Biggest Data Breaches
Overview of the biggest data breaches in history, how they happened, the scale of these incidents, and their consequences.
Data Breaches Over the Years
In today’s hyper-connected world, data breaches have become all too common, leaving millions vulnerable to cyberattacks. This article explores the biggest data breaches in history, from massive corporate hacks to breaches that shook governments.
Whether you’re curious about the early days of cybersecurity failures or the more recent incidents over the past decade, this resource provides a deep dive into some of the most notorious breaches ever recorded. Click through the links for a closer look at the events that continue to shape the digital landscape.
15 Biggest Data Breaches in History & Their Consequences
The following list covers the biggest data breaches in history, showing just how far-reaching the consequences can be when sensitive information falls into the wrong hands. It’s important to understand that these breaches not only compromised data but also reshaped the way companies and individuals approach cybersecurity.
1. Yahoo!
Number of records lost: 3,000,000,000
In August 2013, Yahoo experienced a massive data breach that compromised all 3 billion user accounts. The breach was not revealed until late 2017, raising concerns about Yahoo’s security practices and transparency.
Hackers, believed to be state-sponsored actors, exploited vulnerabilities in Yahoo’s security systems. The stolen data included names, email addresses, telephone numbers, dates of birth, hashed passwords (using the outdated MD5 algorithm), and in some cases, encrypted or unencrypted security questions and answers.
Yahoo prompted affected users to change their passwords and invalidated unencrypted security questions and answers.
The delayed disclosure and extensive nature of the breach had significant repercussions. When Verizon Communications acquired Yahoo’s core internet business in 2017, the purchase price was reduced by $350 million due to the impact of the breach.
Yahoo faced several lawsuits and regulatory actions in response to the breach. The U.S. Securities and Exchange Commission (SEC) fined Yahoo $35 million for failing to promptly disclose the breach to investors.
Additionally, Yahoo settled a class-action lawsuit for $117.5 million in 2019. This settlement included compensation for affected users and funding for enhanced security measures.
The breach highlighted critical issues in data protection and corporate transparency, leading to increased scrutiny and demands for stronger cybersecurity practices.
2. River City Media
Number of records lost: 1,370,000,000
In January 2017, River City Media (RCM), a major email marketing firm, exposed a database containing approximately 1.37 billion records due to a misconfigured backup system. The exposed data included names, email addresses, IP addresses, physical addresses, and zip codes.
The leaked information spanned from 2009 to 2017 and included both accurate and outdated records. This data leak was discovered by Chris Vickery, a security researcher at MacKeeper, who found the company’s Rsync backup system was left publicly accessible without password protection.
The breach was significant not only for its scale but also for the nature of the compromised information. RCM is known for sending up to a billion spam emails daily. They collected this data through methods like credit check requests and prize giveaways.
Following the discovery, RCM worked with security researchers and law enforcement to address the situation and prevent future incidents.
Despite the company’s attempts to mitigate the breach, the incident exposed its extensive spam operations and questionable data-gathering practices. This has likely harmed RCM’s reputation significantly.
3. Aadhaar
Number of records lost: 1,100,000,000
In January 2018, a significant data breach involving India’s Aadhaar national ID database came to light. The breach reportedly exposed the personal data of approximately 1.1 billion Indians, including names, fathers’ names, phone numbers, passport numbers, and Aadhaar numbers, which were verified as authentic by cybersecurity firm Resecurity.
The data was offered for sale on the dark web by a hacker using the alias “pwn0001” on the Breach Forums platform, with the entire dataset priced at $80,000. The breach was discovered when the hacker posted a thread on October 9, 2023, disclosing access to these records.
The leaked data was initially suspected to originate from various government databases, raising significant concerns about the security of India’s biometric ID system managed by the Unique Identification Authority of India (UIDAI).
The Indian government responded by initiating a police investigation into the breach, with the Central Bureau of Investigation (CBI) taking charge of the probe.
This incident raised questions about the integrity and security of the Aadhaar system, which is a critical component of India’s digital public infrastructure.
The breach highlighted vulnerabilities in the Aadhaar system and underscored the need for robust cybersecurity measures to protect sensitive personal information in one of the world’s largest biometric databases.
4. First American Corporation
Number of records lost: 885,000,000
First American Financial Corporation is a leading provider of title insurance and settlement services. In May 2019, they experienced a significant data breach that exposed approximately 885 million sensitive customer records.
The breach was discovered by a cybersecurity journalist, Brian Krebs, who found that First American’s website had a vulnerability in its EaglePro application, which stored consumer data.
This vulnerability allowed unauthorized access to document images dating back to 2003, containing personal information such as social security numbers, bank account details, and mortgage and tax records.
The breach’s cause was linked to poor security measures within the company’s document management system, which did not adequately protect the stored data.
Upon discovery, First American quickly took steps to secure their systems and initiated an internal investigation to assess the scope and impact of the breach. They reported the incident to the Securities and Exchange Commission (SEC) and worked to restore the compromised systems.
The SEC charged the company with failing to implement adequate disclosure controls, resulting in a settlement that required First American to pay a fine of nearly $500,000. Additionally, the New York State Department of Financial Services (DFS) fined the company $1 million for violating cybersecurity regulations.
5. Spambot
Number of records lost: 711,000,000
In August 2017, a major data breach involving the Onliner Spambot was uncovered by security researcher Benkow. This breach exposed approximately 711 million email addresses and passwords.
The Onliner Spambot, based on a server in the Netherlands, was found to store text files containing email addresses, passwords, SMTP server information, and ports used to send spam. These credentials were used to distribute malware, specifically the Ursnif banking trojan, which has been active since 2016, targeting victims’ banking information.
The spambot’s success was attributed to its method of validating email credentials before using them, ensuring high success rates for its spam campaigns.
Emails sent by the spambot often included a hidden pixel-sized image that bypassed spam filters by appearing legitimate, thus allowing the collection of IP addresses and user-agent information for targeted attacks.
Troy Hunt, the founder of Have I Been Pwned, added this vast dataset to his website, enabling users to check if their email addresses were compromised. He emphasized the sheer scale of the breach, noting that it accumulated more email addresses in one incident than his site had collected from 110 data breaches over two and a half years.
Hunt and Benkow coordinated with authorities to shut down the server, highlighting the ongoing threats posed by such extensive data breaches.
6. Facebook
Number of records lost: 540,000,000
A significant data breach in April 2019 exposed over 540 million records related to Facebook users. The cybersecurity firm UpGuard discovered that the records were left unsecured on Amazon Web Services (AWS) servers by third-party companies.
The majority of the data came from the Mexican media company Cultura Colectiva, which stored 146GB of information, including user account names, comments, likes, and Facebook IDs. Another batch of data from a defunct app called “At the Pool” exposed an additional 22,000 passwords along with other sensitive information.
The breach was not directly caused by Facebook but highlighted the vulnerabilities in how third parties handle user data.
UpGuard attempted to contact Amazon and Cultura Colectiva about the exposed data in January 2019, but the data remained accessible until April when Bloomberg contacted Facebook for comment. Following this, Facebook worked with Amazon to secure the data.
Facebook’s response emphasized that storing user data in public databases is against its policies, and the company has taken steps to limit third-party access to data. However, this incident underscored the challenges tech companies face in ensuring data security across their entire ecosystem.
7. Marriott International
Number of records lost: 500,000,000
In late 2018, Marriott International disclosed a significant data breach that impacted its Starwood guest reservation database. This breach, which was first detected in September 2018, exposed the personal information of approximately 500 million guests.
The compromised data included names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, birthdates, gender, and reservation information. For some, it also included encrypted credit card numbers.
The breach’s origins trace back to 2014, long before Marriott acquired Starwood in 2016.
During the investigation, Marriott discovered that the attackers had copied and encrypted information before attempting to remove it from the system. The breach’s full scope was uncovered when an internal security tool flagged unauthorized access.
In response, Marriott set up a dedicated website and call center to provide information to affected guests. They also began sending out email notifications to those impacted.
The company faced substantial legal and financial repercussions, including a fine of £18.4 million by the UK’s Information Commissioner’s Office (ICO) for failing to ensure adequate security measures to protect customers’ data.
Marriott’s handling of the breach has been scrutinized, with many calling for stricter data protection measures and more robust cybersecurity protocols. Despite the severity of the breach, Marriott has continued to invest in improving its data security infrastructure to prevent future incidents of this magnitude.
8. Yahoo!
Number of records lost: 500,000,000
In 2014, Yahoo experienced a significant data breach that exposed the personal information of about 500 million user accounts. This breach was particularly notable as it was the second significant security incident for Yahoo, following a similar breach in 2013 that affected around 3 billion accounts.
The breach involved stolen data including names, email addresses, telephone numbers, dates of birth, and encrypted passwords. Additionally, the attackers accessed unencrypted security questions and answers.
This incident was initially kept secret until 2016 when it was revealed that the hacker named “Peace” was attempting to sell data on 200 million Yahoo accounts. This same hacker had previously been linked to other high-profile breaches, including those of LinkedIn and Tumblr.
Yahoo attributed the breach to a state-sponsored actor, though it did not identify the responsible country. The FBI confirmed its investigation into the incident.
The breach did not include credit card information, but it raised serious concerns about Yahoo’s security practices and response. The delay in disclosing the breach led to widespread criticism and questions about Yahoo’s transparency and handling of the incident.
In the UK, around eight million user accounts were affected, prompting ISPs Sky and BT to alert their customers. Sky estimated that about 2.5 million of its email account holders might have been impacted.
The breach contributed to a reduction in the sale price of Yahoo’s core internet business to Verizon, which was finalized at $4.48 billion in 2017, down from $4.83 billion. This breach, coupled with the earlier breach in 2013, underscored significant vulnerabilities in Yahoo’s data security infrastructure.
9. Myspace
Number of records lost: 427,000,000
In May 2016, MySpace confirmed a significant data breach that resulted in the exposure of approximately 427 million passwords and emails. This breach, considered one of the largest at the time, reportedly occurred prior to June 2013 when the platform was more actively used.
The compromised data included usernames, passwords, and email addresses. Notably, the passwords were stored using a weak hashing algorithm (SHA-1), which made them relatively easy for hackers to crack.
The breach was discovered when the data was put up for sale on the dark web by the hacker “Peace.”
MySpace, which had declined in popularity but still retained a significant amount of user data, responded by invalidating the affected passwords and notifying users of the need to reset their credentials.
Despite the massive scale of the breach, the specific cause of the security vulnerability that allowed the breach to occur was not publicly detailed.
10. Friend Finder Networks
Number of records lost: 412,214,295
Friend Finder Networks, a prominent online adult dating service, experienced a massive data breach that compromised over 412 million user accounts.
The breach was discovered in mid-October 2016 and affected multiple websites under the FriendFinder Networks Inc. umbrella. These include AdultFriendFinder, Cams.com, Penthouse.com, Stripshow.com, and iCams.com.
Sensitive user data such as usernames, emails, passwords, and IP addresses were exposed. Alarmingly, many passwords were either stored in plaintext or hashed with the outdated SHA-1 algorithm, rendering them easily crackable.
The breach’s cause was linked to several security vulnerabilities in the network’s infrastructure. Despite prior warnings about these vulnerabilities, inadequate security measures allowed attackers to exploit the system. The compromised information quickly surfaced on underground forums, leading to widespread exposure of users’ private data.
In response, FriendFinder Networks initiated an investigation with law enforcement and cybersecurity experts to identify the breach’s extent and enhance its security framework. Users were notified and advised to change their passwords immediately.
The company faced significant legal challenges, including class-action lawsuits from affected users who accused them of negligence in protecting personal information.
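The weak password storage described above for Yahoo (MD5), Myspace (SHA-1) and FriendFinder Networks (SHA-1 or plaintext) is something a defender can audit for and migrate away from. The following is an added example, not part of the original article or any of these companies' code: it classifies stored credentials by their format and upgrades a legacy record to salted scrypt on the next successful login. The record layout, the `scrypt$` prefix and all sample values are constructed assumptions.

```python
import hashlib
import hmac
import os
import re

# Constructed sample credential store (user -> stored value); not real data.
STORE = {
    "alice": hashlib.md5(b"sunshine1").hexdigest(),   # unsalted MD5
    "bob": hashlib.sha1(b"letmein22").hexdigest(),    # unsalted SHA-1
    "carol": "hunter2",                               # plaintext
}

HEX32 = re.compile(r"^[0-9a-f]{32}$")
HEX40 = re.compile(r"^[0-9a-f]{40}$")


def classify(stored):
    """Guess the storage scheme from the stored value's shape.
    Heuristic: a plaintext password that is itself 32/40 hex chars is misread."""
    if stored.startswith("scrypt$"):
        return "scrypt"
    if HEX32.match(stored):
        return "md5-unsalted"
    if HEX40.match(stored):
        return "sha1-unsalted"
    return "plaintext"


def scrypt_hash(password, salt=b""):
    """Salted, memory-hard hash. Assumed format: scrypt$<salt hex>$<hash hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify(stored, password):
    """Recompute the candidate under the record's own scheme and compare."""
    scheme = classify(stored)
    if scheme == "scrypt":
        salt_hex = stored.split("$")[1]
        candidate = scrypt_hash(password, bytes.fromhex(salt_hex))
    elif scheme == "md5-unsalted":
        candidate = hashlib.md5(password.encode()).hexdigest()
    elif scheme == "sha1-unsalted":
        candidate = hashlib.sha1(password.encode()).hexdigest()
    else:
        candidate = password
    return hmac.compare_digest(candidate.encode(), stored.encode())


def login(store, user, password):
    """Verify, then replace a legacy record with scrypt while the password is known."""
    stored = store.get(user)
    if stored is None or not verify(stored, password):
        return False
    if classify(stored) != "scrypt":
        store[user] = scrypt_hash(password)
    return True


def audit(store):
    """Count records per storage scheme, e.g. for a migration progress report."""
    counts = {}
    for stored in store.values():
        scheme = classify(stored)
        counts[scheme] = counts.get(scheme, 0) + 1
    return counts
```

Accounts that never log in again keep their legacy record, so a migration like this is normally paired with a forced reset for whatever `audit` still reports as legacy after a cutoff date.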
11. Exactis
Number of records lost: 340,000,000
In June 2018, Exactis, a data marketing firm, experienced a significant data breach exposing around 340 million records. This breach was discovered by security researcher Vinny Troia, who found an unprotected database on a publicly accessible server.
The exposed data included nearly 2 terabytes of detailed personal information of American adults and businesses, such as phone numbers, email addresses, home addresses, and detailed demographic information including political interests, habits, and even children’s data that could be used for highly targeted advertising or phishing attacks.
Troia described the Exactis database as “one of the most comprehensive collections” he had seen, with two-thirds of the records pertaining to individuals and the remaining third to businesses.
The database was discovered during a routine scan for unsecured Elasticsearch servers, among over 7,000 other exposed databases. The data appeared to have been compiled from various sources, including web searches, magazine subscriptions, and credit reports.
This incident is notable not only for the volume of data but also for the nature of the information exposed. Exactis secured the database after being notified by Troia, but it remains unclear if any unauthorized access occurred prior to its closure.
12. Airtel
Number of records lost: 320,000,000
In December 2019, Bharti Airtel, a major telecom operator in India, faced a significant data breach due to a vulnerability in their mobile application, specifically within one of their APIs. This flaw potentially exposed the personal data of over 320 million subscribers.
The compromised information included sensitive details such as email addresses, IMEI numbers, addresses, and subscription information.
The security flaw was first discovered by independent cybersecurity researcher Ehraz Ahmed. He highlighted the ease with which the vulnerability could be exploited, allowing unauthorized access to vast amounts of personal data. Ahmed noted that it took him only 15 minutes to identify the flaw.
Upon being notified, Airtel promptly addressed the issue, stating that the bug was fixed immediately. The company emphasized its commitment to customer privacy and the security of its digital platforms.
Despite the quick resolution, the incident underscored broader concerns about data security practices and the lack of transparency in how such issues are handled in India.
13. Truecaller
Number of records lost: 299,055,000
Truecaller, a popular caller identification app, faced a major data breach in May 2019 involving almost 300 million users.
Researcher Rajshekhar Rajaharia discovered the breach, revealing that the leaked data included 29.9 million Indian mobile numbers, 1.9 million email addresses, 1.8 million photos, and 20 million Facebook IDs, affecting a broad spectrum of users, including celebrities and corporate executives.
This extensive data was found for sale on the dark web, with prices ranging from 2,000 Euros for Indian user data to 25,000 Euros for global data.
Truecaller, developed by True Software Scandinavia AB, denied any breach of their servers. The company stated that their database was secure and suggested that some malicious users might have abused their accounts to collect phone numbers, rather than a direct breach of the system.
They emphasized that no sensitive financial information had been accessed or extracted.
Truecaller assured that they were investigating the incident and would implement new security protocols to prevent future breaches.
14. MongoDB
Number of records lost: 275,000,000
In May 2019, a significant data breach was discovered involving an unsecured MongoDB database, exposing over 275 million Indian citizens’ records.
The database included personal details such as names, dates of birth, gender, mobile numbers, email addresses, education, employment history, and salary information. It was hosted on a server without a password, making it easily accessible.
The breach was identified by security researcher Bob Diachenko and the security team at Comparitech.
Despite attempts to notify the database owner and the Indian CERT-IN (Computer Emergency Response Team), the database remained unsecured for nearly two weeks. During this period, it was accessed by hackers known as Unistellar, who left a ransom note demanding 0.5 Bitcoin to restore the data.
The breach was particularly concerning because of the sheer volume of records exposed and the sensitive nature of the information. This vulnerability highlighted the importance of securing databases with proper authentication mechanisms.
The exposure of such a large amount of personal data posed significant risks for identity theft and fraud, raising serious concerns about data security practices.
15. Wattpad
Number of records lost: 270,000,000
In June 2020, Wattpad, a popular storytelling platform, suffered a massive data breach, compromising over 270 million user records. The breach was initially detected when a database containing user information was posted on a hacking forum for sale.
The compromised data, amounting to 120GB, included usernames, email addresses, dates of birth, IP addresses, and encrypted passwords.
This breach was carried out by the hacker group “Shiny Hunters,” who initially listed the database on a dark web forum for 10 bitcoins or $100,000.
Wattpad promptly initiated an investigation and collaborated with cybersecurity experts to mitigate the damage. They also engaged with law enforcement agencies to trace the origins of the breach.
In response, Wattpad forced password resets for affected users and implemented enhanced security measures to prevent future incidents.
Despite the encrypted nature of the passwords, the breach’s extensive scope made it one of the largest recorded in history, leading to heightened scrutiny and criticism of Wattpad’s security protocols. The incident underscored the critical need for robust cybersecurity practices and vigilant user data protection.