The Dual EC DRBG Juniper Networks hack should qualify.
- It needs to be a true cryptographic break, stemming from mathematical cryptanalysis
In 1997 Adam L. Young and Moti Yung presented a paper at Eurocrypt detailing a "kleptographic" covert key generator that introduced a mathematical backdoor into Diffie-Hellman key exchanges.
The Dual EC DRBG generator was proposed a few years later, with a construction almost identical to the Diffie-Hellman backdoor.
- The break must have actually been executed in the real world
In the early 2000s the Dual EC DRBG standard was heavily promoted by the NSA, and was included in cryptographic standards ANSI X9.82 and ISO/IEC 18031:2005. RSA adopted it in their BSAFE library as their default random number generator.
Despite the protests of mathematicians who had analyzed the algorithm and identified some flaws in it, it was eventually published in NIST SP 800-90A in 2006 -- flaws still present.
In 2007 Dan Shumow and Niels Ferguson demonstrated an implementation of the Dual EC DRBG algorithm containing a backdoor they'd constructed by using their own Dual EC constant. http://rump2007.cr.yp.to/15-shumow.pdf
In 2008 Juniper Networks implemented Dual EC DRBG as the PRNG used by their ScreenOS operating system, which runs their enterprise-class NetScreen Firewall systems.
In 2012, NIST updated SP 800-90A, and the Dual EC DRBG was still recommended.
In 2013 Reuters published information from Snowden's leak asserting that the NSA had paid RSA $10 million to implement Dual EC DRBG as their default PRNG.
In 2015, NIST withdrew SP 800-90A, superseding it with SP 800-90A Rev. 1, which finally removed Dual EC DRBG as a recommended PRNG.
In 2016 Juniper Networks removed Dual EC DRBG from ScreenOS. At that time they revealed that unknown hackers had infiltrated their systems as far back as at least 2012, and had modified the source code to ScreenOS, replacing the NIST-specified Dual EC constant with a constant of unknown origin.
- The algorithm must have been widely used
RSA adopted it in their BSAFE library as the default random number generator; it was included in ANSI X9.82, ISO/IEC 18031:2005, and NIST SP 800-90A. At one time it was estimated that one-third of all SSL traffic was using keys generated by the Dual EC DRBG [citation needed].
The alleged deal with the NSA ended up delivering a fatal impact to RSA's business. In 2017-2018 RSA abruptly announced the termination of their popular RSA Key Manager and Data Protection Manager product, which had approximately 70% of the market share for cryptographic key servers. Key servers are used by web service providers, banks, financial institutions, and other large companies to protect everything from web server keys, to bank transfers, to the keys used to encrypt credit card PINs. Support for the line was completely dropped, no replacement product was ever released, and no explanation was given. RSA went from a world leader to essentially dead as a cryptography company.
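To make concrete why the provenance of the Dual EC constant matters (the Shumow-Ferguson demonstration and the swapped constant in ScreenOS), here is an added toy model that is not code from the post or from any of the products mentioned. It assumes a constructed curve y^2 = x^3 + 2x + 3 over GF(1019), outputs the full x-coordinate (the real DRBG drops 16 bits), and uses a constructed secret d; the point is only that whoever knows the relation Q = d*P recovers the internal state from a single output block.

```python
# Added toy model of Dual EC DRBG; constructed parameters, not the NIST curve or constants.
from math import gcd
from itertools import islice
P_MOD, A, B = 1019, 2, 3   # prime p = 3 mod 4, so square roots are one exponentiation
O = None                   # point at infinity
def add(p1, p2):  # affine addition on y^2 = x^3 + A*x + B over GF(P_MOD)
    if p1 is O or p2 is O:
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return O
    num, den = (3 * x1 * x1 + A, 2 * y1) if p1 == p2 else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)
def mul(k, pt):  # double-and-add scalar multiplication
    acc = O
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
def lift_x(x):  # a point with this x, or None; which of the two y values we get does not matter
    rhs = (x ** 3 + A * x + B) % P_MOD
    y = pow(rhs, (P_MOD + 1) // 4, P_MOD)
    return (x, y) if y * y % P_MOD == rhs else None
def order(pt):  # order of pt in the curve group (tiny curve, so just count)
    n, acc = 1, pt
    while acc is not O:
        acc, n = add(acc, pt), n + 1
    return n
xcoord = lambda pt: 0 if pt is O else pt[0]   # O never occurs in practice; toy guard only
P = next(pt for pt in map(lift_x, range(P_MOD)) if pt and order(pt) >= 64)  # base point
N = order(P)
def make_constants(d):  # Q = d*P; whoever chose d keeps e = d^-1 mod N, so that P = e*Q
    return mul(d, P), pow(d, -1, N)
def dual_ec(s, Q):  # the generator: s_{i+1} = x(s_i*P), output r_i = x(s_{i+1}*Q)
    while True:
        s = xcoord(mul(s, P))
        yield xcoord(mul(s, Q))
def recover_state(r, e):  # from r = x(s*Q): e*(s*Q) = s*P, whose x is the generator's next state
    R = lift_x(r)
    return None if R is None else xcoord(mul(e, R))
def demo(seed=123, blocks=3):  # returns (genuine outputs after block 1, attacker's predictions)
    d = next(k for k in range(N // 3, N) if gcd(k, N) == 1)  # constructed "secret" d
    Q, e = make_constants(d)
    outputs = list(islice(dual_ec(seed, Q), blocks))
    s2 = recover_state(outputs[0], e)          # attacker sees only the first output block
    predicted = [xcoord(mul(s2, Q))] + list(islice(dual_ec(s2, Q), blocks - 2))
    return outputs[1:], predicted
```

Nothing in Q itself reveals whether a d exists, which is why a constant of unexplained origin (NIST's or the one planted in ScreenOS) cannot be audited after the fact and why the only sound mitigation was to stop using the generator.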