In many ways, forces were already in motion to make 2016 the biggest year of corporate and government hacks yet. Company breaches have been on the rise for a decade, and an election year always invites drama. The reality of what hackers---both state-sponsored and independent---delivered in 2016, though, still managed to exceed expectations.
Not all of the hacks on this list took place in the last 12 months, but all were disclosed in 2016. And each expanded the scale and scope of what the average person expects from digital meddling in practice. A handful of corporate breaches included half a billion records, and one was a full billion. Meanwhile on the political side, Russian state-sponsored hackers used leaks, probes, and disinformation campaigns to undermine and destabilize campaign discourse leading up to the US presidential election.
In short, there was a lot going on, so here’s WIRED’s look back at the biggest hacks in 2016.
In terms of sheer magnitude the second Yahoo breach, committed in fall 2013 and disclosed earlier this month, is the biggest hack of 2016 (and all time) impacting one billion accounts. Yahoo says it doesn't yet know who committed this intrusion, which compromised data like names, email addresses, phone numbers, birthdays, hashed passwords, and a mix of encrypted and unencrypted security questions and answers. The breach doesn't include unencrypted passwords, credit card numbers, or bank account information. Yahoo is working with law enforcement and a third-party security firm to analyze the breach.
But wasn't there also a Yahoo hack announcement back in September? Great question! Yes. Yahoo announced this fall that it was hacked in late 2014 by an as-yet unnamed "state-sponsored actor," which accessed 500 million user accounts. When it disclosed the other hack a few weeks ago, Yahoo said that the two incidents are most likely separate and not part of an over-arching operation...which is kinda worse in the sense that the company got devastatingly owned two separate times by two different attackers. There is probably substantial overlap between the one billion records accessed in the 2013 breach and the 500 million compromised in 2014, but regardless this is a staggering amount of user data that Yahoo lost control of. There are only a few other tech companies that even have a billion user accounts to lose.
While the Yahoo hack was the biggest in scope, Russia's hack of various Democratic Party correspondences had the largest impact of any breach this year. The release of private emails through Wikileaks gave Hillary Clinton's presidential campaign numerous distractions (and occasional embarrassments) in the final stretch of the 2016 election, and more importantly, signals an emboldened Russia that may attempt similarly disruptive efforts in upcoming European elections as well. Similar initiatives have already wreaked havoc in other elections, like Ukraine's 2014 presidential race.
The ghosts of breaches past rose again this year. While obtained through separate hacks, credentials from years-old MySpace, LinkedIn, and Tumblr accounts started circulating in data sale forums at the same time in 2016 thanks to the hacker known as “Peace_of_mind” or just "Peace." With top ratings on his or her dark web storefront, Peace has hundreds of millions of credentials for sale, some dating back as far as 2012 breaches. He or shetold WIRED in June, "Well, [the] main use is for spamming. There is a lot of money to be made there, as [well as] in selling to private buyers looking for specific targets. As well, password reuse---as seen in recent headlines of account takeovers of high profile people." Data from the old breaches was successfully used to take over accounts of celebrities like Lana Del Rey, Mark Zuckerberg, and Biz Stone.
A breach of the hookup and dating firm FriendFinder exposed 412 million user accounts when they were released this fall and published by the breach notification service LeakedSource. 339 million accounts came from AdultFriendFinder.com, which describes itself as the “the world’s largest sex & swinger community,” and tens of millions came from Penthouse.com and Stripshow.com. A problematic aspect of this breach was that even people who made an account on one of the sites and then deleted it were still at risk, because a trove of accounts that were marked to be removed was also compromised. Overall, data impacted by the hack included usernames, passwords, and email addresses. Details about the users of sex sites can be especially upsetting or damaging for people when released, and the FriendFinder hack was unfortunately nearly 13 times the size of last year's devastating Ashley Madison breach.
In August, a group calling itself the Shadow Brokers claimed to have breached the operation known as the Equation Group, a cyber espionage team with NSA links. The Shadow Brokers released a sample of stolen zero-day exploits (undisclosed software bugs that haven't been patched) that Equation Group allegedly used to break into and surveil international targets. The Shadow Brokers also promised that more exploits were in an encrypted file that they put up for sale in a (poorly attended) bitcoin auction. The sample exploits were real, though, and caused problems for companies like Cisco, Juniper, and Fortigate whose software was affected.
The Shadow Brokers leak served as a reminder of the complicated balance between the need for government intelligence gathering and the danger of hoarding exploits for many years instead of notifying software makers and allowing them to fix the bugs. It is also unclear who the Shadow Brokers are and how they infiltrated the NSA. Officials thought they had a lead when they discovered that a Booz Allen Hamilton employee Harold Martin, who worked at the agency for years and had top secret clearance, had pilfered 50 terabytes of classified data during his tenure and was stockpiling it at his home. Investigators have so far been unable to link Martin to the Shadow Brokers, though. He has been charged with mishandling classified data and stealing government documents, and will face additional charges under the Espionage Act.
Another old hack with new repercussions. In 2012, intruders compromised Dropbox and obtained credentials---including email addresses and their associated salted and hashed passwords---of over 68 million accounts. The good news is the passwords all had a layer of protection, and Dropbox automatically made users reset theirs. The bad news? That's a lot of years in the open, and a lot of users exposed during that intervening time.
