Welcome to the club, Yahoo: 10 other massive hacks

With hacking tools outpacing cybersecurity developments, breaches have become more common.

Alfred Ng
Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
4 min read

From a dating website to the Democratic National Committee, no one is safe from data breaches.

Yahoo's cybersecurity shortcoming lead to the worst hack ever, with more than 500 million accounts compromised, the company revealed on Thursday.

The massive leak is only the latest in a series of hacks that have plagued companies storing sensitive user information, with the number of users affected continuing to grow.

Ari Schwartz, the former senior director for cybersecurity under the Obama administration, speculates it's only going to get worse.

"It's easier to hack today than it ever has been." Schwartz, now the managing director of cybersecurity services at Venable, said. "It's easier to exploit than it is to defend."

Here's a look at several major hacks where cybersecurity failed.

MySpace: Before Yahoo's mega-leak, a hack of the social network revealed in May was considered one of the biggest breaches, with about 360 million accounts and 427 million passwords stolen. The website urged its users to change their password if they were on MySpace before 2013.

Ashley Madison: While not the largest leak in hacking history, it certainly was one of the most embarrassing for users. Hackers stole Ashley Madison's customer lists and corporate secrets, arguing they were taking the high ground against the dating website for cheaters in August 2015. The hackers held the sensitive information ransom, demanding the website shut down. When Ashley Madison stayed online, the hackers made good on their threat, outing its users, which included family rights advocate Josh Duggar, and up to 15,000 federal workers.


Ashley Madison users had their personal information leaked to the public after a hack in 2015.

Screenshot by Lance Whitney/CNET

DNC Leaks: The Democratic National Convention kicked off into chaos after WikiLeaks dumped a series of personal emails from the party's politicians. The day before the convention started in July, the leaked emails forced then-chairwoman of the DNC to resign from her position. It didn't turn out so well for Republicans either, as the party's candidate Donald Trump faced controversy for publicly asking the alleged Russian hackers to continue breaching his political rivals.

Morris Melvin / Retna Ltd. / Corbis

Trump Hotel: It was revealed in April hackers also hit Trump, targeting his luxury hotel chain and stealing credit card information from 70,000 customers. The Republican candidate's company will have to pay $50,000 in penalties, less than a dollar for every person's information stolen, and improve its cybersecurity services in a settlement with New York Attorney General Eric Schneiderman announced on Friday.

Wyndham: The punishment was much different for Wyndham Hotels and Resorts, which suffered a similar hack with 600,000 customers losing their information. In a 2015 settlement with the Federal Trade Commission, the chain agreed to government oversight for the next two decades. "It was the third time in three years, and the government said, 'this is systemic,'" Robert Cattanach, an attorney who specializes in cybersecurity law said.

Sony: The 2014 security breach on Sony Pictures ended up costing the company at least $15 million, and the fallout forced Sony co-chairman Amy Pascal to step down. Hackers released personal information, including Social Security numbers of more than 47,000 celebrities and Sony employees. The FBI traced the cyberattack to North Korea, which they believed was retaliation for Sony's release of the film "The Interview."

LinkedIn: The social network was hit from a 2012 leak that refused to fade away. More than 100 million members' emails and password combinations stolen in the breach were posted online, with a hacker offering to sell the information for about $2,200 in bitcoins in May. Since then, LinkedIn has pushed for stronger encryption and two-factor authentication.

Dropbox: The 2012 hack also struck Dropbox, with at least 68 million accounts on the cloud-storage service exposed. When the leak was first caught, Dropbox said it only contained users' emails. An update four years later, in late August, showed that the 68 million accounts included emails and encrypted passwords, prompting users to change their account settings.

Target: 2015 was not a good year for the retail giant's cybersecurity. Neither was 2014. Target's data was hacked two years in a row, with massive breaches affecting a combined 180 million customers, after hackers stole credit card information from the store's point-of-sale systems. The 2014 hack was first believed to have affected 40 million customers, but further investigation bumped up the number to 110 million. A year later, a flaw in Target's mobile app allowed hackers to get access to customers' address, phone numbers and personal information, hitting up to 70 million accounts. It has yet to be hacked in 2016.

Voter registration: Both Arizona's and Illinois' Board of Elections systems were hit by a breach believed to be from state-sponsored hackers in August. In Illinois, up to 200,000 of the state's voters had their personal data stolen. The cyberattack happened just weeks after hackers shook up the Democratic National Convention, prompting concerns over further disruptions leading up to the elections in November. Homeland Security Secretary Jeh Johnson urged the government to treat the election's data system as "critical infrastructure" following the attack.

Updated, 4:35 p.m. PT: to note that the passwords exposed in the Dropbox hack were encrypted passwords.