The 20 biggest data breaches in history
A data breach happens when someone who isn’t supposed to access certain information manages to get their hands on it. This information could be anything from personal data to financial records held by an organization. These breaches can spell trouble for both businesses and individuals. In this article, we will explore some of the biggest data breaches in history and discuss their impact on cybersecurity practices and public awareness.
1. Yahoo
- Year: 2013-2016
- Number of records affected: Over 3 billion user accounts
- Type: Unauthorized access
Breach details
In 2016, Yahoo disclosed that 3 billion user accounts had been compromised in a series of data breaches between 2013 and 2014. A group of Russian hackers infiltrated Yahoo’s database using backdoors, stolen backups, and access cookies. They managed to access all kinds of sensitive user information, including names, email addresses, phone numbers, birth dates, hashed passwords, and even some answers to security questions.
The aftermath
Initially, Yahoo reported that about 1 billion accounts had been compromised. However, after Verizon acquired Yahoo in 2017, it was revealed that around 3 billion accounts were actually affected. Yahoo not only responded slowly but also failed to disclose a 2014 incident to its users, leading to a $35 million fine and a total of 41 class-action lawsuits. These also affected the deal with Verizon, ultimately causing the sale price to drop by $350 million, down to $4.48 billion.
2. Equifax
- Year: 2017
- Number of records affected: Approximately 148 million records of U.S. citizens and 163 million records worldwide
- Type: Unauthorized access
Breach details
In 2017, Equifax, one of the largest credit reporting agencies, reported a massive data breach. Since the company handles extremely sensitive data, hackers got their hands on a lot of personal information, including Social Security numbers, birth dates, physical addresses, and, in some cases, driver’s license numbers.
To access this, hackers exploited a vulnerability in a third-party web portal, Apache Struts. Despite the vulnerability being known and patched, Equifax failed to update its internal servers, allowing intruders to remain undetected for 76 days.
Once inside the system, the hackers could easily move between servers because of weak network security and a network that was not divided into separate sections. Equifax also let its Public Key Infrastructure (PKI) certificate expire, delaying the detection of unusual data movements. Additionally, the company had loose permissions policies, giving users broad access to sensitive information. Using the principle of least privilege (giving users only the minimum access they need to do their jobs) and regularly verifying users could have prevented many of these issues.
The aftermath
The breach, which affected the personal data of 148 million U.S. citizens, led to widespread outrage and scrutiny over Equifax’s handling of consumer data. The public learned about the breach over a month after Equifax discovered it. During that time, top executives sold their stock, leading to accusations of insider trading.
Equifax faced numerous lawsuits, congressional hearings, and regulatory fines. They invested over $1.4 billion to address the damages and enhance their data protection measures. In 2019, Equifax settled with the Federal Trade Commission (FTC) and other authorities for $575 million.
This incident showed that financial organizations must prioritize data breach prevention strategies, such as implementing robust encryption and conducting regular security audits, to safeguard sensitive information from unauthorized access.
3. Facebook
- Year: 2019
- Number of records affected: Approximately 533 million users worldwide
- Type: Unauthorized access and data scraping
Breach details
In 2019, a security researcher at the GDI Foundation discovered an unprotected server containing a database with information on more than 530 million Facebook users. This database, accessible to anyone, included phone numbers and Facebook IDs, locations, email addresses, and other user profile details, making it easier to find users’ names and other personal data. By April 2021, this data had been posted for free online on a hacking forum.
Although the owner of the server was not identified, the database was swiftly taken down after its discovery. Facebook suggested that the data might have been scraped before they disabled the feature that allowed users to search for others via phone numbers.
The aftermath
Facebook chose not to notify the over 530 million affected users whose data had been compromised before August 2019. The incident caused widespread concern and criticism of Facebook’s data protection practices.
4. First American Financial Corporation
- Year: 2019
- Number of records affected: Approximately 885 million records
- Type: Unauthorized access
Breach details
In May 2019, First American Financial Corporation, a prominent real estate title insurance company, experienced a significant data leak due to poor security measures and faulty website design.
This incident was categorized as a data leakage because, unlike a typical data breach, it didn’t involve hacking. Instead, a design flaw known as Insecure Direct Object Reference (IDOR) allowed unrestricted access to private information without verification or authentication. As a result, anyone with a link to the documents could view them, and users could easily change the number in the URL to access other customers’ data.
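The flaw described above, as an added example (not First American's code): a document handler that trusts a sequential number taken from the URL, next to a version that authenticates the caller, checks ownership, and counts denied lookups for monitoring. The store, account names, and function names are constructed for illustration.

```python
"""Added example: IDOR in a document handler, vulnerable form beside a hardened one."""
import secrets
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    owner: str  # account the document belongs to
    body: str


# Constructed sample store keyed by sequential integers: one valid link
# reveals the shape of every neighbouring link.
DOCS_BY_SEQ = {
    1001: Document("alice", "alice wire transfer receipt"),
    1002: Document("bob", "bob mortgage statement"),
}


def get_document_vulnerable(doc_id: int):
    """No authentication and no ownership check: any caller gets any record."""
    doc = DOCS_BY_SEQ.get(doc_id)
    return (200, doc.body) if doc else (404, "not found")


SESSIONS = {}        # session token -> account name
DOCS_BY_HANDLE = {}  # random handle -> Document
DENIED = Counter()   # account name -> number of refused lookups


def login(account: str) -> str:
    """Stand-in for real authentication: issues an unguessable session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = account
    return token


def publish(doc: Document) -> str:
    """Store a document under a random handle instead of a counter."""
    handle = secrets.token_urlsafe(16)
    DOCS_BY_HANDLE[handle] = doc
    return handle


def get_document_hardened(session_token: str, handle: str):
    account = SESSIONS.get(session_token)
    if account is None:
        return (401, "authentication required")
    doc = DOCS_BY_HANDLE.get(handle)
    # The ownership check is the actual fix; random handles only reduce guessing.
    # "Missing" and "not yours" get the same answer so the handler does not
    # confirm which handles exist.
    if doc is None or doc.owner != account:
        DENIED[account] += 1
        return (404, "not found")
    return (200, doc.body)


def looks_like_enumeration(account: str, threshold: int = 5) -> bool:
    """Monitoring hook: many refused lookups from one account deserve review."""
    return DENIED[account] >= threshold


if __name__ == "__main__":
    # Vulnerable: changing 1001 to 1002 returns another customer's record.
    print(get_document_vulnerable(1002))
    alice = login("alice")
    own = publish(Document("alice", "alice closing statement"))
    other = publish(Document("bob", "bob closing statement"))
    print(get_document_hardened(alice, own))    # (200, ...)
    print(get_document_hardened(alice, other))  # (404, 'not found')
```
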
The exposed records, dating back to 2003, included sensitive documents such as bank account details, bank statements, mortgage payment documents, wire transfer receipts with Social Security numbers, and even driver’s licenses.
The aftermath
The exposure raised concerns about the security of online real estate transactions and led to regulatory investigations. The New York State Department of Financial Services (DFS) fined the company approximately $1 million for violating cybersecurity laws and ignoring red flags. The breach also led to lawsuits from affected individuals alleging negligence and failure to protect sensitive customer data.
5. Aadhaar
- Year: 2018
- Number of records affected: 1.1 billion Indian citizens
- Type: Data leakage and security issues
Breach details
In January 2018, it was revealed that malicious actors had infiltrated Aadhaar, the world’s largest biometric ID system. This breach exposed the personal and biometric information of over 1.1 billion Indian citizens. The compromised data included names, addresses, photos, phone numbers, emails, and sensitive biometric data like fingerprints and iris scans (a type of eye scan).
The breach happened through the website of Indane, a state-owned utility company. The website’s application programming interface (API), which didn’t have proper access controls, was connected to the Aadhaar database. Hackers exploited this vulnerability and sold access to the data for as little as $7 via a WhatsApp group. Despite warnings from security researchers and tech groups, it took Indian authorities until March 2018 to secure the vulnerable access point.
The aftermath
This incident sparked intense debates on data protection laws, with users calling for stricter regulations and better cybersecurity measures to secure sensitive biometric information.
6. MySpace
- Year: 2013
- Number of records affected: 360 million accounts
- Type: Unauthorized access
Breach details
In June 2013, a hacker accessed over 360 million user accounts on MySpace. Although the site had shifted its focus to music and band promotion, it still attracted millions of visitors. The stolen data, which included site usernames, email addresses, and dates of birth, was posted for sale on the dark web in 2016.
Before 2013, MySpace used a secure hash algorithm (SHA-1) to encrypt user passwords — a method that converts passwords into a fixed-length string of characters. Because of their fixed length, the passwords were easy to crack. In contrast, modern password authentication protocols use a salted hash algorithm, which adds a random string of characters to the end of each encryption for enhanced security.
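What a per-user salt changes in a stored password table, as an added example that is not MySpace's code: with unsalted SHA-1, accounts that share a password share a stored value, while a salted, deliberately slow function gives every account a different one. PBKDF2-HMAC-SHA256 and its iteration count are this example's choice of salted scheme, and the accounts and passwords are constructed.

```python
"""Added example: unsalted SHA-1 beside per-user salted PBKDF2 for stored passwords."""
import hashlib
import hmac
import secrets
from collections import defaultdict

# Assumed work factor for this example; tune it for the deployment's hardware.
PBKDF2_ITERATIONS = 600_000


def sha1_unsalted(password: str) -> str:
    """Legacy scheme: one fast hash, no salt. Same password, same stored value."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str) -> dict:
    """Salted scheme: a fresh random salt per account and a slow derivation."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {"salt": salt, "iterations": PBKDF2_ITERATIONS, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


def accounts_sharing_a_hash(stored_values: dict) -> list:
    """Group account names whose stored value is identical.

    Any non-empty result means one guess, computed once, tests several accounts.
    """
    groups = defaultdict(list)
    for account, value in stored_values.items():
        groups[value].append(account)
    return sorted(sorted(names) for names in groups.values() if len(names) > 1)


# Constructed sample accounts: two users picked the same password.
SAMPLE_ACCOUNTS = {
    "alice": "sunshine1",
    "bob": "sunshine1",
    "carol": "x7!Lq-92vd",
}


def legacy_table() -> dict:
    return {name: sha1_unsalted(pw) for name, pw in SAMPLE_ACCOUNTS.items()}


def salted_table() -> dict:
    return {name: hash_password(pw) for name, pw in SAMPLE_ACCOUNTS.items()}


if __name__ == "__main__":
    print("unsalted SHA-1, shared values:", accounts_sharing_a_hash(legacy_table()))
    records = salted_table()
    digests = {name: rec["digest"] for name, rec in records.items()}
    print("salted PBKDF2, shared values:", accounts_sharing_a_hash(digests))
    print("alice verifies:", verify_password("sunshine1", records["alice"]))
```
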
The aftermath
Although MySpace was no longer the powerhouse it once was, the breach affected approximately 360 million accounts, causing significant concern among users. The stolen data was leaked onto LeakedSource.com and sold on the dark web for six bitcoins (around $3,000 at the time).
Fortunately, MySpace confirmed that all the stolen data was from before 2013, when the company updated its security measures. MySpace invalidated all stolen passwords and notified the affected users about the breach, prompting them to reset their passwords when they returned to the site.
7. LinkedIn
- Year: 2021
- Number of records affected: 700 million users
- Type: Data scraping
Breach details
In April 2021, hackers performed a massive data scrape of LinkedIn, exposing information on over 700 million users — more than 93% of LinkedIn’s user base at the time. Although most of the scraped data was publicly available, the act violated LinkedIn’s terms of service because it involved exploiting the site’s API. The exposed data included full names, phone numbers, email addresses, usernames, geolocation records, genders, and details of linked social media accounts.
The hacker, known as “God User,” initially released a dataset of 500 million users and later claimed to have a total of 700 million records for sale. This information was posted on a dark web forum in June 2021.
LinkedIn claimed that no sensitive, private personal data was exposed and categorized the incident as a violation of terms of service rather than a breach. However, the data leak posed significant security and privacy risks.
The aftermath
Following the leak, smaller hackers attempted to sell LinkedIn data on public forums, with one user offering the information for $7,000 worth of Bitcoin. The UK’s National Cyber Security Centre (NCSC) warned LinkedIn users that the detailed user data could lead to convincing social engineering attacks.
8. FriendFinder Networks
- Year: 2016
- Number of records affected: Approximately 412 million
- Type: Unauthorized access
Breach details
In November 2016, FriendFinder Networks, a popular adult entertainment company, suffered a massive data breach. The incident affected six of its main databases, including subsidiaries AdultFriendFinder and Penthouse.
The breach, which encompassed over 20 years’ worth of data, exposed sensitive information from approximately 412 million accounts. Of these accounts, 15 million had been deleted but not removed from the databases. The compromised data included usernames, email addresses (including those from government and military domains), user activity and transactions, membership details, IP addresses, and browser information.
The aftermath
In response to the breach, FriendFinder Networks implemented stronger security measures. The company also notified the affected users to change their passwords and review their online security practices.
This breach followed a similar incident in May 2015, which compromised another 3.5 million users. Despite these breaches, AdultFriendFinder continued to attract over 50 million visitors per month worldwide.
9. JPMorgan Chase
- Year: 2014
- Number of records affected: Approximately 76 million households and 7 million small businesses
- Type: Unauthorized access
Breach details
In June 2014, JPMorgan Chase, one of the largest financial institutions in the U.S., experienced a significant data breach. Cyberattackers compromised accounts belonging to over 76 million households and 7 million small businesses.
Initially believed to have affected only 1 million accounts, the breach was later found to be far more extensive, lasting from June to July 2014. Hackers gained access to sensitive customer information, including names, addresses, phone numbers, and email addresses. Fortunately, they didn’t access any financial data.
Further investigations revealed that the hackers breached JPMorgan servers by stealing the identity of a bank employee, resulting in gigabytes of sensitive data being stolen. The FBI linked the breach to a Russian attack. The hackers aimed to develop a “pump and dump” stock scheme as part of a larger criminal operation. The operation also involved hacking other banks, running an online casino, laundering money globally, and running an illegal Bitcoin exchange operation.
The aftermath
While no financial information was accessed, the exposure of personal information raised serious concerns about data protection. In response to the breach, JPMorgan Chase executives pledged to invest $250 million annually to improve their data security measures. The incident also highlighted the need for financial institutions to boost their cybersecurity measures to keep customer data safe.
In November 2015, three people involved in the hacking were charged, shedding light on the criminal network behind the attack.
10. Home Depot
- Year: 2014
- Number of records affected: Approximately 56 million credit and debit card numbers
- Type: Point-of-sale (POS) malware attack
Breach details
In April 2014, Home Depot, the popular home improvement store, experienced a significant data breach affecting its self-checkout terminals. Cybercriminals used custom-built malware to infiltrate the company’s POS systems, stealing over 56 million payment card records and 53 million email addresses. The malware remained undetected for five months, compromising millions of customers across the U.S. and Canada.
Investigations revealed that the hackers likely accessed Home Depot’s servers through a third-party supplier. Once inside, they installed the malware on the POS systems, allowing them to collect and upload payment card data to a separate server. This breach revealed the vulnerabilities in retail payment systems and the potential for significant data theft through POS malware attacks.
The aftermath
The incident resulted in numerous lawsuits and regulatory investigations, prompting Home Depot to improve its cybersecurity infrastructure. In 2016, the company agreed to pay at least $19.5 million to affected customers and committed to improving data security over a two-year period. By 2020, Home Depot had incurred approximately $180 million in damages, including payments to credit card companies and banks, court settlements, and customer payouts.
11. Target
- Year: 2013
- Number of records affected: Approximately 41 million payment card records and 70 million customer records
- Type: Point-of-sale (POS) malware attack
Breach details
In 2013, Target experienced a data breach during the holiday shopping season. Criminals exploited cybersecurity vulnerabilities in Target’s network, mainly through a third-party vendor portal, to install malware on the company’s POS systems. This breach allowed the hackers to steal over 41 million credit and debit card numbers, along with customer names, expiration dates, and CVV codes. Additionally, personal information from 70 million customer records was compromised.
The aftermath
The Target data breach had serious outcomes, including financial losses, legal repercussions, and harm to its reputation. In 2015, Target announced that it would pay $10 million to customers affected by the breach. The company’s total losses amounted to about $202 million ($292 million before insurance), which covered settlements, lawsuits, and payments to banks and credit card companies.
In response to the breach, Target upgraded its cybersecurity measures and information security policies. They started monitoring system activity more closely, improved the firewall, whitelisted POS systems, restricted access for employees and third parties, and segmented the network to prevent malware spread.
12. National Public Data
- Year: 2024
- Number of records affected: 2.7 billion records
- Type: Unauthorized access and data leakage
Breach details
The most recent major public data breach occurred in April 2024 but wasn’t discovered until the data was leaked in August of the same year. A hacker group called USDoD gained unauthorized access and stole records from National Public Data, a company that collects and sells personal information for background checks.
Initially, the threat actor claimed to have 2.9 billion sensitive records of citizens from the US, the UK, and Canada for sale, but the actual number of affected records is closer to 2.7 billion. The data was leaked on a forum in August by another hacker known as Fenice, a suspected member of the USDoD hacker group.
Alongside leaked Social Security numbers, many other personal details were found, including names of people, all their known physical addresses, phone numbers, email addresses, and even possible aliases. It’s important to note that each individual could have multiple records, one for each address they are known to have lived at. The data, covering three decades, is not encrypted, making it especially vulnerable to misuse.
The aftermath
National Public Data faced significant backlash after the breach was made public, particularly because the company hesitated to confirm the breach until the data was leaked. In response, at least eight class-action lawsuits have been filed against the company for failing to protect people’s data, especially hacked Social Security numbers.
The company has pledged to cooperate with law enforcement and enhance its security measures to prevent future breaches.
Affected individuals are advised to monitor their credit reports and financial accounts for suspicious activity and to place fraud alerts with major credit bureaus. Because the leaked records also contained email addresses and phone numbers, people should also be cautious of phishing attempts and SMS texts designed to trick them into disclosing additional sensitive information.
13. Heartland Payment Systems
- Year: 2008-2009
- Number of records affected: Over 130 million payment card details
- Type: Payment card data breach
Breach details
In May 2008, Heartland Payment Systems, a payment processing company, experienced a significant data breach. The company processes about 100 million credit and debit card transactions per month for 175,000 merchants. Hackers infiltrated Heartland’s payment processing system through an SQL injection attack initiated in 2007. The infiltration allowed them to modify the web code and gain access to customer login credentials. As a result, over 130 million payment card details were compromised, making it one of the largest data breaches at the time.
Heartland did not detect the illegal activity until October 2008, when Visa and MasterCard reported suspicious transactions. An investigation revealed that the attackers had moved through Heartland’s systems unnoticed for months, creating fake credit cards with real magnetic strips. The breach was made public in January 2009.
The aftermath
Heartland paid over $110 million to credit card companies to settle claims related to the breach. The company suffered total losses exceeding $200 million, which included compensation to the affected financial institutions and cardholders.
The breach led to significant regulatory scrutiny and numerous lawsuits from affected parties. Within months of the incident, Heartland’s stock prices suffered a significant drop. In 2015, Heartland was acquired by Global Payments, a larger payment processor, for $4.3 billion.
14. Dubsmash
- Year: 2018
- Number of records affected: 162 million user accounts
- Type: Unauthorized access
Breach details
In December 2018, Dubsmash, a popular video-sharing app at the time, suffered a major data breach. Hackers infiltrated the app’s database and stole 162 million user records, including usernames, email addresses, hashed passwords, geolocations, and country information. This breach was part of a larger cyberattack that compromised over 617 million accounts across 16 different websites.
The aftermath
The stolen data was later put up for sale on the Dream Market dark web market in December 2019. Dubsmash acknowledged the breach and advised users to change their passwords but did not disclose the specific method of the attack or the exact number of affected users.
This incident also raised awareness about the broader issue of data breaches affecting various companies, including Under Armour/MyFitnessPal (151 million accounts), MyHeritage (92 million), Whitepages (18 million), Armor Games (11 million), and Coffee Meets Bagel (6 million). The collective impact of these breaches emphasized the necessity for stronger data security measures to protect user information across digital platforms.
15. Marriott International
- Year: 2014-2018
- Number of records affected: Approximately 383 million guest records
- Type: Unauthorized access
Breach details
In 2018, Marriott International reported a massive data breach involving its Starwood Preferred Guest reservation database. The breach, which went on from 2014 until 2018, compromised approximately 383 million guest records. Sensitive personal information was exposed, including names, addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest (SPG) account information, dates of birth, gender, reservation details, and payment card details.
The aftermath
In response to the breach, Marriott hired leading security experts and conducted an extensive investigation. The investigation revealed the company’s failure to update the old Starwood reservation system after acquiring Starwood in 2016. The outdated system is what made the company highly vulnerable to malware and data breaches.
Marriott was fined £18.4 million by the UK’s Information Commissioner’s Office (ICO) in 2020 for failing to secure customers’ personal data. Additionally, the New York Times attributed the attack to a Chinese intelligence group seeking to gather data on U.S. citizens.
16. Adobe
- Year: 2013
- Number of records affected: Approximately 153 million user records
- Type: Unauthorized access
Breach details
In October 2013, Adobe experienced a data breach that compromised approximately 153 million user records. Hackers gained unauthorized access to sensitive details, including Adobe user IDs, passwords, full names, credit and debit card information. The attackers also managed to steal product source codes for applications like Acrobat and ColdFusion. At first, the company thought the breach affected around 3 million users, but later confirmed that it impacted a much larger number.
The aftermath
Following the breach, Adobe faced criticism for using a single password encryption key for all affected users, which exposed shortcomings in its data protection strategies. The transition from selling desktop licenses to a cloud-based Software-as-a-Service (SaaS) model had left Adobe’s infrastructure vulnerable, contributing to the severity of the breach. In 2016, Adobe settled a lawsuit with 15 states for $1 million, addressing claims related to the compromise of customer data and unfair business practices.
This breach served as an important lesson and highlighted the need for all cloud services to focus on strong cybersecurity to protect user information from advanced cyber threats.
17. Capital One
- Year: 2019
- Number of records affected: Approximately 100 million user records
- Type: Unauthorized access
Breach details
In July 2019, Capital One fell victim to a significant data breach orchestrated by Paige Thompson, a former employee of Amazon Web Services (AWS). Exploiting a misconfigured firewall in Capital One’s cloud infrastructure, Thompson accessed and extracted sensitive personal information from over 100 million customer accounts and credit card applications dating back to 2005. The compromised data included names, physical addresses, credit scores, account balances, Social Security numbers, and Canadian Social Insurance numbers.
The aftermath
Capital One responded swiftly by strengthening its security measures and offering affected individuals credit monitoring and identity theft protection services. Despite the breach, Capital One assured the public that less than 1% of Social Security numbers were compromised, along with no credit card account numbers or login credentials.
Thompson’s ability to exploit a firewall misconfiguration highlighted gaps in Capital One’s cybersecurity practices. The company faced regulatory scrutiny and legal actions, having to settle a class-action lawsuit for $190 million in 2021. The incident also led to a new focus on enhancing security protocols across financial institutions.
18. Mother of All Breaches (MOAB)
- Year: Discovered in 2024
- Number of records affected: 26 billion user data records
- Type: Massive data aggregation
Breach details
In January 2024, security researcher Bob Diachenko of Security Discovery uncovered a massive data leak dubbed the “Mother of All Breaches” (MOAB). This incident is considered to be the biggest data leak in history and one of the most recent to date. It involved a massive collection of 12TB of user data, totaling 26 billion pieces of data from 3,876 different websites.
The data included sensitive information from numerous high-profile platforms such as Tencent QQ (1.4 billion records), Weibo (504 million records), MySpace (360 million records), Twitter (281 million records), LinkedIn (251 million records), Adobe (153 million records), and many others.
The dataset consisted of a mix of old, duplicated, and potentially new data from previous breaches, reindexed leaks, and databases sold privately. It was stored by the data breach search engine Leak-Lookup and became accessible due to a firewall misconfiguration.
The aftermath
While there is currently no direct proof of the stolen data being misused, the breach exposed sensitive personal data such as usernames, passwords, email addresses, IP addresses, and payment logs. This extensive collection of compromised data presents significant risks of identity theft, sophisticated phishing attempts, and targeted cyberattacks. Organizations and individuals affected by the MOAB breach were advised to enhance their security practices, including frequent password updates, monitoring for suspicious activity, and using multi-factor authentication.
The MOAB incident shows the urgent need for robust cybersecurity measures to combat the escalating threat of cybercrime. As the investigation continues, it remains crucial for companies to ensure their data protection protocols are stringent enough to prevent such massive data exposures in the future. The responsible party hasn’t been identified.
19. Advanced Info Service
- Year: 2020
- Number of records affected: Approximately 8.3 billion records
- Type: Unsecured database exposure
Breach details
In May 2020, Advanced Info Service (AIS), Thailand’s largest mobile operator, faced a significant security lapse. Researchers discovered that one of AIS’s databases had been left unsecured, exposing approximately 4TB of data (a total of 8.3 billion records). While it did not include personal details such as names or phone numbers, the database contained information revealing the websites visited and apps used by users.
The aftermath
This data exposure prompted AIS to quickly address the issue. The company secured the exposed database and conducted a thorough investigation into the incident.
20. CAM4
- Year: 2020
- Number of records affected: Approximately 10 billion records
- Type: Unsecured database exposure
Breach details
In March 2020, CAM4, an adult streaming platform, experienced the largest data breach in its history when researchers discovered an unsecured database. A misconfiguration of the production server exposed a massive 7TB of data, totaling approximately 10.88 billion records. The compromised data included sensitive information such as full names, email addresses, payment logs, IP addresses, sexual preferences, chat transcripts, and hashed passwords.
The aftermath
Although CAM4 stated there was no evidence of malicious exploitation before securing the database, the breach exposed millions of users globally, potentially subjecting them to future privacy risks and phishing attempts.