The 34 Biggest Data Breaches

Data is rapidly becoming one of the most valuable assets in the modern world. The digital giants that monopolise data are arguably the most powerful companies in the world, prompting ongoing conversations about anti-trust legislation and digital privacy.

Despite the overwhelming value controlled by these entities, as we'll see, even companies such as Facebook are vulnerable to the byproduct of the rapid move to digitisation -- the data breach epidemic.

What is a data breach? An information security incident in which personal information is publicly exposed or accessed without authorization. Although companies such as Yahoo and Facebook have gotten widespread attention for the impact of these incidents of cyber risk exposure, data breaches can affect businesses of all sizes in a variety of ways.

They are difficult to identify, are costly to address, and cause reputational damage that some businesses never recover from. However, given the value of data and the inevitability of cyber risk, the best that companies can do to mitigate the effects of a breach is to implement a thorough risk management practice for the detection, containment and communication in the wake of a data breach. According to IBM, companies that contained a breach in less than 30 days saved more than $1 million compared to those that took more than 30 days.

1. Yahoo

Date: October 2017

Impact: 3 billion accounts

Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In this instance, security questions and answers were also compromised, increasing the risk of identity theft. Yahoo first reported the breach on December 14, 2016, while in negotiations to sell itself to Verizon, and forced all affected users to change their passwords and to re-enter any unencrypted security questions and answers so that they would be encrypted in the future.

However, by October of 2017, Yahoo changed the estimate to 3 billion user accounts. An investigation revealed that users' passwords in clear text, payment card data and bank information were not stolen. Nonetheless, this remains one of the largest data breaches of this type in history.

2. Aadhaar

Date: March 2018

Impact: 1.1 billion people

In March of 2018, it became public that the personal information of more than a billion Indian citizens stored in the world’s largest biometric database could be bought online.

This massive data breach was the result of a data leak on a system run by a state-owned utility company. The breach allowed access to private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details.

The type of information exposed included the photographs, thumbprints, retina scans and other identifying details of nearly every Indian citizen.

3. First American Financial Corp.

Date: May 2019

Impact: 885 million users

In May 2019, First American Financial Corporation reportedly leaked 885 million users' sensitive records that date back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork.

4. data breach February 2019

Date: February 2019

Impact: 763 million users

In February 2019, email address validation service exposed 763 million unique email addresses in a MongoDB instance that was left publicly facing with no password. Many records also included names, phone numbers, IP addresses, dates of birth and genders.

5. Yahoo

Date: 2014

Impact: 500 million accounts

Yahoo believed that a "state-sponsored actor" was behind this initial cyber attack in 2014. The stolen data included personal information such as names, email addresses, phone numbers, hashed passwords, birth dates, and security questions and answers, some of which were unencrypted. Yahoo had become aware of this breach back in 2014, taking a few initial remedial actions but failing to investigate further. It was only about two years later that Yahoo publicly disclosed the breach after a stolen database from the company allegedly went up for sale on the black market.

6. Marriott/Starwood

Date: November 2018

Impact: 500 million guests

In November 2018, Marriott International announced that hackers had stolen data about approximately 500 million Starwood hotel customers. The attackers had gained unauthorised access to the Starwood system back in 2014 and remained in the system after Marriott acquired Starwood in 2016. However, the discovery was not made until 2018.

The information that was exposed included names, contact information, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. Marriott believes that financial information such as credit and debit card numbers, and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.

According to the New York Times, the breach was eventually attributed to a Chinese intelligence group, The Ministry of State Security, seeking to gather data on US citizens. If true, this would be the largest known breach of personal data conducted by a nation-state.

7. Adult Friend Finder

Date: October 2016

Impact: 412.2 million accounts

In October 2016, hackers collected 20 years of data on six databases that included names, email addresses and passwords for The FriendFinder Network. The FriendFinder Network includes websites like Adult Friend Finder,,, and

Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99% of them had been cracked by the time published its analysis of the entire data set on November 14.

8. MySpace

Date: June 2013

Impact: 360 million accounts

In June 2013, around 360 million accounts were compromised by a Russian hacker, but the incident was not disclosed publicly until 2016. The information that was leaked included account information such as the owner’s listed name, username, and birth date. Between 2013 and 2016, anyone who gained access to this breached information could have taken over any Myspace account. The former social media network giant has since invalidated all passwords belonging to accounts that were set up prior to 2013.

9. Exactis

Date: June 2018

Impact: 340 million people

In June of 2018, Florida-based marketing and data aggregation firm Exactis exposed a database containing nearly 340 million records on a publicly accessible server. The breach exposed highly personal information such as people's phone numbers, home and email addresses, interests and the number, age and gender of their children. This data exposure was discovered by security expert Vinny Troia, who indicated that the breach included data on hundreds of millions of US adults and millions of businesses.

10. Twitter

Date: May 2018

Impact: 330 million users

In May of 2018, social media giant Twitter notified users of a glitch that stored passwords unmasked in an internal log, making all user passwords accessible to the internal network. Twitter told its 330 million users to change their passwords. The company said it had fixed the bug and that there was no indication of a breach or misuse, but it encouraged the password update as a precaution. Twitter did not disclose how many users were impacted but indicated that the number of users was significant and that they were exposed for several months.

11. NetEase

Date: October 2015

Impact: 234 million users

In October 2015, NetEase was reported to have suffered a data breach that impacted hundreds of millions of subscribers. While there is evidence to say that the data is legitimate (many users confirmed their passwords were in the data), it is difficult to verify emphatically.

The breach contained email addresses and plain text passwords.

12. LinkedIn

Date: June 2012

Impact: 165 million users

In June 2012, LinkedIn disclosed that a data breach had occurred, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: a whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not "salted" with random data to make them harder to reverse.

That revelation prompted other services to comb their LinkedIn data and force their own users to change any passwords that matched (kudos to Netflix for taking the lead on this one). Left unanswered is why LinkedIn did not further investigate the original breach, or inform more than 100 million affected users, in the intervening four years.

13. Dubsmash

Date: December 2018

Impact: 162 million users

In December 2018, Dubsmash suffered a data breach that exposed 162 million unique email addresses, usernames and PBKDF2 password hashes. In 2019, this data appeared for sale on the dark web and was circulated more broadly.

14. Adobe

Date: October 2013

Impact: 152 million

In October 2013, 153 million Adobe accounts were breached. The data breach contained an internal ID, username, email, encrypted password and password hint in plain text. The encryption was weak and many passwords were quickly resolved back to plain text. The password hints added to the damage, making it easy to guess the passwords of many users.

15. MyFitnessPal

Date: February 2018

Impact: 150 million users

In February 2018, the diet and exercise app MyFitnessPal (owned by Under Armour) suffered a data breach, exposing 144 million unique email addresses, IP addresses and login credentials such as usernames and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, this sensitive data appeared listed for sale on a dark web marketplace and began circulating more broadly, so it was identified and provided to data security website Have I Been Pwned.

16. Equifax

Date: September 2017

Impact: 148 million people

In September 2017, Equifax, one of the three largest consumer credit reporting agencies in the United States, announced that its systems had been breached and the sensitive personal data of 148 million Americans had been compromised. The data compromised included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. The credit card information of approximately 209,000 consumers was also exposed through this data breach. The sensitivity of the information processed by Equifax makes this breach unprecedented, and one of the largest data breaches to date.

17. eBay

Date: February/March 2014

Impact: 145 million users

Between February and March 2014, eBay was the victim of a breach of encrypted passwords, which resulted in the company asking all of its 145 million users to reset their passwords. Attackers used a small set of employee credentials to access this trove of user data. The stolen information included encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth. The breach was disclosed in May 2014, after a month-long investigation by eBay.

18. Canva

Date: May 2019

Impact: 137 million users

In May 2019, online graphic design tool Canva suffered a data breach that impacted 137 million users. The exposed data included email addresses, names, usernames, cities and passwords stored as bcrypt hashes.

The suspected culprit(s) — Gnosticplayers — contacted ZDNet to boast about the incident, saying that Canva had detected their attack and remediated the issue that caused the data breach. The attacker also claimed to have gained OAuth login tokens for users who signed in via Google.

Canva confirmed the incident, notified users, and prompted them to change passwords and reset OAuth tokens.

19. Heartland Payment Systems

Date: March 2008

Impact: 134 million credit cards exposed

At the time of the breach, Heartland was processing north of 100 million credit card transactions per month for 175,000 merchants. The breach was discovered in January 2009 when Visa and MasterCard notified Heartland of suspicious transactions. The attackers exploited a known vulnerability to perform a SQL injection attack.

The company paid an estimated $145 million in compensation for fraudulent payments.

20. Apollo

Date: July 2018

Impact: 126 million users

In July 2018, Apollo left a database containing billions of data points publicly exposed. A subset of the data, containing 126 million unique email addresses, was sent to Have I Been Pwned. The full data set included personally identifiable information (PII) like names, email addresses, place of employment, roles held and location.

21. Badoo

Date: July 2013

Impact: 112 million users

In June 2013, a data breach allegedly originating from social website Badoo was found to be circulating. The breach contained 112 million unique email addresses and PII like names, birth dates and passwords stored as MD5 hashes.

22. Capital One

Date: July 2013

Impact: 106 million credit card numbers

In July 2013, Capital One identified a security breach of its customer records that exposed the personal information of its customers, including credit card data, social security numbers, and bank account numbers.

23. Evite

Date: August 2013

Impact: 101 million users

In April 2019, Evite, a social planning and invitation site, identified a data breach from 2013. The exposed data included 101 million unique email addresses, as well as phone numbers, names, physical addresses, dates of birth, genders and passwords stored in plain text.

24. Quora

Date: December 2018

Impact: 100 million users

Quora, a popular site for Q&A, suffered a data breach in 2018 that exposed the personal data of up to 100 million users.

The types of leaked data included personal information such as names, email addresses, encrypted passwords, user accounts linked to Quora and public questions and answers posted by users. There was no evidence discovered that anonymously posted questions and answers were affected by the breach.

25. VK

Date: January 2012

Impact: 93 million users

Russian social media site VK was hacked and exposed 93 million names, phone numbers, email addresses and plain text passwords.

26. MyHeritage

Date: June 2018

Impact: 92 million users

MyHeritage, a genealogical service website, was compromised, affecting more than 92 million user accounts. The breach occurred in October 2017, but wasn't disclosed until June 2018. A security researcher discovered a file on a private server containing email addresses and encrypted passwords. The security team at MyHeritage confirmed that the content of the file affected the 92 million users, but found no evidence that the data was ever used by the attackers. MyHeritage earned praise for promptly investigating and disclosing details of the breach to the public.

27. Youku

Date: December 2016

Impact: 92 million users

Youku, a Chinese video service, exposed 92 million unique user accounts and MD5 password hashes.

28. Rambler

Date: March 2014

Impact: 91 million users

A dump of 91 million accounts from Rambler ("Russian Yahoo") was traded online containing usernames (that form part of a Rambler email) and plain text passwords.

29. Facebook

Date: early 2018 (this is when a Cambridge Analytica whistleblower disclosed the story)

Impact: 87 million users

Though a slightly different type of data breach as the information was not stolen from Facebook, the incident that affected 87 million Facebook accounts represented the use of personal information for purposes that the affected users did not appreciate. Cambridge Analytica was a data analytics company that was commissioned by political stakeholders including officials in the Trump election and pro-Brexit campaigns. Cambridge Analytica acquired data from Aleksandr Kogan, a data scientist at Cambridge University, who harvested it using an app called "This Is Your Digital Life". One of the most controversial elements of this breach was that users did not appreciate or consent to the political usage of data from a seemingly-innocuous lifestyle app.

UpGuard's researchers also discovered and disclosed a related breach by AggregateIQ, a Canadian company with close ties to Cambridge Analytica. Details about these discoveries can be found in the Aggregate IQ breach series (part 1, part 2, part 3 and part 4).

30. Dailymotion

Date: October 2016

Impact: 85 million users

In October 2016, Dailymotion, a video sharing platform, exposed more than 85 million user accounts including emails, usernames and bcrypt hashes of passwords.

31. Anthem

Date: February 2015

Impact: Theft of personal data of up to 78.8 million current and former customers

In February 2015, a single user at an Anthem subsidiary clicked on a phishing email which gave attackers access to names, addresses, dates of birth, and employment histories of current and former customers.

32. Dropbox

Date: mid-2012

Impact: 69 million users

In mid-2012, Dropbox suffered a data breach which exposed 68 million records that contained email addresses and salted hashes of passwords (half SHA1, half bcrypt).

33. tumblr

Date: February 2013

Impact: 66 million users

In February 2013, tumblr suffered a data breach that exposed 65 million accounts. The breach included email addresses and salted SHA1 password hashes.

34. Uber

Date: Late 2016

Impact: Personal information of 57 million Uber users and 600,000 drivers exposed.

In late 2016, Uber learned that two hackers were able to access the names, email addresses, and mobile phone numbers of 57 million users of the Uber app. They also got the driver's license numbers of 600,000 Uber drivers. In addition, the hackers were able to access Uber's GitHub account, where they found Uber's Amazon Web Services credentials.

35. Home Depot

Date: September 2014

Impact: Exposure of the credit card information of 56 million customers

Home Depot announced that its POS systems had been infected with a custom-built malware, which posed as anti-virus software.

Read the full post on UpGuard.
