100+ Biggest Data and Security Breaches You Must Know About

In an increasingly digital world, more of our time is spent online than ever before. From the growth of social media to the rise of remote work, the internet is rapidly changing how human beings interact. and how business is conducted.

But as more and more private data gets stored online, the threat of cybersecurity breaches is rapidly becoming more pervasive. The pressure on businesses to protect user data has never been higher. The consequences of failing to implement comprehensive and effective security measures can be catastrophic.

And sadly, you don’t need to look very hard to find examples of what can happen when things go wrong! Data breaches have become an all-too-common occurrence.

In this article, we’re going to break down over 100 of the biggest data and security breaches in history. These businesses learned the hard way about what can happen when hackers, leakers, and data thieves manage to breach their defenses. Take notes and try to avoid their mistakes.

PRO TIP: Save time & money with the complete compliance bundle trusted by over 150,000 businesses and create essential legal policies personalized to your needs in minutes.

10 Biggest Data & Security Breaches in History

Let’s begin by looking at the top 10 worst breaches in history. The scale of these is massive and sometimes shocking considering how many people may have been affected.

1. Yahoo!

Yahoo!

Number of records lost: 3,000,000,000

Nearly a decade after its occurrence, the staggering Yahoo data breach remains the single biggest of all time – that we know about!

In 2017, it was revealed that an eye-watering 3 billion accounts were compromised. Every single person who had a Yahoo account in August 2013 was likely affected by the astonishing attack.

Hackers stole information such as names, email addresses, phone numbers, birth dates, and even hashed passwords. Although it was reported that critical payment data such as credit card numbers and bank account numbers remained secure, the sheer scale of this monstrous data breach illustrates just how widespread the threat is.

2. River City Media

River City Media

Number of records lost: 1,370,000,000

In 2017, one of the world’s largest spam email operators leaked its entire database of 1.37 billion email addresses. And it didn’t stop at emails. In some cases, real names, IP addresses, and even physical addresses were disclosed in the leak.

It was all thanks to a faulty backup that was published without password protection. This case illustrates how it isn’t always hackers that are responsible for data breaches. Sometimes, information gets leaked simply because a company makes a mistake and fails to secure it.

3. Aadhaar

Aadhaar

Number of records lost: 1,100,000,000

Aadhaar is the name of the Indian government’s biometric ID database. It contains information like fingerprints and iris scans on more than 1.1 billion registered Indian citizens. Enrolling in the massive database is practically a necessity for Indian citizens, who rely on it to access basic government and business services.

Unfortunately, Aadhaar was breached in March 2018 because of a data leak on a system operated by a state-owned utility company called Indane. The leak made it possible for anyone to access private information on Aadhaar holders, such as names, ID numbers, and even bank details.

4. First American Corporation

First American Corporation

Number of records lost: 885,000,000

Nearly 1 billion records were exposed in this massive leak discovered in May 2019, including bank and mortgage account details, driver’s licenses, social security numbers, and wire transactions. Due to a reported “design defect” in one of the company’s production applications, files were accessible through the company’s website without any kind of authentication.

5. Spambot

Spambot

Number of records lost: 711,000,000

A shocking 711 million records were exposed when an erroneously configured spambot revealed the email addresses (and even some passwords) of its internal database. However, it’s important to keep in mind that in this case, a number of the records were not actually linked to real accounts, as many of the email addresses were fake, repeated, or erroneously collected.

The data was exposed when Spambot failed to secure one of its servers, enabling visitors to access user information without needing to enter security credentials.

6. Facebook

Facebook

Number of records lost: 540,000,000

According to a cybersecurity research firm, over half a billion Facebook users had their account details publicly leaked on Amazon’s cloud computing service. The nearly 150 gigabytes of Facebook user data included user IDs, comments, reactions, and account names.

7. Marriott International

Marriott International

Number of records lost: 500,000,000

In 2018, hotel giant Marriott International revealed that the private details of up to 500 million customers were exposed to hackers over a four-year timespan. The hackers were able to breach the company’s reservation system for several of its hotel chains.

The information stolen included names, addresses, credit card numbers, and in some cases, passport numbers, travel locations, and arrival/departure dates.

Whether the data was targeted by nation-states seeking to conduct international espionage or merely profit-seeking criminals, the leaked info was exceptionally valuable due to its intimate nature.

8. Yahoo!

Yahoo!

Number of records lost: 500,000,000

Appearing for the second time in our top 10, Yahoo has been the subject of multiple security breaches in recent years.

The company blamed the intrusion on state-sponsored hackers and reported that the stolen data potentially included names, email addresses, phone numbers, dates of birth, security Q&As, and encrypted passwords.

9. Myspace

Myspace

Number of records lost: 427,000,000

In 2016, a hacker attempted to sell nearly half a billion Myspace passwords for $2800 on a paid search engine for hacked data. The hacker, known as Peace, had recently been trying to sell the data of more than 160 million LinkedIn users on the same platform.

According to the site, each record contained “an email address, a username, one password and in some cases a second password.” At the time the story was reported, it was unclear who was originally responsible for the breach, or how this person (or group) was able to gain unauthorized access.

10. Friend Finder Networks

Friend Finder Networks

Number of records lost: 412,214,295

Over 412 million account details were leaked to online criminal marketplaces after attackers gained access to the company’s network of sites, including AdultFriendFinder, Cams.com, Penthouse, Stripshow, and iCams.

The hack also revealed that the company had retained information on 15 million accounts that had been previously “deleted” by users, calling the company’s data privacy practices into question.

Biggest Data & Security Breaches in 2022

1. Neopets

Neopets

Number of records lost: 69,000,000

Tech news site Bleeping Computer reported that 69 million Neopets users may have had their information stolen when a hacker breached their database. The intruder was reportedly trying to sell the treasure trove of data – which included names, birthdates, postcodes, gender and country data – for a sum of 4 bitcoins.

Neopets is a popular website where users can own virtual pets and buy virtual items for them. In response to the breach, the site issued a statement on its Twitter vowing to conduct an investigation and prompting users to change their passwords. Weeks later, the company followed up by confirming details of the hack and saying it had enhanced its security protocols.

2. SuperVPN, ChatVPN, GeckoVPN

SuperVPN

Number of records lost: 21,000,000

In 2022 a new warning was issued for Android users to check for the SuperVPN app. The app has over 100 million users and has previously been accused of concealing malicious spyware.

SuperVPN app is one of the most popular and dangerous VPNs on Google Play. If it’s on your phone, delete it immediately. SuperVPN and other related apps like ChatVPN and GeckoVPN have been implicated in a data security breach impacting millions of users.

The breach involved details of about 21 million users, with data that included names, email addresses, usernames, payment data, and even device details. It’s also worth mentioning that there are at least six other apps, like SuperVPN, which have identical descriptions and logos from different creators on the Google Play store.

3. Singtel Optus Pty Limited

Singtel Optus Pty Limited

Number of records lost: 9,800,000

In September 2022, Singtel Optus Pty Limited, an Australian telco, suffered a data breach in which 9.8 million records containing the personal information of current and former customers were exposed. The hacker stated on a forum that access to the data was gained through an “unauthenticated” or open API.

It’s reported that this may be the worst data breach in Australia’s history. The legal compliance questions for Optus under Australian privacy laws include whether it held personal information for longer than it needed to, whether it took reasonable steps to protect the personal information it held, and whether it met its legal obligations regarding data management, notification, implications and remedies of the data breach.

The commercial damage to Optus will be far-reaching, including investigation and containment costs, external audit, legal bills, dealing with regulators, communication and compensation to affected stakeholders, and damage to reputation and brand value, customer relationships, and share price.

4. Cash App Data Breach

Cash App

Number of records lost: 8,200,000

A data breach at Cash App Investing, a parent company of Block Inc’s product, potentially impacted more than 8 million customers. The company revealed in a regulatory filing that a former employee had downloaded internal reports without permission, compromising customers’ personal data.

The data accessed included customers’ full names, brokerage account numbers, and personal identification numbers associated with a customer’s stock activity on the platform. For some customers, the data accessed also included the value and holdings of the brokerage portfolio, as well as some trading activity.

The company reached out to impacted customers and launched an investigation with the help of a leading forensics firm. They also stated that they’re reviewing and strengthening administrative and technical safeguards to protect the information in the future.

5. Twitter

Twitter

Number of records lost: 5,400,000 million

The private profile information of 5.4 million Twitter users was just made public due to a data leak. Phone numbers, email addresses, and other user information were all released for free on a dark web forum. The information is thought to have been accessed using a flaw in Twitter’s API that let attackers link account names with phone numbers.

Since then, Twitter has rectified the flaw and is attempting to resolve the problem. It’s crucial to understand that this leak was caused by malevolent actors using a flaw in the platform’s API rather than a hack or other system breach at Twitter.

Users are urged to adjust their Twitter privacy settings to better safeguard their personal information and to be alert for any suspicious behaviour or messages.

6. Medibank

Medibank

Number of records lost: 3,900,000

Medibank, a major Australian health insurer, experienced a cyber attack that exposed personal information belonging to 3.9 million customers. The breach was detected in late January 2022, after which the company launched an investigation to understand the full extent of the incident. The data breach has raised concerns about the security of personal information in the healthcare industry.

According to the company, the exposed data included “names, addresses, birth dates, Medicare numbers, policy numbers, phone contacts, and some claims data.” However, Medibank informed its customers that their banking information, including credit card numbers and bank account numbers were safe.

To mitigate the damage, they reached out to victims and offered free credit monitoring and identity protection services. Medibank also took steps to strengthen its security measures against future cyber attacks.

According to Medibank’s investor announcement, the estimated cost of preventive measures is anywhere between AU$ 25 million and AU$ 35 million.

Medibank also informed the relevant authorities, including the Australian Cyber Security Centre, about the incident, and investigations are ongoing. Once completed, the investigations will confirm whether the breach resulted from a cyber-attack or a human error.

7. FlexBooker

FlexBooker

Number of records lost: 3,700,000

FlexBooker, a scheduling software company, recently disclosed a data breach that impacted over 3.7 million accounts. The company stated that the breach occurred on June 8th, and they were made aware of the incident on June 10th, 2022.

The data accessed includes customers’ names, email addresses, and hashed passwords. No financial information or sensitive personal information is believed to have been accessed.

FlexBooker has stated that they have taken measures to secure their systems and are working with third-party cybersecurity experts to investigate the incident. They also sent out notifications to customers impacted by the breach and advised them to reset their passwords.

This data breach highlights the importance of companies having robust security measures to protect customers’ information and the need for prompt notification during a data breach.

8. Nelnet Servicing LLC

Nelnet Servicing LLC

Number of records lost: 2,500,000

In the Summer of 2022, a data breach at Nelnet Servicing LLC exposed the personal data of about 2.5 million student loan applicants across different states in the US.

Unknown people got into accounts, and a forensics investigation found that the following information was affected: phone numbers, full names, addresses, and Social Security numbers of people who have taken out loans with EdFinancial or the Oklahoma Student Loan Authority (OSLA).

Nelnet, the largest federal student loan servicer, discovered the breach on August 17th, and the unknown party had access to accounts starting in June. On July 21st, Nelnet notified impacted student loan servicers about the incident.

Due to the breach’s severity and the time the company took to notify potential victims, Nelnet Servicing LLC faces a lawsuit alleging wrongdoing.

9. Shields Health Care Group

Shields Health Care Group

Number of records lost: 2,000,000

In the Summer of 2022, Shields Health Care Group, a leading provider of diagnostic imaging services in New England, announced that they had suffered a cyber-attack on their systems. The attackers were able to gain unauthorized access to the personal information of approximately 2 million individuals, including their names, addresses, dates of birth, and Social Security numbers.

Some patients’ medical information, such as the type of exam or procedure performed, was also accessed.

Shields Health Care Group stated that they have no evidence to suggest that the information accessed had been misused. Still, as a precaution, they offered identity protection services to impacted individuals. The company also implemented additional security measures to prevent future breaches.

The incident is forthwithunder investigation by the FBI and other law enforcement agencies. The company has also reported the incident to the HHS (Department of Health and Human Services) and state attorneys general, as required by law.

This data breach highlights the importance of healthcare organizations’ robust security measures to protect patient information. The healthcare sector is a key prey for cybercriminals due to the sensitive nature of the information they hold. With more and more healthcare companies going digital, they must stay vigilant and take proactive measures to protect patient data.

10. Texas Department of Insurance

Texas Department of Insurance

Number of records lost: 1,800,000

An audit conducted by the Texas State Auditor’s office has revealed that the personal information of 1.8 million Texans who had filed insurance claims with the Texas Department of Insurance (TDI) was exposed for years.

The information, which included names, addresses, Social Security numbers, and other sensitive data, was reportedly stored on a publicly accessible server that was not properly secured.

The audit found that the TDI had failed to implement adequate security measures to protect the data and had not properly trained staff on data security.

The TDI has since taken steps to secure the data and improve its data security practices, but the incident has raised concerns about the state’s ability to protect sensitive information.

Significantly, the incident also emphasizes the importance of useful data security protocols and the need for organizations to regularly review and update their security measures to ensure they’re effective in protecting sensitive information.

11. Toyota

Toyota

Number of records lost: 300,000

Toyota has disclosed that 300,000 drivers may have been affected by the five-year exposure of the source code for the proprietary software used in its vehicles.

The software used in the car’s telematics systems, which manage features like navigation, remote starting, and the ability to lock and unlock the car, had some of its code exposed.

The business claimed that there was no safety risk to its customers and that no current Toyota vehicles utilised the disclosed code. It did acknowledge, though, that the disclosure of the code might provide a stranger access to some optional telematics system features.

In addition to informing impacted customers, Toyota is also taking action to fix the problem, including tightening security and keeping an eye out for any unusual behaviour.

Customers have also been reminded by the business to take the required precautions to safeguard their personal data. This event emphasises how crucial it is to protect proprietary software as well as the possible repercussions of a data breach in the automobile sector.

12. North Face

The North Face

Number of records lost: 200,000

The North Face, a popular outdoor clothing and equipment company, announced that it had been the target of a credential stuffing attack, affecting nearly 200,000 customer accounts.

Credential stuffing is a type of cyberattack in which hackers use a list of stolen login credentials to gain access to other accounts. In this case, the hackers used a list of login information, likely obtained through previous data breaches, to gain access to North Face customer accounts.

The company discovered the attack in 2022 and immediately took steps to secure the affected accounts and notify customers of the incident. They also advised customers to change their passwords and monitor their accounts for suspicious activity.

North Face has also hired a leading cyber security firm to investigate the incident and help prevent future attacks. Despite this attack, the company reassured its customers that no financial or payment information had been compromised.

13. Omnicell, Inc.

Omnicell, Inc.

Number of records lost: 126,000

In 2022 Omnicell, a healthcare technology company, confirmed that they experienced a ransomware attack on their systems. The incident resulted in a disruption of their services and limited access to specific customer data. A sum of 126 000 customer records was affected by the ransomware.

The company has taken immediate action to contain the incident and is working with cybersecurity experts to investigate the matter. They have also reported the incident to law enforcement and cooperated with their investigations.

Omnicell has assured its customers that they’re taking all necessary steps to protect their data and prevent related happening in the future. The company has indicated that it’s working diligently to restore normal operations and minimize customer disruption. They also said there is no evidence that customer data has been exfiltrated or misused because of the attack.

14. GiveSendGo System

GiveSendGo System

Number of records lost: 93,000

The GiveSendGo, a Christian fundraising platform, suffered a data breach in 2022. This breach exposed users’ sensitive personal information, including names, addresses, email addresses, and phone numbers. A total of 93,000 user accounts suffered the data breach.

In addition, the hackers also accessed transaction data, including donation amounts, payment methods, and campaign details. The company confirmed that the hackers had gained access to the system through a vulnerability in third-party software.

The company immediately took action to secure the system and launched an investigation with the help of a leading cybersecurity firm. The GiveSendGo firm also informed the affected users and offered them a complimentary identity theft protection service.

The organization is a popular platform among Christians and churches, and the data breach has raised concerns about the security of personal information. The company has stated that they’re reviewing and strengthening administrative and technical safeguards to protect information.

15. Uber

Uber

Number of records lost: 77,000

In 2022, it was revealed that over 77,000 Uber employees’ personal information had been exposed due to a data breach. Names, email addresses, phone numbers, car plate numbers, and financial information were all contained in the data.

Uber allegedly used a third-party cloud-based service to store employee data where the information was taken. According to Uber, they are looking into the situation and taking measures to secure their systems.

The business has said that they don’t think any private data, including Social Security numbers, was exposed in the data incident. The incident is being looked into by the appropriate authorities.

Biggest Data & Security Breaches in 2021

1. Apple / Bluetoad

Apple

Number of records lost: 12,367,232

Bluetoad is the name of a small mobile publishing company that announced in 2012 that it had been the “victim of a cyber attack, which resulted in the theft of Apple UDIDs from [their] systems.”

UDID stands for Unique Device Identifier, a protocol that Apple strongly discouraged developers from utilizing due to privacy concerns. Due to the breach, millions of unique Apple device IDs were leaked onto the internet.

While hackers initially claimed the IDs were obtained from an FBI laptop, an independent security expert discovered that the leak actually arose from a breached BlueToad database.

2. T-Mobile

T-Mobile

Number of records lost: 45,000,000

T-Mobile confirmed in the summer of 2021 that they were investigating a data breach in which up to 58 million current, former or prospective customers had their information stolen.

The stolen data included critical personal information such as names, dates of birth, Social Security numbers, and driver’s license IDs: just the sort of information that criminals could potentially use to perpetrate identity theft.

Fortunately, T-Mobile maintained that “phone numbers, account numbers, PINs or passwords” all remained secured.

Biggest Data & Security Breaches in 2020

1. Wattpad

Wattpad

Number of records lost: 270,000,000

Wattpad is an online literature platform where users can read and write original stories, billed by its founders as a way for users to create social communities around stories, eliminating barriers between readers and writers.

But in 2020 it was discovered that a stolen database containing 270 million records were being offered for free on hacker forums. The records contained info like names, email addresses, and geographic locations of the site’s users.

2. Unknown

Number of records lost: 201,000,000

A US property and demographics database which contained over 200 million records was publicly exposed to the internet in 2020. The records contained detailed personal, demographic, and property information about American residents and their properties.

At the time the leak was discovered, researchers were unable to identify the owner(s) of the database, and it is unknown whether unauthorized parties accessed the data while it was still exposed.

3. Instagram

Instagram

Number of records lost: 200,000,000

200 million records scraped from Instagram profiles were left publicly available in this massive data breach from 2020. The data contained information such as profile names, full real names, profile photos, and account descriptions.

Researchers discovered that one in five records contained either a telephone number or email address.

4. Unknown Agency (believed to be tied to US Census Bureau)

Number of records lost: 200,000,000

An unsecured database, hosted on a Google Cloud server, was discovered by analysts at CyberNews. The database contained over 800GB of detailed personal records on 200 million American users.

Based on the contents of the accidentally published database, researchers believe that much of the information may have originated from the United States Census Bureau since it contained special codes used in the bureau’s classification system.

5. Tetrad

Tetrad

Number of records lost: 120,000,000

In this breach, a massive 747 gigabytes of data was leaked, exposing market information about millions of American households.

The customer data was taken from major retailers like Kate Spade & Co. and Beverages & More Inc. and was stored by Tetrad Computer Applications Inc., which held the information in an Amazon Web Services cloud container. The exposed information included customer locations and purchasing histories.

6. CheckPeople

CheckPeople

Number of records lost: 56,250,000

A Chinese IP address was discovered on the public internet which hosted a database containing the personal details of over 56 million US residents. The leaked information included names, home addresses, phone numbers, and ages.

A white-hat hacker discovered the database and tipped off the press. The hacker reported that metadata linked the source of the information to CheckPeople.com, which aggregated the data from public records.

7. Animal Jam

Animal Jam

Number of records lost: 46,000,000

Animal Jam, a popular game for children, ranked in the top five games for the 9-11 age category in Apple’s US App Store at the time of this data breach.

November 2020: WildWorks, the company that makes the game, released a detailed statement revealing that it recently discovered that a hacker stole 46 million Animal Jam Records in early October.

The company said the hacker was able to access one of its internal systems used by employees to communicate with each other. The stolen data was reportedly being circulated in at least one cybercrime forum.

8. TikTok

TikTok

Number of records lost: 42,000,000

In a massive data breach uncovered by a security research team at Comparitech, it was discovered that an unsecured database exposed a dataset that contained approximately 42 million TikTok users.

Comparitech noted that one in five records contained either a telephone number or email address, along with information such as profile names, real names, photos, and account descriptions.

9. View Media

View Media

Number of records lost: 38,000,000

An unsecured database containing records for close to 39 million US user records was discovered by a security research team working for the firm Cybernews.

The database, which was left on a publicly accessible Amazon Web Services (AWS) server, belonged to an online marketing company called View Media and contained information like full names, email and street addresses, phone numbers, and ZIP codes.

10. Wawa

Wawa

Number of records lost: 30,000,000

Wawa is the name of a convenience store chain located on the US east coast. In early 2020, the company announced that credit card data obtained from a security breach was being sold on a dark web marketplace called Joker’s Stash, at a rate of $17 to $210 per card.

Hackers were able to obtain credit card information for up to 30 million customers in the attack, making it the third-largest credit card breach in history at the time news of the breach first broke.

11. 500px

500px

Number of records lost: 14,870,304

500px (pronounced “five hundred pixels”) is a global online photo-sharing platform based in Toronto, Canada.

In July 2018, 1.5 GB of data was purportedly stolen by cyber criminals pertaining to private account details for nearly 15 million users. The detailed account records contain usernames, emails, encrypted passwords, and in many cases, birthdates, genders, and physical locations.

In 2019, media sources uncovered that information obtained from the breach was being sold on dark web marketplaces for approximately $780. In response, 500px mandated a system-wide password reset and promised to overhaul its security protocols.

Biggest Data & Security Breaches in 2019

1. First American Corporation

First American Corporation

Number of records lost: 885,000,000

Nearly 1 billion records were exposed in this massive leak, including bank and mortgage account details, driver’s licenses, social security numbers, and wire transactions.  Due to a reported “design defect” in one of the company’s production applications, files were accessible through the company’s website without any kind of authentication.

2. Facebook

Facebook

Number of records lost: 540,000,000

According to a cybersecurity research firm, over half a billion Facebook users had their account details publicly leaked on Amazon’s cloud computing service. The nearly 150 gigabytes of Facebook user data included user IDs, comments, reactions, and account names.

3. Airtel

Airtel

Number of records lost: 320,000,000

Names, birthdays, email addresses, and even physical addresses could all have been accessed by hackers for subscribers to India’s third-largest mobile network.

Although a spokesperson for the company insisted that “Airtel’s digital platforms are highly secure”, the data-exposing bug was discovered by an independent security researcher who claims he only took 15 minutes to uncover it.

In addition to the personal information, customers’ IMEI (International Mobile Equipment Identity) numbers were also accessible. IMEIs are unique numbers for identifying devices on mobile networks.

4. Truecaller

Truecaller

Number of records lost: 299,055,000

Truecaller is a popular smartphone app that features caller ID, call blocking, flash messaging, and call recording.

Unfortunately, in 2019 a cybersecurity analyst revealed that data from the app’s hundreds of millions of users was being sold on the dark web for up to 25000 euros. The leaked user data included system and location information, and even subscriber photos. Despite the discovery, the company denied any kind of data breach.

5. MongoDB

MongoDB

Number of records lost: 275,000,000

For more than two weeks, a massive database containing over 275 million records of Indian citizens was left unprotected on the Internet.

The publicly accessible MongoDB database was hosted on Amazon Web Services and contained critical information like names, dates of birth, education details, employment info, and even the current salary for many of the records.

According to a cybersecurity researcher, the data was collected from a large cache of resumes “as part of a massive scraping operation” conducted for unknown purposes.

6. Facebook

Facebook

Number of records lost: 267,000,000

Social media giant Facebook had a particularly bad year for data breaches in 2019. You’ll recall they appeared earlier in our list at number 6, for a data breach that occurred in April of that year.

But in December, a security researcher working for UK tech firm Comparitech discovered that an unprotected database containing personal records for over 267 million Facebook users was left open on the dark web for almost two weeks. Criminals in Vietnam were suspected of stealing user information, which included names, phone numbers, and email addresses.

7. Microsoft

Microsoft

Number of records lost: 250,000,000

Conversation logs between customers and Microsoft support personnel going as far back as 2005 were exposed to the internet due to a “misconfiguration” of one of the company’s internal databases.

Security researcher Bob Diachenko of Comparitech discovered the vulnerability in December 2019, but luckily, Microsoft was able to close the loophole only two days after they were notified, and the company indicated they found no evidence of “malicious use.” Had hackers been able to access the logs, they could have been used to impersonate Microsoft staff in a phishing operation.

8. MongoDB

MongoDB

Number of records lost: 202,000,000

By analyzing the data stream of BinaryEdge search engine, security researchers at bug bounty platform Hackenproof discovered that an 854 GB MongoDB database had been exposed to the public internet.

No username/password authentication was required to access the over 200 million resumes of Chinese job seekers. These resumes contained personal information like mobile phone numbers, emails, driver’s license numbers, and more.

Although the database was secured shortly after owners became aware of the leak, logs indicated that at least a dozen IPs may have accessed the information before it was taken offline.

9. Zynga

Zynga

Number of records lost: 173,000,000

According to a report published by security website Have I Been Pwned, 170 million users may have had their log-in and password details exposed for the online game company Zynga, which hosted over 67 million monthly active users at the time of the leak.

Zynga admitted that the hacker responsible for the breach may have accessed the login details for players of the games Draw Something and Words with Friends, but insisted that no financial information had been compromised.

10. Canva

Canva

Number of records lost: 140,000,000

In May 2019, the popular online graphic design and publishing tool Canva suffered a massive data breach exposing the personal details of nearly 140 million registered users.

Although Canva insisted that payment cards and other financial information remained secure, the stolen data included things like usernames, real names, location information, and email addresses. The company also maintained that passwords remained encrypted and thus “unreadable by third parties.”

11. ElasticSearch

ElasticSearch

Number of records lost: 108,000,000

In 2019, security researchers discovered that an online casino group leaked information on over 108 million bets through an ElasticSearch server that was left online without password protection.

ElasticSearch is a portable search engine that companies install to improve their internal search and indexing functions. Since it usually handles sensitive information, it typically isn’t meant to be left online where the public can access it. This particular ElasticSearch server contained data from an online betting portal, exposing account information like deposits and withdrawals.

12. Capital One

Capital One

Number of records lost: 106,000,000

In 2019, a lone hacker gained access to more than 100 million Capital One customer accounts and credit card applications.

The information accessed included 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, 140,000 US Social Security numbers, and an undisclosed amount of personal data like names, credit scores, addresses, credit limits, and other sensitive information.

The hacker had previously worked as a software engineer for Amazon Web Services, the cloud hosting company that Capital One was using.

13. Justdial

Justdial

Number of records lost: 100,000,000

An independent security researcher reportedly uncovered that local search service JustDial exposed the personal data of more than 100 million users. The exposed information included names, emails, mobile numbers, dates of birth, gender, and addresses.

JustDial denied the breach, however, claiming that the vulnerability only affected a small fraction of users who were accessing an outdated version of the app.

14. LifeLabs

LifeLabs

Number of records lost: 15,000,000

LifeLabs is the name of Canada’s largest laboratory testing company, which in 2019 revealed that it made a payment to cyber criminals to recover the sensitive data of millions of customers after its systems were hacked.

The stolen information pertained to a total of about 15 million customers, located primarily in the provinces of Ontario and BC. According to LifeLabs president Charles Brown, the company agreed to pay the ransom “in collaboration with experts familiar with cyberattacks and negotiations with cybercriminals.” Score one for the bad guys.

15. Quest Diagnostics

Quest Diagnostics

Number of records lost: 11,900,000

In May 2019, Quest Diagnostics, an American clinical laboratory company, released information that an intruder had gained access to the personal information of nearly 12 million patients via a third-party billing collections vendor.

In response to the incident, Quest Diagnostics – one of the largest blood testing providers in the US – suspended sending collection requests to the third-party vendor, the American Medical Collection Agency (AMCA).

The leaked information included private medical details, Social Security numbers, and even financial data.

16. Desjardins

Desjardins

Number of records lost: 9,700,000

In a report issued in 2020, the Office of the Privacy Commissioner of Canada revealed that a Canadian financial service cooperative, the Desjardins Group, had its security safeguards breached between 2017 and 2019.

The breach ultimately affected close to 9.7 individuals in Canada and abroad. Compromised information ranged from names and birthdates to social insurance numbers and transaction histories.

Desjardins found that the breach had been committed by one of its employees, prompting government investigators to conclude that Desjardins had been in contravention of accountability standards contained in the Personal Information and Electronic Documents Act (“PIPEDA”).

Biggest Data & Security Breaches in 2018

1. Aadhaar

Aadhaar

Number of records lost: 1,100,000,000

Aadhaar is the name of the Indian government’s biometric ID database. It contains information like fingerprints and iris scans on more than 1.1 billion registered Indian citizens. Enrolling in the massive database is practically a necessity for Indian citizens, who rely on it to access basic government and business services.

Unfortunately, Aadhaar was breached in March 2018 because of a data leak on a system operated by a state-owned utility company called Indane. The leak made it possible for anyone to access private information on Aadhaar holders, such as names, ID numbers, and even bank details.

2. Marriott International

Marriott International

Number of records lost: 500,000,000

In 2018, hotel giant Marriott International revealed that the private details of up to 500 million customers were exposed to hackers over a four-year timespan. The hackers were able to breach the company’s reservation system for several of its hotel chains.

The information stolen included names, addresses, credit card numbers, and in some cases, passport numbers, travel locations, and arrival/departure dates.

Whether the data was targeted by nation-states seeking to conduct international espionage or merely profit-seeking criminals, the leaked info was exceptionally valuable due to its intimate nature.

3. Exactis

Exactis

Number of records lost: 340,000,000

In June of 2018, security researcher Vinny Troia discovered that a database containing close to 340 million personal records had been exposed on a publicly accessible server. The database belonged to a marketing and data aggregation firm known as Exactis.

According to Trola, founder of New York-based Night Lion Security, “it seems like this is a database with pretty much every US citizen in it.” The leaked information contained personal details ranging from demographic data to personal interests.

4. Dubsmash

Dubsmash

Number of records lost: 162,000,000

Dubsmash, a popular video messaging app headquartered in New York, reported in February of 2019 that 162 million user accounts were compromised in December of 2018.

Since the company failed to notify its customers of the breach, users were left to check for themselves if their data had been impacted by using third-party websites like HaveIBeenPwned. Information leaked in the breach included personally identifiable data like user locations, names, phone numbers, and even usernames and passwords.

5. Under Armour

Under Armour

Number of records lost: 150,000,000

MyFitnessPal is an app designed to help its users track their nutrition and exercise routines. The app is owned by US fitness brand Under Armour, and suffered a data breach in February 2019 which affected approximately 150 million users.

Fortunately, security researchers noted that the company performed its due diligence by promptly making public announcements and notifying impacted users. Further, the company insisted that the leaked passwords remained strongly encrypted.

6. Quora

Quora

Number of records lost: 100,000,000

The popular question-and-answer website revealed in 2018 that a “malicious third party” may have accessed the account information of approximately 100 million users.

The exposed information included email addresses and encrypted passwords, and even some private direct messages. It also included data from linked social media accounts on sites like Facebook and Twitter.

7. MyHeritage

MyHeritage

Number of records lost: 92,283,889

MyHeritage is a family genealogy and DNA testing site which helps its users track their family trees. In 2018, a security researcher uncovered an archive on a third-party server that contained the personal details of over 92 million MyHeritage users.

Luckily, the exposed passwords were encrypted, and MyHeritage reported that they only use third-party payment processors for transactions, which meant that payment data was never stored on its systems. As for the DNA test results, they were saved on separate servers which were not compromised.

8. US Postal Service

US Postal Service

Number of records lost: 60,000,000

A security weakness discovered on the USPS website enabled anyone who had an account with the site to access account details for approximately 60 million other users, and in some cases even modify account details on their behalf.

The USPS fixed the vulnerability after it was discovered by an anonymous security researcher who reported it to USPS as well as the press. The leak exposed up-to-date information about packages and mail being sent by customers, as well as detailed account information.

9. Facebook

Facebook

Number of records lost: 50,000,000

Up to 50 million Facebook users were affected by a security vulnerability that allowed attackers to directly take over user accounts.

By the time the social media giant reported the issue, the bugs which enabled the attack had already been patched and resolved, according to Facebook. As part of the resolution, Facebook automatically logged out 90 million users from their accounts.

10. HauteLook

HauteLook

Number of records lost: 28,517,244

HauteLook is an online fashion store. In 2019, it was disclosed that account details stolen from the retailer had been available for sale in a dark web marketplace for up to one year.

Drawing from 1.5 gigabytes of data taken during 2018, the stolen account records contain email addresses, hashed passwords, and names. When requested to comment, a spokesperson for the LA-based company did not respond.

11. Ticketfly (a subsidiary of Eventbrite)

Ticketfly

Number of records lost: 26,151,608

In 2018, a hacker managed to hijack the popular ticket distribution site Ticketfly, vandalizing its homepage and stealing customer data including email addresses, phone numbers, and billing addresses.

The cyber attack occurred after the site’s owners declined to respond to the hacker’s demands for a ransom of 1 Bitcoin in exchange for helping them fix the security vulnerability he uncovered. In response, the hacker vandalized the website and acquired access to the private data, which he later posted online.

12. Cathay Pacific Airways

Cathay Pacific Airways

Number of records lost: 9,400,000

The personal data of about 9.4 million passengers of Cathay and its unit Hong Kong Dragon Airlines had been accessed by cyber intruders, the company announced in October 2018.

In a statement released to the public, Cathay revealed that the breached data included passenger names, nationalities, birthdates, email and physical addresses, passport numbers, ID card numbers, and travel histories.

Biggest Data & Security Breaches in 2017

1. River City Media

River City Media

Number of records lost: 1,370,000,000

In 2017, one of the world’s largest spam email operators leaked its entire database of 1.37 billion email addresses. And it didn’t stop at emails. In some cases, real names, IP addresses, and even physical addresses were disclosed in the leak.

It was all thanks to a faulty backup that was published without password protection. This case illustrates how it isn’t always hackers that are responsible for data breaches. Sometimes, information gets leaked simply because a company makes a mistake and fails to secure it.

2. Spambot

Spambot

Number of records lost: 711,000,000

A shocking 711 million records were exposed when an erroneously configured spambot revealed the email addresses (and even some passwords) of its internal database. However, it’s important to keep in mind that in this case, a number of the records were not actually linked to real accounts, as many of the email addresses were fake, repeated, or erroneously collected.

The data was exposed when Spambot failed to secure one of its servers, enabling visitors to access user information without needing to enter security credentials.

3. Equifax

Equifax

Number of records lost: 163,119,000

According to a statement released by credit-reporting bureau Equifax, “criminals exploited a US website application vulnerability to gain access to certain files.”

Roughly half of the US population was affected by the data breach, which also affected people in the UK and Canada. Customer names, social security numbers, birthdates, and addresses were all stolen in the hack, which stretched from mid-May to July.

4. Uber

Uber

Number of records lost: 57,000,000

In 2017, Uber released a public statement indicating that, in late 2016, the popular ridesharing app “became aware that two individuals outside the company had inappropriately accessed user data stored on a third-party cloud-based service” used by the company.

The individuals were able to download the names and driver’s license numbers of around 600,000 Uber drivers in the United States, as well as the personal information of 57 million Uber users around the world, including names, email addresses, and mobile numbers.

5. Taringa!

Taringa!

Number of records lost: 28,722,877

Taringa is often referred to as “The Latin American Reddit.” The social network, geared toward Latin American users, hosts over 28 million users, who create and share countless daily posts on topics ranging from tutorials and recipes to stories and reviews.

Unfortunately, in 2017 it was revealed that a massive data breach may have compromised the login details for nearly all of its users. The breach was reported by LeakBase, who obtained a copy of the hacked database containing details including usernames, emails, and hashed passwords.

Even worse, the passwords were hashed using an outdated algorithm called MD5 which experts say can easily be cracked.

Biggest Data & Security Breaches in 2016

1. Yahoo!

Yahoo!

Number of records lost: 500,000,000

Appearing for the second time in our top 10, Yahoo has been the subject of multiple security breaches in recent years.

The company blamed the intrusion on state-sponsored hackers and reported that the stolen data potentially included names, email addresses, phone numbers, dates of birth, security Q&As, and encrypted passwords.

2. Myspace

Myspace

Number of records lost: 427,000,000

In 2016, a hacker attempted to sell nearly half a billion Myspace passwords for $2800 on a paid search engine for hacked data. The hacker, known as Peace, had recently been trying to sell the data of more than 160 million LinkedIn users on the same platform.

According to the site, each record contained “an email address, a username, one password and in some cases a second password.” At the time the story was reported, it was unclear who was originally responsible for the breach, or how this person (or group) was able to gain unauthorized access.

3. Friend Finder Networks

Friend Finder Networks

Number of records lost: 412,214,295

Over 412 million account details were leaked to online criminal marketplaces after attackers gained access to the company’s network of sites, including AdultFriendFinder, Cams.com, Penthouse, Stripshow, and iCams.

The hack also revealed that the company had retained information on 15 million accounts that had been previously “deleted” by users, calling the company’s data privacy practices into question.

4. Philippines Commission on Elections

Philippines Commission on Elections

Number of records lost: 55,000,000

Fingerprint data and passport information were among the records compromised by hackers in an apparent cyber attack on the Philippines Commission on Elections in 2016. As a result of the hack, the Commission also saw its website defaced at the end of March.

The group claiming responsibility, known as Anonymous Philippines, stated that it sought to highlight “vulnerabilities” in the system: in particular, the use of automated voting machines.

5. Weebly

Weebly

Number of records lost: 43,430,316

According to data breach notification site LeakedSource, the web design platform known as Weebly was the victim of a cyber attack in February 2016, which saw the integrity of more than 43 million accounts compromised.

Usernames and encrypted passwords, along with user IP addresses, were all taken in the massive data breach, although Weebly maintains that it does not store credit card information.

In response to the breach, Weebly sent an email notification to affected users and mandated password resets.

6. Taobao

Taobao

Number of records lost: 20,000,000

Taobao is a Chinese shopping site owned by Alibaba. Users can buy or sell, similar to eBay in the US. According to Alexa, it is the eighth most visited website in the world as of 2021.

In October 2015, it’s believed that crooks acquired access to nearly 21 million Taobao accounts and then exploited them for fake reviews and fake bidding.

Biggest Data & Security Breaches in 2015

1. Anthem Inc.

Anthem Inc.

Number of records lost: 80,000,000

In 2015, health insurance provider Anthem Inc. was the victim of a massive cyber attack that put approximately 80 million customers’ data at risk.

The breach affected current and former customers, employees, and even Anthem’s own CEO, Joseph Swedish. At the time the attack occurred, it was the largest healthcare breach to date.

In 2019, US federal prosecutors charged a Chinese national and an unnamed accomplice for the hack, which exposed data including names, health ID numbers, dates of birth, and social security numbers.

2. Ashley Madison

Ashley Madison

Number of records lost: 32,000,000

Hackers who breached the cheating dating website AshleyMadison.com subsequently dumped the 9.7 gigabytes of data they obtained onto the dark web.

The leaked files apparently include account details for some 32 million users, along with up to seven years of credit card transaction details. These transaction details could be linked back to names, street addresses, email addresses and amounts paid, but not the full credit card numbers.

3. US Office of Personnel Management

US Office of Personnel Management

Number of records lost: 21,500,000

In 2015, the US government announced that it suspected a Chinese espionage operation had exposed data relating to 21.5 million employees and applicants of the US Office of Personnel Management.

Intelligence experts stated that the massive theft could give Chinese intelligence operatives a strategic advantage for recruiting informants within the US government, and for identifying US spies abroad.

4. Experian / T-Mobile US

Experian

Number of records lost: 15,000,000

On September 15 of 2015 Experian, one of the world’s largest consumer credit monitoring firms, announced that it had discovered the theft of sensitive personal data belonging to 15 million people who had applied for service with telecom giant T-Mobile.

T-Mobile’s CEO John Legere revealed that the stolen data included names, addresses, birthdates, Social Security numbers, driver’s license numbers, and passport numbers. These details are highly valuable to fraudsters looking to commit identity theft.

5. Premera

Premera

Number of records lost: 10,400,000

Premera is the name of a not-for-profit Blue Cross Blue Shield licensed health insurance provider based in Washington state.

In 2020, Premera agreed to pay nearly $7 million to settle a 2015 data breach that occurred as a result of a “sophisticated cyberattack” that exposed the data of around 10.4 million people.

Beginning in 2014, hackers used a phishing email to install malware on Premera’s systems, giving them access to member data including names, birthdates, email addresses, Social Security numbers, bank account details, and health plan clinical information.

6. Excellus

Excellus

Number of records lost: 10,000,000

Excellus, an upstate New York healthcare insurance provider, announced in August 2015 that a cyber breach tracing back to 2013 may have exposed private details for as many as 10 million of its nationwide clients.

The attackers may have gained access to a plethora of information on these clients ranging from Social Security numbers to member identification numbers, insurance claim information, and even financial accounts.

In response to the breach, Excellus began offering affected individuals two years of free identity theft protection services.

Biggest Data & Security Breaches in 2014

1. eBay

eBay

Number of records lost: 145,000,000

The popular online marketplace eBay was forced to ask nearly 150 million users to change their passwords in May of 2014 after hackers stole encrypted passwords and other personal data including addresses, phone numbers, and dates of birth.

In a statement released to the public, the company reported that “cyberattackers compromised a small number of employee log-in credentials, allowing unauthorized access to eBay’s corporate network,” adding that they were working with law enforcement to investigate the attackers behind the breach.

2. JP Morgan Chase

JP Morgan Chase & Co.

Number of records lost: 76,000,000

Due to a cybersecurity breach in the summer of 2014, over 76 million account holders at JP Morgan Chase saw their private data compromised. The affected customers included both households and small businesses.

The final tally dwarfed previous estimates: only a few weeks before the information was reported, executives at the financial institution maintained that only one million accounts had been affected.

3. Home Depot

The Home Depot

Number of records lost: 56,000,000

In 2014, a massive set of stolen credit and debit cards went on sale in darknet marketplaces according to multiple banks who reported that Home Depot stores may be the source of the leak.

Russian and Ukrainian hackers were suspected of being responsible for the massive data breach, which was interpreted by some as retaliation for US and European sanctions against Russia for its aggressions in Ukraine since the stolen cards were being sold under the label “European Sanctions.”

4. Benesse

Benesse

Number of records lost: 35,040,000

Up to 35 million personal records were leaked in a massive data breach allegedly committed by an engineer working for Benesse, an educational services firm in Japan.

Private information such as names, addresses, phone numbers, and birthdays were all stolen by the attacker, who then sold the information for just under $25,000 USD. Benesse confirmed the leak but maintained that financial information like credit card numbers and banking data remained safe.

5. Korea Credit Bureau

Korea Credit Bureau

Number of records lost: 20,000,000

Korean state regulators revealed in 2014 that the private data of at least 20 million bank and credit users was leaked by an employee of the personal credit rating firm Korea Credit Bureau (KCB).

20 million users are no small figure: it’s worth noting that the population of South Korea stood at approximately 50 million at the time of the leak.

The employee, who was arrested after working for the firm as a temporary consultant, is accused of selling private data to phone marketing companies whose managers were also arrested.

Biggest Data & Security Breaches in 2013

1. Yahoo!

Yahoo!

Number of records lost: 3,000,000,000

Nearly a decade after its occurrence, the staggering Yahoo data breach remains the single biggest of all time – that we know about!

In 2017, it was revealed that an eye-watering 3 billion accounts were compromised. Every single person who had a Yahoo account in August 2013 was likely affected by the astonishing attack.

2. Adobe Systems Incorporated

Adobe Systems Incorporated

Number of records lost: 152,000,000

According to researcher Paul Ducklin at the Sophos Naked Security Blog, a database of Adobe user data surfaced online at a website known to be frequented by cybercriminals.

Although Adobe initially estimated that a mere 3 million user accounts were compromised by the intrusion, Ducklin estimates that over 150 million “breached records” could be found in the staggering 10GB database.

For their part, Adobe puts this number at only 38 million users, reporting that the intruders likely uncovered “many invalid Adobe IDs, inactive Adobe IDs, Adobe IDs with invalid encrypted passwords, and test account data” in the breach.

3. Target Corporation

Target Corporation

Number of records lost: 110,000,000

US retail giant Target confirmed in 2013 that previous reports about unauthorized access to customer credit card data were true. The customers affected by the breach made purchases in US stores between November and December of that year.

Target reported it was working with law enforcement to investigate, and advised its customers to call a toll-free phone number if they noticed any unauthorized activity on their credit and debit cards following the breach.

4. Tumblr

Tumblr

Number of records lost: 65,469,298

In 2016, Tumblr revealed that it had recently discovered a 2013 data breach that affected “a set” of user email addresses and passwords, which independent security analysts pegged at over 65 million.

After the announcement, the hacked data was seen circulating within darknet marketplaces. Fortunately, the passwords were hashed and “salted,” meaning that a random series of bytes were affixed to the end of passwords before hashing, making them very difficult to crack.

5. Evernote

Evernote

Number of records lost: 50,000,000

In a 2013 blog post, Evernote’s CTO, Dave Engberg, disclosed that “individual(s) responsible [for the breach] were able to gain access to Evernote user information, which includes usernames, email addresses associated with Evernote accounts and encrypted passwords.”

As a result, Evernote enforced a mandatory password reset for its tens of millions of users as a precautionary measure, even though the passwords were “hashed and salted,” a term referring to a high level of encryption.

6. Living Social

Living Social

Number of records lost: 50,000,000

April 2013: online offers site LivingSocial notified its some 50 million users of a security breach that resulted in unauthorized access to private customer data from its internal servers. The notification email informed users that “information accessed includes names, email addresses, the date of birth of some users, and encrypted passwords.”

The fact that the passwords were “hashed” and “salted” reduced the severity of the security breach since these methods greatly increased the difficulty required to gain access to the actual passwords.

7. Yahoo! Japan

Yahoo! Japan

Number of records lost: 22,000,000

In 2013, Yahoo’s Japanese division revealed that it suspected up to 22 million user IDs may have been “leaked.”

The company also stated that it had uncovered evidence of an unauthorized attempt to access the internal administrative systems for its Japanese web portal. Fortunately, the agency maintained that the leaked information was insufficient to acquire access to individual user accounts or their passwords.

Biggest Data & Security Breaches in 2012

1. Multiple American Businesses (including 7-Eleven and Nasdaq)

Number of records lost: 160,000,000

Over a period of seven years, a handful of Russian and Ukrainian hackers were able to gain access to over 160 million credit and debit card numbers.

The attacks occurred between 2005 and 2012, particularly in 2008 and 2009 during the height of the global financial crisis. While banks and payment processors were the primary targets, retail chains like 7-Eleven were also affected by the breach.

2. Rambler.ru

Rambler.ru

Number of records lost: 98,167,935

Rambler is a Russian search, news, and email website resembling Yahoo. In 2012, a major dump of the user database revealed usernames, passwords, and ICQ messaging accounts for over 98 million users.

What’s especially troubling in this case is that user passwords were stored in unencrypted plain text, which meant that anyone who breached the database had instant access to the private email accounts of tens of millions of users.

3. Dropbox

Dropbox

Number of records lost: 68,648,009

More than 68 million account holders at Dropbox were affected by a 2012 security breach, which resulted in Dropbox resetting all passwords that had remained unchanged since mid-2012, a move done as a “preventative measure” in 2016.

The details of the Dropbox accounts, which included hashed passwords, emerged on hacker trading sites as part of a 5 GB document.

4. Zappos

Zappos

Number of records lost: 24,000,000

Zappos is a Las Vegas-based online shoe and clothing retailer which was acquired by Amazon in 2009. In 2012, the firm revealed that its internal network was hacked, leaking the private details of 24 million of its users.

In response to the breach, Zappos mandated password resets for all of its customers and warned users to be on the lookout for phishing attempts utilizing the stolen information, which included names, emails, phone numbers, addresses, and the last four digits of credit card numbers.

5. Blizzard Entertainment

Blizzard Entertainment

Number of records lost: 14,000,000

Activision Blizzard, which developed World of Warcraft and operates the Battle.net gaming portal, warned its users that their personal data had been accessed by hackers in the summer of 2012.

Blizzard president and co-founder Mark Morhaime said in a public statement: “our security team found unauthorized and illegal access into our internal network here at Blizzard. We quickly took steps to close off this access and began working with law enforcement and security experts to investigate what happened.”

6. Government of Greece

Government of Greece

Number of records lost: 9,000,000

A 35-year-old Greek computer programmer was arrested in 2012 after he was found to possess “nine million data files containing identification card data, addresses, tax ID numbers, and license plate numbers” which he was attempting to sell on the black market. While police suspect he obtained the information via hacking, it’s also possible the breach arose from an inside job.

Given Greece only had a population of around 10 million at the time of the breach, this means that a majority of the Mediterranean nation’s citizens were placed at risk of identity theft by the actions of this singular attacker.

7. KT Corporation

KT Corporation

Number of records lost: 8,700,000

Korean police announced in 2012 that two computer programmers had been arrested for obtaining unauthorized access to the personal data of nearly 9 million KT subscribers.

KT Corporation is one of South Korea’s largest wireless service providers, in one of the world’s most wired countries.

According to the police, seven other individuals were also suspected of having purchased and used the hack data, which included resident registration numbers.

8. Gamigo

Gamigo

Number of records lost: 8,000,000

According to the data breach alert service PwnedList, more than 8 million usernames, emails, and encrypted passwords from the gaming site Gamigo were published on the internet.

The half-gigabyte data dump was posted to a password-cracking forum several months after Gamigo warned its users about a hacker intrusion. In response to the leak, the free gaming site enforced a mandatory password reset for all its users.

Biggest Data & Security Breaches in 2011

1. Sony Playstation Network

Sony Playstation Network

Number of records lost: 77,000,000

Sony had to shut down its Playstation network for over a month in response to a hacker attack that affected roughly 77 million customers. The company blamed the shutdown on an “external intrusion” that exposed account information on nearly 25 million users, including over 12,000 encrypted credit numbers.

2. Steam

Steam

Number of records lost: 35,000,000

Valve, the owner and operator of the popular PC gaming platform Steam, uncovered an intrusion into one of its user databases while it was investigating a security breach of its online discussion forums.

Attackers were able to obtain login details from the forum and then access a database that held private ID and credit card data, though Steam maintains that it found no evidence that the credit cards were actually used for fraudulent purposes.

At the time of the breach, the Steam service was used by an estimated 35 million people.

3. Tianya Club

Tianya Club

Number of records lost: 28,000,000

Tianya is the name of one of China’s most popular online discussion forums. In 2011, the site suffered a data breach for which the private details of between 28 and 40 million users were leaked. Hackers were suspected of perpetrating the breach and then publishing the account details online.

In response to the breach, the online forum notified users via email and forum messaging to change their passwords immediately. The site also reported the breach to the police.

4. Sony Online Entertainment

Sony Online Entertainment

Number of records lost: 24,600,000

2011: Sony had to temporarily suspend its Online Entertainment network, used for MMORPGs like Everquest, Star Wars: Galaxies and Matrix Online, after it was revealed that 24.6 million user accounts may have been compromised as part of a widely publicized hack.

The stolen data included names, email addresses, and hashed passwords, but in some cases, Sony reported that credit card numbers and expiration dates may have been taken from an “outdated database from 2007.”

5. Nexon Korea Corp

Nexon Korea Corp

Number of records lost: 13,200,000

Just weeks before the leading Korean game developer’s planned initial public offering (IPO) on the Tokyo Stock Exchange, the Korea Communications Commission (KCC) announced that the company had reported it discovered the leakage of personal data of its online game Maple Story’s 13.2 million subscribers.

While the company – one of two leading online game developers in South Korea – maintained the leak data did not include financial transactions or bank account numbers, it did include user IDs, full names, resident registration numbers, and hashed passwords.

6. National Health Service (UK)

National Health Service

Number of records lost: 8,300,000

A single laptop containing records on more than 8 million UK patients went missing from a storeroom at London Health Programmes, a medical research organization based within the NHS North Central London health authority.

The computer was reportedly being used for large-scale data analysis and contained unnamed patient records showing postal

Biggest Data & Security Breaches in 2010

1. Education Credit Management Corporation

Education Credit Management Corporation

Number of records lost: 3,300,000

According to the identity theft unit of the Maryland attorney general’s office, a piece of “portable media” was stolen from the Education Credit Management Corporation. The stolen media contained names, addresses and even Social Security Numbers for around 3.3 million people across the nation.

The ECMC provides collection and document management services for the US department of education. Responding to the data theft, the corporation committed to providing affected borrowers with free credit monitoring and protection services through the credit protection agency Experian. Presumably, users who took advantage of the offer would be able to monitor whether they had been the victims of identity theft and/or other types of fraud.

2. Gawker

Gawker

Number of records lost: 1,500,000

In 2010, a large data breach occurred at the well-known news and gossip website Gawker, exposing the personal data of over 1.3 million of its registered users.

A sophisticated cyber-attack that took advantage of a weakness in the website’s security procedures caused the breach. Usernames, email addresses, and password hashes were among the stolen data. The attackers also had access to the website’s source code and users’ private messages.

When the vulnerability was found, the company’s security staff immediately took the website offline to limit additional harm. Later, the business acknowledged that the data had been taken and promised to strengthen its security protocols.

Despite the company’s best efforts, the harm had already been done, and the company’s reputation suffered. Additionally, many users reported falling victim to spear phishing and other fraudulent practises.

3. Ohio State University

Ohio State University

Number of records lost: 760,000

Ohio State University experienced a serious data breach in 2010. This occasion exposed important data including the personal information of over 5.6 million people–students, alumni, faculty, staff, and other affiliates.

The breach was discovered by the IT department, which reported a successful phishing attack on the school’s online systems. Some of the stolen data included names, addresses, social security numbers, financial aid details, and other student records.

The incident was a significant blow to the university, and its reputation took a hit, with many students and alumni left worried about the safety of their data.

Upon notice, the institution took steps to secure its systems. They notified the victims of the breach and provided credit monitoring services. They also offered them identity theft protection training.

One major step taken was hiring a third-party cyber security firm to investigate the incident and implement additional security measures to prevent future breaches.

4. Apple

Apple

Number of records lost: 114,000

In 2010, AT&T, Apple’s exclusive wireless carrier for the iPad, suffered a major data breach that exposed the personal information of 114,000 iPad 3G owners, including high-profile individuals such as CEOs, military officials, and politicians.

The breach was done by a web security group called Goatse Security, which exploited vulnerabilities in the AT&T network. The group gained access to the email addresses and ICC-ID of the affected subscribers by guessing a large swath of ICC IDs through pictures posted on the internet and by sending an iPad-style “User agent” header in their web request.

The group also shared the script used to automate data harvesting with third parties, which means that the number of affected accounts could be much higher. The script was on the AT&T website and accessible to anyone on the internet. AT&T closed the security hole after the breach, but the victims were unaware until the media reported it.

The incident complicated the relationship between AT&T and Apple and raised concerns about the security of the iPad 3G and AT&T’s cellular network.

codes, ages, ethnic origins, and other details pertaining to 18 million hospital visits.

Biggest Data & Security Breaches in 2009

1. Heartland

Heartland

Number of records lost: 130,000,000

A 2008 attack on Heartland Payment Systems (HPY) exposed critical data on an estimated 130 million customer accounts.

As a result of the breach, Heartland eventually paid out more than $110 million to Visa, Mastercard, American Express, and other institutions to settle the associated claims.

2. National Archives and Records Administration (US Military Veterans)

National Archives and Records Administration

Number of records lost: 76,000,000

While many data breaches involve unsecured internet cloud storage, this particular case involved the mishandling of a defective hard drive.

In 2009, the National Archives and Records Administration sent a defective hard drive back to its vendor for repair without first destroying the data. The vendor then determined it couldn’t be fixed and passed it to another firm to be recycled. A NARA IT manager charges that the move put 70 million veterans at risk of identity theft.

3. RockYou!

RockYou!

Number of records lost: 32,000,000

In late 2009, word spread that the social media application site RockYou suffered a gigantic data breach exposing the details of over 32 million user accounts.

Some experts criticized the site for its allegedly poor security policies and lackluster response to the breach, noting that user account data was stored in plain text format and that it wasn’t until a taunt from the hacker that the company bothered to issue a public response.

4. Virginia Department of Health

Virginia Department of Health

Number of records lost: 8,257,378

A hacker hijacked a Virginia government health website in 2009, replacing the front page with a ransom note claiming that he stole personal and prescription drug information from nearly 8.3 million patients.

The site for the Virginia Prescription Monitoring Program was replaced with the following text: “Attention Virginia! I have your [expletive]! In *my* possession, right now, are 8,257,378 patient records and a total of 35,548,087 prescriptions. Also, I made an encrypted backup and deleted the original. Unfortunately for Virginia, their backups seem to have gone missing, too. Uhoh 🙁 For $10 million, I will gladly send along the password.”

Biggest Data & Security Breaches in 2008

1. Auction.co.kr

Auction

Number of records lost: 18,600,000

Auction.co.kr is the name of eBay’s local Korean unit, and at the time it was breached in 2008, it was the country’s largest online retailer.

Korean police announced in 2010 that the Chinese hackers who penetrated the site two years earlier stole the private information of more than 18.6 million people. At the time, this was the nation’s largest-ever identity theft case, even though Auction initially tried to downplay the number of affected users, pegging it at a mere 10 million.

2. The Bank of New York Mellon

The Bank of New York Mellon

Number of records lost: 12,500,000

A total of 12.5 million American consumers may have had their personal information leaked in February 2008 when an archive vendor lost six backup tapes during transport to a storage facility.

The tapes contained personally identifiable information which could have been used by criminals looking to commit identity theft and/or execute fraudulent transactions.

3. GS Caltex

GS Caltex

Number of records lost: 11,100,000

GS Caltex is one of America’s largest oil refineries. In September 2008, two discs were discovered lying in the street which contained the personal data of over 11 million GS Caltex customers.

It’s believed the DVD and CD were thrown in the trash, even though they contained names, Social Security numbers, addresses, cell phone numbers, email addresses, and workplaces of customers.

The incident highlights the importance of following due diligence when disposing of media containing sensitive information. This leak could have been avoided if the discs had been thoroughly destroyed.

Biggest Data & Security Breaches in 2007

1. TJ Maxx

TJ Maxx

Number of records lost: 94,000,000

A hacker (or group of hackers) stole purchasing data from tens of millions of shoppers at off-price retailers including TJ Maxx and Marshalls. The parent company, TJX, disclosed multiple security loopholes indicating that they failed to promptly delete and properly encrypt data on customer transactions.

The case led banks to reissue customer cards as a precaution. Information was stolen from transactions dating between 2003 and 2004.

2. UK Revenue & Customs

UK Revenue & Customs

Number of records lost: 25,000,000

HK Revenue & Customs is a UK government department responsible for collecting taxes and administering regulatory regimes. In 2006, the HMRC lost computer disks containing the confidential details of 25 million recipients of child benefits.

However, the agency maintained that the records – which include names, addresses, birthdates, and even bank account numbers – fell into the “wrong hands.”

3. Dai Nippon Printing

Dai Nippon Printing

Number of records lost: 8,637,405

Dai Nippon, one of Japan’s largest commercial printing companies, announced in 2007 that a former contract worker stole almost 9 million pieces of private data on customers from 43 different clients, including Toyota.

According to the company, the employee stole the data between 2001 and 2006 by copying the information onto floppy disks and other media. The former employee was subsequently arrested following the announcement.

4. Fidelity National Information Services

Fidelity National Information Services

Number of records lost: 8,500,000

A California law firm filed a class action lawsuit charging Fidelity Information Services (FIS) with negligence arising from a data breach that exposed the personal details of around 8.5 million people.

The suit came after the firm (which is not affiliated with well-known Fidelity Investments) disclosed that a database administrator had illegally accessed and downloaded millions of consumer records and then sold them to data brokers.

Biggest Data & Security Breaches in 2006

1. US Department of Veteran Affairs

US Department of Veteran Affairs

Number of records lost: 26,500,000

While most of the data breaches on our list happened because of internet hacks and leaks, sometimes they can occur due to the loss or theft of physical media like computers, USB drives and cell phones.

That’s exactly what happened in 2006 when a thief stole a laptop PC and external hard disk containing personal data on 26.5 million veterans and active-duty military personnel, directly from the home of a VA employee.

Although the FBI, who later recovered the hardware, insisted that the data remained untouched, the fact that leaks of this nature can happen to official government military organizations remains a disturbing reminder of how no one is invulnerable to the threat of large-scale breaches.

2. AOL

AOL

Number of records lost: 20,000,000

In what must have been a total accident, AOL publicly released private data on 20 million web queries from 650,000 of its users.

The sizable data dump included all searches from affected users during a three-month period in 2006, in addition to what results they clicked on, and where they appeared on the result page.

Critics scolded the once dominant online platform for its “utter stupidity” in the unauthorized publication of private user data.

Biggest Data & Security Breaches in 2005

CardSystems Solutions Inc.

CardSystems Solutions Inc.

Number of records lost: 40,000,000

CardSystems is a third-party payment data processor located in Tucson Arizona, where this massive data breach occurred according to a statement from Mastercard.

A hacker was able to exploit security vulnerabilities to gain access to the company’s internal network and access cardholder data for 40 million account holders. The exposed card numbers were for major credit card brands: 13.9 million Mastercard cards, 20 million Visa cards, and other brands including American Express and Discover.

A spokesperson for Discover noted that cardholders would not be held responsible for any fraudulent transactions arising from the breach.

Biggest Data & Security Breaches in 2004

AOL

AOL

Number of records lost: 92,000,000

While this data breach at AOL occurred almost 2 decades before this article, it still ranks among the biggest of all time. This particular case was an inside job: a software engineer at the company was arrested and charged with stealing AOL’s subscriber list and selling it to a spam email distributor.

According to prosecutors, the spammer then used the email list to promote his online gambling business and also sold it to other spammers to the tune of over $50,000.

Biggest Data & Security Breaches in 2003

Data Processors International

Number of records lost: 8,000,000

In one of the oldest incidents on our list: in 2003, Mastercard disclosed that a hacker may have obtained unauthorized access to nearly 8 million credit card accounts. Visa, Discover, and American Express also confirmed that some of their card accounts may have been accessed in the intrusion.

The hacker was able to obtain the data after he breached the security systems of Data Processors International, a transaction processing firm that acts on behalf of merchants.

Summary

Whether it’s hackers, lost or stolen media, inside jobs, or accidental data dumps – the consequences of data breaches can be devastating to an organization’s business interests, public image, and credibility.

People rely on businesses to do their due diligence in safeguarding their information and preventing it from falling into the hands of malicious actors. Yet all too often, breaches happen anyway.

In many cases, these breaches are preventable if only the proper security resources – time, money, and skilled cybersecurity experts – are allocated and deployed. At the very least, people should be informed about how their personal information is being managed and secured.

This might seem like an inconvenience in the short term for companies seeking a profit, and for government entities seeking to advance their political interests. But in the long run, people will ultimately choose service providers who demonstrate a willingness over time to do the hard work of protecting their critical personal information.

Share with your friends & colleagues!
Jason Crawford

Jason is highly knowledgeable in business legal compliance and protection. He works with all types of businesses to ensure their legal needs are met. He’s a strategic thinker and can quickly develop solutions to complex problems.

Share to...