around cyberattacks are sometimes contested, but here’s a rundown of some of the biggest data breaches, according to a database maintained by Privacy Rights Clearinghouse:
1.2 billion accounts
After several months of research, cyber security firm Hold Security discovered that an unnamed Russian gang had amassed more than 4.5 billion credentials from websites across the web. About 1.2 billion of those were unique.
That amazing feat of online thievery was accomplished by buying a smaller set of credentials and using those to attack sites. They also used compromised accounts to search the web for other vulnerable sites, eventually robbing over 420,000 sites of all sizes.
360 million MySpace users
Sometime before June 2013, the once-popular social networking site MySpace was attacked. It wasn’t until May 2016 that the company (then owned by Time) reported that 360 million accounts, with user names, passwords and emails, were for sale in an online hacker forum.
MySpace reacted by invalidating the passwords of accounts that were known to be included in the leak. Even so, users frequently use similar passwords on different sites, so stolen passwords can be used to gain access to other sites as well.
The hack was attributed to the Russian hacker “Peace,” who also posted the original offer to sell the 200 million Yahoo accounts for $1,800 earlier this year.
167 million LinkedIn users
“Peace” was also found trying to sell 167 million LinkedIn user accounts — 117 million of which had both emails and encrypted passwords — in 2016. The stolen data originated in a hack of the social network in 2012, during which 6.5 million passwords were reported as stolen.
Hundreds of millions of users not only had to change their LinkedIn passwords, but also had to worry about hackers using their information on other sites. For the full database for sale on the dark web marketplace, “Peace” was asking for only $2,200 in bitcoin.
145 million eBay users
Three months after its system was compromised using stolen login credentials from several employees, eBay announced that 145 million users would have to change their passwords. Financial information in the related PayPal money transfer service was not compromised, and the company said that no financial fraud was detected.
The hackers gained access to customer names, encrypted passwords, email addresses, physical addresses, phone numbers and dates of birth. Security experts said that criminals would be able to use that information for more old-fashioned scams over the phone.
130 million Heartland credit cards
The 2008 attack on credit card processing company Heartland is the smallest and oldest on our list, but arguably caused more damage than larger hacks. Attackers spent months installing malware in a system that gave them access to credit card data.
Visa and MasterCard noticed suspicious activity and alerted the company. Heartland eventually paid about $140 million in fines and penalties for the data breach, and an American hacker was sentenced to 20 years in prison for his role in the attack.