Password Breaches That Changed History - Lessons from Yahoo's 3 Billion Account Leak


Billions of passwords have been exposed in massive data breaches over the past two decades. These incidents reshaped how companies handle user data and how we think about password security. This article revisits five landmark breaches, unpacks the technical failures behind each, and distills lessons you can apply today.

The Bottom Line - What Breaches Teach Us

All five breaches share one root cause: passwords were stored poorly. Plaintext storage, unsalted hashes, flawed encryption modes - all were avoidable mistakes even by the standards of their time. The lesson for users is simple: stop reusing passwords, set a unique strong password for every service, and enable two-factor authentication. Unique passwords and a second factor alone dramatically reduce the damage from any breach.

Yahoo (2013-2014) - 3 Billion Accounts and a $350 Million Acquisition Discount

The largest password breach in history struck Yahoo. The 2013 attack affected all 3 billion accounts, and a separate 2014 attack exposed another 500 million. Remarkably, the 2013 breach was not disclosed until 2016 - it went undetected for three years. Yahoo hashed passwords with bcrypt, but some accounts still used legacy MD5 hashes. The best-known consequence was the impact on Verizon's acquisition: the original $4.8 billion deal was reduced by $350 million to $4.48 billion after the breaches came to light. Poor password management literally cost billions.

LinkedIn (2012) - The Shock of Unsalted SHA-1

In 2012, 6.5 million LinkedIn password hashes appeared on a Russian hacking forum. The real shock was the method: LinkedIn stored passwords as SHA-1 hashes without salt. Without salt, identical passwords produce identical hashes, making them trivially crackable with rainbow tables. The story took a darker turn in 2016 when the full dataset - 117 million credentials - surfaced on dark web marketplaces for about $2,200 in Bitcoin. Four years after the breach, stolen data was still being monetized. This incident became a textbook example of why salted hashing (and ideally bcrypt or Argon2) is non-negotiable. For more on how leaked credentials circulate, see how passwords end up on the dark web.

Adobe (2013) - Encryption Cracked Like a Crossword Puzzle

The Adobe breach is notable not just for its scale of 153 million records, but for its fascinating technical failure. Instead of hashing passwords, Adobe encrypted them using 3DES in ECB (Electronic Codebook) mode. The fatal flaw of ECB mode is that identical plaintext always produces identical ciphertext - meaning every user with "123456" had the exact same encrypted value. Security researchers combined ciphertext frequency analysis with password hints (stored in plaintext!) to identify passwords like solving a crossword puzzle. The webcomic XKCD famously satirized the situation, bringing widespread attention to the absurdity.

Collection #1 and RockYou - Aggregated Leaks and Plaintext Storage

In January 2019, security researcher Troy Hunt discovered Collection #1 - a massive aggregation of 773 million email addresses and 21 million unique passwords compiled from thousands of separate breaches. It was not a single hack but a compilation, highlighting how password reuse turns one breach into a skeleton key for multiple accounts. If you used the same password on a small forum and your bank, Collection #1 connected those dots. Going further back, the 2009 RockYou breach exposed 32 million passwords stored in complete plaintext - no hashing, no encryption, nothing. The irony is that this dataset became the gold standard for security research. The "rockyou.txt" wordlist is bundled with penetration testing tools like Kali Linux and is used worldwide to test password strength. A company's security failure became the benchmark for the entire industry.

Technical Lessons from Five Breaches

Lining up these incidents reveals password storage best practices. First, never store passwords in plaintext (RockYou's lesson). Second, always add a salt when hashing (LinkedIn's lesson). Third, if you must encrypt rather than hash, avoid ECB mode and choose secure modes like CBC or GCM (Adobe's lesson). Today's best practice is to use "slow" hash functions like bcrypt, scrypt, or Argon2. These intentionally increase computational cost, making large-scale brute-force guessing far more expensive.

To deepen your understanding of password security fundamentals, information security books (Amazon) can be a helpful resource.

How to Check If Your Email Has Been Compromised

Think you are safe? Have I Been Pwned (HIBP), run by Troy Hunt (mentioned above), is a free service that checks whether your email address appears in past breaches. As of 2024, over 14 billion compromised accounts are indexed, and many people are surprised to find their address listed. If a breach is confirmed, change that service's password immediately and update every other service where you reused the same password. For detailed steps after a breach, see the data breach response guide.

Three Actions You Can Take Right Now

  1. Check your email on Have I Been Pwned. If it appears in any breach, change that password immediately and stop reusing it elsewhere. See how to defend against credential stuffing for why reuse is so dangerous.
  2. Generate a unique, strong password for every account using Passtsuku.com. Aim for 16 characters or more with high entropy. Refer to the secure password creation guide for best practices.
  3. Enable two-factor authentication on all important accounts. Even if your password leaks, a second factor blocks unauthorized access.

Frequently Asked Questions

What is the largest password breach in history?
The 2013 Yahoo breach affected all 3 billion accounts. It was not disclosed until 2016 and caused Verizon to reduce its acquisition offer by $350 million.
How can I check if my password has been leaked?
Enter your email at Have I Been Pwned (haveibeenpwned.com) to check for free whether it appears in past breaches. If found, change the password for that service and every other service where you used the same password.
What is password "salt" and why does it matter?
A salt is a random string added to a password before hashing. Without salt, identical passwords produce identical hashes, making them vulnerable to rainbow table attacks. The LinkedIn breach is a prime example of the danger of unsalted hashes.