Few things elicit the same kind of wide-eyed terror as hearing “we’ve been hacked” – at work, home, school, or anywhere else for that matter.
Who did it? Why? What data did they get? What’s the damage and potential fallout? How do we recover?
You might feel scared, angry, worried, anxious, victimized, puzzled, or any combination thereof. You could be a humble blogger, a new startup, an established business, or a Fortune 500 company. Hackers play no favorites.
In fact, it’s estimated that 30,000 websites are hacked and infected every single day, and they run the full spectrum of small, medium, and enterprise-level.
Who you are and what you do doesn’t matter. There are no safe zones.
To give you some idea of what an epidemic it is, consider some of these facts.
It’s enough to make your head spin. The internet, it would seem, is a dark, scary place full of nefarious individuals looking to profit from your mistakes and ignorance about online security.
Don’t become a statistic.
Now, it would be misleading to suggest that all hackers are evil. Many of them are harmless hobbyists and/or security consultants.
But heinous hackers do exist who put their considerable skill to use in order to profit financially, damage someone’s reputation, exact revenge, or simply enjoy the thrill of it.
As with classic cowboy movies, there are white hat hackers (the good guys) and black hat hackers (the not-so-good guys).
And then there are the grey hats. Good, bad, heroes, villains… it just depends on who you ask. Perhaps the most well-known example is the hacktivist group known collectively as Anonymous.
Hackers and hacks abound. Just last year we witnessed the very controversial hacking of the DNC and the Hillary Clinton campaign by Russia in the lead-up to the U.S. presidential election.
“Hardware is easy to protect: lock it in a room, chain it to a desk, or buy a spare. Information poses more of a problem. It can exist in more than one place; be transported halfway across the planet in seconds, and be stolen without your knowledge.”
– Bruce Schneier, security technologist and author
Hacks and data leaks have affected many major players in recent years, including Dropbox (nearly 69 million accounts), eBay (145 million), Myspace (164 million), Evernote (50 million), Tumblr (65 million), and LinkedIn (117 million), as well as household brands like Target (70 million) and Home Depot (56 million).
Those were bad. But not the worst. The most notorious hacks in history? They’re subject to debate, but these 12 would certainly be strong candidates for the title.
In the early days of the internet, Russian computer programmer Vladimir Levin managed to steal $10 million – but not by going online. He hacked into the Citibank telephone system and stole account credentials (passwords and account numbers) from customers when they said them aloud to service reps.
Levin then used those credentials to electronically transfer millions to various accounts around the globe. He was eventually caught and sentenced to three years in prison, and all but $400,000 was recovered.
This was one of the first high-profile and public electronic thefts from a financial institution.
Sounds innocent enough, right?
Created by David L. Smith and perpetrated in 1999 (a lifetime ago in tech terms), this simple virus disguised itself as a Microsoft Word attachment to an email.
Once clicked, though, it replicated itself and sent out copies to the first 50 names in the victim’s contact list. It’s estimated that 20% of the world’s computers at the time were infected. That’s 1 in 5.
No sensitive information was stolen, but many businesses were disrupted for days while IT personnel tried to wipe the pesky virus from their systems.
Smith was arrested, charged with causing $80 million in damages (primarily lost productivity costs), and served 20 months.
It’s a contender for the crown because of its place in hacker history (the largest infection of its time), and the fact that even unaffected companies severed their internet connection for days out of fear.
And why was it called Melissa? Smith named it after a Miami stripper.
The DDoS attack – a deliberate attempt to overwhelm a website or server with traffic, making it impossible for others to access it – has been a popular choice amongst hackers for years.
A 15-year-old hacker known as MafiaBoy – real name Michael Calce – aimed a powerful DDoS attack at some of the biggest sites on the net in 2000. He successfully took down CNN, Yahoo, Amazon, eBay, Dell, and eTrade before being stopped.
He started as a precocious 9-year-old, hacking into AOL to extend his 30-day free pass (remember those?).
The DDoS attacks in 2000 weren’t for financial gain, revenge, or any other evil intent. He just wanted to impress the online hacker community.
Mission accomplished. He not only gained notoriety within that group but also captured the attention of the President of the United States and the Attorney General.
He was eventually caught and arrested, and served 8 months in a youth group home. Calce works today as a cybersecurity consultant – strictly white hat only.
As Fox Mulder from the X-Files would say, the truth is out there. And Scottish hacker Gary McKinnon was on a mission to find it.
In 2001-2002, he gained access to 97 different U.S. military systems at the Pentagon and NASA. His quest? To find evidence to prove the existence of UFOs.
McKinnon left taunting messages like “Your security system is crap. I am a Solo. I will continue to disrupt at the highest levels.” on the military systems he infiltrated, and military authorities claim they spent well over $800,000 recovering from the damage.
What’s most memorable about the whole thing is the ease with which McKinnon waltzed in and started poking around highly confidential government servers and his somewhat laughable reason for doing so.
U.S. lawyers called it the biggest military computer hack of all time and accused him of stealing passwords and deleting files (an accusation he adamantly denies). They consider him an electronic terrorist.
McKinnon fought extradition to the U.S. to face charges for a solid decade, and finally won the battle in 2012. A few months later, it was announced he would not face similar charges in the United Kingdom.
This one is kind of hard to wrap your head around. It’s got a lot of moving parts and players. It’s been called the largest hacking scheme ever detected in U.S. history.
Starting in 2005, various brands, chains, and systems – including 7-Eleven and JC Penney – were targeted by a Russian hacker group.
Over the course of seven or eight years, they managed to steal 160 million credit and debit card numbers, and infiltrate 800,000 bank accounts. It’s believed that they were either directly or indirectly responsible for at least $300 million in worldwide losses.
Some of the information was sold (credit card numbers went for $10-50 each on black market forums), while other data was used to steal cash directly from accounts (they apparently got away with about $9 million using fake ATM cards at Citibank and PNC Bank).
Why does it deserve a place on this list? Just look at those numbers again.
“Cybercriminals are determined to prey not only on individual accounts but on the financial system itself. But would-be cyberthieves should take note…our ability to unmask and prosecute the anonymous perpetrators of cybercrimes…has never been stronger.”
– Preet Bharara, Manhattan U.S. Attorney
Max Ray Butler – better known by his online name, Iceman – has a long history with computers, cybersecurity, and hacking.
He worked as a computer security consultant in the 1990s, got into black hat hacking in the early 2000s (he hacked the Pentagon and served 18 months in jail), then started stealing financial account numbers and associating with other cybercriminals upon his release.
In 2006, he hacked several carder forums – online marketplaces where individuals could buy and sell stolen data, fake IDs, and other services – and absorbed their databases into his own portal called CardersMarket.
He was arrested in 2007 and found guilty of stealing nearly 2 million credit card numbers, amounting to roughly $86.4 million in fraudulent charges.
Sentenced to 13 years – the second-longest punishment for hacking in American history – Butler is due for release in 2019. He hopes to return to the consultancy when he gets out.
The credit card payment processor is one of the world’s largest, processing about 100 million transactions per month for Visa, Mastercard, American Express, and Discover.
Its system was compromised in 2008 and an estimated 130 million customer accounts were accessed, making it one of the largest credit card hacks in history.
Albert Gonzalez and two Russian hackers placed sniffer programs within the Heartland system. These sniffers intercepted credit card credentials in real-time and relayed the data back to them.
The sniffers remained undetected for six months or so. Gonzalez was already in police custody for two other hacks (Dave & Buster’s, and TJX) when the sniffer programs were discovered and the Heartland investigation began.
All told, he was found guilty in 2010 and sentenced to an unprecedented 20 years in prison.
What makes his crime even more incredible is the fact that Gonzalez had actually been cooperating with government officials – including the Secret Service – as an informant since 2003.
He hacked and stole in excess of 180 million credit and debit card accounts right under the noses of those authorities tasked with preventing cybercrime.
Originating in 2008, this virus continues to infect up to a million computers worldwide each year. It replicates itself and infects other computers, and can either turn your device into a zombie bot for spamming and DDoS attacks or secretly log and steal confidential information like passwords and financial accounts via keyloggers.
The origin and author of the Conficker worm remain unknown to this day.
It’s included here for its sheer tenacity, and for being the largest worm infection since Welchia in 2003.
In late 2010, there was a Russian attempt to hack the Nasdaq. The FBI was the first to notice, and their monitoring pointed to possible malware on the Nasdaq servers themselves.
No one had ever successfully compromised such a target, and an NSA analysis of the malware confirmed it was likely designed and executed by a foreign intelligence agency and not just some computer whiz with too much time on his hands.
It was eventually traced back to Russian software engineering and was attempting to steal $11 billion from the New York Stock Exchange. If successful, it would have caused havoc within the system and hobbled the U.S. economy.
It was obviously prevented, but it does highlight the vulnerabilities of the stock exchange and financial institutions in general.
As impressive as the Mafiaboy attacks may have been to his peers, they don’t hold the record for the largest DDoS attack in history. That “award” goes to the Spamhaus – an anti-spam service – attack of 2013.
The biggest in internet history – with up to 300Gbps directed at Spamhaus’ servers – it slowed the entire internet, and even managed to shut down parts of it for hours at a time.
Suspects later arrested for the attack included a 17-year-old London boy (he avoided jail time and received only community service), and another in Spain (rumored to be the leader of Cyberbunker).
The issue was apparently bad feelings towards Spamhaus acting as judge, jury, and executioner with their blacklist of sites, services, and providers that promote spam. Cyberbunker decided to send them a message and knock them down a peg or two.
It was the highest traffic DDoS attack in history until it was surpassed by the 500Gbps attacks against pro-democracy sites during the Hong Kong protests in 2014.
Poor Yahoo. At one time the king of search engines, it’s fallen on hard times lately. People are abandoning it in droves for the likes of Google, Bing, and others. Its cause wasn’t helped much when in 2016, it revealed major hacks that had occurred years before.
Over one billion (yes, billion) Yahoo accounts were compromised in 2013, including names, DOB, security questions, contact details, and passwords.
A further 500 million accounts were hacked in 2014. It is not known how many of those accounts overlap with the first hack, so the true number of affected accounts is unclear. But it’s a lot.
It’s the largest hack of a single entity in internet history. That’s not a great claim to fame for a company trying to woo users back to its flock.
And although Yahoo is much less relevant than it used to be, the tendency of people to reuse passwords and security questions has serious implications. If you had a Yahoo email account back in 2009, but then switched to Gmail with the same password, the hack means someone could access your current email account.
Perhaps you even used the same password or security questions for your online banking or e-commerce accounts, or while paying your taxes online. See the problem?
It’s believed that either China or – you guessed it – Russia may have been behind the breaches.
“My message for companies that think they haven’t been attacked is: ‘You’re not looking hard enough’.”
– James Snook, Deputy Director of OCSIA
Last but not least, we have Celebgate.
Accounts – including many A-list celebrities like Jennifer Lawrence and Kate Upton – were accessed on the Apple cloud storage platform in 2014.
Hackers used a combination of brute-force guessing and phishing schemes to gain entry. They sent official-looking emails to account owners with instructions to log in and change their security credentials. Anyone who did gave the hackers everything they needed to get in and copy files.
Private – and in many cases nude – photos and videos were subsequently released online over the next few weeks.
Several (seemingly) unconnected individuals were investigated over the next few months, and at least two were found guilty and sentenced to between 9 and 18 months in late 2016 and early 2017 for crimes related to the hack.
The dreaded hack. It can happen to anyone, anywhere, anytime. When will the next “most notorious hack” happen? Probably sooner than you think.
Phishing schemes. DDoS attacks. Brute-force attacks.
Check out some of the biggest data breaches in history with this interactive graphic from Information is Beautiful. And if you want to know more about the seedier elements of the hacker community, browse the Top Ten Most Notorious Hackers according to Kaspersky Lab.
Tips to protect yourself, your company, and your accounts include better passwords, 2FA, using a VPN, and a full-service solution like Indusface’s AppTrana.
Don’t make an appearance on the next edition of hacker history. Be smart. Be proactive. Be safe and secure.
What other notorious hacks do you know about that you could add to this list? Let us know in the comments below.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in the security industry and had held various mgmt/leadership roles in Product Development, Professional Services, and Sales @Entrust.