
The 83 Biggest Data Breaches of All Time [Updated 2025] | Cybersecurity

The rising trend in data breaches continues to angle upwards, and consequently, there has never been a more precarious time in history to launch and maintain a successful business.

To prevent the repetition of mistakes that result in data theft, we’ve compiled a list of the 72 biggest data breaches in history, which includes the most recent data breaches in February 2022.

As you’ll see, even prestigious companies like Facebook, LinkedIn, and Twitter are vulnerable to the rising trend of data breaches.

You may also be interested in our list of biggest data breaches in the finance and healthcare industries.

The 83 Biggest Data Breaches Ranked by Impact

Each of the data breaches reveals the mistakes that lead to the exposure of up to millions of personal data records.

1. Mother of All Breaches (MOAB)

Date: January 2024

Impact: 26 billion records

This was not a single breach but an enormous compilation of credentials from thousands of earlier breaches, consolidated into a single 12TB database. The aggregation itself was discovered online due to a firewall misconfiguration on a data breach search engine that exposed the repository to the public internet.

Exposed data included emails, usernames, passwords, phone numbers, dates of birth, addresses, and other Personally Identifiable Information (PII). While most records are old, the sheer volume of potentially reusable credentials is the main risk.

Organizations must assume that old user credentials have been compromised and mandate multi-factor authentication (MFA) or passwordless solutions. For consumers, this highlights the extreme danger of password reuse.

2. CAM4 Data Breach

Date: March 2020

Impact: 10.88 billion records.

Adult video streaming website CAM4 had its Elasticsearch server breached, exposing over 10 billion records.

The breached records included the following sensitive information:

- Full names
- Email addresses
- Sexual orientation
- Chat transcripts
- Email correspondence transcripts
- Password hashes
- IP addresses
- Payment logs

Because of the licentious nature of the breached database, compromised users could fall victim to blackmail and defamation attempts for many years to come.


3. Chinese Surveillance Network

Date: June 2025

Impact: 4 billion records

A massive 631-gigabyte database was discovered online, lacking password protection or security protocols, making the data easily accessible to anyone who knew where to look. This compromise included WeChat data, bank details, Alipay profile information, phone numbers, home addresses, and behavioral profiles.

This breach reinforces the fundamental rule of cybersecurity: all data storage, especially large-scale databases, must be secured with proper authentication and access controls. Basic security hygiene prevents the largest leaks, as centralized data continues to become the prime target.

4. Yahoo Data Breach (2017)

Date: October 2017

Impact: 3 billion accounts

Yahoo disclosed that a breach in August 2013 by a group of hackers had compromised 1 billion accounts. In this instance, security questions and answers were also compromised, increasing the risk of identity theft. The breach was first reported by Yahoo while in negotiations to sell itself to Verizon, on December 14, 2016. Yahoo forced all affected users to change passwords and to reenter any unencrypted security questions and answers to re-encrypt them.

However, by October of 2017, Yahoo changed the estimate to 3 billion user accounts. An investigation revealed that users’ passwords in clear text, payment card data and bank information were not stolen. Nonetheless, this remains one of the largest data breaches of this type in history.

5. National Public Data (NPD) Data Breach

Date: December 2023 (Disclosed April 2024)

Impact: 2.9 billion records

According to Microsoft, the breach was caused by a security lapse where a publicly accessible file on an affiliated site contained plain-text administrator credentials, allowing a threat actor to access and steal data from the primary background check database. Compromised data included full names, dates of birth, addresses, phone numbers, and Social Security numbers.

This data breach reinforces the importance of organizations never storing credentials, especially for privileged accounts, in plain-text files. The exploitation of a simple security lapse to compromise highly sensitive data underscores the importance of adopting a “least privilege” model and implementing secure credential management.

6. Salesforce/Salesloft Drift Campaign

Date: September 2025

Impact: 1.5 billion people (unconfirmed)

This enormous breach highlights the importance of regularly reviewing and revoking unnecessary OAuth tokens and API credentials for third-party apps. By training employees to resist social engineering (vishing), even when asked for multi-factor codes over the phone, this type of attack can be thwarted in the future.

7. Real Estate Wealth Network (REWN)

Date: December 2023

Impact: 1.5 billion records

The Real Estate Wealth Network leak resulted from an unsecured database totaling 1.16 terabytes that was left exposed on the internet with no password. Exposed data included property history, mortgage records, tax identification numbers, and sensitive personal details on millions of people, including celebrities and politicians.

Misconfigured cloud or non-relational databases remain one of the most common causes of massive data leaks. Therefore, conducting regular, automated audits of network configurations is crucial for organizations today.

8. Aadhaar Data Breach

Date: March 2018

Impact: 1.1 billion people

In March of 2018, it became public that the personal details of more than a billion citizens in India stored in the world’s largest biometric database could be bought online.

This massive data breach was the result of a data leak on a system run by a state-owned utility company. The breach allowed access to the private information of Aadhaar holders, exposing their names, their unique 12-digit identity numbers, and their bank details.

The type of information exposed included the photographs, thumbprints, retina scans and other identifying details of nearly every Indian citizen.

9. Alibaba Data Breach

Date: July 2022

Impact: 1.1 billion customers

In mid-2022, Chinese e-commerce giant Alibaba suffered a major data breach that contained customer data including:

- Names
- ID numbers
- Phone numbers
- Physical addresses
- Criminal records
- Online papers

In total, over 23 terabytes of data were compromised from Alibaba’s cloud hosting servers, Alibaba Cloud, also the largest public cloud service provider in China. The breach was first announced by a hacker through online forums, claiming to have data on the Shanghai police force, whose data was also hosted on Alibaba Cloud. Alibaba and its founder, Jack Ma, faced massive criticism for leaving critical servers completely unprotected with no password lock, despite handling extremely sensitive government information.

This was not Alibaba’s first data breach incident, as just one year earlier, they were exposed by a third-party developer who had been scraping Alibaba’s shopping site, TaoBao, for user data. Again, over a billion customers were exposed and despite a three-year jail sentence for the developer and his employer, Alibaba confirmed that they continued to practice lax security going into 2022.

10. First American Financial Corporation Data Breach

Date: May 2019

Impact: 885 million customers

In May 2019, First American Financial Corporation reportedly leaked 885 million customers’ sensitive records that date back more than 16 years, including bank account records, social security numbers, wire transactions, and other mortgage paperwork. The leak occurred through a website configuration error, allowing the public to view sensitive information without needing any authentication. Because First American’s records were sequential, anyone could increase or decrease the number in the URL to quickly view another customer’s records. Despite the massive leak, there were no reports of any customer information being stolen and used for malicious purposes.


11. Indian Council of Medical Research (ICMR) Data Breach

Date: October 2023

Impact: 815 million people

A threat actor claimed to have exploited a vulnerability in the ICMR’s systems to steal a database containing sensitive citizen data. Highly sensitive PII and Protected Health Information (PHI), including names, addresses, phone numbers, Aadhaar IDs, passport details, and COVID test results, were exposed.

Government and healthcare sectors continue to be prime targets due to the volume and sensitivity of their data. Therefore, prioritizing patching and vulnerability management for systems that hold PHI is essential due to the regulatory and impact risks associated with these systems.

12. Verifications.io Data Breach

Date: February 2019

Impact: 763 million customers

13. LinkedIn Data Breach (2021)

Date: June 2021

Impact: 700 million customers

Data associated with 700 million LinkedIn customers was posted for sale in a Dark Web forum in June 2021. This exposure impacted 92% of the total LinkedIn user base of 756 million customers.

The data was dumped in two waves, initially exposing 500 million customers, and then a second dump where the hacker “God User” boasted that they were selling a database of 700 million LinkedIn.

Preview of leaked data – Source: 9to5mac.com

The hackers published a sample containing 1 million records to confirm the legitimacy of the breach. The data included the following:

- Email addresses
- Full names
- Phone numbers
- Geolocation records
- LinkedIn username and profile URLs
- Personal and professional experience
- Genders
- Other social media accounts and details

The hacker scraped the data by exploiting LinkedIn’s API.

LinkedIn claims that, because personal information was not compromised, this event was not a ‘data breach’ but, rather, just a violation of their terms of service through prohibited data scraping.


But the leaked data is sufficient to launch a deluge of cyberattacks targeting exposed customers, which makes the incident heavily weighted towards a data breach classification.

14. Ticketmaster Data Breach

Date: October 2023

Impact: 560 million people

With supply chain risk a top threat, organizations must implement strict security controls and conduct continuous monitoring of all third-party vendors and partners who have access to customer data.

15. Facebook Data Breach (2019)

Date: April 2019

Impact: 533 million customers

This database was leaked on the dark web for free in April 2021, adding a new wave of criminal exposure to the data originally exfiltrated in 2019. This makes Facebook one of the recently hacked companies of 2021, and therefore, one of the largest companies to be hacked in 2021.

All 533,000,000 Facebook records were just leaked for free.

This means that if you have a Facebook account, it is extremely likely the phone number used for the account was leaked.

I have yet to see Facebook acknowledging this absolute negligence of your data. https://t.co/ysGCPZm5U3 pic.twitter.com/nM0Fu4GDY8

— Alon Gal (Under the Breach) (@UnderTheBreach) April 3, 2021

16. Yahoo Data Breach (2014)

Date: 2014

Impact: 500 million accounts


17. Starwood (Marriott) Data Breach

Date: November 2018

Impact: 500 million visitors

In November 2018, Marriott International announced that hackers had stolen data about approximately 500 million Starwood hotel customers. The attackers had gained unauthorized access to the Starwood system back in 2014 and remained in the system after Marriott acquired Starwood in 2016. However, the discovery was not made until 2018.

The information that was exposed included names, contact information, passport number, Starwood Preferred Guest numbers, travel information, and other personal information. Marriott believes that financial information such as credit and debit card numbers, and expiration dates of more than 100 million customers were stolen, although the company is uncertain whether the attackers were able to decrypt the credit card numbers.

According to the New York Times, the breach was eventually attributed to a Chinese intelligence group, The Ministry of State Security, seeking to gather data on US citizens. If true, this would be the largest known breach of personal data conducted by a nation-state.

18. Adult Friend Finder Data Breach

Date: October 2016

Impact: 412.2 million accounts

A lot of the passwords were protected only by the weak SHA-1 hashing algorithm, which meant that 99% of them had been cracked by the time LeakedSource.com published its analysis of the entire data set on November 14.

19. MySpace Data Breach

Date: June 2013

Impact: 360 million accounts

In June 2013 around 360 million MySpace accounts were compromised by a Russian hacker, but the incident was not publicly disclosed until 2016. The information that was leaked included account information such as the owner’s listed name, username, and birthdate. Between 2013 and 2016, anyone who gained access to this breached information could have taken over any MySpace account. The former social media network giant has since invalidated all passwords belonging to accounts that were set up prior to 2013.

20. Exactis Data Breach

Date: June 2018

Impact: 340 million people

21. Indonesian Directorate General of Population and Civil Registration (Dukcapil)

Date: 2023

Impact: 337.2 million people

The data leak was due to security vulnerabilities and an unsecured database operated by the Indonesian Directorate General of Population and Civil Registration. The personal information of millions of Indonesian citizens was compromised.

Government bodies, which hold fundamental PII, must prioritize stringent cybersecurity practices and regular security audits to prevent data from being exposed through simple configuration weaknesses.

22. Twitter Data Breach (2018)

Date: May 2018

Impact: 330 million customers

In May of 2018, social media giant Twitter notified customers of a glitch that stored passwords unmasked in an internal log, making all user passwords accessible to the internal network. Twitter told its 330 million customers to change their passwords. The company said it had fixed the bug and that there was no indication of a breach or misuse, but encouraged the password update as a precaution. Twitter did not disclose how many customers were impacted but indicated that the number of customers was significant and that they were exposed for several months.

23. NetEase Data Breach

Date: October 2015

Impact: 234 million customers

In October 2015, NetEase (located at 163.com) was reported to have suffered a data breach that impacted hundreds of millions of subscribers. While there is evidence to say that the data is legitimate (many customers confirmed their passwords were in the data), it’s difficult to verify emphatically.

24. X (formerly Twitter) Data Breach

Date: January 2023

Impact: 200 million people

All public-facing APIs must implement strict rate limiting and efficient security checks to prevent automated data scraping, a common vector for large-scale data breaches.

25. Sociallarks Data Breach

Date: January 2021

Impact: 200 million records

Sociallarks, a rapidly growing Chinese social media agency, suffered a monumental data leak in 2021 through its unsecured ElasticSearch database.

Sociallarks’ server wasn’t password-protected, wasn’t encrypted, and it was a publicly exposed asset. This fatal combination meant that anybody with knowledge of the server IP address could access the leaked sensitive data, and that’s exactly what happened.

The breached database stored the scraped data of over 200 million Facebook, Instagram, and LinkedIn customers.

Exposed data included:

- Names
- Phone numbers
- Email addresses
- Profile descriptions
- Follower and engagement data
- Locations
- LinkedIn profile links
- Connected social media account login names

26. Deep Root Analytics Data Breach

Date: Jun 2017

Impact: 200 million U.S. voters

The data of 200 million voters was accessed from Deep Root Analytics, a firm working on behalf of the Republican National Committee (RNC).

The data consisted of 1.1 terabytes of voter Personal Identifiable Information (PII) including names, addresses and birthdates.

The accessed data also contained comprehensive voter analysis based on Reddit post activity which could be used to predict how somebody would vote on a particular issue.

The breached database was discovered by the Cybersecurity Cyber Analysis group.

27. Court Ventures Data Breach

Date: Oct 2013

Impact: 200 million personal records

Court Ventures, a subsidiary of credit monitoring firm Experian, was breached, exposing 200 million personal records.

The hacker was running a business selling Personal Identifiable Information and was selling the credit card numbers and social security numbers he had accessed in the breach.

Penetration was achieved by the hacker posing as a private investigator from Singapore and convincing staff to relinquish access to the internal database.

Experian suffered another breach in 2020, when a threat actor claiming to be Experian’s client convinced staff to relinquish customer information for marketing purposes.

These events have earned Experian the reputation of suffering one of the biggest data breaches in the financial services sector.

28. LinkedIn Data Breach

Date: June 2012

Impact: 165 million customers

In June 2012, LinkedIn disclosed a data breach had occurred, but password-reset notifications at the time indicated that only 6.5 million user accounts had been affected. LinkedIn never confirmed the actual number, and in 2016, we learned why: a whopping 165 million user accounts had been compromised, including 117 million passwords that had been hashed but not “salted” with random data to make them harder to reverse.

That revelation prompted other services to comb their LinkedIn data and force their own customers to change any passwords that matched (kudos to Netflix for taking the lead on this one). Left unanswered is why LinkedIn did not further investigate the original breach, or inform more than 100 million affected customers, in the intervening four years.

29. Dubsmash Data Breach

Date: December 2018

Impact: 162 million customers

30. Adobe Data Breach

Date: October 2013

Impact: 152 million

31. MyFitnessPal Data Breach

Date: February 2018

Impact: 150 million customers

32. Equifax Data Breach

Date: September 2017

Impact: 148 million people

In September 2017, Equifax, one of the three largest consumer credit reporting agencies in the United States, announced that its systems had been breached and the sensitive personal data of 148 million Americans had been compromised. The data compromised included names, home addresses, phone numbers, dates of birth, social security numbers, and driver’s license numbers. The credit card information of roughly 209,000 consumers was also exposed through this data breach. The sensitivity of the information processed by Equifax makes this breach unprecedented, and one of the largest data breaches to date.

33. Change Healthcare Data Breach

Date: March 2024

Impact: 147 million people

The Change Healthcare incident was a ransomware attack that began by exploiting a known vulnerability (reportedly an unpatched server). The subsequent system shutdown had a severe impact on medical billing and prescription services nationwide. Customer and patient PII and PHI, including names, dates of birth, health insurance information, and potentially Social Security Numbers, were compromised.

In the healthcare sector, speed in patching and the use of network segmentation (to prevent lateral movement of a threat actor) are paramount, as a breach can paralyze important public services.

34. eBay Data Breach

Date: February/March 2014

Impact: 145 million customers

Between February and March 2014, eBay was the victim of a breach of encrypted passwords, which resulted in asking all of its 145 million customers to reset their password. Attackers used a small set of employee credentials to access this trove of user data. The stolen information included encrypted passwords and other personal information, including names, e-mail addresses, physical addresses, phone numbers and dates of birth. The breach was disclosed in May 2014, after a month-long investigation by eBay.

35. Canva Data Breach

Date: May 2019

Impact: 137 million customers

The suspected culprit(s), Gnosticplayers, contacted ZDNet to boast about the incident, saying that Canva had detected and remediated the cyber threat that caused the data breach. The attacker also claimed to have gained OAuth login tokens for customers who signed in via Google.

Canva confirmed the incident, notified customers, and prompted them to change passwords and reset OAuth tokens. This event was one of the biggest data breaches in Australia.

36. Heartland Payment Systems Data Breach

Date: March 2008

Impact: 134 million credit cards exposed

At the time of the breach, Heartland was processing north of 100 million credit card transactions per month for 175,000 merchants. The breach was discovered in January 2009, when Visa and MasterCard notified Heartland of suspicious transactions. The attackers exploited a known vulnerability to perform a SQL injection attack.

The company paid an estimated $145 million in compensation for fraudulent payments.

37. Apollo Data Breach

Date: July 2018

Impact: 126 million customers

38. Badoo Data Breach

Date: July 2013

Impact: 112 million customers

39. AT&T Data Breach

Date: February 2024 (Data from 2019 or earlier)

Impact: 110 million people

The AT&T exposed dataset, which surfaced on the dark web, reportedly stemmed from a previous breach that was not publicly disclosed at the time. The method suggests a failure to secure a legacy data set.

Highly sensitive PII, including customer names, Social Security numbers, and addresses, was compromised.

This breach underscored the importance of organizations conducting regular data inventories and purging or securely archiving legacy data that is no longer needed. Sensitive data from previous years must be treated with the same level of security as live data.

40. Capital One Data Breach

Date: July 2013

Impact: 106 million credit card numbers

In July 2013, Capital One identified a security breach of its customer data that exposed the personal information of its customers, including credit card data, social security numbers, and bank account numbers.

41. Evite Data Breach

Date: August 2013

Impact: 101 million customers

42. Quora Data Breach

Date: December 2018

Impact: 100 million customers

43. VK Data Breach

Date: January 2012

Impact: 93 million customers

44. MyHeritage Data Breach

Date: June 2018

Impact: 92 million customers

45. Youku Data Breach

Date: December 2016

Impact: 92 million customers

Youku, a Chinese video service, exposed 92 million unique user accounts and MD5 password hashes.

46. Rambler Data Breach

Date: March 2014

Impact: 91 million customers

47. Facebook Data Breach (2018)

Date: early 2018 (this is when a Cambridge Analytica whistleblower disclosed the story)

Impact: 87 million customers

Though a slightly different type of data breach, as the information was not stolen from Facebook, the incident that affected 87 million Facebook accounts represented the use of personal information for purposes that the affected customers did not appreciate. Cambridge Analytica was a data analytics company that was commissioned by political stakeholders including officials in the Trump election and pro-Brexit campaigns. Cambridge Analytica acquired data from Aleksandr Kogan, a data scientist at Cambridge University, who harvested it using an app called “This Is Your Digital Life”. One of the most controversial elements of this breach was that customers did not appreciate or consent to the political usage of data from a seemingly-innocuous lifestyle app.

Cybersecurity’s researchers also discovered and disclosed a related breach by AggregateIQ, a Canadian company with close ties to Cambridge Analytica. Details about these discoveries can be found in our Aggregate IQ breach series (part 1, part 2, part 3 and part 4).

48. Dailymotion Data Breach

Date: October 2016

Impact: 85 million customers

49. Anthem Data Breach

Date: February 2015

Impact: Theft of up to 78.8 million current and former customers

- Names
- Addresses
- Dates of birth
- Employment histories
- Social security numbers
- Health identification numbers

The attack also affected other brands through the Anthem network, including Blue Cross, Blue Shield, Amerigroup, Caremore, and Unicare. The breach was undiscovered and undetected for weeks while the hackers stole information from Anthem servers. Although the data was not required to be encrypted, Anthem still faced backlash for failing to protect user data.

In 2017, Anthem paid a record $115 million as part of a landmark class-action settlement in one of the largest healthcare data breaches of all time. Additionally, Anthem also settled with the Department of Health and Human Services (HHS) for $16 million for failing to implement appropriate measures to detect hackers and unauthorized network activity.

50. Dropbox Data Breach

Date: mid-2012

Impact: 69 million customers

51. tumblr Data Breach

Date: February 2013

Impact: 66 million customers

52. Uber Data Breach

Date: Late 2016

Impact: Personal information of 57 million Uber customers and 600,000 drivers exposed.

53. The Home Depot Data Breach

Date: September 2014

Impact: Exposure of the credit card information of 56 million customers

Home Depot announced that its POS (point-of-sale) systems had been infected with a custom-built malware, which posed as antivirus software, affecting customers from across the US and Canada. After investigation, cyber law enforcement discovered that the cybercriminals likely breached Home Depot’s servers through a third-party supplier, which allowed them to steal payment information undetected for almost 5 months.

After the attack and damages resulting in over $180 million, Home Depot promised to invest in cybersecurity to better protect sensitive financial data. A lot of the damages included payments to affected individuals, credit card companies, banks, and lawsuits.

54. TJX Companies Inc. Data Breach

Date: Jul 2005

Impact: 45.6 million card numbers

TJX, the owner of numerous retail brands, had one of its payment systems breached, exposing over 45 million credit and debit card numbers. The data was garnered over several waves of breaches.

The breaches occurred over several occasions ranging from July 2005 to January 2007.

TJX claimed that the names and addresses associated with each stolen card number were not exposed in the breach.

55. Target Data Breach

Date: November 2013

Impact: 32 million customers.

Target was compromised through a third-party data breach. The attack vector was a portal used to share data with third-party vendors. This portal created a pathway into Target’s network, ultimately leading to the compromise of over 41 million credit and debit card numbers.

Target was slapped with multiple fines, including a $19 million class-action lawsuit.

56. Ashley Madison Data Breach

Date: July 2015

Impact: 32 million customers.

A hacking group identified as Impact Team compromised 35 million user records from the cheating website Ashley Madison.

The hackers demanded that parent company Avid Life Media shut down Ashley Madison and sister website Established Men within 30 days to avoid the publication of compromised records.

Avid Life Media did not comply, which resulted in wave after wave of classified data dumps in Pastebin. The list of exposed customers included members of the military and government.

The following records were included in the accessed data:

- Seven years worth of credit card payment history
- Full names
- Residential addresses
- Email addresses
- Descriptions of what members were seeking

Impact Team claimed the breach was easy to achieve with little to no security to bypass.

57. LastPass Data Breach

Date: August 2022

Potential Impact: 30 million users.

In a well-planned advanced persistent attack, which involved bypassing complex security measures like MFA, hackers compromised the laptop of a LastPass DevOps engineer to gain access to customer personal vaults. The incident potentially impacted 30 million of LastPass’ users, calling into question the efficacy of the company’s information security measures.

58. Plex Data Breach

Date: August 2022

Impact: 20 million users

Streaming platform Plex suffered a data breach impacting most of its users, approximately 20 million. The following types of sensitive information were compromised in the cyberattack:

- Usernames
- Email addresses
- Passwords

59. Bonobos Data Breach

Date: January 2021

Impact: 12.3 million records

Men’s clothing retailer Bonobos suffered a data breach in 2021 after a cybercriminal compromised its backup server containing customer data.

The following categories of data were accessed, amounting to the 12.3 million total:

- 7 million shipping address records
- 1.8 million account information records
- 3.5 million partial credit card records

This database was not connected to Bonobos’ private data, which was siloed for protection. But threat actors could still exploit the stolen information.

After the stolen data was dumped on a hacker forum, a threat actor claimed to have uncovered 158,000 hashed SHA-256 passwords. But the remaining passwords hashed with SHA-512 could not be cracked.

60. MGM Grand Data Breach

Date: Feb 2020

Impact: 10.6 million customers.

Hackers gained access to over 10 million guest records from MGM Grand. The records exposed the contact information of former hotel guests including Justin Bieber, Twitter CEO Jack Dorsey, and government officials.

MGM Grand assures that no financial or password data was exposed in the breach.

61. Optus Data Breach

Date: Sep 2022

Impact: 9.8 million customers.

Cybercriminals gained access to Optus’ internal network, reaching a customer database pertaining to up to 9.8 million customers. The compromised data, dating as far back as 2017, included the following types of information:

- Names
- Birth dates
- Phone numbers
- Email addresses

Subsets of the data also include street addresses, driver’s licenses, and passport numbers.

It’s speculated that the cybercriminal group gained access through an unauthenticated API endpoint, meaning a user/password or any other authentication method wasn’t required to connect to the API.

The alleged details of the Optus data breach as revealed by a cybercriminal claiming responsibility - Source: Twitter - Jeremy Kirk.

62. Medibank Data Breach

Date: November 2022

Impact: 9.7 million records.

Using stolen privileged credentials procured on the dark web, a cybercriminal gained access to Medibank’s internal systems. After locating the company’s sensitive customer data resources, the hackers deployed a script to automate the data theft process. When exfiltration was complete, 200 GB of customer data was stolen from Medibank, impacting 9.7 million customers.

Compromised data included:

- Names
- Birth dates
- Passport numbers
- Information on Medicare claims

63. easyJet Data Breach

Date: May 2020

Impact: 9 million customers.

A highly sophisticated cyber attack exposed the data of 9 million easyJet customers.

Because customer credit card information was leaked, this cyber attack exposes easyJet’s breach of the General Data Protection Regulation, which could result in a fine of up to 4% of its global annual turnover.

64. 123RF Data Breach

Date: Nov 2020

Impact: 8.3 million records

8.3 million database records from popular stock photo and vector image vendor 123RF were copied and posted for sale on a hacker forum.

The compromised data included:

- Phone numbers
- Addresses
- PayPal emails
- IP addresses
- MD5 hashed passwords

ImagineGroup (the owner of 123RF) assured that no financial information was accessed in the breach and that all user passwords were encrypted.

However, data breach investigators BleepingComputer managed to successfully convert the hashed passwords of numerous accounts to plain text using online MD5 cracking tools.

Though this breach didn’t directly expose financial information, if compromised users recycled their PayPal passwords when signing up to 123RF, they’re at a high risk of suffering financial theft.

65. Twitch Data Breach

Date: October 2021

Impact: 7 million users (potentially)

Twitch, an Amazon-owned company, suffered a breach of almost its entire code base. The exact impact of the incident hasn’t been confirmed, but given its depth of compromise, it has the potential of impacting all of Twitch’s users.

125GB of sensitive data was posted via a torrent link on the anonymous forum 4chan.

Twitch breach announcement on Twitter

The sensitive data leaks include:

- The entirety of Twitch’s source code.
- Three years of payout reports for creators (including high-profile creators).
- All of Twitch’s properties (including IGDB and CurseForge).
- Code related to proprietary SDKs and internal AWS services used by Twitch.
- The identity of an unreleased Steam competitor from Amazon Game Studios, “Vapor”.
- Twitch’s internal ‘red teaming tools’, used by internal security teams for cyberattack training exercises.

Though Twitch admitted in its statement that a subset of creator payout data was also accessed, the company assures that credit card numbers and bank information were not compromised.

The security vulnerability that made the breach possible was a server configuration change permitting unauthorized access by third parties. This has now been remediated.

Most cybercriminals post stolen data for sale after a breach, but the unidentified cybercriminal, who was likely using a proxy server, was not interested in financial gain. Instead, their objective was to cause a mass disruption to punish Twitch for fostering a toxic community of users.

66. Marriott Data Breach

Date: March 2020

Impact: 5.2 million guests

Marriott has once again fallen victim to yet another guest record breach. On March 31, the company announced that up to 5.2 million records were compromised. Some of the data accessed include

While the exact list of records breached is yet to be confirmed, it’s believed that the following guest data was compromised:

- Email address
- Mail addresses
- Phone numbers
- Company names
- Gender
- Birth dates
- Accommodation preferences
- Language preferences
- Linked airline loyalty programs and numbers

Marriott stated in its press release that the breach is not believed to have exposed PIN numbers, payment card information, national IDs, driver’s license numbers or loyalty card passwords.

By multiplying its internal login authentications and continuously scanning for data breach risks, Marriott could mitigate, or completely prevent, future cyber attacks.

67. Neiman Marcus Data Breach

Date: September 2021

Impact: 4.8 million customers

US-based retailer Neiman Marcus has confirmed in a statement that an “unauthorized party” gained access to sensitive customer information including:

- Usernames
- Passwords
- Security questions
- Financial information

The breach impacted almost 3.1 million payment and virtual gift cards, of which more than 85% were either expired or not valid.

After learning of the incident, Neiman Marcus Group contacted impacted customers that had not changed their password since May 2020, urging them to immediately do so.

The incident highlights the danger of using the same password across different registrations. If this cybersecurity best practice isn’t followed, a single compromise could result in a victim suffering multiple breaches.

68. MeetMindful Data Breach

Date: January 2021

Impact: 2.28 million users.

MeetMindful, a dating app focusing on the mindful community, was breached by a well-known hacker by the name of ShinyHunters.

Breached MeetMindful data, posted for free by ShinyHunters on a dark web hacker forum - Source: ZDNet

Private messages between users were not compromised, but the following private information was exposed:

- IP addresses
- Real names
- Email addresses
- City, state, and ZIP details
- Facebook user IDs
- Facebook authentication tokens
- Dating preferences
- Marital status
- Birth dates
- Bcrypt-hashed account passwords

69. Pixlr Data Breach

Date: January 2021

Impact: 1.9 million users

A database of 1.9 million user records belonging to online photo editor Pixlr was dumped on a dark web hacker forum by notorious cybercriminal ShinyHunters.

Pixlr breached database dumped in hacker forum by ShinyHunters - Source: bleepingcomputer.com

Exposed data included:

- Usernames
- Email addresses
- Country
- Hashed passwords

The data was stolen when the 123RF data breach occurred.

70. Tackle Warehouse LLC, Running Warehouse LLC, Tennis Warehouse LLC, and Skate Warehouse LLC Data Breaches

Date: October 2021 (disclosed December 2021)

Impact: 1.8 million people

Four online sports stores fell victim to a cyberattack resulting in the theft of highly sensitive customer information, including credit card data.

The data breach was disclosed in December 2021 by a law firm representing each sports store. The data breach was discovered by the impacted websites on October 15.

The following websites were impacted:

The specific security vulnerabilities and attack methods that facilitated the breach have not been disclosed, but it is speculated that access was achieved via a database breach.

The following data was compromised in the cyberattack:

- Customer names
- Credit card numbers (with CVV)
- Debit card numbers (with CVV)
- Website account passwords

At the time of writing, it’s unknown whether the compromised credit card numbers were complete or hashed. Even if hashed, they could still be recovered with sophisticated brute-force methods.

Whoever is at fault for this breach will likely suffer tough financial regulatory penalties for their security negligence.

71. Harbour Plaza Hotel Management Data Breach

Date: February 2022

Impact: 1.2 million records

Harbour Plaza Hotel Management, a hospitality management company in Hong Kong, suffered a breach of its accommodation reservation databases, impacting approximately 1.2 million customers.

According to the FAQs related to the incident, Harbour Plaza is yet to confirm whether cybercriminals managed to decrypt encrypted credit card data included in the breach.

72. Graff Data Breach

Date: November 2021

Impact: 1.1 million records

Exclusive UK jeweller Graff suffered a data breach that compromised many of its famous clients. The Russian cybercriminal group Conti was responsible for the attack, which involved the deployment of ransomware (ransom software).

After stealing Graff’s sensitive data and encrypting its internal systems, Conti started publishing some of the stolen data on the dark web, promising to stop only if their ransom of up to tens of millions of pounds is paid.

To prove they weren’t bluffing, Conti published 11,000 records on the dark web, which, according to the Russian cybercriminals, represents just 1% of the total data that was stolen.

The stolen records include client names, addresses, invoices, receipts and credit notes.

Some of the high-profile customers reportedly impacted by this breach include:

- Donald Trump
- David Beckham
- Oprah Winfrey
- Alec Baldwin
- Sir Philip Green
- Ghislaine Maxwell
- Saudi Crown Prince Mohammed bin Salman
- Sheikh Mohammed bin Rashid Al Maktoum

73. Los Angeles Unified School District (LAUSD)

Date: September 2022

Impact: 1000 schools / 600,000 students / 500GB of data

In one of the biggest data breaches of all time in the education industry, the Los Angeles Unified School District (LAUSD) was attacked by Vice Society, a Russian criminal hacking group. The attack affected over 1000 schools and 600,000 students in the second-largest school district in the United States. The ransomware attack occurred over Labor Day weekend, and prevented LAUSD officials from accessing critical data, including:

- Personal information (names, physical addresses, phone numbers)
- Email addresses
- Computer systems and applications
- Passport details
- Employee social security numbers
- Employee account login information
- Tax forms
- Contracts and legal documents
- Financial reports
- Banking details
- Health information (including COVID-19 vaccination data)
- Background checks and conviction reports
- Student psychological assessments
- VPN credentials

After consulting with CISA and the FBI, LAUSD released a statement saying they would not be paying the ransom that Vice Society had demanded. As a result, Vice Society released the stolen data on their dark web forum. Although the lasting impact of the attack has yet to be determined, there could be potential litigation in the coming years due to negligence and mishandling of sensitive data. Prior to the attack, LAUSD was told of potential vulnerabilities in their systems, but the school district did not act to remediate the issues.

74. Zoom Data Breach

Date: April 2020

Impact: 500,000 users.

When Zoom sign-ups were nearing their pandemic peak in April of 2020, hackers breached 500,000 accounts and either sold or freely published them on the dark web.

Hackers initially canvassed dark web databases of previously compromised login credentials dating back to 2013. Because passwords are often recycled, this gave them instant access to a swathe of active Zoom accounts.

A series of credential stuffing attacks was then launched to compromise the remaining accounts.

Recipients of compromised Zoom accounts were able to log into live streaming meetings.

75. Slickwraps Data Breach

Date: Feb 2020

Impact: 370,000 customers

Slickwraps, a manufacturer of vinyl skins for phones and tablets, suffered a breach impacting 370,000 of its customers.

This breach could have been prevented if Slickwraps had listened to the warnings of a white hat hacker highlighting the company’s terrible cybersecurity. After being ignored, the hacker echoed his concerns in a Medium post.

Slickwraps still ignored the warnings.

Before the Medium post was deleted, a second hacker read it and decided to also try to convince Slickwraps, but with a slightly more impactful approach.

Let’s hope Slickwraps finally strengthens its cybersecurity framework after such a tumultuous history.

Slickwraps email announcing breach

76. Magellan Health Data Breach

Date: Apr 2020

Impact: 365,000 patients

Magellan Health, a Fortune 500 company, has been the victim of a sophisticated ransomware attack in which over 365,000 patient records were breached.

Employee login information was first accessed through malware that was installed internally. Then, by posing as a Magellan client in a phishing attack, the hackers gained access to a single corporate server and deployed their ransomware.

Included in the breached data were patient social security numbers, W-2 information and employee ID numbers.

77. Nintendo Data Breach

Date: April 2020

Impact: 300,000 accounts.

300,000 Nintendo accounts were compromised and used to make unsolicited digital purchases. The number of affected accounts was almost doubled from the initially stated 140,000 upon further investigation.

The following information was exposed:

- Account passwords
- Account owner name
- DOB
- Email addresses
- Country of residence

While it isn’t clear how hackers gained access to accounts, it’s speculated that weak passwords are to blame. To prevent further breaches, Nintendo posted a tweet asking members to enable 2-step authentication.

78. Mailfire Data Breach

Date: September 2020

Impact: 100,000 users

The breach occurred through Mailfire’s unsecured Elasticsearch server. Once breached, the hacker had access to over 320 million records from notifications being pushed out to Mailfire clients.

The data exposed included private conversations between adult dating site members as well as the following Personally Identifiable Information:

- Name
- Age
- DOB
- Gender
- Location of message senders
- IP addresses
- Member profile pictures
- Member bio descriptions

Besides the private information of website members, this data breach also exposed many scam dating websites with fabricated female profiles.

79. Antheus Tecnologia Data Breach

Date: March 2020

Impact: 76,000 fingerprints

Antheus Tecnologia, a Brazilian biometrics company specializing in the development of fingerprint identification systems, suffered a breach of its server which could potentially expose 76,000 unique fingerprint records.

The data accessed consists of 2.3 million data points which could be reverse engineered to recreate each original fingerprint.

80. SolarWinds Data Breach

Date: March 2020

Impact: 18,000 businesses

In March 2020, nation-state hackers believed to be from Russia compromised a DLL file linked to a software update for the Orion platform by SolarWinds. The supply chain attack impacted up to 18,000 SolarWinds customers, including six U.S. Government departments. The attack wasn’t discovered until December 2020.

This incident was the impetus for Joe Biden’s Cybersecurity Executive Order, which now compels all organizations to strengthen their supply chain security efforts.

The highly sophisticated hackers are believed to also be responsible for the FireEye cyberattack resulting in the theft of its Red Team Assessment tools, a set of tools developed by FireEye to discover cyberattack vulnerabilities within any organization.

Given that FireEye’s client base includes government entities, it’s further speculated that these Red Team Assessment tools made the U.S. Government data breach possible, an attack labeled by cyber security experts as the biggest breach in the nation’s security history.

The list of victims continues to grow. To check if you’ve been impacted, you should perform a thorough risk assessment for each vendor.

81. Pegasus Airline Data Breach

Date: March 2022

Impact: 6.5 Terabytes of data

A misconfigured AWS bucket led to the compromise of 23 million files belonging to the Turkish airline company Pegasus Airlines. The security exposure was discovered by the security company Safety Detectives.

The data was linked to the airline’s EFB software, a solution requiring access to takeoff, landing, and refueling data and sensitive flight crew information.

The AWS bucket misconfiguration meant that anyone had free access to this database, including nearly 400 files with plain text passwords and secret keys.

When the exposure was reported, Pegasus Airlines did not find evidence of data compromise. However, while the AWS bucket remained misconfigured, cybercriminals may have clandestinely exfiltrated the exposed data.

82. Philippines COMELEC Data Breach

Date: January 2022

Impact: 60 GB of data

A hacker group breached the security systems of the Commission on Elections (COMELEC) for the Republic of the Philippines, compromising 60 gigabytes of sensitive voter information.

The depth of this information could allow the cybercriminals to potentially map the entire internal operations of the election system in the Philippines, paving the road to more devastating follow-up attacks at a national security level.

The compromised data included usernames and PINs for vote-counting machines (VCM).

83. MailChimp Data Breach

Date: Apr 2022

Impact: 100 clients

How did the data breach occur?

Mailchimp fell victim to a data breach after cybercriminals gained access to a tool used by internal customer support and account administration teams following a successful social engineering attack. However, this initial breach was just the preliminary stage of the entire cyber attack plan.

The phishing email sent to Trezor customers - Source: BleepingComputer

When clicked, this link directed users to a malicious website almost indistinguishable from Trezor’s website. To access the fraudulent app, users needed to submit their recovery seed, a list of ordered words used to recover access to a crypto wallet.

What data was compromised?

What’s confirmed, at this point, is that approximately 100 Mailchimp client accounts were compromised in the initial phase of the cyberattack.

Learn from this breach

This cyber incident highlights the scary sophistication some phishing attackers are capable of.
