Data breaches have been happening since the internet went mainstream, but the scale and impact have grown dramatically. Each major breach taught something about how password storage fails and what actually protects users. Here's a look at four of the most significant ones, in order of how badly the passwords were stored.

RockYou (2009) — 32 million passwords, plaintext

The breach that changed password security discussions. RockYou, a social gaming company, stored 32 million user passwords in plaintext — no hashing at all. When attackers got in, they got every password directly, with no cracking required. The leaked list (rockyou.txt) became the foundation of password cracking wordlists that are still used to this day. Lesson: services must never store passwords in a recoverable form. Users must not reuse passwords across sites, because a plaintext leak at one site is a ready-made login list for every other.

LinkedIn (2012) — 117 million passwords, unsalted SHA-1

LinkedIn hashed passwords with SHA-1 but didn't use salts — meaning identical passwords produced identical hashes, so an attacker only had to hash each candidate word once and compare it against the whole table, and a single cracked hash revealed every account using that password. About 6.5 million hashes leaked in 2012; the full set of 117 million surfaced in 2016, and over 90% of them were cracked within days of appearing online, because SHA-1 can be computed billions of times per second on commodity GPUs. Lesson: proper hashing requires a unique salt per password. Fast general-purpose algorithms like SHA-1 are inappropriate for passwords.

Adobe (2013) — 153 million records, encrypted (badly)

Adobe used 3DES encryption rather than hashing — a fundamental misunderstanding of password storage, since encryption is reversible and anyone holding the key recovers every password. Worse, they used a single key for all passwords in ECB mode, so identical passwords produced identical ciphertext and identical 8-byte blocks repeated across different passwords. Analysts recovered passwords without the key, using frequency analysis of the ciphertext together with the password hints Adobe had stored in plaintext alongside them. Lesson: encryption is not hashing. Only slow, salted hashing algorithms (bcrypt, Argon2) are appropriate for passwords.

Yahoo (2013–2014) — 3 billion accounts

The largest breach in history by account count. Yahoo was breached in 2013 (affecting all 3 billion accounts, a figure only confirmed in 2017) and again in 2014 (about 500 million accounts), but disclosed neither until 2016. The 2013 breach involved MD5 hashed passwords (fast and crackable); the 2014 breach used bcrypt (much stronger, because each guess costs the attacker as much as it costs the server). Lesson: disclosure delays leave users exposed for years. Algorithm choice matters enormously.
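The LinkedIn, Adobe and Yahoo entries above all turn on the same two properties: whether identical passwords produce identical stored values, and how much work each guess costs the attacker. The following added example (not code from the original article) demonstrates both with a constructed four-user table, two of whom share a password. It uses Python's standard library, so PBKDF2-HMAC stands in for bcrypt/Argon2 as the slow, salted function; the user records and the tiny wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed sample table: alice and bob reuse the same password,
# dave's password is not in the attacker's wordlist.
USERS = {
    "alice": "password1",
    "bob": "password1",
    "carol": "qwerty",
    "dave": "S3cure!Phrase#x",
}

# Constructed stand-in for a leaked wordlist such as rockyou.txt.
WORDLIST = ["123456", "password1", "qwerty", "letmein"]

# Stand-in cost parameter; bcrypt and Argon2 expose their own tunables.
ITERATIONS = 100_000


# --- The LinkedIn / Yahoo-2013 scheme: fast, unsalted hash -------------------

def unsalted_sha1(password):
    return hashlib.sha1(password.encode()).hexdigest()


def store_unsalted(users):
    # Identical passwords collapse to identical hashes in this table.
    return {user: unsalted_sha1(pw) for user, pw in users.items()}


def crack_unsalted(table, wordlist):
    # One hash per candidate word for the WHOLE table: build a lookup of
    # hash -> word, then every user whose hash appears is cracked at once.
    lookup = {unsalted_sha1(word): word for word in wordlist}
    return {user: lookup[h] for user, h in table.items() if h in lookup}


# --- The Yahoo-2014 style scheme: slow, per-user salted hash -----------------

def salted_slow_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def store_salted(users):
    # A fresh random salt per user: alice and bob now get different records.
    table = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        table[user] = (salt, salted_slow_hash(pw, salt))
    return table


def verify_salted(record, candidate):
    salt, digest = record
    # Constant-time compare so the check itself leaks nothing.
    return hmac.compare_digest(digest, salted_slow_hash(candidate, salt))


def crack_salted(table, wordlist):
    # The salt defeats the shared lookup: the attacker must run the slow
    # function once per (user, candidate) pair. Returns cracked users and
    # the number of slow-hash calls spent.
    cracked, work = {}, 0
    for user, record in table.items():
        for word in wordlist:
            work += 1
            if verify_salted(record, word):
                cracked[user] = word
                break
    return cracked, work


if __name__ == "__main__":
    fast = store_unsalted(USERS)
    print("unsalted: alice == bob ->", fast["alice"] == fast["bob"])
    print("unsalted: cracked with", len(WORDLIST), "hashes ->", crack_unsalted(fast, WORDLIST))

    slow = store_salted(USERS)
    print("salted: alice == bob ->", slow["alice"][1] == slow["bob"][1])
    cracked, work = crack_salted(slow, WORDLIST)
    print("salted: cracked ->", cracked, "after", work, "slow-hash calls")
```

Against the unsalted table the attacker spends four SHA-1 computations and cracks three accounts, two of them from a single hash match. Against the salted table the same wordlist still cracks the same weak passwords, but every guess is a separate slow computation and no match transfers between users, which is exactly the difference between LinkedIn's and Yahoo's 2014 tables being cracked in days versus years.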

⚠️ These breaches are still active: Credentials from all of these breaches are still in circulation and are fed into credential stuffing attacks today, where the same email/password pairs are tried against other sites. If you had an account on any of these services and haven't changed that password since (or reused it anywhere else), treat it as compromised.

What every breach teaches us

✅ Your defence: A unique password per site means any single breach gives attackers exactly one account — the one that was breached. Nothing else. A password manager makes this trivially easy to maintain, because it generates and remembers the passwords for you. It's the one change that contains the damage from every breach on this list, whether the site stored your password in plaintext, unsalted SHA-1, reversible 3DES or MD5.