RockYou2024 and the four other largest data breaches in history

A breakdown of the most high-profile data leaks ever: from Yahoo to RockYou2024.

Top-5 leaks of all time

Recent years have seen a steady rise in the amount of compromised data out there. News reports about new leaks and hacks are an almost daily occurrence, and we at Kaspersky continue to use plenty of electronic ink to tell you about the need for robust protection — now more than ever.

Today we take a dive into history and recall (with a shudder) the biggest and baddest data breaches (DBs) of all time. To find out how much and what kind of information was leaked, who was affected, and much more besides — read on…

1. RockYou2024

In brief: hackers collected data from past leaks, and rolled out the largest-ever compilation of real user passwords: 10 billion records!

When: 2024.

Who was affected: users worldwide without strong protection.

RockYou2024 is the king of leaks, and a thorn in the side of anyone who thought hackers weren’t interested in them. In July 2024, cybercriminals leaked a gigantic collection of passwords on a hacking forum: 9,948,575,739 unique records in total. Despite being a compilation based on the old RockYou2021 leak, RockYou2024 still… rocks, so to speak.

Our expert, Alexey Antonov, analyzed the breach, and found that 83% of the leaked passwords were crackable by a smart guessing algorithm in under an hour, with only 4% of them (328 million) able to be considered strong: requiring over a year to crack using a smart algorithm. For details on how smart algorithms work, see our password strength study, which, analyzing real user passwords leaked on the dark web, shows that far too many of us are still shockingly blasé about password security.

In analyzing the latest leak, Alexey filtered out all non-relevant records, and worked with the remaining array of… 8.2 billion passwords stored somewhere in plaintext!

2. CAM4

In brief: a misconfigured server exposed 11 billion customer records to the public domain — sensitive information indeed given that CAM4 is… an adult site!

When: 2020.

Who was affected: users of the adult site CAM4.

This story is of interest for two reasons: what information was leaked, and how. Among the “standard” leaked details (first name, last name, email address, payment logs, etc.) was information of a far more intimate nature: gender preferences and sexual orientation. Users had to give this information at signup before they could enjoy the content of the adult streaming platform.

The leak was caused by an insecure Elasticsearch database. However, it didn’t end so badly – and embarrassingly: if we were to compile all the reports of leaks related to this DB into a physical book, we’d get quite a doorstop — within which the story of CAM4 would occupy a small but important chapter: “The largest data leak in history that never was”. Fortunately, the database was shut down within half-an-hour after discovering the error, and later moved to an internal local network. Users’ personal data was deleted.

3. Yahoo

In brief: A hacker attack affected all three billion users of the platform — but Yahoo admitted this only three years later.

When: 2012, 2013… or was it 2014? Even Yahoo doesn’t know for sure.

Who was affected: all Yahoo users.

More than a decade ago now, Yahoo was hacked (it all started with a phishing email), leading to a series of news stories about a rumored data leak. Initial reports mentioned a couple of hundred million hacked accounts, then that rose to around 500 million, then, in 2017, on the eve of the company’s deal with Verizon, it turned out that all three billion accounts were affected. The hackers got hold of names, email addresses, dates of birth, and phone numbers. Even worse, they had access to the accounts of users who went years without changing their passwords. Now do you see why it’s so important to change passwords regularly and delete old profiles?

This incident is yet further proof that even tech giants sometimes fail to store user data properly. In the case of Yahoo, attackers found a database of unencrypted security questions and answers, and some accounts had no two-factor authentication at all. So, the moral of the story is: don’t rely on social networks or online platforms to secure your personal accounts. Make up or generate strong passwords and store them in Kaspersky Password Manager. And if you’re worried your data may already have leaked, install any of our home security solutions: Kaspersky Standard and Kaspersky Plus both let you specify all the email addresses that you and your family use to sign in to online services. The application regularly checks these addresses and reports any data breaches involving accounts linked to them.

In Kaspersky Premium, in addition to an email list, you can add phone numbers — these are usually used to identify users of more sensitive online services such as banking. Our application searches for these numbers and addresses in all fresh database leaks, and, if found, warns you and advises what to do (read more about how we protect you against personal data leaks online or on the dark web).

4. UIDAI (Aadhaar)

In brief: the biometric data of almost all citizens and residents of India went up for sale.

When: 2018.

Who was affected: 1.1 billion citizens and residents of India.

The Unique Identification Authority of India (UIDAI) operates the largest bio-identification system in the world, storing the personal data, fingerprints, and iris photos of more than a billion folks in India.

While many countries around the world are only planning to implement biometric identification, India has had such a system in place for over a decade already. UIDAI was set up so that every single resident of India would have a unique official state identity number, Aadhaar.

But in 2018, following a string of data leaks, cybercriminals not only got their hands on the database, but sold it for as little as 500 rupees (about US$6 at today’s exchange rate). Another massive data breach occurred in 2023, this time impacting 815 million Indians.

Banks and law enforcement agencies continue to advise victims of the leaks to disable biometric authentication for financial services. But that’s no guarantee of security, since their names, passport numbers, photos, fingerprints, and other information are likely in cybercriminal hands.

5. Facebook

In brief: the company failed to notify users about a data breach it had known about for a full two years.

When: 2019.

Who was affected: 533 million Facebook users.

No one is surprised anymore at seeing the words “Facebook” and “leak” side by side. The platform regularly falls victim to hacker attacks and internal leaks. This particular breach — the largest in the company’s history — saw the names, phone numbers, and location data of 533 million users fall into the clutches of cybercriminals. They then posted the data on a hacking forum where anyone could download it all for free. And not only regular users’ account data, but that of public figures, including EU Justice Commissioner Didier Reynders, and then-Prime Minister (now Foreign Minister) Xavier Bettel of Luxembourg.

If you suspect that you too may have been hit by the Facebook data leak, use our Password Checker tool to find out whether your password was compromised in this or other leaks.

The leaked data was current for 2018–2019, although information about it appeared only in 2021. How did that happen? The fact is that hackers exploited the vulnerability in 2019, which Facebook patched straight away, but then forgot (or preferred not) to inform users of the incident. As a result, Meta faced more heavy criticism, plus a hefty €265 million fine (~US$276 million in 2021).

What do these leaks teach us?

The common thread linking all these stories is: “Big Tech helps those who help themselves”. In other words, we are primarily responsible for the security of our data; not Facebook, not Yahoo, not even governments. Look after your accounts yourself, make up or generate strong passwords, store them in a secure password manager, and take special care when it comes to biometric data.

  • Do not reuse passwords. If you’re a “one password for all occasions” kind of person and have been using the internet for at least a few years, we’ve some bad news for you (in the link).
  • Check if your passwords have been compromised. If you have our protection, you can use our Data Leak Checker tool to enter a list of email addresses and check your user accounts. Kaspersky Premium users also have the option to check phone numbers using the Identify Theft Protection feature. The applications automatically check this information for exposure in new leaks. And in our password manager, just select Password Check from the menu, or click the key icon on the taskbar, and all stored passwords are checked for strength, uniqueness, and leaks. Everyone else can use our free Password Checker
  • Use two-factor authentication (2FA) wherever possible.
  • Do not store passwords in browsers. Use a password manager to generate unique, cryptographically strong passwords for all important accounts, and then you only need think up and remember just one — main — password that serves as the master key to all other passwords. This protects and encrypts your password vault and other vital data.
Tips