Conducting business online is now the norm, meaning businesses collect and store customer data in digital form. But the added convenience for both business and customer comes with an increased risk of data breaches. It's a danger that faces businesses large and small, but the fact is, the larger the set of data records, the more of a treasure trove it presents to cybercriminals.
Some of the world's most successful companies have been victims of data breaches, with millions of customer records exposed. We'll take a look at some of the biggest data breaches of all time and, as prevention is better than cure, we'll also look at how to prevent data breaches in the first place.
A data breach is any type of cyber attack that results in private or sensitive information being accessed without permission. The information doesn't necessarily have to be “stolen” or removed from a company's network for it to be considered a breach. The moment a non-authorized person gains access to a network, the breach has taken place.
The breach can end up costing a company millions of dollars, its ability to operate, and its reputation. Some of the biggest data breaches of all time have impacted millions of customers.
Some data breaches are intended to humiliate or punish an organization, as in the Twitch data breach of 2021, or are carried out for espionage, but most are for the hackers' financial gain. Often, the stolen data is sold on the dark web for massive sums of money.
A study by the University of Maryland found that a cyberattack happens every 39 seconds, and stats show that instances of data breaches in the U.S. have been increasing dramatically over the last ten years.
Image Source: Statista
Let's take a look at the biggest data breaches of all time, in terms of how many records were affected, their impact, and any consequences.
Yahoo, 3 billion records
In 2016, Yahoo revealed that an attack three years earlier, in August 2013, had compromised one billion user accounts. But a year later, Yahoo's investigation into the data breach provided new intelligence showing that, in fact, all 3 BILLION Yahoo user accounts had been affected.
The details exposed in the breach included sensitive user information such as names, telephone numbers, dates of birth, security questions, and backup email addresses. Although the company said that no passwords were exposed in plain text, experts claimed the information was protected with outdated and easy-to-crack encryption.
The revelations came at a time when Yahoo was in the process of being acquired by Verizon, which lowered its original offer by $350 million. Ouch.
Alibaba / Shanghai Police, 1 billion records
Alibaba, China's biggest cloud-service provider, is in the hot seat, blamed for what has been classed as China's worst-ever cybersecurity and personal data breach.
On June 30th, 2020, a hacker by the name of “China Dan” posted on a hacker forum claiming they had for sale 23 TB of data stolen from the Shanghai National Police (SHGA).
The data included sensitive personal information including names, addresses, national ID numbers, any criminal records, contact details, and much more for one billion Chinese residents. The asking price was 10 bitcoin (around U.S.$200,000).
The hacker just happened to mention that the details were hosted on Aliyun (Alibaba Cloud).
Although there have been no official statements from either the Chinese authorities or Alibaba about the data breach, cybersecurity researchers found that the data was accessible via a dashboard that had been left without a password.
It is estimated that the data was publicly available for at least 14 months before “China Dan” announced its sale.
To put the scale of this data breach into context: China is home to 1.4 billion people, meaning the breach could potentially affect more than 70% of the population.
First American Financial Corporation, 885 million records
This data breach is a little different from the others as there is no attack involved, at least no known attack. Instead, the breach was brought to light by a real estate developer who realized that millions of records were exposed on the First American website.
The developer contacted security expert and researcher Brian Krebs in May 2019, when attempts to contact the insurance giant failed.
What they discovered were scans of original documents, including property buyer and seller forms, bank account numbers, bank statements, mortgage records, tax documents, wire transfer receipts, Social Security numbers, and driver's license photos dating as far back as 2003, all available to view without any authentication.
The data breach was due to a website design error called Insecure Direct Object Reference (IDOR), which left files stored on the company's website wide open, making it a treasure trove of data for bad actors.
Although there was no evidence that a malicious third party gained access to files by mass-harvesting, in his report, Krebs suggested it would have been very easy even for novice hackers to conduct low-and-slow or distributed indexing undetected.
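The flaw described above, as an added example that is not from First American or the original article: a lookup keyed only on a sequential ID, beside a version that checks ownership on every request, plus a check that flags a client probing many IDs it is not entitled to. The document store, function names, addresses and request log are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample store: sequential IDs, like guessable document links.
DOCUMENTS = {
    1000: {"owner": "alice", "body": "wire transfer receipt (sample)"},
    1001: {"owner": "bob", "body": "mortgage record (sample)"},
    1002: {"owner": "carol", "body": "tax document (sample)"},
}

class AccessDenied(Exception):
    """Raised for missing and unauthorized documents alike."""

def get_document_insecure(doc_id):
    """IDOR: the ID in the request is the only thing selecting the record."""
    return DOCUMENTS[doc_id]["body"]

def get_document(session_user, doc_id):
    """Hardened: authenticated user required, ownership checked per object."""
    doc = DOCUMENTS.get(doc_id)
    # One error for "missing" and "not yours", so replies don't confirm valid IDs.
    if session_user is None or doc is None or doc["owner"] != session_user:
        raise AccessDenied(doc_id)
    return doc["body"]

def replay(requests):
    """Run (client, user, doc_id) requests through get_document; log outcomes."""
    log = []
    for client, user, doc_id in requests:
        try:
            get_document(user, doc_id)
            log.append((client, doc_id, True))
        except AccessDenied:
            log.append((client, doc_id, False))
    return log

def flag_enumeration(access_log, max_denied=3):
    """Clients denied on more than max_denied distinct IDs. Counting distinct
    IDs rather than request rate also catches slow, spread-out probing."""
    denied = defaultdict(set)
    for client, doc_id, allowed in access_log:
        if not allowed:
            denied[client].add(doc_id)
    return sorted(c for c, ids in denied.items() if len(ids) > max_denied)

# Constructed requests: alice reads her own file; one client walks IDs 998-1002.
SAMPLE_REQUESTS = [("192.0.2.5", "alice", 1000)] + [
    ("192.0.2.9", "bob", doc_id) for doc_id in range(998, 1003)]
print(flag_enumeration(replay(SAMPLE_REQUESTS)))
```

Keying the counter on the authenticated account as well as the client address helps when the probing is spread across many addresses.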
Despite the huge number of data records exposed and the sensitive nature of the information, the company, then worth $7.5+ billion, was fined a mere $487,616 by the New York State Department of Financial Services.
Numbers like this should make any company want to learn how to prevent data breaches from ever happening. We'll get to that a little later.
Indian Council of Medical Research, 815 million records
Resecurity, an American cybersecurity firm, revealed a massive data breach at the Indian Council of Medical Research (ICMR). They discovered a threat actor, identified as 'pwn0001', claiming to have access to the medical records of 815 million Indians.
The cybersecurity firm checked the sample dataset shared by the hacker and found it to be legitimate and to contain sensitive information, including Aadhaar numbers and data of children as young as 10 years old.
The Aadhaar is a biometric ID card with a 12-digit number that is used for proof of identification and address, and can function as digital ID for online payments. It also contains passport information, phone numbers, and of course, the biometric data of an iris scan, fingerprint, and photo.
That's a lot of information to be exposed!
The hacker claimed to have extracted the details from the Covid-19 test details of citizens registered with ICMR and was selling the details on the dark web for $80,000.
To date, it is the biggest data breach to hit the country, which has an estimated population of 1.43 billion people.
LinkedIn, 700 million records
In June 2021, the data of more than 90% of LinkedIn's user base was affected when a hacker hit the professional networking giant. The hacker, going by the moniker “God User”, posted on RaidForums, a notorious hacking forum, selling data for 700 million LinkedIn users.
LinkedIn responded to the news of the data breach with a statement that said,
“Our teams have investigated a set of alleged LinkedIn data that has been posted for sale. We want to be clear that this is not a data breach and no private LinkedIn member data was exposed.”
Yet when Restore Privacy analyzed the data sample of 1 million users posted by the hacker, they found that the data was authentic and included information such as:
If that's not what you consider to be private data, LinkedIn, then what is?
LinkedIn tried to play the incident down, claiming that the data was an extension of an earlier data breach that had taken place just months before in April 2021, but with 200 million more records available.
Researchers believe that with so much new data scraped, this is much more than a rehash of the previous records, and is, in fact, an entirely new data breach.
Twitter, 5.4 million records
A bug reported in January 2022 via Twitter's bounty program on HackerOne was used to link email addresses and phone numbers to Twitter users' accounts. The bug was reportedly fixed in mid-January but had been an issue for seven months prior, due to a code update, leaving a window of opportunity for a bad actor to do their thing.
Which they did. In July 2022, that bad actor, known as “devil”, posted the data set for sale on another infamous hacker forum, Breached Forums, with an asking price of $30,000.
The data included verified phone numbers and email addresses, as well as scraped public information, such as follower counts, screen and login name, user location, and profile picture.
Twitter has since begun the painful process of notifying affected users but has said in a statement that it was impossible to confirm all of the accounts compromised.
The Twitter data breach was especially concerning for users with pseudonymous accounts since with the data leaked, they could be potentially tracked down by the state or other actors.
With the current state of Twitter, another data breach could be on the cards. If you'd rather avoid being caught up in it, here's how to delete your Twitter account.
Sina Weibo, 538 million records
Sina Weibo, China's answer to Twitter, experienced an epic data breach when an attacker gained access to data for almost all of its users. As one of the largest social media platforms in China, Weibo boasts over 600 million users, and in March 2020, 538 million of them were compromised.
The data set, which included real names, site usernames, gender, location, and phone numbers, was reportedly for sale on the dark web for just $250. The low price tag suggests that no passwords were affected.
However, there has been a lot of speculation about how the data breach occurred and exactly what data was included, with differing statements in Chinese media and on Weibo's own website. But no matter how the hacker came to be in possession of the data, the samples posted by the hacker have been confirmed as accurate.
Weibo was ordered by China's Ministry of Industry and Information Technology (MIIT) to enhance its data security measures and to notify users and authorities when data security incidents occur.
Facebook, 533 million records
In April 2021, data for 533,000,000 users from 106 countries was posted for sale on a low-level hacking forum. The leaked information resulted from data scraping that had taken place in 2019 when hackers had taken advantage of a vulnerability in Facebook's contact importer, a feature since removed.
Although that security gap was patched at the time, it seems that it was too little too late. The leaked data included user locations, full names, date of birth, biographical information, phone numbers, and in some cases email addresses.
Surprisingly (or maybe not so), Facebook decided not to notify the users affected by the data breach and instead planned to play it off as an industry problem and common occurrence. This response was discovered in an internal email accidentally sent to Belgium-based Data News.
Facebook blunders galore!
A spokesperson for the social media platform later said that they had taken the decision not to notify users as they couldn't be sure who was affected. Plus, the information was publicly available and didn't include passwords, financial information, or health information.
However, data experts claim that the data exposed still poses a serious risk of social-engineering attacks or hacking attempts. As Adam Levin, a cybersecurity expert, stated, “Scammers can do an enormous amount with little information from us.”
Marriott, 5.2 million records
Marriott seems to have been very keen to get on the list of the biggest data breaches of all time with not just one, but three data breaches that could have earned it its place.
At the end of February 2020, the hotel chain Marriott discovered its second data breach in just two years, impacting 5.2 million guests. The breach occurred after hackers had obtained the login details of two Marriott employees, gaining access to guest details.
Although the hotel chain claims that no payment data or ID details such as passport numbers or driver's license details were stolen, it did warn that other significant data was taken in the breach, including names, addresses, phone numbers, loyalty member data, dates of birth, and airline loyalty numbers.
This isn't Marriott's first data breach rodeo either.
In November 2018, Marriott's subsidiary hotel, Starwood, was hit by hackers compromising 500 million records, which did include details such as passport numbers.
It doesn't stop there. Marriott suffered yet another data breach in July 2022. This time hackers “only” made off with 20GB of data but it did include credit card info and confidential internal company documents.
The Marriott staff really should read the section on how to prevent a data breach!
Adult FriendFinder Networks, 412.2 million records
Back in 2016, the attack on the Adult FriendFinder Networks was the biggest data breach of all time. And because of the nature of the sites involved, one of the most sensitive. If you're not familiar, FriendFinder Network (FFN) is an adult dating/entertainment website that markets itself as the “world's largest sex and swinger community.”
The data breach affected a total of 412,214,295 user accounts across the FFN which included affiliate sites such as Cams.com, iCams.com, and Stripshow.com. It also included data from Penthouse, which FFN no longer owned by the time of the breach.
The attack breached six databases leaking 20 years' worth of data including:
Just like Marriott, FFN was not new to data breaches.
This attack, which took place sometime in October 2016 and was discovered a month later, was the second major attack on the FFN in as many years. The first took place in May 2015, exposing 3.5 million accounts and sensitive data such as sexual preferences and whether a user was looking for an extramarital affair.
How to prevent a data breach?
We've covered the biggest data breaches of all time, so now, let's look at how to avoid your company becoming a data breach statistic. By learning how to prevent data breaches, you can save your company and your customers a whole world of trouble.
Here are our top five tips on how to prevent a data breach:
But what if the worst has already happened? What if your company is in the running for the next edition of the “biggest data breaches of all time”? What if it's too late to learn how to prevent a data breach?
If your company has been subjected to a data breach or you want to be prepared for it if/when it happens, then check out our Hoody article: What Should A Company Do After A Data Breach
Ruby is a full-time writer covering everything from tech innovations to SaaS, Web 3, and blockchain technology. She is now turning her virtual pen to the world of data privacy and online anonymity.