Top 10 Biggest Data Breaches of All Time

In May 2018, Twitter notified its 330 million users of a software glitch that stored personal information in an internal log, exposing account passwords to the company’s internal network. The social media giant immediately urged its users to change their passwords but insisted it had solved the problem and that there was no indication that any data had been breached or used maliciously. 

Twitter did not disclose how many users’ passwords were exposed by the bug, but did say that the number was significant and that the passwords had been exposed for several months. But a Federal Trade Commission inquiry revealed that there had been at least two data breaches at Twitter where flaws in Twitter’s security flaws had led to personal data being compromised. Since the 2019 attack, several further breaches have occurred. Just last week, 200 million Twitter users’ credentials were posted online by hackers, dating back to breaches dating back to 2021.

In June 2013,  the personal data of 360 million users of the social network platform MySpace was accessed by Russian hackers. The incident was not publicly disclosed until 2016 when LeakedSource.com revealed that the users’ names, emails and passwords had been stolen by hackers and were being sold on the dark web. 

What made the MySpace breach so damaging was the fact that the site was no longer widely used when the breach became publicly known, meaning that many users were no longer able to change their passwords and protect their accounts. The breach also exposed Myspace’s severely outdated security system, which allowed threat actors to infiltrate accounts using basic personal information. Following the breach, many users were prompted to log in one last time and delete their accounts.

At the end of 2018, an internal investigation by hotel operator Marriott found that the data of approximately 500 million Starwood hotel guests had been accessed by hackers. The threat actors had gained access to the Starwood system by planting malware onto the hotel network to gain access to the names, contact information, passport numbers, and personal information of half a billion victims, as well as 100 million credit and debit card numbers and card expiry dates stored on the system. 

The malware remained on the system for four years until it was eventually discovered in 2018, two years after the company’s acquisition of Starwood hotels. A Chinese state-sponsored intelligence group wishing to gather data on US citizens has since been attributed to the attack, making it the largest known breach of personal data ever conducted by a nation-state. 

Marriott faced significant penalties as a result of the data breach for failing the meet the security standards required by US and UK data protection laws. Additionally, customer satisfaction scores dipped, suggesting long-term damage to guest loyalty.

In April 2021, a user in a low-level hacking forum published the personal data of hundreds of millions of Facebook users for free. The exposed data included the details of over 533 million accounts from 106 countries, with phone numbers, Facebook IDs, full names, locations, birthdates, bios and email addresses of each user being exposed to anyone with rudimentary data skills. Facebook revealed that the data had been scraped due to a vulnerability from 2019 that temporarily enabled the mass data scraping of Facebook users. This vulnerability was only patched after it was revealed that Cambridge Analytica had scraped the data of over 80 million users to target voters with political advertisements for the 2016 election. 

Following a year-long inquiry into the breach, Meta would receive a $277 million fine by Ireland’s data privacy regulator for breaking multiple GDPR laws.

In June 2021, the data of 700 million LinkedIn users – was found for sale on a Dark Web forum post. The huge data breach, which affected 92% of the total LinkedIn user base, included the email addresses, full names, phone numbers, and geolocation records of each user. The hackers were reportedly able to scrape the data by exploiting LinkedIn’s application programming interface, which allowed them to store massive amounts of data from the site. 

When the data was first posted online, LinkedIn claimed that, because passwords and other sensitive data were not compromised, the attack was not a data breach, but instead a violation of their terms of service prohibited through data scraping. However, the scale of the incident could allow threat actors to use professionals’ personal data to launch cyberattacks targeted attacks on other businesses.

In February 2019, third-party email validation service Verifications.io suffered a data breach that exposed an estimated 763 million user records. The breach was first discovered by security researcher Bob Diachenko, who worked with fellow researcher Vinny Troia to identify the exposed records and the threat actors. The exposed data included email addresses, names, IP addresses, phone numbers and social media account details, and was accessed through an unprotected MongoDB database.

The reason why this particular breach was so damaging was the fact that all of the stolen data was unencrypted, giving malicious actors unlimited access to all of the personal information on the massive database.. If all identifiable information had been encrypted, then the intruders wouldn’t have been able to access the sensitive data, reducing the effects to near zero.

In May 2019, Ben Shoval, a Washington state real estate developer, stumbled upon the l files of approximately 885 million First American Financial Corporation customers. The files, which dated back to as early as 2003, contained the account numbers and financial information of hundreds of millions of buyers and sellers, along with other sensitive personal and financial information.

Unlike other breaches on this list, the First American Financial Corporation leak was not the result of a cyberattack, but rather a simple example of corporate negligence. The data was not exposed by a cyberattack but was always publicly available due to a website configuration error called Insecure Direct Object Reference (IDOR) that allowed customers to view private information without any form of authentication.

The personal data of more than a billion Indians stored in the world’s largest biometric database was leaked to the world in 2018 following a massive data leak on a system run by an Indian state-owned utility company. The breach was catastrophic, resulting in the private information and biometric data of over a billion Aaadhaar holders being sold to malicious actors around the world for as little as $7. This data included photographs, thumbprints, retina scans, credit and debit card numbers, email addresses, passwords, and other personal information of almost all Indian citizens. 

Following the breach, the breach Identification Authority of India (UIDAI)introduced new penalties for anyone hacking, sharing or using Aadhaar data without the consent of account holders reaching upwards of $140,000 and potential prison time.

2019 kicked off with one of the biggest data breaches in history when Troy Hunt from data breach watchdog HaveIBeenPwned.com discovered Collection 1# – a database of some 773 unique email addresses and more than 21 million passwords – for sale on cloud storage website Mega. The data, approximately two or three years old, was a collection of credentials acquired from previous high-level breaches, including the LinkedIn and Dropbox breaches of 2016. 

But collection 1# was just the beginning. By the end of that year, four subsequent databases, dubbed Collections #2-5 surfaced, and were available for download on torrent websites. Together these five databases totalled 2.2 billion unique credentials, all collected from different breaches from past decades. What makes the Collection #1-5 breach so significant was that it was the first time in history that major data breaches had been collated by cybercriminals, opening cybersecurity experts’ eyes to the possibility of stolen data being shared and saved for years following an attack.

When Yahoo fell victim to a large-scale data breach in 2014, the company originally claimed that a “state-sponsored actor” had infiltrated security systems. It was only some years later it was found that the personal details of over 3 billion users had been stolen by malicious hackers through a phishing scheme and put up for sale on the black market, making it the biggest data breach of all time. The stolen data included the names, email addresses, phone numbers, hashed passwords and birthdays of each user. 

Yahoo was aware of the breach when it happened in 2014 but failed to conduct a thorough investigation at the time, instead opting to introduce several small security fixes to prevent attacks of a similar nature. This reluctant approach, paired with the fact that identifying information was not encrypted, led to the company receiving a $35 million fine and being forced to pay 117.5 million to the victims of the data breach.