This is a map of the biggest sources of data breaches on the internet, from June 2011 to today.
The data comes from Troy Hunt’s Have I Been Pwned? project (with minor adjustments), so you can click through to the site to see if you’re in there. Each bubble represents a single breach, and as you scroll down you’ll see them get bigger and faster, until the sheer volume is overwhelming.
Crucially, they build on each other: If your favorite password wasn’t leaked during the Dropbox breach, hackers could have gotten it from LinkedIn, Yahoo, or hundreds of others. (This is why, as you probably know, you need a unique password for each service.)
This isn’t a comprehensive list of every breach in history — it’s a safe bet there are some we don’t know of yet — but it’s a good overview of the credentials available on the web today. We’ve added a cumulative scale marker to give an idea of the full scope. We were a little surprised to find that the database contains more usernames than there are people on Earth. Sure, with over 500 separate breaches, there’s plenty of opportunity for leaked accounts to be duplicated, but the magnitude of the compromised information is still staggering.
We usually refer to breaches as isolated incidents, each a single point of failure with a specific cause and effect. But from this point of view, the story is less about any single company and more about the all-consuming entropy of online information. Something always breaks, a secret always slips out. The real job of cybersecurity is managing that entropy – building a measure of stability in a system where all credentials can eventually be breached and all protections can eventually fail.
You can view the full interactive version here.