
Revealed: the most wide-ranging data hacks in history

Research team, vpnMentor, London, 29 January 2018


As more and more financial data is digitised or contained in the insecure Cloud, the danger of its being hacked is growing rapidly. In this article the online security experts at vpnMentor outline the worst thefts and exposures of personal data ever.

The most egregious of the hacks occurred on the systems of Yahoo in 2013-14, when three billion accounts were compromised. Yahoo stated that stolen user account information might have contained names, email addresses, telephone numbers, dates of birth, hashed passwords and, in some cases, security questions and answers. Hackers used forged cookies to gain access to users' accounts without passwords. Nobody knows who the hackers were or what malware they used but the company believes that the hacks in that time-period were connected and that the 'breaches' (a catch-all term that describes illegal incidents involving data) were 'state-sponsored.' Yahoo took action by telling all users who had been affected to change their passwords.

Next, weighing in at 1.4 billion compromised accounts, comes River City Media. This email spam group made a copy of its database of email accounts, including some personal details such as names and addresses, and in January last year accidentally left the data open to be 'lifted' by anyone. The spam group left the database copy unsecured and the authorities used it to identify spam techniques and issue a 'blacklist' containing the group's strategy. Their technique, however, dispensed with any need for usernames or passwords, so criminals might have found it and used it. People at Apple, the security experts at an organisation called Salted Hash and a team of spam experts at Spamhaus used the information to improve security, but anyone else could have downloaded it.

Friend Finder Networks come next, with 412 million accounts compromised in October 2016. Six FFN databases (Adult Friend Finder, Penthouse and various porno sites) included usernames, email addresses and passwords stored either in plain text or hashed using the weak SHA1 algorithm, which is notoriously easy to break. Nobody knows who the hackers were. They allegedly hacked the site using a local file inclusion exploit, which allowed them to access the parent company's portfolio of websites. The parent company immediately issued a statement in which it said it had taken "several steps to review the situation and bring in the right external partners to support our investigation." It then said that it had repaired a weakness that it had identified.

The Equifax hack of May-July last year, which compromised 143 million accounts, was based primarily in the United States. It included names, social security numbers, dates of birth, addresses and, in some cases, credit card details and the information on drivers' licences. The data retrieved may include information on up to 44 million residents of the United Kingdom. According to the now-departed CEO Richard Smith, a solitary individual responsible for communicating a patch to the Equifax systems failed to do so and created a weakness that acted as the source of the hack. Nobody knows who the group of hackers was or the malware they used, although some have suggested that it was a state-sponsored attack, perhaps by the Government of China. Equifax is still trying to resolve the situation six months on.

Next, with 117 million accounts ravaged, comes the LinkedIn hack of 2012. The compromised data included emails and passwords. The company only discovered the hack four years after it had occurred. Nobody knows who the hackers were, but the data is on sale on a black-market website called 'the Real Deal.' LinkedIn added more security features and made its users change their passwords.

Dailymotion was hacked on 20 October 2016, with 85.2 million accounts affected. The data includes unique email addresses and usernames, and in the cases of around 18 million users, also the hashed passwords, which are still secured to some extent. Nobody knows who the hackers were or what malware they were using. It is also unknown how the hack occurred, but only a few hashed passwords were leaked and they are still protected by 'bcrypt' security and are therefore difficult to crack. Because they remain relatively secure, Dailymotion has taken no further action so far.

JP Morgan Chase provided the venue for the largest hack of a bank, with 76 million accounts compromised in June 2014. Reports suggest that the information included names, addresses, telephone numbers and emails of JP Morgan account holders. The hackers appear to have gained a list of the programmes used internally at the bank, which they used to seek out weaknesses across the board, the better to gain entry to systems. Some believe that the Russian Government might be responsible. JP Morgan intends to spend some US$250 million on digital security each year as a response to this.

Eighth on the list is Dropbox, a hack of 68.7 million accounts which occurred in July 2012. The data included email addresses and passwords. Nobody knows who the hackers were. They used the password of a Dropbox employee to gain access to internal documents. The full scale of the hack remained unknown for several years. Dropbox now offers two-factor authentication and has added automated systems to monitor suspicious activity.

Next comes Tumblr. The hack, in 2013, spanned 65.4 million accounts and included email addresses and salted and hashed passwords. Nobody knows how the system was hacked, but Tumblr only mentioned the incident in public three years after it occurred and it published very few details of it at first. The data was in the possession of a single hacker named 'Peace' who was selling it on 'the Real Deal,' the aforementioned black-market website. In response to the hack, Tumblr required users who might have been affected to change their passwords.

The Uber cyber attack occurred in October 2016 and compromised 57 million accounts. The data in question was personal data including names, email addresses, telephone numbers and 7 million US drivers' licence numbers. Uber did not make the cyber attack public until more than a year later. Instead of informing the authorities, Uber hid the attack from the public eye and paid the hackers US$100,000 to keep it quiet. Uber is not divulging their identities. In November last year it dismissed its chief security officer and one of his deputies for their part in keeping the hack hidden. Uber has admitted fault in putting off the unpleasant job of informing the people whose personal data was affected.

Ashley Madison, the dating website, weighs in at number 11 with a total of 'only' 10.9 million accounts compromised in July 2015. Data was lost which included the personal details of users of the website, including names, home addresses, search history, credit-card transaction records and passwords. The group of attackers called 'the Impact Team' accessed the database and copied it into a compressed archive, which they then posted on a Dark Web site and made available through torrenting. No reports have emerged of the group being apprehended. Because of questionable practices and misleading statements made by Ashley Madison and its parent company, Avid Life Media, people whose data was released took it to court in a class action. Two dozen cases reached settlement in July last year for US$11.2 million.
