11 Of The Worst Data Breaches In The History Of The Internet

If you thought the startling number of yearly data breaches would spur tech companies to improve security, then buckle up, because the trend is only getting worse. Almost every year, we see an increased number of data breaches, sometimes even double the previous year. According to Statista, 2024 saw a slight decrease in the number of data compromises, yet the number of individuals impacted skyrocketed. So if you're making some of the worst cybersecurity mistakes right now — like reusing the same simple password — then consider this article a friendly warning. Today, we're taking a look at the worst data breaches in the history of the internet.

There are different types of cyberattacks to protect yourself from, which affect very different sorts of information. Plus, data breaches are often measured in terms of leaked records, not necessarily individual people. In that spirit, we're discussing data breaches primarily in terms of numbers. These are the worst data breaches in history, numerically, and everything you should know about them.

Yahoo's infamous 2013 and 2014 data breaches reign as the largest ever in internet history. Approximately 3 billion records were affected. There were two breaches spanning two years, which Yahoo did not deign to publicly disclose until 2016. The first in 2013 affected all 3 billion Yahoo accounts, including email addresses, personal information like birth dates and phone numbers, and more. It was later determined that nothing sensitive (like passwords and payment information) was stolen unencrypted, but some of the passwords were stored in the more vulnerable MD5 hashed format.

The second breach in 2014 affected 500 million accounts. Ironically, Yahoo disclosed this breach first in September 2016, then much more concerning the 2013 breach in December. Even before the company acknowledged the breach, there were reports of account credentials being sold on the dark web as far back as August 2016. At first, experts believed the hackers were foreign state-sponsored, but it was later determined to be three Russians and a Canadian. The hackers may have directly accessed about 32 million accounts, but it's difficult to know just how damaging this attack was to Yahoo users. Only one suspect — Karim Baratov — was arrested and charged.

Yahoo was in the process of selling properties to Verizon, so there's a chance it concealed its knowledge of the hack to make sure the deal went through; The agreed-upon price dropped when the hack was disclosed. After a long class action legal battle, Yahoo settled with users for $118 million. It's because of large breaches such as these that we recommend using a website like "Have I Been Pwned?" to check if your data was compromised.

The 2024 compromise of National Public Data, a background check company owned by Jerico Pictures Inc., was a deeply concerning breach since it affected Social Security numbers and other sensitive details. A background check company has access to all sorts of dirty secrets, after all. The 2.7 billion records belonged to approximately 300 million people across the U.S., the U.K., and Canada.

Fortunately, the information was not always accurate. There were reports of Social Security numbers matched to incorrect names, and some records belonged to the deceased. Still, if you haven't yet acted on it yet, we highly recommend checking your credit reports and placing a credit freeze on your Equifax, Experian and TransUnion reports. It's not like someone will immediately use your Social Security number to sign up for a credit card and buy a car, but it never hurts to be safe.

The hackers responsible are believed to be USDoD, which caused other data breaches in the past. The group initially tried to sell 4TB of data (plus server credentials) for $3.5 million, but then it was all leaked for free, although it ended up being only 277 gigabytes. This breach was so devastating for National Public Data that it went bankrupt. It's difficult to say how many people experienced real, provable damage as a direct result of this hack. Social Security fraud has always run rampant, and the credit bureaus themselves have suffered their own breaches.

Verifications.io used to be an email validation service for enterprise purposes. The service was storing information in plain text — the equivalent to storing it unencrypted in Windows Notepad and its alternatives — making it all too easy for hackers to steal. Cyber Threat Intelligence Director Bob Diachenko discovered a curious 150-gigabyte (later discovered to be 196 GB) online database in 2019, according to his blog post, filled with 808 million records of emails, phone numbers, and other personal information. The database had no password protection. So, where does the 2 billion number come from? This was because the results can be interpreted in different ways, Andrew Martin told Forbes. The server had three other databases, for a total of about 2 billion records — although it is disputed how many of the records were real and not duplicates, so the true number may be significantly lower.

Some of the data was deeply concerning, like credit score and mortgage information, and links to social media profiles. On the flip side, there were no leaked passwords, and no evidence that hackers found and took advantage of the database. Perhaps more concerning, however, was the veil of mystery around the shady company providing email validation services. It wasn't clear how they got all the information they had, nor where the company was actually based. To make matters worse, the website went down early in 2019, and the company quietly closed its doors for business. It's impossible to say if anyone was directly affected by this breach, but those responsible certainly won't be paying the price.

Aadhaar is India's biometric identification number. It's a more or less compulsory national ID, replete with biometric information and vital for Indian citizens to obtain things like government benefits. Access to Aadhaar would let individuals commit a devastating amount of identity fraud, including opening bank accounts and getting federal financial aid, making it a juicy target for hackers. Aadhaar had security issues before 2018 when it became the subject of one of India's worst data breaches in history. In a now-deleted article from India's Tribune, journalists were able to purchase the information for any person's Aadhaar from a hacker via WhatsApp, plus a counterfeit card to use it. Accounting for the currency conversion rate in early 2018, it would cost you less than $10 to forge someone's identity in Aadhaar at the time.

The Unique Identification Authority of India (UIDAI), which oversaw issuing Aadhaar numbers to citizens, denied these allegations on Twitter, claiming that Aadhaar "remains safe and secure." Despite this, the vulnerability was clear as day for security experts, and even after the hacker selling numbers was taken offline, the application programming interface granted access to anyone determined enough. So, regardless of how bad actors got access to Aadhaar information, it blew open the doors for the information of over a billion Indians. As proof that the system definitely was not secure, there was another data breach in 2019 that affected 100,000 numbers, and another in 2023 affecting 815 million. It's difficult to say how many people were measurably impacted by this breach (and others) and whether or not UIDAI has patched the holes.

Among the many computer hacking myths you need to stop believing is the idea that it's only Chinese and Russian hackers targeting U.S. databases; It's all but confirmed that the U.S. was responsible for creating the devastating Stuxnet worm that single-handedly kneecapped an Iranian nuclear fuel processing facility. The point is, the U.S.'s foreign rivals have their own share of cyberattacks, and China is certainly not immune, as evidenced by a 2022 breach of the Shanghai National Police database. Officials became aware of this breach when a hacker attempted to sell 23 terabytes of data for $200,000 in equivalent Bitcoin at the time (via The Guardian). China is a surveillance state that collects everything from citizens' DNA to social media information, so it's likely that an incalculable amount of highly sensitive information was contained therein for many of its citizens.

It was later revealed that the police database had no password since at least 2021, and it wasn't the only one. Another in Henan province had likewise been open season for hackers. Later analysis and verification suggested Shanghai NP's database leaked about 970 million records. Others took inspiration from the event to bring forward even more leaked information for sale online. Sadly, it appears the PRC has done little in the way of acknowledging, fixing, or mitigating the leak. It seems unlikely Chinese citizens will get redress, especially since this leak is an indirect result of the PRC collecting so much surveillance data on its citizens in the first place.

Often, data breaches reveal that data has been quietly leaking for years. Recently, to give an example, a VPN vulnerability was discovered that could have potentially allowed hackers to see VPN traffic unencrypted for the past 20 years — a fact to keep in mind when hunting for the best VPN services available in 2025. The First American Financial Corp breach, a Fortune 500 real estate title insurance company, is a similar situation. The data had been leaked for 20 years before the flaw's discovery in 2019. KrebsOnSecurity describes how they discovered that anyone with a browser could view 885 million digitized files, including bank account numbers, tax records, social security numbers, and even driver's license images. Yikes.

To do this, KrebsOnSecurity says that someone only needed to change the digits in the URL of one valid document (which corresponded to the document's date), and they'd be taken to another document — no need for authentication. So, in theory, someone with bad intentions could write a script to create multiple permutations of the URL and gather the documents for every single result. KrebsOnSecurity says that this would be a "virtual gold mine" for Business Email Compromise (BEC) scammers. They could make themselves men in the middle between real estate agents and property buyers to trick them into wiring funds. In 2023, First American Financial Corp settled for $1 million with the New York State Department of Financial Services. Unfortunately, this was not the last of its cybersecurity failures. Another data breach in 2024 affected 44,000 people.

LinkedIn is a weird place. When it's not people making nauseating hustle-culture posts, it's using your personal data for AI training. Yet it's the de facto job resume social media site, so you're kinda stuck with it. Consequently, it's also a treasure trove of data, and this fact was exploited in 2021. On RaidForums (a forum for hackers to sell compromised information), a user claimed to be selling the data for 700 million users. However, this was not a data breach in the typical sense, where some flaw in a company's online architecture allowed data to be too easily accessed or stolen. Rather, the data had been scraped.

LinkedIn forbids data scraping in its terms of service, but data scraping in general is legal. Given how AI companies have been unscrupulously training their models on literally everything — one reason why musicians might want to avoid SoundCloud — there's clearly not much political willpower to stop the practice from happening. So, the LinkedIn breach teaches us one big lesson, which is that whatever you put on the internet is effectively there forever.

Many people loathe Ticketmaster so much that they'd probably rather use alternatives to Ticketmaster for buying concert tickets. Well, here's another reason to loathe them. In May 2024, the hacking group ShinyHunters claimed it had compromised the info for 560 million Ticketmaster customers (roughly 1.3TB of info) and put it up for sale for $500,000, after which Ticketmaster acknowledged the breach to the SEC (via NYT). For reference, this same group also hacked a spate of U.S. companies like Microsoft and AT&T.

The information stolen in the breach was effectively everything you would expect to find in a Ticketmaster account: contact information, payment information, as well as orders for tickets, although Ticketmaster assured customers that the most sensitive information, like credit card numbers, was encrypted and therefore inaccessible. Although it's again hard to determine how much damage happened as a result of the breach, the law firm Cotchette, Pitre, and McCarthy is currently in court against Ticketmaster. Until there is a verdict and a settlement, here's how to change your Ticketmaster password just in case.

It might seem funny that Facebook is on this list. After all, the company has been famous for misusing user data on multiple occasions without requiring the assistance of hackers. Never to be left out of the fun, though, Facebook suffered a devastating breach in January 2019. Similar to other breaches on this list, hackers posted the compromised information on forums for 533 million users originating from 106 countries with full names, phone numbers, addresses, and more (via Business Insider). On the bright side, the data was procured in 2019 when the system effectively allowed hackers to do so — an ability Facebook patched out, meaning some of it was likely out of date by 2021.

While the information didn't include things like passwords, it still was a shocking amount that could help bad actors pull off more effective scams against Facebook users. As Meta is wont to do, the company did not take responsibility, claiming that it wasn't a data breach, technically speaking. U.S. courts did nothing, either, but thanks to German courts, there was a potential improvement in holding Silicon Valley accountable. Germany's Federal Court of Justice decided that even if no concrete damages could be proven, Facebook is still on the hook for financial compensation (via Forbes).

In 2018, Marriott International Hotels announced that hackers had stolen the records for 500 million customers of its Starwood hotel line, meaning anyone who'd stayed in those properties since 2014 was affected. What did this data include? Personal information, contact details, government identification information, and possibly even credit card info for at least 327 million guests out of the 500 million compromised. Marriott seems to have interrupted hackers in the process of encrypting and exfiltrating the data.

Marriott acquired Starwood in 2016, which meant that the company's IT infrastructure hadn't yet been integrated into Marriott's. That, and Starwood already had a history of security issues. It was later determined the hackers had infected the Starwood/Marriott system for 4 years without their knowledge.

Concerningly, this may not be a breach facilitated by hacker groups looking to sell the data or scam the victims, but rather state-sponsored cyberwarfare straight out of Beijing. Some theorize that because Marriott frequently serves U.S. government personnel, the PRC was looking for personal information on officials. Marriott offered to cover the cost of replacement documents if customers could provide evidence of fraud, but it's not clear if this ever happened. This was one of multiple data breaches happening between 2014 and 2020, according to the FTC, and Marriott got a slap on the wrist for it.

Adult Friend Finder, believe it or not, isn't a website for meeting your bestie. Sarcasm aside, the website (for discreet adult sexual encounters) suffered a breathtaking breach of 412 million accounts in 2016, a year on the heels of the infamous Ashley Madison breach (a dating site for extramarital affairs) exposed 33 million. Of all the breaches out there, one that is essentially for swingers is the last one its users want being blown open to the world. The 412 million figure factors in its active 339 million accounts (and 15 million deleted ones), plus millions more accounts from other dating sites under the Friend Finder Network umbrella, one of which (Penthouse) no longer belonged to them. To describe that leaked data another way, this is two decades' worth of user info. Major, major yikes.

Ironically, this hack took place after a security researcher warned that a flaw in the architecture could allow for this sort of breach to happen. This wasn't the first time Friend Finder Network had been hacked, either. The leaked info included everything you're imagining: photos, contact info, membership status, and passwords. At the time (in the wake of the Yahoo breaches we mentioned earlier), this was the second-largest data breach in history. It appears the class action lawsuit as a result of this breach was struck down.

As stated in the beginning, it's very difficult to compare and contrast data breaches since the information they affect can have wildly differing consequences. The fallout (and remediation) also factor in. So, we readily admit that a bigger number doesn't equal a worse breach. Still, we took into consideration breaches that affected highly sensitive information (National Public Data, Aadhaar, Shanghai NP, etc.) as well as breaches that included a large quantity of personally identifiable information (LinkedIn, Facebook, AdultFriendFinder, etc.). A bank account number could be devastating if leaked, but personal information could lead to scams, stalking, and other undesirable results.

It's important to note that this list is not comprehensive. There have been countless data breaches, and many, much smaller data breaches have had far-reaching consequences. In most cases, it was impossible to determine the exact consequences of these breaches, so we focused on those that had the potential to harm victims if weaponized.