With a history of more than 11,000 US data breaches over the last 15 years, it’s a safe bet that any electronic information relating to you is either at risk or has already been compromised at least once. As James Comey, the former director of the FBI, puts it, “there are two kinds of companies. Those that have been hacked and those that don’t know yet that they’ve been hacked.”

The need for online privacy and anonymity grows with every breach that occurs, and there does not appear to be any end in sight. Every corporation is gathering intel on their customers, clients, and even random people. Large corporations invest billions of dollars every year on data gathering systems, database technologies to store it all, expensive servers with massive amounts of storage, and data analysts to make sense of it.

It’s not just a game for businesses. Intelligence agencies the world over gather and try to make sense of information as their primary agenda. The unfortunate irony here is that many companies seem to lack concern over keeping that information safe and out of the hands of others once they have it. If it does fall into the wrong hands, there are various potential repercussions for those involved, including increased risk of falling victim to crimes such as spear phishing schemes, ransomware attacks, and identity theft.

The list below shows an annual breakdown of the largest of these data breaches, with a minimum of 10 million records at risk of being exposed to unauthorized persons. Note that the total number of reported breaches cited refers to breaches involving US companies or that have affected US customers.

Data breaches by year



Breach size: 500M

Following close on the heels of the 2021 Facebook breach, news outlets began reporting in April 2021 that LinkedIn user data had been scraped and was being sold online through dark web marketplaces. Over 500 million individual user accounts had had their data scraped. Information available for sale includes full names, user IDs, phone numbers, email addresses, work history information, and other data accessible from a LinkedIn user’s profile. Thankfully, no passwords had been stolen. In its defense, LinkedIn shared an update on its website that indicated the breach was not from its website but from publicly available LinkedIn profile data aggregated from other websites.


Breach size: 350M

In April 2020, news outlets reported a major data breach from Facebook. The company remained mostly silent about the breach and even refused to notify impacted users. However, it did make a small, poorly formatted page on its website explaining that a malicious actor scraped the data from the company’s website sometime in September 2019, over a year before users learned about the breach. The hackers that broke Facebook’s security scraped phone numbers, names, email addresses, location data, and more from over 530 million users in over 100 countries. The breach was only discovered after hackers released the scraped data to the dark web.

SocialArks (Facebook, Instagram, LinkedIn)

Breach size: 200M

In early 2021, security researchers discovered that Chinese marketing start-up SocialArks had experienced a massive data breach that exposed 200 million social media accounts. The 400 GB file contained social media account data for Facebook, Instagram, and LinkedIn users. The company’s ElasticSearch cloud server was not password protected, despite containing personally identifiable information (PII) scraped from social media networking sites.

The company reportedly also suffered another database breach in August 2020 with 150 million records stolen for users of those same websites.

VIP Games

Breach size: 23M

In January 2021, security researchers discovered that gaming company VIP Games had suffered a data breach of one of its ElasticSearch cloud servers. The 30GB database contained 23 million records from over 60,000 users. The exposed data included a significant amount of personally identifiable information, including social media IDs (Facebook, Twitter, Google), in-game purchase details, banned player information, IP addresses, usernames, email addresses, hashed passwords, and more.


In mid-April 2021, Krebs on Security and other outlets reported that customer data from the ParkMobile app were being sold online on the dark web. According to reports, 21 million customers’ data was on sale, and the type of data available was fairly damaging. The hackers responsible were able to snag and subsequently begin to sell usernames, hashed passwords, license plate numbers, birthdays, email addresses, and mailing addresses. According to the company, a third-party provider with access to the data was the source of the breach.



2020 is proving to be a big year for data breaches, with several breaches already exposing hundreds of millions of victims worldwide. A large amount of attention this year appears to be directed at major dumps of collected and assembled personal data, sold in massive files on the dark web.

Unknown Owner, Google Cloud Server

Breach size: 201M

In March 2020, Comparitech was first to report that a Google Cloud Server owned by an unknown source was poorly secured on the web and easily accessible. The server hosted 200 million records that included names, email addresses, physical addresses, age, ethnicity, credit rating, investment preferences, income, net worth, personal preferences, and more.

Instagram (via Social Data)

Breach Size: 200M

In August 2020, Comparitech researchers discovered an unprotected database with 253 million records exposed. Around 200 million of those were Instagram accounts. The database appeared to be owned by a now-defunct company called Deep Social, which had scraped the data from Instagram. Deep Social was banned and threatened with a lawsuit, causing it to shut down, and its assets were taken over by Social Data, which admitted to owning the database and later shut it down after receiving notification from Comparitech about the exposure.


Breach size: 120M

In February 2020, the UpGuard Research team discovered an Amazon S3 bucket that contained information about consumer behavior and purchasing habits. The database appeared to belong to Tetrad, a marketing analysis company. Information included full name, gender, and address, as well as information about commute length, what they buy, and opinions about various topics. It also included specific account information for certain retailers such as Kate Spade, Chipotle, and Bevmo, with data points including shipping address, account number, number of transactions, and dollar amount spent.


Breach size: 56M

In January, a database containing information about more than 56 million US residents was uncovered online. It reportedly belongs to CheckPeople.com, a people search website. The 22GB database, which was linked to a Chinese IP address, was found by a white-hat hacker who relayed the information to The Register. The database included names, current and past addresses, email addresses, phone numbers, relatives’ names, and criminal records. Although this information is available on CheckPeople.com, you can usually only unlock individual profiles by paying a fee. To have all of this information exposed in one place offers endless opportunity for malicious actors.


Breach size: 49M

LimeLeads is a B2B (business-to-business) leads generator based in San Francisco, which rents access to a database of business contacts. In January 2020, it was discovered that a malicious actor, named Omnichrous, was selling this database, containing 49 million contacts, online. This threat actor is a well-known data trader who regularly shares or sells stolen or hacked data.

ZDNet, with the help of security researcher Bob Diachenko, traced the breach back to July 2019. Data contained in the database included name, title, email address, employer, company address, phone number, company revenue, and number of company employees. This information could be useful for cybercriminals in various schemes, including highly targeted spear phishing attacks.

Animal Jam

Breach size: 46M

In November 2020, Animal Jam users learned that their accounts were part of a large data breach that targeted the online animal game. According to Animal Jam, 46 million accounts were impacted. The type of records impacted included email addresses, usernames, hashed passwords, birth years, full birth dates, and genders. A smaller number of account users (under 13,000) also had their parents’ full names and billing addresses leaked.


Breach size: 30M

The East Coast-based Wawa convenience store chain suffered a massive data breach at the end of January. Payment card details for over 30 million customers were put up for sale online. It’s believed this data dump was related to a major security breach that Wawa disclosed in December 2019. The hack involved malware affecting point-of-sale systems in all of its 860 stores and gas stations. It collected card details from all customers from the beginning of March until midway through December.


Breach size: 10.6M

In February, the details of over 10.6 million guests of MGM Resorts hotels were published on a hacking forum. As well as regular travelers and tourists, the data applied to tech CEOs, government officials, celebrities, and more high-profile figures. Details included names, phone numbers, home address, email addresses, and dates of birth. The data was traced back to a security breach that occurred in 2019.



In 2019, there were more than 1,400 breaches reported, with 20 of them involving more than 10 million records.

Dropbox, LinkedIn, and others

Breach size: 2.2B

Hackers have collected, passed around, and dumped over 2.2 billion stolen records from a large number of websites, including Dropbox and LinkedIn. It appears this data has been gathered and combined for several years and is now being dumped on the dark web for sale. The first of these dumps of stolen data, called Collection #1, includes usernames and passwords.

Google Cloud server (owner unknown)

Breach size: 1.2B

Security researcher Vinny Troia discovered an unsecured Google Cloud server containing 1.2 billion consumer records. While no intensely sensitive data, such as passwords and financial information, was revealed, the server did contain email addresses, social media profiles, and even potential income levels. Such information could be used for spam, cyber attacks, or account hacking purposes.

Evite, MindJolt, Wanelo, and More

Breach size: 1B

A hacker by the name “Gnosticplayers” has unloaded nearly 1 billion user records in the first few months of 2019. Information includes user names, email addresses, IP addresses, and passwords from several websites, including Evite, MindJolt, and Wanelo, among several others.

First American

Breach size: 900M

Insurance company First American left 900 million sensitive customer files exposed for over 2 years. The exposed information includes bank account numbers, bank account statements, Social Security numbers, driver’s license images, and more, amounting to more than enough information to successfully steal identities and money from victims. It is unclear if any of the exposed data was illicitly accessed.

Dubsmash, MyFitnessPal, MyHeritage, and More

Breach size: 600M

A hacker successfully sold over 600 million records from multiple sites on the dark web for $20,000 in Bitcoin. Records came from multiple companies and websites, including Dubsmash (162 million), MyFitnessPal (151 million), MyHeritage (92 million), ShareThis (41 million), HauteLook (28 million), EyeEm (22 million), 8fit (20 million), Whitepages (18 million), and others.


Breach size: 540M

Two misconfigured Amazon AWS servers exposed the account information of over 540 million Facebook users. One was owned by Mexican company Cultura Colectiva and left Facebook IDs and comments vulnerable. The second server, owned by the “At the Pool” Facebook game, exposed even more sensitive information, including some plain-text passwords, photos, check-ins, likes, and interests, among other data.


Breach size: 309M

A Facebook database containing more than 267 million user IDs, names, and phone numbers was leaked on the web for anyone to view without authentication. Bob Diachenko, in conjunction with Comparitech, discovered the data leak. It appeared to be the result of illegal scraping or abuse of the Facebook API conducted by Vietnamese criminals.

This leak was uncovered in December 2019, but a second server was exposed in March 2020, apparently by the same group, containing an extra 42 million records, bringing the total to 309 million. The leaked information could easily be used in phishing schemes, in particular those that use text messages (known as smishing).


Breach size: 270M

Among the biggest and most popular websites for novice storytellers, Wattpad experienced a massive data breach that was reported in July 2020. It appears a database of 270 million Wattpad records was being sold on the dark web, and then offered for free. The stolen database includes fairly routine account information, including usernames, passwords (hashed), geographic locations, and email addresses. Following the report, Wattpad forced a reset of all user passwords.


Breach size: 250M

This data leak was discovered right at the end of 2019, but dated back as far as 2005. Comparitech, in conjunction with Bob Diachenko, discovered five ElasticSearch servers, each of which contained the same set of 250 million records. Leaked information was from Microsoft’s Customer Service and Support (CSS) department and included email addresses, IP addresses, locations, case numbers, and logs of conversations, among other data. One concern with this type of data in the wrong hands is tech support scams, where a fraudster contacts Microsoft customers and poses as a customer support representative. Under this guise, the malicious actor may attempt to gain access to the user’s device, phish for information, or request some type of payment.

Zynga (Words with Friends)

Breach size: 218M

In a September 12 investor report, Words with Friends creator Zynga announced its servers were hacked by an outside source. According to the company, user account information was accessed, but Zynga offered scant details as to the nature of the breach. However, the hacker (or hacker group) known as gnosticplayers later claimed responsibility for the hack. Stolen data allegedly included player names, email addresses, Facebook IDs, password reset tokens, and Zynga account IDs.

Pipl.com, LexisNexis, and others

Breach size: 188M

Another massive leak discovered by Bob Diachenko and Comparitech involved the exposure of almost 188 million records on the web. The data was from multiple sources, but much of it was from Pipl.com, a people search engine. Some of the records included a ton of personal information, including name, aliases and past names, email address, physical address, date of birth, court and bankruptcy notes, phone number, past and present employers, and more.


Breach size: 139M

In May, Canva, an online design tool company, admitted that a hack had resulted in the breach of around 139 million usernames and email addresses. While there was no personal information revealed, this information could still be used by criminals in spear phishing attacks.

Capital One Bank

Breach size: 106M

On July 29, Capital One Bank announced that it experienced a massive data breach that occurred sometime between March and July. The breach exposed 100 million customers in the US and 6 million customers in Canada. Although the breached data was mostly limited to names, addresses, phone numbers, and credit scores, some 140,000 customers in Canada had Social Insurance Numbers exposed, while 80,000 US customers had linked bank account numbers exposed.

By the time of its reporting, the culprit, 33-year-old software engineer Paige Adele Thompson, had been apprehended by the Federal Bureau of Investigation. Thompson reportedly posted about the breach on GitHub and bragged about it on Twitter and the Slack chat app. Thompson appears to have stolen the data from a Capital One server hosted by Amazon Web Services.

Mountberg Limited

Breach size: 100M

In January, an online gambling group exposed over 100 million user bets and other user details. An unsecured ElasticSearch instance on the company’s server revealed user details such as bet amounts and withdrawals.

Unknown Owner

Breach size: 80M

Researchers found an unsecured database containing personal information on over 80 million US households and families. The leaked information includes addresses, approximate geographic location via longitude and latitude, ages, birthdates, income, marital status, homeowner status, dwelling type, and more.


Breach size: 60M

A security researcher found multiple databases that appeared to leak over 60 million LinkedIn customers’ information. While LinkedIn reported it is not their database, it appears the leaked database may contain publicly available profile data, scraped from the site by a third party.


Breach size: 49M

Weak security in an Amazon Web Services server left millions of Instagram accounts exposed. Owned by India-based social media marketing company Chtrbox, the locations and private contact information of over 49 million Instagram “influencers” were readily available. The accounts also include how much each influencer account was worth based on several metrics, including the number of followers and engagement.


Breach size: 42M

In the same breach uncovered by Comparitech researchers that revealed 200 million exposed Instagram accounts, we also discovered over 40 million TikTok records available without protection. Usernames, profile pictures, numbers of followers, and other sensitive account details were available in the Social Data-owned Google Cloud server until Social Data took the server offline after notification.

View Media

Breach size: 38M

In September 2020, reports began to emerge of a major data breach impacting marketing company View Media. Reports indicated that an Amazon Web Service server owned by the company was improperly configured, allowing easy access to over 38 million records. Exposed data included names, email addresses, phone numbers, zip codes, and more.


Breach size: 14M

A cybersecurity researcher using the Shodan service found over 14 million Instagram account details, including profile names, links to profile pictures, and other information, on an unsecured server based in the UK. It was unclear who owned the server or was gathering the data.


Breach size: 13M

An unprotected AWS ElasticSearch database for the job site Ladders exposed 13 million user accounts and profiles. Job seeker information, such as names, email addresses, phone numbers, geolocation, current and desired salaries, employment history, and US H1-B visa status was exposed. Employers’ and recruiters’ personal information on the site was exposed as well.

Quest Diagnostics

Breach size: 11.9M

In June, the American Medical Collection Agency, a medical billing and coding service provider, reported its payment page for Quest Diagnostics was breached. Nearly 12 million customer medical and financial records were exposed. The breach lasted between August 22 and March 30. The payment portal was taken down and migrated to a third party in response.

US Customs Border Patrol

Breach size: Unknown (following)

In June, the US Customs Border Patrol reported that an undisclosed amount of biometric data had been stolen from a federal subcontractor. The data included license plate images and ID photos of travelers passing into and out of the United States. CBP reported that the unnamed subcontractor transferred this data from government servers to its own servers without permission, where the data was then stolen following a hack.


Marriott homepage.

In 2018, more than 1,200 reported breaches occurred, with 11 of them involving more than 10 million records.

Marriott International

Breach size: 500M

Up to 500 million Marriott International guests may have been involved in this massive breach that began in 2014. More than 320 million customers’ data was breached, including names, addresses, and passport numbers, prompting many angry guests to demand that Marriott pay for the issue of new passports.


Breach size: 340M

In June 2018, marketing and data aggregation firm, Exactis, leaked almost 340 million records onto a server that could be accessed by the public. Information on individuals and businesses was involved, including phone numbers, home addresses, and email addresses.

Under Armour

Breach size: 150M

An estimated 150 million users of Under Armour’s food and nutrition app, MyFitnessPal, may have had their information exposed. Data involved in the leak is thought to include email addresses, usernames, and hashed passwords.

MindBody – FitMetrix

Breach size: 113M

Fitness software FitMetrix — which was acquired by MindBody earlier in 2018 — was involved in a breach that affected more than 113 million records, though the number of users this correlates to is unknown. The breach was discovered by a security researcher who found that three of FitMetrix’s servers were unprotected and leaking data.


Breach size: 50M

In September 2018, a data security breach was discovered in the form of a bug that allowed attackers to take over control of people’s Facebook accounts. 50 million accounts were known to have been affected, but up to 40 million more could have been involved.

Facebook (Cambridge Analytica)

Breach size: 50M

Prior to the above breach, the Cambridge Analytica scandal had come to light. The data analysis firm had accessed and stored the personal data of 50 million Facebook users via a third-party researcher. The acquisition of the data violated Facebook’s terms of service, and as such, represented a massive breach of user information.


Breach size: 48M

Localblox is similar to Cambridge Analytica in that it scrapes information from publicly accessible sources to create profiles. It stored data on an unsecured container, a fact discovered by UpGuard, a cybersecurity research firm. As many as 48 million user profiles were being stored without a password, and although Localblox took immediate action, it’s unclear if anyone else accessed the 1.2 TB of data in the meantime.


Breach size: 40M

40 million users of textbook rental and tutorial company, Chegg, and its family of brands were informed in September 2018 that their personal data may have been exposed to an unauthorized party which gained access to a company database. Leaked information included names, passwords, email addresses, and shipping addresses.


Breach size: 27M

A malicious cyber attack led to the personal information of around 27 million Ticketfly account holders being accessed. Customers’ data that was breached included names, addresses, email addresses, and phone numbers.

The Sacramento Bee

Breach size: 19M

After the company left more than 19 million voter records exposed online by failing to restore a protective firewall to its server, a ransomware attack was launched by malicious hackers. The newspaper refused to pay the ransom and notified voters of the breach.


Breach size: 11M

In September 2018, the details of almost 11 million users were leaked from an e-marketing company database due to an unsecured server. Names, email addresses, gender details, and physical addresses were reportedly involved. The database was thought to have belonged to a company named SaverSpy.


Breach size: 4.9M

Nearly 5 million DoorDash customers, drivers, and merchants had highly sensitive data exposed in a breach, DoorDash reported. The breach, which reportedly occurred in May of 2019, saw names, email addresses, physical addresses, phone numbers, and order histories stolen. Hashed and salted passwords, as well as the last four digits (but not the CVV) of some credit cards were also stolen.



There were reportedly 1,632 breaches in 2017, with nine of them making the list.

River City Media

Breach size: 1.37B

A massive database of over 1.37 billion email addresses was exposed due to an improperly configured backup. Some of those records contained extra details like names, physical addresses, and IP addresses. The leak also exposed River City Media’s entire operation, including details like business plans, Hipchat logs, accounts, and more. River City Media is one of the largest providers of spam in the world, according to the news report.

Deep Root Analytics

Breach size: 198M

A database containing political information on over 198 million US voters was discovered on an Amazon cloud storage system without any form of password protection. The Republican National Committee hired Deep Root Analytics to compile and analyze the data consisting of names, dates of birth, home addresses, phone numbers, and voter registrations. Deep Root Analytics has since taken full responsibility for the breach and implemented improved data security measures.


Breach size: 145M

More than 145 million records, including Social Security numbers, credit card numbers, driver’s license numbers, and names, were breached at one of the three major US credit reporting agencies.

Name Tests

Breach size: 120M

It was revealed in 2018 that Nametests.com, the website responsible for a popular Facebook quiz app, had a flaw that publicly exposed details about its more than 120 million users.


Breach size: 92M

This breach was announced in 2018 but actually occurred in October 2017 and involved more than 92 million customers’ data. A security researcher discovered the information, which included email addresses and hashed passwords, on a private server that didn’t belong to MyHeritage.


Breach size: 76M

A security hole in T-Mobile’s website enabled attackers to use a phone number to access account details, including email addresses and a phone’s IMSI network code. Up to 76 million users may have been affected.

Panera Bread

Breach size: 37M

The Panera Bread breach began in 2017 but apparently no action was taken until 2018. Names, email addresses, home addresses, and phone numbers of up to 37 million customers were leaked from the site in plain text. The last four digits of customers’ credit card numbers were also involved.

Dun & Bradstreet

Breach size: 33M

It was revealed that records from a commercial corporate database regarding more than 33 million people were leaked by Dun & Bradstreet. Of the people involved, more than 100,000 worked for the Ministry of Defence and over 70,000 for major financial institutions. While the information wouldn’t be considered sensitive data (it included things like email addresses, job title, and company address), in the wrong hands, it would make executing scams like spear phishing and whaling far simpler.


Breach size: 17M

A hacker on the DarkNet is selling a database that includes emails and password hashes of 17 million registered Zomato users.


Dailymotion homepage.

Almost 1,090 data breaches were reported to occur in 2016, with eight of them hitting above the 10 million mark.

FriendFinder network

Breach size: 412M

Over 412 million accounts were breached, representing 20 years of user personal data, including email addresses, passwords, usernames, the database outline, sites in the network visited by users, site registration data, and much more.


Breach size: 360M

Over 360 million usernames and passwords were stolen from MySpace. The passwords were stored as “unsalted SHA-1 hashes” and were broken using a cracking server capable of running millions of SHA-1 calculations per second.


Breach size: 167M

Between 117 million and 167 million records are believed to have been stolen from the popular business social network, including user email address, hashed passwords, and LinkedIn ID numbers. The breach is said to have started in 2012 but in 2016, the data was up for sale online.


Breach size: 85.2M

The email addresses and usernames of approximately 85.2 million users of one of the most popular video-sharing sites on the internet were accessed in 2016. About one-fifth of those accounts also had their hashed passwords copied, but the passwords were encrypted with fairly strong encryption making them difficult to crack or guess.


Breach size: 57M

57 million customers’ and drivers’ names, e-mail addresses, and phone numbers were hacked in 2016. Uber then tried to cover up the breach by paying off the attackers who “promised” to delete the data. News of the breach broke in November 2017.


Breach size: 43.4M

43.4 million records were stolen, but the means by which this theft was committed is not yet known. It is known that the compromised data contained email addresses, usernames, passwords, and logged IP addresses of users’ computers.


Breach size: 32M

32 million login credentials, including plain text passwords, ended up for sale online. The data appeared to have been stolen directly from users rather than from a hack of Twitter’s servers.


Breach size: 22.5M

More than 22.5 million records were apparently taken from publicly available sources. The records contained FourSquare usernames, email addresses, and Twitter and Facebook IDs.


Anthem homepage.

779 data breaches were reported to occur in 2015, but seven of them were fairly large losses.

Voter Database

Breach size: 191M

A publicly available database full of information on 191 million US voters was found on the internet. The database contained names, home addresses, voter IDs, phone numbers, dates of birth, political affiliations, and detailed voting histories since 2000.


Breach size: 80M

Over 80 million records were stolen, consisting of names, birthdays, medical IDs, social security numbers, street addresses, email addresses, and employment and income information, with the breach starting as early as 2014. On June 27th, 2017, Anthem agreed to a $115 million settlement for damages caused by this breach.

Ashley Madison

Breach size: 37M

The company’s user databases, financial records, and other confidential information were leaked to the public. 37 million user records were stolen and dumped to the DarkNet. The hackers attempted to blackmail Ashley Madison into shutting down the website or the stolen database would be released to the public, exposing all of its users. Ashley Madison refused to comply and the data was released, along with several copycat databases containing bogus information.

Office of Personnel Management in Washington, DC

Breach size: 21.5M

This involved 21.5 million entries in a database of government workers and more specifically, anyone who had applied for a security clearance going back to 2000. SSNs and information related to what officials ask during interviews for security clearance were leaked.

Experian’s T-Mobile customers

Breach size: 15M

15 million records of potential T-Mobile customers that had credit checks done by Experian were breached. The records consisted of names, addresses, social security numbers, dates of birth, and various identification numbers, including passports, driver’s licenses, and military identification numbers.

Premera Blue Cross

Breach size: 11M

This involved 11 million records of medical files and personal and financial information, including bank account numbers, social security numbers, birth dates, names, addresses, and “other personal information.”

Excellus BlueCross Blue Shield

Breach size: 10M

It appears this was the year for healthcare industry breaches as yet another huge attack hit health insurer, Excellus BlueCross Blue Shield. The information of more than 10 million individuals was leaked.


Yahoo homepage.

781 breaches were reported with five over the 10 million record threshold.


Breach size: 500M

This breach actually occurred in 2014 but was not announced or acknowledged by Yahoo until two years after the fact. The database that was accessed contained records of over 500 million of Yahoo’s users, including names, phone numbers, email addresses, hashed passwords, birth dates, and “encrypted or unencrypted security questions and answers.”

Russian hacking discovered by Hold Security

Breach size: 500M

An impressive database of over a billion usernames and passwords along with more than 500 million email addresses was discovered on the DarkNet by a security firm. It was apparently the work of a Russian gang of hackers collecting information from hundreds of thousands of websites.


Breach size: 145M

This breach involved a data loss of over 145 million records. Hackers gained access to eBay’s user database using employee login credentials. The data copied consisted of email addresses, encrypted passwords, birth dates, and mailing addresses.

JP Morgan Chase

Breach size: 76M

76 million bank accounts were accessed by Russian hackers, some of which were only modified while others were completely wiped out.

The Home Depot

Breach size: 56M

The Home Depot got hit twice in 2014. In February, three employees were suspected of stealing 30,000 records. Then in September, it was hit again for the details of 56 million credit and debit cards due to a hack of the point-of-sales systems in over 2,200 stores in the U.S.



614 data breaches were reported in 2013, five of which hit above the 10 million mark.


Breach size: 1B

More than 1 billion accounts were compromised in 2013, but this breach was not made public until 2016, and was most likely unrelated to the 500 million records stolen in 2014. Yahoo blamed the largest breach in history on hackers working on behalf of a government. The intruders used forged cookies to access user accounts without their passwords.

Target Corp.

Breach size: 110M

Up to 110 million payment card records were stolen during the Thanksgiving and Christmas holidays of 2013. This incident was used as a precedent for passing legislation in the U.S. implementing chip card technology.


Breach size: 65M

In 2013, hackers accessed more than 65 million passwords of Tumblr users, although the breach was not reported until 2016.


Breach size: 50M

This was the biggest loss of data in 2014, with 50 million records exposed. Users were told to reset their passwords after the attack was detected.


Breach size: 50M

Up to 50 million member accounts were at risk of being copied, consisting of names, email addresses, dates of birth, and encrypted passwords. At the time, an estimated 29 million people used LivingSocial, many with multiple accounts.


Breach size: 38M

User accounts of up to 38 million Adobe users were stolen. Adobe sent out a notice to all affected users warning them to change their passwords and watch for suspicious activity on their accounts.



471 data breaches were reported for the year, with two of them making the list.


Breach size: 68M

68 million Dropbox users had their email addresses and hashed passwords copied. They then received spam messages in which the sender posed as Dropbox.


Breach size: 24M

24 million user accounts were found to have been accessed, exposing names, email addresses, billing and shipping addresses, phone numbers, the final four digits of credit card numbers, and possibly encrypted passwords.



421 data breaches were reported for 2011 with four of them over 10 million records lost or put at risk.


Breach size: 50-250M

This data breach involved anywhere between 50 and 250 million records. Epsilon reported that only email addresses and names were stolen. Customers were warned to expect phishing emails.

Sony, PlayStation Network

Breach size: 77M

77 million PlayStation Network (PSN) users and more than 24 million Sony Online Entertainment customers were affected during this 2011 hack. Leaked details included names, addresses, email addresses, dates of birth, login credentials for PSN and Qriocity, and PSN IDs and handles. It is suspected that hackers may also have accessed purchase histories, billing addresses and security questions.


Breach size: 35M

Hackers defaced a forum on Steam which prompted an investigation that revealed unauthorized access to a database containing user names, hashed and salted passwords, game purchases, email addresses, billing addresses and encrypted credit card information on over 35 million users.


Breach size: 18M

Hackers accessed data on several of WP’s servers exposing source code, API security keys and social media passwords of 18 million WordPress users.



662 data breaches were reported for 2010, but only one of them made the list.

DeviantART, Silverpop Systems Inc.

Breach size: 13M

The largest data breach in 2010 was also the only one above 10 million at 13 million records stolen. Hackers were able to penetrate deviantART through the marketing company Silverpop Systems Inc. The exposed database consisted of user names, email addresses and birth dates of all deviantART users.



498 data breaches were reported for 2009, with three of them making our list.

Heartland Payment Systems

Breach size: 130M

130 million credit cards were stolen through a hack of this credit card processor. The problem was exacerbated by the processor’s delays and inaccurate disclosures regarding the breach. One of the perpetrators was a Secret Service informant and suspect in the previous year’s TJ Stores hack.

U.S. Military Veterans

Breach size: 76M

76 million detailed records were reported at risk of being exposed when a defective hard drive was sent off for repair without first having its data destroyed. The drive was part of a RAID array of six drives that held an Oracle database filled with veterans’ information. The drive was deemed irreparable and was then sent to another entity for recycling, again, without being erased.


Breach size: 32M

An SQL injection flaw in RockYou’s database exposed their entire list of usernames, email addresses, and passwords–around 32 million records. The passwords were stored in plain text and the database included login credentials for various social networks like Facebook and MySpace.



656 data breaches were reported for 2008 with two of them going over the 10 million mark.

Countrywide Financial Corp.

Breach size: 17M

A former employee reportedly stole and sold sensitive data on 17 million account holders’ profiles. It should be noted that Countrywide was the “poster boy” of the subprime lending crisis.

Bank of New York Mellon

Breach size: 12.5M

12.5 million records containing names, social security numbers, and possibly bank account numbers were “lost” when a box of backup tapes arrived at a storage facility with one tape missing.



446 data breaches were reported to have occurred in 2007, with one of them involving more than 10 million records.

TJ Stores

Breach size: 100M

Over 100 million records were lost, consisting of credit and debit card numbers and merchandise return records containing names and driver’s license numbers, as well as credit card account numbers. Special note: the primary hacker, Albert Gonzalez, appealed his conviction in 2011 on the grounds that he was acting with authorization from the Secret Service. The U.S. government acknowledged that Gonzalez was a key undercover informant for the Secret Service at the time. Mr. Gonzalez blamed his attorneys for not using this information as part of his defense.



321 data breaches were reported this year. Two of those breaches surpassed the 10 million records mark.

U.S. Dept. of Veterans Affairs

Breach size: 26.5M

A laptop and computer storage device containing sensitive data on 26.5 million veterans were stolen from the home of an unidentified employee of the Department of Veterans Affairs. The information consisted of names, social security numbers, dates of birth, phone numbers, and addresses on all American veterans discharged since 1975. The laptop and storage device were recovered almost two months later. According to an FBI investigation, the data had not been copied. In spite of this, the VA was still held accountable for ineffectual data security policies and neglecting to take proper security precautions regarding such sensitive data.


Breach size: 17M

Over 17 million records were posted online containing names, phone numbers, addresses, email addresses, IP addresses, login credentials, credit card types, and purchase amounts. It is unclear as to whether the breach was the work of a dishonest insider or malicious software injected into iBill’s systems.


157 data breaches were reported for the year, with only one of them over our minimum of 10 million.


Breach size: 40M

40 million credit card accounts were exposed due to a security breach that occurred at a third-party vendor. The information exposed included names, card numbers and card security codes. CardSystems filed for bankruptcy in May of 2006. In 2009 it was revealed that CardSystems stored unencrypted credit card information on its servers.


Funny enough, the only data breach that we have information on in 2004 was also a rather major one.


Breach size: 92M

A former software engineer of AOL stole 92 million email addresses belonging to an estimated 30 million users. He then sold the list of addresses to a man in Las Vegas who began spamming the list with an advertisement for an offshore gambling website. Even the judge involved in the case admitted to canceling his AOL email account because of all the spam.

Largest non-US breaches

There have also been some pretty massive breaches in various other parts of the globe over the years. Here are some of the most prominent:

PayPay, Japan (2020)

Breach size: 20M

In December 2020, multiple Japanese news outlets reported that the business banking service PayPay had been hacked. Over 20 million records were stolen, including business names, bank accounts, and employee information.

Verifications.io, India (2019)

Breach size: 800M

An unsecured marketing email database exposed over 800 million user records. The breached data contained social media logins, gender, birthdates, mortgage amounts, and interest rates.

Aadhaar, India (2018)

Breach size: 1.1B

A data breach could have potentially risked the data of all 1.1 billion citizens of India. In early January, anonymous sellers on WhatsApp were offering access to any Aadhaar number and its associated details, including name, address, phone number, photo, and email address. The information was being sold with the option of software for printing ID cards, presumably for use in identity theft and other related crimes.

Interpark, South Korea (2017)

Breach size: 10M

In 2017, South Korea accused North Korea of stealing the data of 10 million customers of the online mall, Interpark, in an attempt to obtain foreign currency.

Telegram, Iran (2017)

Breach size: 15M

In 2017, Iranian hackers were accused of breaking into an ultra-secure instant messaging service by compromising a dozen accounts. The hack exposed 15 million users’ phone numbers to the hackers. This would allow the hackers to add new devices to a user’s account and give those new devices access to chat histories as well as new messages.

Mossack Fonseca, Panama (2016)

Breach size: 11.5M

This Panamanian law firm specializes in setting up anonymous offshore companies. The leak is of 11.5 million encrypted documents like emails, PDF files, photos, and excerpts from an internal database. The main purpose of this collection appears to be hiding the true owners of several of the offshore companies sold by Mossack Fonseca. Given that a lot of the information stored in these files includes evidence of illegal activities, the wish for anonymity is rather obvious.

Turkish citizenship database, Turkey (2016)

Breach size: 49.6M

A database was discovered online containing 49.6 million entries–the entire Turkish citizenship–with names, national IDs, parents’ names, gender, city of birth, date of birth, ID registration city and district, and full addresses.

Philippines’ Commission on Elections, Philippines (2016)

Breach size: 55M

A database containing every registered voter in the Philippines, some 55 million people, was leaked online. The leak came on the heels of a defacement of the Philippines’ Commission on Elections website.

Korea Credit Bureau, South Korea (2014)

Breach size: 20M

A temporary consultant was arrested and charged with stealing bank and credit card data on 20 million users of the credit bureau.

Yahoo Japan, Japan (2013)

Breach size: 22M

22 million user accounts were put at risk when an attempt to access administrative portions of Yahoo Japan’s servers was detected. No personally identifiable information was stolen, according to Yahoo.

Court Ventures, Vietnam (2012)

Breach size: 200M

Court Ventures was in the business of selling off credit information to a Vietnamese identity theft service, resulting in over 200 million records sold over several years. These records included financial data, credit status, social security numbers, and bank information.

Blizzard, China (2012)

Breach size: 14M

Players of Diablo III, Starcraft II and World of Warcraft, some 14 million gamers, were informed of a data breach that put their user accounts on Blizzard.net at risk. Encrypted passwords, the answers to security questions and email addresses of users outside of China were stolen in the breach.

178.com, China (2011)

Breach size: 10M

Hackers stole 10 million user accounts from the Chinese gaming site, along with several other gaming sites in China.

Nexon Korea Corp, South Korea (2011)

Breach size: 13.2M

The records of 13.2 million subscribers of an online game in Korea were stolen through a hack of the site’s servers.

Tianya, China (2011)

Breach size: 28M

28 million clear text passwords and 40 million user accounts showed up on the DarkNet from China’s 12th most popular website at the time.

Auction.co.kr, South Korea (2008)

Breach size: 18M

The records of 18 million members of this South Korean auction site were stolen by a Chinese hacker. The records included user information and a large amount of financial data.

GS Caltex, South Korea (2008)

Breach size: 11.9M

Two compact discs containing this company’s customer list of 11.9 million customers were found on a street in Seoul.

HM Revenue and Customs, United Kingdom (2007)

Breach size: 25M

Computer disks containing confidential information on 25 million recipients of child benefits were lost in the UK. The disks were lost in transit from their headquarters in Newcastle to an insurer’s headquarters in Edinburgh.

T-Mobile, Deutsche Telekom, Germany (2006)

Breach size: 17M

Thieves made off with a storage device containing names, addresses, cell phone numbers, some birth dates, and some email addresses for some high-profile German citizens. Luckily, the stolen device did not contain any financial details like credit cards or bank accounts.

The big unknown

It should be noted that some reported breaches affect an unknown number of customers, so there may be other breaches that have topped the 10 million records mark. Plus, breaches may go undiscovered, entirely or for a period of time.

The new General Data Protection Regulation (GDPR) in the EU includes a requirement that companies report data breaches (that meet certain criteria) within 72 hours. While there is a California state law that pertains to data breach reporting, there is no federal legislation in place requiring mandatory reporting of data breach details. However, not reporting a breach can lead to lawsuits from affected users, so most companies do report when they discover they have been hacked or lose some information.

However, the amount of information reported is left entirely up to the reporting company, even to the point of merely admitting that there was a breach, with no details as to what data or even how much data was at risk of being accessed by unauthorized individuals. According to Privacy Rights Clearinghouse, thousands of companies have opted not to report how much of the data entrusted to them has been leaked or even how many of their customers may be at risk.

Now factor in the knowledge that some of these companies are collecting information without first informing subjects of their data mining that their information is being loaded into a database. Any retail outlet that a person walks into collects information on what they look at, pick up, purchase, and leave their store with. Match that data to facial recognition from the security cameras, as well as the information received from the point-of-sale system, and they have an identity to attach to that data entry.

Just about every retail outlet now has some form of membership that customers are encouraged to voluntarily sign up for with offers of discounts on fuel, points toward in-store savings, customized digital coupons, and other similar incentives. All of these are not, in fact, free. You are selling your personally identifiable information to these companies in exchange for the perks attached to the store’s membership system.

What can you do?

There are some things that you can do to minimize the damage or even prevent your information from getting into the wrong hands. Things like using an online anonymity tool (such as a VPN), installing anti-virus software, using strong passwords, and enabling two-factor authentication can help. In the case of the latter, if the platform you’re trying to secure doesn’t offer two-factor authentication, you may be able to use a third-party two-factor authentication app, such as Duo Mobile or Google Authenticator.

On the more extreme end, there is always the option of contacting any company you have entrusted your information with. You can ask them about what they have in place for not only preventing data breaches but what actions they take when they become aware of a leak.

If you want to check whether your information has been involved in a data breach, a handy tool is the Have I Been Pwned? website.

Have you experienced any side effects, or even direct effects of a data breach? How did you recover? Leave your comments below along with any tips you might have for other readers.

“Data Breach” by Blogtrepreneur, CC BY 2.0