17 Scary Cyberattacks that Hacked Millions of Users

The bank company Capital One announced that an Amazon Web Services employee gained access to more than 100 million accounts and credit card applications earlier this year. And customers affected by the Yahoo data breaches between 2013 and 2016 may soon be eligible for a $358 payout. They're just the latest incidents in a long line of prominent breaches that have left people wary of forking over their personal information, and companies spending millions to bolster security and settle lawsuits. The hackers' targets have ranged from major retailers to the federal government and even the online dating site Ashley Madison.

Related: 20 Cheap Ways to Protect Yourself From Thieves

Capital One and the Justice Department say that Paige Thompson broke into a Capital One server and stole 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers and 80,000 bank account numbers. She also tried to share the information online, according to a criminal complaint. The bank said the breach could cost the company $100 million to $150 million this year.

On June 27, 2018, Wired magazine reported what could be the biggest breach of personal data in the U.S. to date if confirmed. Servers operated by Exactis, a Florida-based data aggregator and marking firm, were left unprotected, exposing personal data on 230 million consumers and 110 million businesses in the U.S. The breach was first discovered by a web security consultant, who alerted Exactis and the FBI. 

Initial reports indicate that the data includes home addresses, email addresses, phone numbers, even personal information like ages or whether someone owns a pet (but not credit card and Social Security data). Officials say they do not know whether hackers or other people were able to access the servers before the company was able to secure them.

Equifax, one of the three major credit reporting agencies, made consumers' blood run cold this month when it announced that personal data of 143 million people in the U.S., Canada, and U.K. had been hacked. The breach included highly sensitive information including birth dates, credit-card numbers, and even Social Security numbers. This summer, Equifax reached a $700 million settlement following the hack.

In a black mark for Uncle Sam, the U.S. Office of Personnel Management revealed in 2015 that very detailed information on current and previous employees had been compromised as early as 2012. Hacked data included highly sensitive background information used for security clearances. All told, the breach could cost ultimately more than $1 billion in credit monitoring and other expenses, experts have said.

Hackers exposed the personal data of more than 37 million users of Ashley Madison, a now-infamous website aimed at helping married people begin an affair, in July 2015. Email addresses of account users made their way around their web, allowing suspicious spouses to check up on their significant others. In July 2017, the site's owner settled a class-action suit for $11.2 million, the New York Post reports.

The nation's largest health insurer was targeted by a hacker in early 2015 who accessed the personal information of roughly 79 million people. Compromised data included birthdays, addresses, Social Security numbers, and even employer and income information. Anthem settled breach-related suits for a painful $115 million in July 2017, NBC reports.

The malware attack on Sony at the end of 2014 had all the intrigue of a major motion picture: Hackers, allegedly sponsored by North Korea, claimed to have stolen 100 terabytes of data, including sensitive emails between employees. While Sony disclosed losses of at least $35 million, experts have said that direct and hidden costs of this breach could end up closer to a staggering $1 billion.

In the summer of 2014, hackers exploited a security vulnerability in one of JP Morgan Chase's servers to compromise account data including addresses, phone numbers, and email addresses for 83 million household and small-business users. The bank later announced it would spend an eye-popping $250 million every year to beef up its cybersecurity.

Home-improvement giant Home Depot reported in fall 2014 that hackers had infiltrated its payment systems, accessing 56 million credit- and debit-card numbers. Total costs for the retailer: At least $179 million, according to court filings. That included millions in settlements with credit-card companies, banks, and consumers.

In two separate disclosures in 2016, Yahoo said a staggering 1 billion and 500 million total user accounts had been compromised in 2013 and 2014, respectively. The massive security breaches also came with a very real price tag when Verizon agreed to acquire Yahoo: The cellular giant lopped $350 million off the price of the deal because of the hacks.

The 2013 holiday shopping rush wasn't so jolly at Target, when a breach of the retailer's point-of-sales systems exposed credit-card and/or personal data for more than 100 million customers, according to Adaware, a company that provides antivirus and anti-spyware software. Target saw a big dip in sales and had to pony up millions in settlements with banks and credit-card issuers. The total cost? Somewhere in the neighborhood of $300 million, experts have said.

Though cyber criminals stole LinkedIn passwords in 2012, it wasn't until 2016 that the scale of the breach was truly known. That's when hackers started selling 117 million user passwords online. The incident cost LinkedIn at least $1 million to investigate the incident and up to $3 million more for security improvements, according to ZDNet.

Hackers managed to access a range of data for more than 77 million Sony PlayStation gaming network accounts in April 2011, including credit-card numbers. Sony says the breach cost the company at least $171 million, and it later settled a class-action lawsuit over the hack for $15 million in 2014, ZDNet reports.

The Epsilon name might not be familiar, but the marketing company's clients -- including Best Buy, JPMorgan, Target, and Disney — surely are. The company disclosed in March 2011 that hackers had stolen names and emails from up to 75 of Epsilon's partners, according to cyber analysis and intelligence firm CyberFactors. The number of affected email addresses was around 60 million, experts have estimated; the total cost could end up around $3 billion to $4 billion, they say.

Credit-card payment processor Heartland revealed in 2008 that 130 million customers' debit- and credit-card numbers had been compromised by hackers. It cost the company at least $110 million to settle claims with Visa, MasterCard, and American Express, according to CNN Money.

TJX, parent company of stores including TJ Maxx, Marshall's, and Home Goods, announced in 2007 that at least 46 million customers' credit-card numbers had been stolen. Unfortunately, court filings later revealed the number to be more than double that. It cost the retailer at least $256 million, though experts have said the ultimate price tag was likely to be higher.

A laptop stolen from a VA employee's home in 2006 contained unencrypted personal information on 26.5 million veterans, military personnel, and spouses. While the laptop was recovered and the data appeared to have been uncompromised, the VA still had to pay $20 million to settle a class-action lawsuit stemming from the theft, according to the Associated Press.