The 10 biggest data breaches in history and how to prevent them


Data breaches happen for many reasons, as illustrated in this list of the largest data breaches in history. From an outdated, vulnerable network to an employee clicking on a phishing email, data breaches can damage a business and its reputation.

There are a number of lessons to be learned from looking at past data breaches. In fact, some of the most damaging breaches listed here could have been prevented if organizations had followed simple cybersecurity hygiene best practices.

Learn about the top data breaches based on the number of records compromised and get advice on how to prevent a similar breach at your organization.


1. Yahoo

Records compromised: 3 billion

Date of breach: August 2013

Disclosure date: December 2016

Yahoo originally announced in 2016 that its 2013 breach affected just 1 billion accounts. After Verizon acquired Yahoo in 2017, it was revealed that it was actually 3 billion. The breach affected Yahoo email accounts and other business services, including Tumblr, Flickr, Yahoo Fantasy Sports and Yahoo Finance.

Malicious hackers obtained usernames, dates of birth, phone numbers and passwords, as well as security questions and email addresses used to reset passwords. No financial information — such as credit card numbers or bank account details — was disclosed. Yahoo announced in its first disclosure that it had enforced password resets on all accounts changed since 2013 and invalidated old security questions and accounts. So far, the cause of the breach has not been disclosed.

To prevent this type of attack:

  • Conduct continuous security monitoring and testing.
  • Conduct regular vulnerability and penetration testing so security teams can close gaps before cybercriminals can exploit them.

2. Aadhaar

Records compromised: 1.1 billion

Date of breach: Unknown

Disclosure date: January 2018

The records of 1.1 billion Indian citizens were exposed after an attack on Aadhaar, the country’s government ID database. While citizens are not required to register with the database, those who wish to access specific government resources or assistance are required to do so.

The Tribune reported the breach after its reporters paid someone over WhatsApp 500 Indian rupees. The seller offered reporters, for an additional Rs 300 (approx. US$5 in 2018), software to print unique ID cards.

The seller was said to be part of a group that had gained access to the database through former Aadhaar employees, according to The Tribune. ZDNet later reported that the leak was on a state utility’s system, which had access to the database via an unsecured API used to verify customers’ identities.

To prevent this type of attack:

3. First American Financial

Records compromised: 885 million

Date of breach: Unknown

Disclosure date: May 2019

In May 2019, security researcher Brian Krebs reported that 885 million First American Financial files were leaked on the insurance company’s website. The 2003 records included bank account information, Social Security numbers, mortgage records, tax documents and photocopies of driver’s licenses. The website did not require a password to access the files.

First American said it “learned about a design flaw in an application that allowed unauthorized access to customer data.” The design flaw, known as Insecure Direct Object Reference (IDOR), is an access control vulnerability in which a link is created for a specific viewer, but the viewer’s identity is not verified before access is allowed.

How to prevent such an attack:
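
The IDOR flaw described above, shown as a document lookup with and without the missing ownership check, plus a regression check that lists every cross-user read a handler allows. This is an added example, not First American's code; the document store, user names and function names are hypothetical.

```python
# Constructed sample records; ids, owners and contents are invented.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "alice: mortgage record"},
    1002: {"owner": "bob", "body": "bob: tax document"},
    1003: {"owner": "bob", "body": "bob: driver's license scan"},
}


class NotFound(Exception):
    """Raised for missing ids and for ids the caller may not read."""


def get_document_vulnerable(session_user, doc_id):
    # IDOR: only the id from the link is consulted. session_user is ignored,
    # so any visitor (even an unauthenticated one) can read any record.
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc["body"]


def get_document_checked(session_user, doc_id):
    # Access is decided server-side from the authenticated session.
    doc = DOCUMENTS.get(doc_id)
    if session_user is None or doc is None or doc["owner"] != session_user:
        # Same error for "missing" and "not yours", so responses do not
        # reveal which ids exist.
        raise NotFound(doc_id)
    return doc["body"]


def cross_user_reads(handler, users=("alice", "bob", None)):
    """Regression check: every (user, doc_id) read that succeeded although
    the user does not own the document. None is an anonymous visitor."""
    leaks = []
    for user in users:
        for doc_id, doc in DOCUMENTS.items():
            if doc["owner"] != user:
                try:
                    handler(user, doc_id)
                    leaks.append((user, doc_id))
                except NotFound:
                    pass
    return leaks


if __name__ == "__main__":
    print("vulnerable handler leaks:", cross_user_reads(get_document_vulnerable))
    print("checked handler leaks:   ", cross_user_reads(get_document_checked))
```

Running `cross_user_reads` against every object-returning endpoint in a test suite catches a missing ownership check before it ships.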

4. Onliner Spambot

Records compromised: 711 million

Date of breach: Unknown

Disclosure date: August 2017

In 2017, security researcher Troy Hunt reported that Benkow, a Paris-based security researcher, discovered an exposed spam server called Onliner. Benkow gave Hunt the spambot’s list of 711 million exposed records containing email addresses and passwords.

Onliner propagated via a data-stealing Trojan horse for at least a year before it was discovered.

How to prevent such an attack:


5. Facebook

Records compromised: 533 million

Date of breach: Unknown

Disclosure date: April 2021

A 2021 Facebook data breach was reported after a leaked database containing the sensitive data of 533 million users was published on a hacking forum site. Facebook said malicious actors obtained its users’ phone numbers, names, locations and email addresses by scraping, not hacking, its systems. Scraping is a process that allows users and bots to retrieve data from publicly-facing websites.

Facebook said it believes the threat actors scraped the data with a feature designed to help users make friends by connecting their account to their contact lists. The company changed the feature in September 2019 to prevent future scraping after discovering it was being used maliciously.

How to prevent such an attack:

Data breaches affect every industry, from hospitality to technology to finance.


6. Yahoo

Records compromised: 500 million

Date of breach: November/December 2014

Disclosure date: September 2016

Yahoo has the unique distinction of not only topping our list of top data breaches, but also making the list for two separate events.

Yahoo announced in 2016 that 500 million of its accounts were compromised in a 2014 state-sponsored attack. According to Yahoo, the stolen information could have included names, email addresses, dates of birth, phone numbers and hashed passwords. In 2018, Karim Baratov was sentenced to five years in prison for the breach after being found guilty of helping Russian intelligence officials access the accounts of “persons of interest”.

After an internal investigation, Yahoo traced the attack to a spear phishing email.

How to prevent such an attack:

7. FriendFinder Networks

Records compromised: 412 million

Date of breach: Unknown

Disclosure date: November 2016

A 2016 breach exposed 412 million user accounts of adult dating and entertainment company FriendFinder Networks. The leak included 20 years of usernames, email addresses, passwords and other sensitive information, as well as 15 million deleted accounts still in its systems.

Researchers found source code from the company’s production environment and leaked public and private key pairs online. The company confirmed to ZDNet that it fixed an injection vulnerability that allowed access to the source code.

How to prevent such an attack:

8. Marriott International

Records compromised: 383 million

Date of breach: 2014

Disclosure date: November 2018

Hotel provider Marriott International announced in 2018 that attackers had accessed its Starwood guest database four years earlier. The records disclosed included guests’ names, phone numbers, passport details, postal and email addresses, arrival and departure information, and in some cases encrypted credit card numbers.

The breach was discovered after an alert from its internal security systems. Attackers had infiltrated the database and encrypted and exfiltrated sensitive data. Marriott originally believed the breach exposed the information of 500 million guests, but after further internal investigation, the company announced the breach affected approximately 383 million guests. However, the cause of the breach is still unknown. Marriott acquired Starwood in 2016 but hadn’t migrated it to Marriott’s systems until 2018; the Starwood database continued to use the old IT infrastructure.

How to prevent such an attack:

9. Twitter

Number of records: 330 million

Date of breach: Unknown

Disclosure date: May 2018

Twitter recommended that its more than 330 million users change their passwords after a bug in 2018 caused some passwords to be stored in plain text in an internal log system. The company said it discovered the bug itself and has since removed the unhashed passwords and taken action to prevent future occurrences.

It remains unclear how long the passwords were exposed and how many users were affected. The social network said it had no evidence the passwords were maliciously obtained.

How to prevent such an attack:
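
One way to keep credentials out of application logs, and to find stored log lines that already contain them, using Python's standard `logging` module. This is an added example, not Twitter's code; the list of secret key names, the logger name and the sample log lines are constructed assumptions.

```python
import logging
import re
import sys

# Key names treated as secret are an assumption; extend the list per application.
_SECRET = re.compile(
    r"""(?i)\b(\w*(?:password|passwd|secret|token)\w*)"""  # key
    r"""(["']?\s*[=:]\s*)"""                               # separator
    r"""("[^"]*"|'[^']*'|[^\s,&}]+)"""                     # value
)
MASK = "[REDACTED]"


def redact(text):
    """Mask the value of every secret-looking key=value or "key": "value" pair."""
    return _SECRET.sub(lambda m: m.group(1) + m.group(2) + MASK, text)


class RedactSecrets(logging.Filter):
    """Attach to each handler so records are scrubbed before they are written."""

    def filter(self, record):
        record.msg, record.args = redact(record.getMessage()), None
        return True


def lines_with_plaintext_secrets(lines):
    """Audit stored logs: 1-based numbers of lines that still hold a secret value."""
    return [
        n for n, line in enumerate(lines, 1)
        if any(m.group(3) != MASK for m in _SECRET.finditer(line))
    ]


if __name__ == "__main__":
    handler = logging.StreamHandler(sys.stdout)
    handler.addFilter(RedactSecrets())
    log = logging.getLogger("signup-demo")
    log.addHandler(handler)
    log.setLevel(logging.INFO)
    # Constructed request data, logged before the password has been hashed.
    log.info("signup user=%s password=%s", "alice", "hunter2")
    log.info('body={"user": "bob", "password": "p@ss word"}')
    # Constructed stored log: line 2 predates the filter and should be purged.
    stored = ["login ok user=alice",
              "reset user=bob new_password=Tr0ub4dor",
              "password=[REDACTED]"]
    print(lines_with_plaintext_secrets(stored))
```

Pattern-based redaction is a safety net; the primary control is to avoid passing raw request bodies or credential fields to the logger at all.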


10. Microsoft

Records compromised: 250 million

Date of breach: December 2019

Disclosure date: January 2020

Microsoft announced in 2020 that 250 million customer service and support records spanning a 14-year period were leaked online. The company said personal data was removed from the records prior to storage, but some email and IP addresses were disclosed in clear text. Microsoft said it found no evidence of malicious use of the records, which were exposed for just under a month.

Microsoft attributed the breach to the misconfiguration of the security rules of an internal database.

How to prevent such an attack:

