The 1988 Morris worm was the first internet-scale incident built on exactly this bug class, exploiting a stack overflow in fingerd, and CVEs exploiting gets()/strcpy() misuse still appear in CVE databases today. This is why modern glibc emits link-time warnings against gets() and why -fstack-protector-strong is on by default in most distro toolchains.