Scary Cyberattacks that Hacked Millions of Users

Big data breaches keep providing new reasons for consumers to be wary of forking over their personal information, despite companies spending millions to bolster security (and settling lawsuits when the security proves to have gaps). Hackers' targets have included well-known companies, such as Target, Home Depot, and T-Mobile, as well as the federal government.

Related: Cheap Ways to Protect Yourself From Thieves

Last summer, T-Mobile users were the target of a cyberattack that resulted in personal data, including social security numbers, being stolen. Since the mobile-communications giant first disclosed information about the attack, a class-action lawsuit has been filed against it, and T-Mobile has agreed to pay $350 million to affected customers.

Related: These Companies Had to Pay Massive Sums to Settle Lawsuits Against Them

Though cybercriminals stole LinkedIn passwords in 2012, it wasn't until 2016 that the scale of the breach was truly known. That's when hackers started selling 117 million user passwords online. The incident cost LinkedIn at least $1 million to investigate the and up to $3 million more for security improvements, according to ZDNet, but no system is perfect — and another breach occurred in June 2021.

Or did it? The information of 700 million users, or 92% of users on LinkedIn, was taken and posted for sale in a Dark Web forum by the hacker “god user,” but the Microsoft-owned company said it wasn't a breach — merely data scraping in violation of its terms of service.

In a seeming nightmare for millions of users conducting their private lives via webcam, the adult-video streaming website CAM4 was breached to the tune of 10.9 billion records in 2020. The stolen data included first and last names, email addresses, usernames, conversation transcripts, gender preferences and sexual orientations, and pay logs, including credit card type. The theft could’ve exposed users around the world to potential blackmail attempts and identity theft — though ultimately it was determined that only about 1,000 people had their “full names, credit card types and amounts paid to view explicit content on the website” revealed, according to Security Boulevard.

Though hackers undertook this exploit in 2019, the goods from the theft — 533 million records including account names, Facebook IDs, and comments — didn't show up on the Dark Web until April 2019. “If you have a Facebook account, it is extremely likely the phone number used for the account was leaked,” said Alon Gal, of the Under the Breach security firm.

Capital One and the Justice Department say that Paige Thompson broke into a Capital One server and stole 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, and 80,000 bank account numbers. She also tried to share the information online, according to a criminal complaint. The bank said in 2019 that the breach could cost the company $100 million to $150 million

Servers operated by Exactis, a Palm Coast, Florida-based data aggregator and marking firm, were left unprotected June 27, 2018, Wired magazine reported, in what was once quaintly considered the biggest breach of personal data in the U.S. — exposing personal data on 230 million consumers and 110 million businesses. The breach was first discovered by a web security consultant, who alerted Exactis and the FBI. Initial reports indicated that the data included home addresses, email addresses, phone numbers, even personal information such as ages or whether someone owns a pet (but not credit card and Social Security data).

For more of these stories, sign up for our free newsletters.

Equifax, one of the three major credit reporting agencies, made consumers' blood run cold when it announced that the personal data of 143 million consumers in the U.S., Canada, and the U.K. had been hacked. The breach included highly sensitive information including birthdates, credit-card numbers, and even Social Security numbers. Equifax reached a $700 million settlement following the hack.

In a black mark for Uncle Sam, the U.S. Office of Personnel Management revealed in 2015 that very detailed information on current and previous employees had been compromised as early as 2012. Hacked data included highly sensitive background information used for security clearances. All told, the breach could cost ultimately more than $1 billion in credit monitoring and other expenses, experts have said.

Hackers exposed the personal data of more than 37 million users of Ashley Madison, a now-infamous website aimed at helping married people begin an affair, in July 2015. Email addresses of account users made their way around their web, allowing suspicious spouses to check up on their significant others. In July 2017, the site's owner settled a class-action suit for $11.2 million, the New York Post reported.

The nation's largest health insurer was targeted by a hacker in early 2015 who accessed the personal information of roughly 79 million customers. Compromised data included birthdays, addresses, Social Security numbers, and even employer and income information. Anthem settled breach-related suits for a painful $115 million in July 2017, NBC reports. The company announced plans to change its name to Elevance Health in March.

The malware attack on Sony at the end of 2014 had all the intrigue of a major motion picture: Hackers, allegedly sponsored by North Korea, claimed to have stolen 100 terabytes of data, including sensitive emails between employees. While Sony disclosed losses of at least $35 million, experts said that direct and hidden costs of this breach could end up closer to a staggering $1 billion.

In the summer of 2014, hackers exploited a security vulnerability in one of JPMorgan Chase’s servers to compromise account data including addresses, phone numbers, and email addresses for 83 million household and small-business users. The bank later said it would spend an eye-popping $250 million every year to beef up its cybersecurity.

Home-improvement giant Home Depot reported in fall 2014 that hackers had infiltrated its payment systems, accessing 56 million credit- and debit-card numbers. Total costs for the retailer: At least $179 million, according to court filings, which included millions in settlements with credit-card companies, banks, and consumers.

In two disclosures in 2016, Yahoo said a staggering 1 billion and 500 million total user accounts had been compromised in 2013 and 2014, respectively. The massive security breaches came with a very real price tag when Verizon agreed to acquire Yahoo: The cellular giant lopped $350 million off the price of the deal because of the hacks.

The 2013 holiday shopping rush wasn't so jolly at Target, when a breach of the retailer's point-of-sales systems exposed credit-card and/or personal data for more than 100 million customers, according to Adaware, a company that provides antivirus and anti-spyware software. Target saw a big dip in sales and had to pony up millions in settlements with banks and credit-card issuers. The total cost? About $300 million, experts have said.

Hackers managed to access a range of data for more than 77 million Sony PlayStation gaming network accounts in April 2011, including credit-card numbers. Sony says the breach cost the company at least $171 million, and it later settled a class-action lawsuit over the hack for $15 million in 2014, ZDNet reported.

The Epsilon name might not be familiar, but the marketing company's clients — including Best Buy, JPMorgan, Target, and Disney — surely are. The company disclosed in March 2011 that hackers had stolen names and emails from up to 75 of Epsilon's partners, according to cyber analysis and intelligence firm CyberFactors. The number of affected email addresses was about 60 million, experts have estimated; the total cost could end up being $3 billion to $4 billion, they say.

Credit-card payment processor Heartland revealed in 2008 that 130 million customers' debit- and credit-card numbers had been compromised by hackers. It cost the company at least $110 million to settle claims with Visa, MasterCard, and American Express, according to CNN Money.

TJX, parent company of stores including TJ Maxx, Marshall's, and Home Goods, announced in 2007 that at least 46 million customers' credit-card numbers had been stolen, but court filings later revealed the number to be more than double that. It cost the retailer at least $256 million, though experts have said the ultimate price tag was likely to be higher.

A laptop stolen from a VA employee's home in 2006 contained unencrypted personal information on 26.5 million veterans, military personnel, and spouses. Though the laptop was recovered and the data appeared to have been uncompromised, the VA still had to pay $20 million to settle a class-action lawsuit stemming from the theft, according to the Associated Press.