The 60 Biggest Data Breaches, Ranked
(Updated for November 2021)
Here is a list of the 60 biggest data breaches in history, including the most recent data breaches in November 2021. Even prestigious companies like Facebook, LinkedIn, and Twitter are vulnerable to the rising trend of data breaches.
The 60 Biggest Data Breaches Ranked by Impact
Each of the data breaches reveals the mistakes that lead to the exposure of up to millions of personal data records.
1. CAM4 data breach
Date: March 2020
Impact: 10.88 billion records.
Adult video streaming website CAM4 has had its Elasticsearch server breached exposing over 10 billion records. The breached records included the following sensitive information:
Email correspondence transcripts
Many of the exposed email addresses are linked to cloud storage services. If hackers were to launch successful phishing attacks on these users, they could gain deeper access to personal photos and business information.
Due to the licentious connection of the breached database, compromised users could fall victim to blackmail and defamation attempts for many years to come.
2. Yahoo data breach 2017
Date: October 2017
Impact: 3 billion accounts
Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In this instance, security questions and answers were also compromised, increasing the risk of identity theft. The breach was first reported by Yahoo while in negotiations to sell itself to Verizon, on December 14, 2016. Yahoo forced all affected users to change passwords and to reenter any unencrypted security questions and answers to re-encrypt them.
However, by October of 2017, Yahoo changed the estimate to 3 billion user accounts. An investigation revealed that users' passwords in clear text, payment card data and bank information were not stolen. Nonetheless, this remains one of the largest data breaches of this type in history.
3. Aadhaar data breach
Date: March 2018
Impact: 1.1 billion people
In March of 2018, it became public that the personal information of more than a billion Indian citizens stored in the world’s largest biometric database could be bought online. This massive data breach was the result of a data leak on a system run by a state-owned utility company. The breach allowed access to private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details.
The type of information exposed included the photographs, thumbprints, retina scans and other identifying details of nearly every Indian citizen.
4. First American Financial Corp. data breach
Date: May 2019
Impact: 885 million users
In May 2019, First American Financial Corporation reportedly leaked 885 million users' sensitive records that date back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork.
5. Verifications.io data breach
Date: February 2019
Impact: 763 million users
In February 2019, email address validation service verifications.io exposed 763 million unique email addresses in a MongoDB instance that was left publicly facing with no password. Many records also included names, phone numbers, IP addresses, dates of birth and genders.
6. LinkedIn data breach 2021
Date: June 2021
Impact: 700 million users
Data associated with 700 million LinkedIn users was posted for sale in a Dark Web forum on June 2021. This exposure impacted 92% of the total LinkedIn user base of 756 million users.
The data was dumped in two waves, initially exposing 500 million users, and then a second dump where the hacker "God User" boasted that they were selling a database of 700 million LinkedIn.
The hackers published a sample containing 1 million records to confirm the legitimacy of the breach. The data included the following:
LinkedIn username and profile URLs
Personal and professional experience
Other social media accounts and details
The hacker scraped the data by exploiting LinkedIn's API.
LinkedIn claims that, because personal information was not compromised, this event was not a 'data breach but, rather, just a violation of their terms of service through prohibited data scraping.
Learn about the difference between a data breach and a data leak.
But the leaked data is sufficient to launch a deluge of cyberattacks targeting exposed users, which makes the incident heavily weighted towards a data breach classification.
7. Facebook data breach 2019
Date: April 2019
Impact: 533 million users
In April 2019, the UpGuard Cyber Risk team revealed two third-party Facebook app datasets had been exposed to the public Internet. One, originating from the Mexico-based media company Cultura Colectiva, weighs in at 146 gigabytes and contains over 533 million records detailing comments, likes, reactions, account names, FB IDs and more. This same type of collection, in similarly concentrated form, has been cause for concern in the recent past, given the potential uses of such data. Read more about this Facebook data breach here.
This database was leaked on the dark web for free in April 2021, adding a new wave of criminal exposure to the data originally exfiltrated in 2019. This makes Facebook one of the recently hacked companies 2021, and therefore, one of the largest companies to be hacked in 2021.
All 533,000,000 Facebook records were just leaked for free. This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked. I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8 — Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021
8. Yahoo data breach 2014
Impact: 500 million accounts
Yahoo believed that a "state-sponsored actor" was behind this initial cyberattack in 2014. The stolen data included personal information such as names, email addresses, phone numbers, hashed passwords, birth dates, and security questions and answers, some of which were unencrypted. Yahoo had become aware of this breach back in 2014, taking a few initial remedial actions but failing to investigate further. It was only about two years later that Yahoo publicly disclosed the breach after a stolen database from the company allegedly went up for sale on the black market.
9. Starwood (Marriott) data breach
Date: November 2018
Impact: 500 million guests
In November 2018, Marriott International announced that hackers had stolen data about approximately 500 million Starwood hotel customers. The attackers had gained unauthorized access to the Starwood system back in 2014 and remained in the system after Marriott acquired Starwood in 2016. However, the discovery was not made until 2018.
The information that was exposed included names, contact information, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. Marriott believes that financial information such as credit and debit card numbers, and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.
According to the New York Times, the breach was eventually attributed to a Chinese intelligence group, The Ministry of State Security, seeking to gather data on US citizens. If true, this would be the largest known breach of personal data conducted by a nation-state.
10. Adult Friend Finder data breach
Date: October 2016
Impact: 412.2 million accounts
In October 2016, hackers collected 20 years of data on six databases that included names, email addresses and passwords for The AdultFriendFinder Network. The FriendFinder Network includes websites like Adult Friend Finder, Penthouse.com, Cams.com, iCams.com, and Stripshow.com.
Most of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99% of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on November 14.