Take a walk back to dial-up tones and “Netiquette” signatures. The cyber attack landscape of the 90s and 2000s was about as high-tech as a stolen modem and a phone booth, yet some of its vulnerabilities would be laughably simple for us today. The more things change, the more they stay the same.
Having built and run systems across both eras, I found myself recently diving into the history of internet security failures — and what struck me most wasn’t how bad things were back then, but how many patterns have recycled themselves with new technology wrapped around them.
The Wild West: Internet Security in the 90s
The 90s didn’t have a cybersecurity industry. They had people who knew computers and occasionally found they could get in where they weren’t wanted. This wasn’t criminal enterprise — it was exploration, ego, and often just finding out if you could.
The Morris Worm (1988) was the watershed moment. Robert Tappan Morris, a Cornell graduate student, released a self-replicating program to “measure the size of the internet” — and it infected an estimated 6,000 of the 60,000 machines connected at the time. His intent was educational; his bug caused it to re-infect systems already caught. Roughly 10% of the early internet was down. The Computer Fraud and Abuse Act was already on the books, and Morris became the first person convicted under it.
Then came the real showstoppers:
Lovnet worm (1988) — a variant that hit Soviet military computers, including what was suspected to be nuclear command systems. It was designed as a backdoor for the KGB. (Or it wasn’t — we still debate its true origin.) Either way, it showed that early networked infrastructure was fragile enough that a single worm could reach places it shouldn’t.
Mega Man and the “Global Hell” defacers (1999-2000) — a UK student named Gary McKinnon, later known as “Solo”, somehow hacked into 97 US military and NASA computers over fifteen months. His stated purpose: finding evidence of UFOs and the US government’s cover-up. He accessed systems at the Pentagon, the Space Shuttle missions, the Royal Observatory Edinburgh, and NASA. It was the most sustained single-intruder breach in history. He was finally arrested in 2002 and extradited — though the extradition fight dragged on for years and was finally blocked by the UK government in 2012 because his schizophrenia made detention inhumane.
But the truly iconic hack of the late 90s came from two students, Barukha Levy and Yair Taitelman, who defaced 1,600 websites including Boeing, IBM, the US Senate, and the White House. They called it the “L33t Crack Team.” The White House had no security department to speak of. They’d literally never been targeted.
The Era of WannaBee: 2000-2009
The new millennium brought new threats, and they came in a torrent:
Code Red (2001) hit Microsoft IIS servers en masse, exploiting a buffer overflow that allowed remote code execution. Within 14 hours of its release, 359,000 servers worldwide were infected. It defaced the websites it couldn’t exploit with a message in Chinese: “Hacked by Chinese Student.” (Whether it was actually Chinese or just a signature is debatable.)
Mafiaboy (2000) — 15-year-old Canadian Michael Calce used compromised router configurations to launch DDoS attacks that brought down Yahoo!, eBay, CNN, Amazon, and E*Trade. He was trying to “show people that the Internet is not safe.” He was right, and his message was delivered to the world’s most valuable companies from a teenager’s bedroom.
SQL Slammer (2003) was a particularly instructive case. This worm exploited a buffer overflow in Microsoft SQL Server 2000. Unlike most worms of the era that took days or weeks to spread, Slammer propagated in under 10 minutes — infecting 75,000 systems in that timeframe. It caused a 10-20% degradation of all US internet traffic as it consumed bandwidth on every major ISP. AT&T experienced such severe congestion that some international traffic was completely blocked.
And the Conficker worm (2008) — one of the most sophisticated and widespread malware outbreaks ever. It compromised an estimated 9 million computers across 200 countries. It used multiple infection vectors, rootkit techniques, and even a domain generation algorithm to evade shutdown attempts. It wasn’t until a major international law enforcement operation that its infrastructure was dismantled. Even then, remnants are believed to still exist.
The Missing Ingredients
What made all of these eras remarkable wasn’t just the number of hacks — though the figures are astonishing by modern standards — but that the fundamental security postures of the organisations and systems involved were essentially non-existent:
- No patch discipline: If an operating system had a flaw, it stayed unpatched indefinitely. Code Red exploited a vulnerability for which Microsoft had had a patch out for months. A patch for SQL Slammer’s vulnerability had been available for 6 months, and it was deployed on roughly 3-4% of affected systems.
- Default credentials: Admin/admin, user/user, or just “password” — these weren’t jokes. Many systems shipped with default credentials and the concept of “change your password” hadn’t caught on. The Morris worm spread via poorly secured Unix accounts.
- No incident response: When a breach happened, most organisations didn’t have anyone to call. There was no SOC, no CSIRT, no playbook. The White House didn’t even have a dedicated cybersecurity position in 1999.
- Firewalls were rare: Many organisations had no perimeter defence at all. If you put a server on the internet, it stayed open — and anyone could reach it.
- Security was an afterthought: There was no “security by design.” Software was built quickly without consideration for authentication, encryption, or input validation. The OWASP Top Ten — the definitive list of web application vulnerabilities — wasn’t even created until 2003 and listed what we now consider basic security concepts.
Today’s Landscape: The Same Problems, Different Wrappers
If you strip away the technology, what we’re seeing today is a strangely recursive situation where the types of vulnerabilities and attacks remain remarkably similar, but the scale, sophistication, and economic motivations have shifted dramatically.
The Unsurprising Truths
Default credentials are still a thing. Every security researcher knows about the billions of IoT devices with “admin/admin” or “password” as credentials. In 2016, the Mirai botnet compromised over 100,000 internet-connected devices using default passwords — cameras, routers, DVRs, and even medical equipment — to launch one of the largest DDoS attacks in history. Sound familiar? It should. We’ve been telling people to change default passwords since at least 1988.
Unpatched systems are still a mass vulnerability. In 2017, the Equifax breach — the defining modern data breach — was caused by a vulnerability in Apache Struts that Equifax should have patched 6 weeks earlier. Over 147 million Americans had their social security numbers, credit card numbers, and other sensitive data exposed. The vulnerability had been known to the US Department of Homeland Security for months. Patch discipline, 29 years on, remains the fundamental weak link.
DDoS attacks still break infrastructure. The Mafiaboy DDoS in 2000 took down the biggest companies of the dot-com era. Today’s DDoS attacks are bigger, automated by botnets, and used for extortion rather than statement-making. The 2025 landscape, according to IBM’s X-Force report, shows AI-assisted automation making DDoS attacks faster and more difficult to distinguish from legitimate traffic. The technology changes, but the principle is identical.
The New Dangers
But there are also genuinely novel threats that didn’t exist in the 90s:
Supply chain attacks have become the dominant threat vector. We’re seeing attackers target software libraries, CI/CD pipelines, and third-party vendors to reach their actual targets. The SolarWinds compromise (2020) injected backdoors into legitimate software updates, giving the attackers access to US government agencies and Fortune 500 companies through a single trusted channel. The Mirai IoT botnet of 2016 was itself a supply chain attack — targeting the firmware update mechanisms of IoT device manufacturers.
AI-generated attacks are the biggest new wildcard. In 2025-2026, we’re seeing AI-assisted phishing at an industrial scale, automated vulnerability discovery, and deepfake identity spoofing. The 2026 Ivanti State of Cybersecurity report found that nearly three-quarters of organisations reported rising cybersecurity risks across 2025, with AI-assisted automation being named as a primary acceleration factor. CEOs are now more concerned about cyber-enabled fraud than ransomware — a shift that wouldn’t make sense a decade ago.
Zero-day markets have matured from academic curiosities into a multi-billion-dollar underground economy. A single zero-day exploit for a popular browser or operating system can command $1-2 million. These are then sold to governments, criminal organisations, or hacked themselves, creating a market where vulnerability research can accelerate both defence and offence simultaneously. In the 90s, you found a vulnerability and maybe posted about it in a forum. Today, you might sell it to the highest bidder and disappear.
What Actually Changed
So what has improved over the decades?
Encryption is everywhere. HTTPS is now the default for almost every service. SSL/TLS is handled transparently by browsers and infrastructure. In the 90s, email passed in plain text, FTP was unencrypted (and so was the password), and anyone monitoring network traffic could see everything. TLS 1.3 has effectively eliminated casual network sniffing as a threat vector — though not sophisticated interception.
Two-factor authentication has become standard. MFA is now expected for essentially any meaningful account. The 90s had nothing equivalent — your password was your everything. Today’s password spray attacks are a different game, but at least there’s a second layer.
Security awareness has genuinely improved. Phishing training, password managers, and basic hygiene are now part of most corporate onboarding. The user is no longer the completely unwitting victim — though they’re still the easiest attack vector.
Incident response has evolved from “who do we call?” to structured playbooks, automated monitoring, and 24/7 SOC operations. The Equifax breach, while catastrophic, prompted sweeping changes in how large organisations handle incidents.
The Uncomfortable Conclusion
What emerges from comparing the eras is a paradox: the internet is technically more secure than ever, and yet the security situation feels worse than ever.
Part of that is genuinely the scale of expansion — in 1995, there were maybe 16 million internet users. Today, over 5 billion. Every single one of those billions represents at least one attack surface. The global cyber security market is projected to reach $500 billion by 2030 — up from roughly $30 billion in 2010. That’s a 16x expansion in a single decade, and it’s not because systems are safer — it’s because the problem has gotten exponentially worse.
The fundamental insight that connects 1988 to 2026 is this: security is not a technology problem — it’s a discipline problem. The Morris worm could have been stopped with a single code check. Code Red could have been prevented with patch management. SQL Slammer would have been negligible on 4% of systems — which means we still aren’t doing it. Equifax’s breach was preventable with a patch that was available for six weeks.
Today’s AI-driven attacks require AI-driven responses. The 90s had hackers; the 2000s had criminals; today we face state-sponsored cyber warfare arms races that can shut down power grids and banking infrastructure. The stakes have never been higher, but the fundamental lesson hasn’t changed: you can build all the technology you want, but if you’re not paying attention, if your discipline isn’t there, if you’re relying on someone else to watch the gates, someone is coming through.
Maybe the one thing that has actually improved is that we’re now talking about it. In the 90s, when the Pentagon’s computers were being penetrated, the response was usually denial. Today, when a vulnerability is discovered — even from the deepest 90s archives — it gets discussed, analysed, and debated. That’s not nothing.