In today’s data-driven world, data breaches can devastate an enterprise. When cybercriminals infiltrate the digital infrastructure of a business, they can release the confidential, private, or otherwise sensitive information of its customers, leaving its reputation in tatters.
From high-level corporations to governmental bodies, thousands of organisations fall victim to data breaches each year. More than 4,100 companies fell victim to breaches in 2022 alone, equating to 22 billion customer records being accessed and stolen by cybercriminals.
As we enter the new year, the cyber threat landscape continues to evolve and the risk of falling victim to a data breach is higher than ever before. For this reason, it is important that enterprises have solid data protection measures in place to reduce the risk of breaches and prevent them before they happen. In order to establish such effective defence measures, however, business leaders must look to previous cases to understand how threat actors are able to infiltrate seemingly solid security systems.
In this list, we’ve compiled the top ten biggest data breaches of all time, exploring how each breach happened and its implications for the affected organisations.
Twitter (2018) – all 330 million users impacted
In May 2018, Twitter notified its 330 million users of a software glitch that stored personal information in an internal log, exposing account passwords to the company’s internal network. The social media giant immediately urged its users to change their passwords but insisted it had solved the problem and that there was no indication that any data had been breached or used maliciously.
Twitter did not disclose how many users’ passwords were exposed by the bug, but did say that the number was significant and that the passwords had been exposed for several months. A Federal Trade Commission inquiry, however, revealed that there had been at least two data breaches at Twitter in which flaws in Twitter’s security had led to personal data being compromised. Since the 2019 attack, several further breaches have occurred. Just last week, 200 million Twitter users’ credentials were posted online by hackers, drawn from breaches dating back to 2021.
MySpace (2013) – 360 million accounts impacted
In June 2013, the personal data of 360 million users of the social network platform MySpace was accessed by Russian hackers. The incident was not publicly disclosed until 2016 when LeakedSource.com revealed that the users’ names, emails and passwords had been stolen by hackers and were being sold on the dark web.
What made the MySpace breach so damaging was the fact that the site was no longer widely used when the breach became publicly known, meaning that many users were no longer able to change their passwords and protect their accounts. The breach also exposed MySpace’s severely outdated security system, which allowed threat actors to infiltrate accounts using basic personal information. Following the breach, many users were prompted to log in one last time and delete their accounts.
Marriott International (2018) – 500 million guests impacted
At the end of 2018, an internal investigation by hotel operator Marriott found that the data of approximately 500 million Starwood hotel guests had been accessed by hackers. The threat actors had gained access to the Starwood system by planting malware on the hotel network, obtaining the names, contact information, passport numbers, and personal information of half a billion victims, as well as 100 million credit and debit card numbers and card expiry dates stored on the system.
The malware remained on the system for four years until it was eventually discovered in 2018, two years after the company’s acquisition of Starwood hotels. The attack has since been attributed to a Chinese state-sponsored intelligence group wishing to gather data on US citizens, making it the largest known breach of personal data ever conducted by a nation-state.
Marriott faced significant penalties as a result of the data breach for failing to meet the security standards required by US and UK data protection laws. Additionally, customer satisfaction scores dipped, suggesting long-term damage to guest loyalty.
Meta (2021) – 533 million users impacted
In April 2021, a user in a low-level hacking forum published the personal data of hundreds of millions of Facebook users for free. The exposed data included the details of over 533 million accounts from 106 countries, with phone numbers, Facebook IDs, full names, locations, birthdates, bios and email addresses of each user being exposed to anyone with rudimentary data skills. Facebook revealed that the data had been scraped due to a vulnerability from 2019 that temporarily enabled the mass data scraping of Facebook users. This vulnerability was only patched after it was revealed that Cambridge Analytica had scraped the data of over 80 million users to target voters with political advertisements for the 2016 election.
Following a year-long inquiry into the breach, Meta received a $277 million fine from Ireland’s data privacy regulator for breaking multiple GDPR rules.
LinkedIn (2021) – 700 million users impacted
In June 2021, the data of 700 million LinkedIn users was found for sale in a Dark Web forum post. The huge data breach, which affected 92% of the total LinkedIn user base, included the email addresses, full names, phone numbers, and geolocation records of each user. The hackers were reportedly able to scrape the data by exploiting LinkedIn’s application programming interface, which allowed them to collect massive amounts of data from the site.
When the data was first posted online, LinkedIn claimed that, because passwords and other sensitive data were not compromised, the incident was not a data breach but a violation of its terms of service, which prohibit data scraping. However, the scale of the incident could allow threat actors to use professionals’ personal data to launch targeted attacks on other businesses.
Verifications.io (2019) – 763 million users impacted
In February 2019, third-party email validation service Verifications.io suffered a data breach that exposed an estimated 763 million user records. The breach was first discovered by security researcher Bob Diachenko, who worked with fellow researcher Vinny Troia to identify the exposed records and the threat actors. The exposed data included email addresses, names, IP addresses, phone numbers and social media account details, and was accessed through an unprotected MongoDB database.
The reason this particular breach was so damaging was that all of the stolen data was unencrypted, giving malicious actors unlimited access to all of the personal information in the massive database. If all identifiable information had been encrypted, the intruders would not have been able to read the sensitive data, reducing the effects to near zero.
First American Financial Corporation (2019) – 885 million users impacted
In May 2019, Ben Shoval, a Washington state real estate developer, stumbled upon the files of approximately 885 million First American Financial Corporation customers. The files, which dated back to as early as 2003, contained the account numbers and financial information of hundreds of millions of buyers and sellers, along with other sensitive personal and financial information.
Unlike other breaches on this list, the First American Financial Corporation leak was not the result of a cyberattack, but rather a simple example of corporate negligence. The data had been publicly accessible all along because of a website configuration error known as Insecure Direct Object Reference (IDOR), which allowed private information to be viewed without any form of authentication.
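As an added illustration (not code from the article or from the company involved), this is what an IDOR in a document-lookup handler looks like beside the fixed version, which requires an authenticated caller and enforces ownership server-side. All record ids, account names and contents are constructed sample data.

```python
# Added example: an Insecure Direct Object Reference in a document lookup,
# beside the fixed version. Records and account names are constructed.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClosingDocument:
    doc_id: int
    owner_account: str  # customer the document belongs to
    contents: str       # constructed sample of the sensitive payload


# Constructed store keyed by a sequential, guessable identifier, the kind of
# id that typically appears in a document link.
DOCUMENTS = {
    1001: ClosingDocument(1001, "buyer-A", "account 1234-5678, wire $300,000"),
    1002: ClosingDocument(1002, "seller-B", "account 9876-5432, SSN last4 0001"),
}


def fetch_document_vulnerable(doc_id: int) -> Optional[str]:
    """IDOR: trusts the identifier in the request and never asks who is
    calling, so any id that exists returns another customer's file."""
    doc = DOCUMENTS.get(doc_id)
    return doc.contents if doc else None


def fetch_document_fixed(doc_id: int, caller_account: Optional[str]) -> Optional[str]:
    """Fixed: an unauthenticated caller gets nothing, and an authenticated one
    only gets documents it owns. Missing and unauthorised ids return the same
    result so the handler does not reveal which ids exist."""
    if caller_account is None:
        return None
    doc = DOCUMENTS.get(doc_id)
    if doc is None or doc.owner_account != caller_account:
        return None
    return doc.contents


def exposed_to_anonymous(fetch, candidate_ids) -> int:
    """Defender's check: how many records an unauthenticated request can read.
    `fetch` takes only a doc_id, so the fixed handler is wrapped with no caller."""
    return sum(1 for i in candidate_ids if fetch(i) is not None)
```

For the fixed handler, `exposed_to_anonymous(lambda i: fetch_document_fixed(i, None), ...)` returns 0 over any id range, which is the property a review of such an endpoint should confirm.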
Aadhaar (2018) – 1.1 billion people impacted
The personal data of more than a billion Indians stored in the world’s largest biometric database was exposed in 2018 through a massive leak from a system run by an Indian state-owned utility company. The breach was catastrophic, resulting in the private information and biometric data of over a billion Aadhaar holders being sold to malicious actors around the world for as little as $7. This data included photographs, thumbprints, retina scans, credit and debit card numbers, email addresses, passwords, and other personal information of almost all Indian citizens.
Following the breach, the Unique Identification Authority of India (UIDAI) introduced new penalties for anyone hacking, sharing or using Aadhaar data without the consent of account holders, with fines reaching upwards of $140,000 and potential prison time.
Collection #1-5 (2019) – 2.2 billion records impacted
2019 kicked off with one of the biggest data breaches in history when Troy Hunt from data breach watchdog HaveIBeenPwned.com discovered Collection #1 – a database of some 773 million unique email addresses and more than 21 million passwords – for sale on the cloud storage website Mega. The data, approximately two or three years old, was a collection of credentials acquired from previous high-level breaches, including the LinkedIn and Dropbox breaches of 2016.
But Collection #1 was just the beginning. By the end of that year, four subsequent databases, dubbed Collections #2-5, had surfaced and were available for download on torrent websites. Together these five databases totalled 2.2 billion unique credentials, all collected from different breaches over the past decades. What makes the Collection #1-5 breach so significant is that it was the first time in history that major data breaches had been collated by cybercriminals, opening cybersecurity experts’ eyes to the possibility of stolen data being shared and saved for years following an attack.
Yahoo (2013) – more than 3 billion accounts impacted
When Yahoo fell victim to a large-scale data breach in 2014, the company originally claimed that a “state-sponsored actor” had infiltrated its security systems. It was only some years later that it emerged that the personal details of over 3 billion users had been stolen by malicious hackers through a phishing scheme and put up for sale on the black market, making it the biggest data breach of all time. The stolen data included the names, email addresses, phone numbers, hashed passwords and birthdays of each user.
Yahoo was aware of the breach when it happened in 2014 but failed to conduct a thorough investigation at the time, instead opting to introduce several small security fixes to prevent attacks of a similar nature. This reluctance, paired with the fact that identifying information was not encrypted, led to the company receiving a $35 million fine and being forced to pay $117.5 million to the victims of the data breach.