Since the first major online data breaches were reported in 2005 (the biggest of which was 92m through AOL), a whopping 54 billion records have been impacted in breaches affecting 10 million records or more–and counting.
Over the years, hackers have not only invaded systems to steal data and post on the dark web but companies have inadvertently exposed customer data online, sometimes for years at a time.
So how have data breaches developed over the years? How many records have been affected? And what industries have been most impacted?
Check out our interactive dashboards and tables below to find out where the biggest data breaches in the world have occurred.
Breach type definitions: Disc (unintentional disclosure, e.g. leaving a database unsecured), Hack (attacked by an external source or with malware), Insd (theft by an employee, contract, or third-party), Port (loss or theft of a portable device, e.g. laptop), Rans (loss of data via a ransomware attack), and Unknwn (unknown source of data loss).
The top 10 biggest data breaches of all time
- CAM4 — 10.88 billion records affected: In the biggest-ever breach of data, CAM4, an adult website, left an ElasticSearch database unsecured before it was found by security researchers in March 2020. The data was made up of 7TB of data–a total of 10.88 billion records. Names, email addresses, payment logs, IP addresses, sexual preferences, and chat transcripts were all part of the data set. Experts believe around 6.6m US users, 5.4m Brazilian users, 4.9m Italian users, and 4.2m French users were part of the breach. CAM4 said there was no indication bad actors had accessed the database before it was taken down.
- Cognyte — 5 billion records affected: In May 2021, Bob Diachenko, who leads Comparitech’s security research team, discovered an exposed database that was accessible to all users without any form of authentication. Ironically, the database was stored by cybersecurity analytics firm, Cognyte. It formed part of its cyber intelligence service, which would alert users if their data was part of third-party data exposure. Included within the 5bn records were names, passwords, email addresses, and the original source of the leak.
- Yahoo — 3 billion records affected: In August 2013, hackers attacked Yahoo and compromised user accounts. In its initial acknowledgment of the breach, which was only in December 2016, Yahoo said 1bn user accounts had been affected. But in 2017, it updated this to say it believed all 3bn of its users’ accounts had been impacted. These updated figures make it the largest breach in US history.
- Dropbox, LinkedIn et. al. — 2.2 billion records affected: More than 2.2bn records were stolen from across a number of large websites, including Dropbox and LinkedIn. Hackers dumped the stolen records on the dark web in 2019 in an attempt to sell them. Dubbed “Collection #1”, it appeared the data had been collected over a number of years and included usernames and passwords.
- Verifications.io — 2.07 billion records affected: Another unsecured database was discovered by Bob Diachenko in February 2019. It contained 808.5m records which, as well as email addresses, also included personally identifiable information. Upon further analysis, researchers suggested as many as 2.07 billion records had been exposed in total. The database was traced back to verifications.io, an email marketing company.
- Comcast — 1.5 billion records affected: A total of 1,507,301,521 records, including Comcast email addresses, client IPs, and hashed passwords were found in a non-password protected database. It was discovered by security researchers in December 2020. It wasn’t the first Comcast data breach, either. A data incident in 2018 saw 26.5m Comcast Xfinity users’ social security numbers and home addresses being exposed. And, in 2014, an employee mistakenly gave two unauthorized people access to a tool that led to the theft of 24.5m records that contained personally identifiable information (PII).
- River City Media — 1.34 billion records affected: An improperly configured backup led to the exposure of 1.34 billion email addresses in 2017. Some records also contained IP addresses, physical addresses, and names, while River City Media’s sensitive business information, e.g. accounts and Hipchat logs, were also available for everyone to see. There was some good to come from the leak, however, as it exposed River City Media’s illicit IP hijacking techniques that had allowed them to create spam campaigns.
- People Data Labs (PDL) and OxyData.Io (OXY) — 1.2 billion records affected: Another discovery by Bob Diachenko found a huge collection of profiles available on an unsecured Elasticsearch server. The data was traced back to PLD and OXY but both companies denied the database belonged to them–heightening data privacy concerns. It is suggested that the database was leaked by a third party who had purchased the lists (which contained names, phone numbers, email addresses, social profiles, and more) from the companies.
- Aadhaar — 1.1 billion records affected: In 2018, the Indian government’s ID database, Aadhaar, was impacted by a number of breaches which left the 1.1bn citizens registered on the database vulnerable to exploitation. Reports stated that in January 2018, criminals were granting access to the database for 10 minutes at a cost of Rs500 (around $8 at the time).
- Taobao (Alibaba) — 1.1 billion records affected: Joint with the Aaadhaar breach is the hack of Alibaba’s shopping website, Taobao. For eight months (from November 2019), web-crawling software was used by a developer to gather customers’ information, including mobile numbers and user IDs.
To collate this list of the biggest data breaches, we’ve searched through industry news and company announcements from across the globe. We’ve logged any breaches impacting over 10 million records from 2005 to present.
Some of the users impacted by these data breaches may have been located in other countries but we have used the companies’ headquarters as the location for the maps and data. These locations are just for illustrative purposes, however, and may not be the precise location.
Equally, the number of “records” doesn’t necessarily indicate the number of people impacted by the breach. Records often include a multitude of things, e.g. email addresses, documents, bank account details, social security numbers, and so on. Therefore, one user may have a number of records included–or, the record may be a business-related document that doesn’t disclose user data but private data for the business.
To create a location-based map, we have used the headquarters of the company. These locations are for illustrative purposes only. The attacks on “Dropbox, et. al.” and “Evite, et. al.” haven’t been included in the map due to there being multiple locations involved.
The date of the breach is often the date it has been reported/discovered.
Data researcher: George Moody
For a full list of sources, please request access here.