Attackers do not target your most secure systems. They attack whatever you forgot about. Unfortunately, small oversights can have big consequences.
Most cyberattacks do not start with elite zero-day research or advanced tradecraft. They start with the weakest part of a network: a contractor’s VPN account no one disabled, a cloud role with permissions no one reviewed, a file transfer appliance past retirement, a build server excluded from MFA, or a help desk process that trusted the wrong voice.
These cases show that even the largest organizations are not immune to simple oversights.
1. Target (2013)
Type: POS malware
Category: Stolen or abused credentials
How they got in: Attackers used stolen HVAC vendor VPN credentials to gain network access and pivot into POS systems.
Consequences: About 40 million cards and 70 million personal records were exposed.
Source: Krebs on Security
2. Home Depot (2014)
Type: POS RAM scraper
Category: Stolen or abused credentials
How they got in: Stolen third-party vendor credentials enabled access to systems on which RAM-scraping malware was deployed.
Consequences: About 56 million cards compromised.
Source: SEC
3. JPMorgan Chase (2014)
Type: Server compromise
Category: Misconfiguration or access control failure
How they got in: One internet-facing server lacked MFA, allowing attackers to authenticate with stolen credentials.
Consequences: Data on about 83 million households and small businesses exposed.
Source: The Register
4. Sony Pictures (2014)
Type: Destructive breach
Category: Social engineering
How they got in: Spearphishing emails delivered malware that stole employee credentials.
Consequences: Destruction of internal systems and leaks of sensitive emails and unreleased films.
Source: FBI
5. Anthem (2015)
Type: Data warehouse breach
Category: Vulnerability exploitation
How they got in: Attackers exploited an externally facing system via SQL injection.
Consequences: About 78 million records stolen.
Source: U.S. HHS
6. OPM (2015)
Type: Government personnel data breach
Category: Stolen or abused credentials
How they got in: Stolen contractor credentials were used to access OPM systems.
Consequences: About 21.5 million personnel files exposed, including fingerprints.
Source: Oversight Committee
7. Uber AWS breach (2016)
Type: Cloud key compromise
Category: Misconfiguration or access control failure
How they got in: GitHub credentials exposed AWS keys, unlocking sensitive S3 buckets.
Consequences: Data for 57 million riders and drivers taken.
Source: FTC
8. Yahoo (2013 to 2014, disclosed 2016)
Type: Account token forgery breach
Category: Social engineering
How they got in: Spearphishing of Yahoo staff granted attackers access to internal tools used to forge authentication cookies.
Consequences: All 3 billion Yahoo accounts affected.
Source: U.S. DOJ
9. Equifax (2017)
Type: Public-facing application exploit
Category: Vulnerability exploitation
How they got in: Unpatched Apache Struts vulnerability CVE-2017-5638 allowed remote code execution.
Consequences: About 147 million records stolen and hundreds of millions in settlements.
Source: Equifax
10. NotPetya (2017)
Type: Supply chain wiper
Category: Supply chain or third-party compromise
How they got in: Malicious update delivered through Ukrainian accounting software M.E.Doc.
Consequences: About 10 billion dollars in global losses.
Source: Wired
11. WannaCry (2017)
Type: Ransomworm
Category: Vulnerability exploitation
How they got in: The WannaCry ransomware worm used the EternalBlue exploit to target unpatched SMBv1 services.
Consequences: About 200,000 systems infected worldwide.
Source: U.K. NHS
12. Marriott Starwood (2014 to 2018)
Type: Multi-year credential-based breach
Category: Stolen or abused credentials
How they got in: Starwood networks were already compromised; attackers maintained access with stolen credentials.
Consequences: Up to 500 million guest records exposed.
Source: FTC
13. Capital One (2019)
Type: Cloud SSRF attack
Category: Misconfiguration or access control failure
How they got in: SSRF attack on a misconfigured AWS WAF exposed IAM credentials.
Consequences: About 106 million applications and accounts accessed.
Source: U.S. Courts
14. Microsoft Exchange Hafnium (2021)
Type: Email server zero days
Category: Vulnerability exploitation
How they got in: Multiple zero-day vulnerabilities allowed attackers to achieve remote code execution and web shell persistence.
Consequences: Tens of thousands of organizations compromised.
Source: Microsoft
15. Colonial Pipeline (2021)
Type: Ransomware attack
Category: Stolen or abused credentials
How they got in: Attackers used a deactivated VPN account with no MFA.
Consequences: Pipeline shutdown and regional fuel shortages.
Source: NetworkTigers
16. Kaseya VSA (2021)
Type: Supply chain ransomware
Category: Supply chain or third-party compromise
How they got in: Zero-day authentication bypass let attackers push malicious updates.
Consequences: About 1,500 downstream businesses hit.
Source: Cyberlaw CCDCOE
17. T-Mobile (2021)
Type: Telecom data breach
Category: Vulnerability exploitation
How they got in: Attackers accessed an exposed test environment and brute-forced SSH credentials.
Consequences: Data for about 54 million people stolen.
Source: T-Mobile
18. Twilio (2022)
Type: Employee account compromise
Category: Social engineering
How they got in: SMS phishing led employees to a fake login page to capture passcodes.
Consequences: Attackers accessed internal systems and customer data.
Source: Bitdefender
19. Cisco (2022)
Type: Identity breach
Category: Stolen or abused credentials
How they got in: Corporate credentials were synced to a personal Google account; MFA fatigue was used to gain access.
Consequences: Limited internal data theft.
Source: Cisco
20. LastPass (2022 to 2023)
Type: Cloud environment compromise
Category: Misconfiguration or access control failure
How they got in: Compromised developer workstation exposed keys and backups.
Consequences: Customer vault backups stolen.
Source: LastPass
21. Caesars Entertainment (2023)
Type: Data theft via vendor
Category: Social engineering
How they got in: Attackers tricked an outsourced IT support provider into granting access.
Consequences: Loyalty program database copied.
Source: SEC
22. MGM Resorts (2023)
Type: Enterprise-wide disruption
Category: Social engineering
How they got in: Attackers impersonated employees and convinced help desk staff to reset credentials.
Consequences: Casino, hotel and digital systems offline for days.
Source: CISA
23. Reddit (2023)
Type: Credential and token theft
Category: Social engineering
How they got in: Targeted phishing site replicated internal login flow.
Consequences: Access to internal documents and code.
Source: Reddit
24. 23andMe (2023)
Type: Account takeover
Category: Stolen or abused credentials
How they got in: Credential stuffing used reused passwords from other breaches.
Consequences: DNA Relatives feature exposed data linked to about 6.9 million users.
Source: 23andMe
25. Change Healthcare (2024)
Type: Ransomware
Category: Misconfiguration or access control failure
How they got in: Attackers used compromised credentials to access a Citrix remote access portal without MFA enabled.
Consequences: About 100 million Americans affected; $2.87 billion in costs; nationwide disruption of medical billing and pharmacy transactions lasting months.
Source: U.S. HHS
26. Cloudflare Thanksgiving Incident (2023, disclosed 2024)
Type: Internal system access
Category: Stolen or abused credentials
How they got in: Unrotated service tokens from a prior Okta breach were used to access internal Atlassian systems.
Consequences: Limited internal code and documentation exposure.
Source: Cloudflare
27. Okta/Sitel (2022)
Type: Identity and admin access compromise
Category: Supply chain or third-party compromise
How they got in: Attackers gained remote access to a support engineer’s laptop with an active Okta admin session.
Consequences: Some customer data accessed.
Source: Okta
28. Slack GitHub Token Incident (2022)
Type: Developer token theft
Category: Stolen or abused credentials
How they got in: Stolen employee GitHub tokens allowed access to private repos.
Consequences: Internal code accessed.
Source: Slack
29. Latitude Financial (2023)
Type: Document system breach
Category: Supply chain or third-party compromise
How they got in: Stolen vendor credentials allowed internal access to customer document systems.
Consequences: Millions of identity documents exposed.
Source: Latitude Financial
30. British Airways Magecart (2018)
Type: Web skimmer
Category: Supply chain or third-party compromise
How they got in: Compromised third-party script injected a payment skimmer.
Consequences: About 380,000 payment records stolen.
Source: GDPR Register
31. Saks Fifth Avenue / Lord and Taylor (2018)
Type: Magecart card theft
Category: Supply chain or third-party compromise
How they got in: Attackers modified checkout JavaScript to capture card data.
Consequences: About 5 million cards stolen.
Source: GTSC
32. Accellion FTA (2020 to 2021)
Type: Legacy file transfer zero day
Category: Vulnerability exploitation
How they got in: Multiple zero days in the file transfer appliance enabled web shell installation.
Consequences: Dozens of organizations had sensitive files stolen.
Source: CISA
33. SolarWinds Orion (2020)
Type: Compromised vendor update
Category: Supply chain or third-party compromise
How they got in: Attackers tampered with the Orion build process to insert SUNBURST backdoor code.
Consequences: Broad compromise of U.S. government and private sector networks.
Source: NetworkTigers
34. MOVEit Transfer (2023)
Type: Zero-day SQL injection
Category: Vulnerability exploitation
How they got in: SQL injection flaw CVE-2023-34362 allowed web shell installation.
Consequences: More than a thousand organizations affected.
Source: CISA
35. Neiman Marcus (2013)
Type: POS malware
Category: Vulnerability exploitation
How they got in: Attackers infiltrated POS systems and deployed malware to scrape card data.
Consequences: About 350,000 cards compromised.
Source: Security Week
36. Codecov Bash Uploader (2021)
Type: Compromised CI script
Category: Supply chain or third-party compromise
How they got in: Attackers modified Codecov’s Bash Uploader script and stole environment variables.
Consequences: Secrets of numerous organizations exposed.
Source: Codecov
37. CircleCI (2023)
Type: Compromised encryption key
Category: Misconfiguration or access control failure
How they got in: Attackers accessed an encrypted database and used a compromised key to decrypt customer secrets.
Consequences: Industry-wide token rotation.
Source: CircleCI
38. 3CX Supply Chain (2023)
Type: Trojanized desktop application
Category: Supply chain or third-party compromise
How they got in: Compromised X_TRADER dependency led to a poisoned build of 3CX Desktop App.
Consequences: Malware distributed to 3CX customers.
Source: Google Cloud
39. PayPal Crypto Employee Phishing (2022)
Type: Internal credential breach
Category: Social engineering
How they got in: Phishing attack harvested employee credentials.
Consequences: Data notifications issued to thousands of PayPal users.
Source: The Review Hive
40. CNA Financial (2021)
Type: Ransomware
Category: Social engineering
How they got in: Employee ran a fake browser update that installed Phoenix CryptoLocker.
Consequences: Broad business disruption and reported ransom payment.
Source: Malwarebytes
41. RSA SecurID (2011)
Type: Attack on authentication vendor
Category: Social engineering
How they got in: Phishing email with Flash zero-day exploit opened remote access.
Consequences: Theft of SecurID token information and downstream breaches.
Source: Wired
42. Adobe (2013)
Type: Password database breach
Category: Vulnerability exploitation
How they got in: Attackers breached Adobe systems and stole encrypted passwords and hints.
Consequences: About 153 million accounts exposed.
Source: Huntress
43. LinkedIn (2012)
Type: Password hash theft
Category: Vulnerability exploitation
How they got in: Attackers exploited flaws that enabled the theft of unsalted SHA-1 password hashes.
Consequences: About 165 million credentials leaked.
Source: Have I Been Pwned
44. Sony PlayStation Network (2011)
Type: Platform compromise
Category: Vulnerability exploitation
How they got in: Attackers exploited multiple weaknesses in PSN’s infrastructure.
Consequences: About 77 million accounts exposed and PSN offline for weeks.
Source: Secureworks
45. Log4Shell / Log4j (2021 to 2022)
Type: Code execution vulnerability
Category: Vulnerability exploitation
How they got in: Applications logging attacker-provided input triggered CVE-2021-44228 and executed attacker-controlled code.
Consequences: Widespread exploitation and emergency patching globally.
Source: Apache
46. Dropbox Sign (2022)
Type: GitHub credential breach
Category: Stolen or abused credentials
How they got in: Attackers used stolen GitHub credentials to access code and secrets.
Consequences: Customer metadata exposed.
Source: Dropbox
47. GitHub OAuth Token Theft (2022)
Type: OAuth token compromise
Category: Supply chain or third-party compromise
How they got in: Stolen OAuth tokens from Heroku and Travis CI integrations allowed cloning of private repos.
Consequences: Private code exposed across multiple organizations.
Source: GitHub
48. Robinhood (2021)
Type: Internal tool access
Category: Social engineering
How they got in: Support staff were socially engineered into providing access to internal systems.
Consequences: About 7 million user records exposed.
Source: Huntress
49. Flagstar Bank (2021)
Type: File transfer appliance breach
Category: Vulnerability exploitation
How they got in: Accellion FTA zero days enabled attackers to steal stored documents.
Consequences: More than a million identity records exposed.
Source: PurpleSec
50. Twitter Internal Admin Tool Hijack (2020)
Type: Internal account takeover
Category: Social engineering
How they got in: Attackers phished employees with access to administrative tools using voice calls and fake authentication pages.
Consequences: High-profile takeover of celebrity and corporate accounts.
Source: X Blog
Overlooked weak points result in the largest breaches
These attackers did not choose the hardest path. They chose the weakest identity, the least maintained server, the oldest appliance, the most trusted vendor, or the one system no one thought mattered.
The only consistent defense is treating every reachable asset and every credential as part of the attack surface. If it can move laterally, it is a risk. If it can authenticate, it must be protected. If it can be reached, it can be broken. If there is a gap, no matter how small, an attacker will find it.
About NetworkTigers

NetworkTigers is the leader in the secondary market for Grade A, seller-refurbished networking equipment. Founded in January 1996 as Andover Consulting Group, which built and re-architected data centers for Fortune 500 firms, NetworkTigers provides consulting and network equipment to global governmental agencies, Fortune 2000, and healthcare companies. www.networktigers.com.
