Robinhood data breach is bad, but we've seen much worse
Robinhood, Facebook, Equifax and beyond. Here's our roundup of some of the biggest data blunders in recent history.
Shelby BrownEditor II
Shelby Brown (she/her/hers) is an editor for CNET's services team. She covers tips and tricks for apps, operating systems and devices, as well as mobile gaming and Apple Arcade news. Shelby also oversees Tech Tips coverage. Before joining CNET, she covered app news for Download.com and served as a freelancer for Louisville.com.
She received the Renau Writing Scholarship in 2016 from the University of Louisville's communication department.
If you weren't one of the millions affected by the Robinhood breach, chances are your data's been spilled in another hack at some point. The more our lives become digital and we rely on technology daily, the more our information is at risk to some degree to hacks, scams and breaches. Hackers can take advantage of any vulnerability -- a health crisis, loopholes in institutions' servers and features, or flawed security protections -- to steal your personal and sensitive information like credit card numbers, Social Security data, birthdates, email addresses and more. Compromised data can leave you vulnerable to larger problems like identity theft.
Here are some, though not all, of the biggest data breaches, hacks, scrapes and fumbles the US has experienced in recent history.
When: Nov. 3, 2021
Number of people affected: 7 million customers had their personal information exposed, with varying amounts and types of data leaked. Robinhood says most affected users had their email addresses and/or names exposed. Only about 300 users had their names, dates of birth and ZIP codes leaked. "More extensive account details" were compromised for about 10 customers.
Whathappened: Robinhood released a statement saying Nov. 8 saying there had been a data breach Nov. 3 that had since been contained. The statement also mentioned that the party responsible had demanded payment in an extortion attempt.
"As a Safety First company, we owe it to our customers to be transparent and act with integrity," said Caleb Sima, Robinhood's chief security officer.
When: April 2021
Number of people affected: Data reportedly scraped from 500 million profiles; an additional 2 million records were leaked as proof
Whathappened: Malicious actors put an archive of data up for sale containing scraped information from 500 million LinkedIn profiles, according to a report from Cyber News. An additional 2 million records were leaked as proof. Information in the archive included users' full names, email addresses, phone numbers, workplace information and more.
"This was not a LinkedIn data breach, and no private member account data from LinkedIn was included in what we've been able to review," LinkedIn said in a statement on April 8. In the post, the company said that the data set was "an aggregation of data from a number of websites and companies" and that it included publicly viewable member profile data apparently scraped from LinkedIn.
When: Posted to low-level hacking forum April 3, 2021
Number of people affected: Over 9 million customers
What happened: EasyJet, an airline based in the UK, reported that email addresses and travel information for more than 9 million customers were compromised in a "highly sophisticated" cyberattack. Hackers also gained access to the credit card information of 2,208 customers. EasyJet said it's working on contacting customers whose information was exposed in the breach.
The airline said it took immediate action after it learned of the attack by notifying the National Cyber Security Centre and the ICO, the UK's data protection watchdog. The ICO will investigate whether EasyJet should be fined under Europe's General Data Protection Regulation (GDPR).
When: Disclosed by Marriott International on March 2020
Number of people affected: Approximately 5.2 million guests
What happened: Marriott international said that at the end of February it realized an "unexpected amount" of guest information may have been accessed with the login credentials of two employees at a franchise property. The exposed information may include names, addresses, emails, phone numbers and birthdays. Loyalty account details and information like room preferences may also have been breached. This is the second major incident to impact the hotel in the last two year years.
When: Disclosed to public early February 2020
Number of peopleaffected: More than 10.7 million guests
What happened: CNET's sister site ZDNet reported that the personal information of over 10 million former MGM resort guests was published on a hacking forum. The information shared came from a security incident last year, MGM security team members told ZDNet. The leaked info included details like customers full names, home addresses, phone numbers, email addresses and birthdates.
MGM told ZDNet that it was confident no financial, payment card or password data was involved. The hotel chain reportedly notified all affected guests and has since improved its network security.
MGM's hotels include the Bellagio, Aria, MGM Grand, Mandalay Bay, Park MGM, Mirage, New York New York, Luxor and Excalibur in Las Vegas.
Number of peopleaffected: More than 200 million players
What happened: A hacker accessed more than 218 million Words With Friends player accounts before Sept. 2. The database that the hacker, Gnosticplayers, accessed included data from Android and iOS players who'd installed the game prior to Sept. 2. Gnosticplayers accessed information like players' names, email addresses, login IDs and more. On Sept. 12, the game's publisher, Zynga, confirmed a data breach for Draw Something and Words with Friends players had occurred. In an announcement, the publisher said the investigation is ongoing and it has taken steps to protect accounts.
When: Sept. 26, 2019
Number of peopleaffected: 4.9 million customers, drivers and merchants
An investigation into the breach determined that information like names, email addresses, delivery addresses, order history, phone numbers and passwords was accessed. The company said that the last four digits of some consumers' credit cards and bank account numbers were also accessed.
The food delivery company said it became aware of suspicious activity with a third-party service provider earlier this month. The investigation discovered that an unauthorized third party accessed some user data in early May.
When: Aug. 20, 2019
Number of peopleaffected: Tens of thousands of users and more than 160 million records
What happened: A report from cybersecurity company SpiderSilk, obtained by TechCrunch, found that 160 million MoviePass records were left unencrypted. Because the company's database wasn't password-protected, it left customers' credit card numbers and credit card details exposed. The database remained online until Tuesday. MoviePass didn't immediately respond to a request for comment.
This isn't the first time MoviePass has landed in hot water. Earlier, the service faced criticism for changing passwords to keep users from ordering tickets. The company has also been accused of spiking prices at peak times. Last year, the company was said to be reactivating accounts and asking former customers to opt out of being subscribed again.
When: July 30, 2019
Number of people affected: 100 million people
What happened: Financial corporation Capital One suffered a data breach that affected 100 million credit card applications, 140,000 Social Security numbers and 80,000 bank account numbers. If you applied for a card in the US between 2005 and 2019, you're likely part of the breach, according to the bank.
Capital One said that no credit card account numbers or login credentials were exposed. The breach still affected names, addresses, ZIP codes, phone numbers, email addresses and birth dates. The FBI arrested Paige A. Thompson, a tech worker who goes by the nickname "erratic." Thompson was charged with computer fraud and abuse for the hack.
Number of people affected: About 143 million people
What happened: Hackers stole customer names, Social Security numbers, birthdates and addresses in a hack that stretched for three months. In addition, hackers nabbed 209,000 credit card numbers and 182,000 documents containing personal information. It's unclear what the hackers did with the data during that time. The company estimates that half of the US population was affected, but that doesn't include victims outside the country. It was the biggest known leak of 2017.
What happened: Malware infected the security systems of Starwood Hotels -- which includes Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis -- in 2014, and the Marriott hotel group then acquired Starwood in 2016. In November 2018, Marriott discovered and revealed a four-year hacking campaign that attacked Starwood's reservation database. Lawmakers demanded data privacy and security protections going forward.
What happened: Yahoo users were urged to change their passwords after hackers stole personal information associated with about half a billion email accounts. At the time, the numbers made it the biggest data breach in history. Initially, the casualties were reported at 500 million, still making the hack the biggest in history. Yahoo slowly raised the number but reported in 2017 that none of its 3 billion accounts had gone unscathed in the original breach. That's 3 billion names, email addresses, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions.
Correction, Sept. 27, 2019: An earlier version of this story incorrectly stated the extent of the DoorDash security issue. The company became aware of suspicious activity this month, leading to the discovery of a single breach in May.
Watch this: Capital One data breach: Here's what to do