The 70 Largest Data Breaches in History: Impact, Details, and Lessons Learned
This comprehensive list chronicles the 70 biggest data breach incidents ever recorded, detailing dates, affected records, compromised data types, and the security failures that exposed personal information for companies ranging from social networks to financial institutions.
Top 70 Historical Data Breaches – Technical Overview
This summary lists the most significant data‑breach incidents by impact, focusing on the exposed data types, underlying technical failures, and dates of discovery.
CAM4 (Mar 2020) – 108.8 billion records exposed via an unsecured Elasticsearch server. Leaked fields: full name, email, sexual orientation, chat logs, email communications, passwords, IP address, payment details.
Yahoo (Oct 2017) – 3 billion accounts compromised. Attack traced to a 2013 breach; exposed usernames, passwords, security questions/answers. Disclosure occurred during Yahoo’s sale to Verizon.
Aadhaar (Mar 2018) – 1.1 billion Indian citizens’ data sold online. Leak originated from a state‑run utility’s system; exposed name, 12‑digit UID, bank details, photos, fingerprints, retina scans.
Alibaba (Jul 2022) – 1.1 billion users’ data leaked from a cloud‑hosted database (≈23 TB). Exposed fields: name, ID number, phone, residential address, online files.
First American Financial (May 2019) – 885 million records accessed due to a misconfigured website that allowed unauthenticated URL enumeration. Leaked bank account records, SSNs, wire‑transfer data, mortgage documents.
Verifications.io (Feb 2019) – 763 million records from an unsecured MongoDB. Exposed email, name, phone, IP, birth date, gender.
LinkedIn (Jun 2021) – 730 million user profiles sold on dark‑web forums. Data included email, name, phone, location, profile URL, employment history, gender. Breach resulted from API scraping after a prior 2012 incident.
Facebook (Apr 2019) – 533 million user records from two third‑party apps made public. Data comprised comments, likes, reactions, account names, FB IDs.
Yahoo (2014) – 500 million accounts breached by a state‑backed actor. Exposed name, email, phone, password, birth date, security questions/answers (some in plaintext).
Starwood (Nov 2018) – 500 million hotel guests’ data accessed after attackers remained in the network since 2014. Leaked name, contact info, passport numbers, loyalty‑program details; credit‑card data possibly compromised.
AdultFriendFinder (Oct 2016) – 412 million accounts from a 20‑year dump of six databases. Mostly SHA‑1 hashed passwords; many cracked after release.
MySpace (Jun 2013) – 360 million accounts breached by Russian hackers. Exposed name, username, birth date.
Exactis (Jun 2018) – 340 million records from a publicly accessible server. Data included phone numbers, family and email addresses, interests, children’s demographics.
Twitter (May 2018) – 330 million users’ passwords exposed due to internal log failure; forced password reset.
NetEase (Oct 2015) – 234 million users; email addresses and plaintext passwords leaked.
Socialarks (Jan 2021) – 200 million records from an unsecured Elasticsearch cluster. Leaked name, phone, email, profile description, follower data, location, LinkedIn URLs, social‑media login names.
Deep Root Analytics (Jun 2017) – 200 million U.S. voter records (≈1.1 TB) accessed; included name, address, birth date and Reddit‑based voter analysis.
Court Ventures (Oct 2013) – 200 million personal records (including credit‑card numbers) from Experian subsidiary breach; attackers used social engineering to gain internal access.
LinkedIn (Jun 2012) – 165 million accounts; initial breach disclosed 6.5 million passwords, later revealed 117 million passwords.
Dubsmash (Dec 2018) – 162 million users; email, username, PBKDF2‑hashed passwords leaked and later sold.
Adobe (Oct 2013) – 152 million accounts; internal IDs, usernames, emails, encrypted and plaintext passwords, password hints exposed.
MyFitnessPal (Feb 2018) – 150 million users; email, IP, SHA‑1 and bcrypt‑hashed passwords posted on “Have I Been Pwned.”
Equifax (Sep 2017) – 148 million Americans; name, address, phone, birth date, SSN, driver’s license, some credit‑card data stolen.
eBay (Feb/Mar 2014) – 145 million users; encrypted passwords, name, email, address, phone, birth date exposed.
Canva (May 2019) – 137 million users; email, name, username, city, bcrypt‑hashed passwords leaked.
Heartland Payment Systems (Mar 2008) – 134 million credit‑card numbers via SQL‑injection; resulted in $145 million settlements.
Apollo (Jul 2018) – 126 million users; email, name, workplace, role, location exposed; data posted to “Have I Been Pwned.”
Badoo (Jul 2013) – 112 million users; email, name, birth date, password leaked.
Capital One (Jul 2013) – 106 million credit‑card numbers, SSNs, bank account numbers accessed.
Evite (Aug 2013) – 101 million users; email, phone, name, location, birth date, gender, plaintext passwords.
Quora (Dec 2018) – 100 million users; name, email, encrypted passwords, public Q&A content leaked.
VK (Jan 2012) – 93 million users; name, phone, email, plaintext passwords exposed.
MyHeritage (Jun 2018) – 92 million users; email, bcrypt‑hashed passwords leaked; no evidence of misuse.
Youku (Dec 2016) – 92 million users; MD5‑hashed passwords and usernames exposed.
Rambler (Mar 2014) – 91 million users; usernames and plaintext passwords leaked.
Facebook (Early 2018) – 87 million users; data used by Cambridge Analytica for political profiling.
Dailymotion (Oct 2016) – 85 million users; email, username, password exposed.
Anthem (Feb 2015) – 78.8 million individuals; name, address, birth date, employment history, SSN stolen via phishing.
Dropbox (Mid‑2012) – 69 million users; email and passwords leaked.
Tumblr (Feb 2013) – 66 million users; email and SHA‑1 passwords exposed.
Uber (Late 2016) – 57 million users and 600 k drivers; name, email, phone, driver’s‑license numbers, AWS certificate accessed after two hackers obtained internal GitHub credentials.
Home Depot (Sep 2014) – 56 million credit‑card records stolen by POS‑malware.
TJX (Jul 2005‑2007) – 45.6 million card numbers compromised via POS breach.
Ashley Madison (Jul 2015) – 32 million users; full name, location, email, payment history leaked.
Plex (Aug 2022) – 20 million users; usernames, email addresses, encrypted passwords exposed.
Bonobos (Jan 2021) – 12.3 million records; shipping addresses, account info, partial credit‑card data accessed from a compromised backup server.
MGM Grand (Feb 2020) – 10.6 million guests; contact information of high‑profile guests leaked; no financial data disclosed.
Optus (Sep 2022) – 9.8 million customers; name, birth date, phone, email, street address, driver’s license, passport obtained via an unauthenticated API.
Medibank (Nov 2022) – 9.7 million records; name, birth date, passport number, medical‑claim information stolen via privileged credential abuse.
EasyJet (May 2020) – 9 million customers; travel details, email, 2,208 full credit‑card records exposed, leading to GDPR fines.
123RF (Nov 2020) – 8.3 million records; phone, address, email, IP, MD5‑hashed passwords leaked.
Twitch (Oct 2021) – 7 million users; source code, creator payment reports, game‑engine assets, internal red‑team tools exposed. No credit‑card data confirmed.
Marriott (Mar 2020) – 5.2 million guests; email, phone, company, gender, birth date, stay preferences, loyalty‑program numbers accessed; passwords and payment data not compromised.
Neiman Marcus (Sep 2021) – 4.8 million customers; usernames, passwords, security questions, mostly expired financial info leaked.
MeetMindful (Jan 2021) – 2.28 million users; IP, real name, email, city/state/ZIP, Facebook ID, auth tokens, dating preferences, marital status, birth date, bcrypt‑hashed passwords exposed.
Pixlr (Jan 2021) – 1.9 million users; username, email, country, password leaked.
Tackle/Running/Skate/Warehouse (Oct 2021) – 1.8 million customers; name, credit‑card numbers with CVV, debit‑card numbers, website passwords compromised.
Harbour Plaza Hotel (Feb 2022) – 1.2 million guests; personal reservation data accessed; encryption status of credit‑card data unclear.
Graff (Nov 2021) – 1.1 million records; name, address, invoices, receipts, credit records of high‑profile clients stolen; ransomware demanded £10 million.
Los Angeles Unified School District (Sep 2022) – 1,000 schools, 600 k students, 500 GB data; personal info, emails, system logs, passports, SSNs, employee credentials, tax forms, contracts, financial reports, health records, VPN certificates leaked after ransomware attack.
Zoom (Apr 2020) – 500 k users; credentials from 2013‑2020 harvested and posted on dark web, enabling unauthorized meeting access.
Slickwraps (Feb 2020) – 370 k users; unsecured server exposed customer data (name, email, phone, etc.).
Magellan Health (Apr 2020) – 365 k patients; ransomware attack exposed SSNs, W‑2s, employee IDs after phishing and malware infiltration.
Nintendo (Apr 2020) – 300 k accounts; passwords, name, birth date, email, country exposed; weak passwords were primary cause.
Mailfire (Sep 2020) – 100 k users; name, age, birth date, gender, location, IP, profile images, bios from 70+ adult sites leaked via insecure Elasticsearch server.
Antheus Tecnologia (Mar 2020) – 76 k fingerprint records plus 81.5 million emails, phone numbers, admin credentials exposed after server breach.
SolarWinds (Mar 2020) – 18 k enterprises (including six U.S. government agencies) compromised via supply‑chain attack on Orion platform; DLL compromised, leading to broad espionage.
Pegasus Airlines (Mar 2022) – 23 TB of data (2.3 million files) exposed due to misconfigured AWS bucket; included flight, crew, passenger information, plaintext passwords and keys.
COMELEC Philippines (Jan 2022) – 60 GB of voter data; usernames and PINs for voting machines stolen, potentially enabling election manipulation.
MailChimp (Apr 2022) – 100 customers; social‑engineering breach gave attackers internal tools, leading to phishing campaign targeting Trezor wallet users and exposure of up to 106 k email accounts.
These incidents illustrate recurring technical failures such as unsecured databases (Elasticsearch, MongoDB), misconfigured cloud storage (AWS S3), inadequate password hashing, SQL injection, supply‑chain compromises, and insufficient patch management. Stronger authentication, encryption, network segmentation, and regular security audits are critical mitigations.
