The Marriott International data breach on Friday affected up to 500 million customers — larger than the entire U.S. population — but it’s not the largest hack to hit a corporation.
That distinction goes to Yahoo — now owned by Verizon — which experienced the largest data breach in history in 2013.
“[Marriott] is not the largest breach in terms of number of records and was not the worst in terms of identity theft potential, but it is easily in the top five for worst hacks that directly impact the general public,” Jim McCoy, creator of the Vektor home cybersecurity device and former tech lead of security tools and operations at Facebook, told ABC News.
The top five largest corporate hacks
1. Yahoo: 3 billion accounts in 2013
Yahoo, which is now owned by Verizon, admitted in 2017 that the previously reported data breach in 2013 actually affected all three billion accounts on its server, exposing the names, birth dates, phone numbers and passwords of users whose accounts were encrypted with what was ultimately weak security.
On Dec. 14, 2016, “Yahoo disclosed that more than one billion of the approximately three billion accounts existing in 2013 had likely been affected,” the company said in a 2017 press release. “The company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.”
The hackers also obtained the security questions and backup email addresses used to reset lost passwords, which are key to hacking into government computers.
2. Yahoo: 500 million accounts in 2014
It’s a tie between this separate Yahoo breach and Marriott. Yahoo suffered a previous attack in December 2014 affecting at least 500 million users whose data included names, email addresses, telephone numbers, birth dates, encrypted passwords and, in some cases, security questions. The U.S. charged four Russians, including two Russian Federal Security Service (FSB) officers, with the crime, according to the U.S. Department of Justice.
News of this breach was not revealed for two years, until, again, the company was in the process of a sale to Verizon. In 2018, the Securities and Exchange Commission fined Yahoo for its failure to disclose the news, according to an SEC press release.
3. Marriott/Starwood: 500 million guests in 2018
Marriott said in a statement Friday that an investigation recently revealed “unauthorized access” since 2014 to information relating to reservations at Marriott’s Starwood properties, and that a hacker had “copied and encrypted information.”
The compromised data includes names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, gender, Starwood Preferred Guest loyalty program account information, arrival and departure times, and reservation dates.
4. Friend Finder Networks: 412 million accounts in 2016
The adult dating and entertainment company Friend Finder Networks had a data breach of more than 412 million accounts, according to ZDNet.
Of those, 339 million accounts were taken from AdultFriendFinder.com, which the company boasted was the “world’s largest sex and swinger community.” The information gathered included usernames, emails, and passwords, according to ZDNet.
That breach also affected over 15 million “deleted” accounts that had not been purged from the databases. LeakedSource obtained the data, and said it included 20 years of information from the company’s sites. An additional 62 million accounts from Cams.com and seven million from Penthouse.com (the company was owned by Penthouse at the time) were stolen.
5. Equifax: 146 million accounts in 2017
Equifax revealed in a press release that a hack on its networks exposed names, birth dates, Social Security numbers, addresses and some driver’s license numbers.
The company added that 209,000 U.S. credit card numbers were exposed. Earlier this year, Equifax found an additional 2.4 million U.S. consumers whose names and partial driver’s license information were stolen.