10 biggest data breaches in history and how to prevent them

Data breaches happen for many reasons, as evidenced by this list of the biggest data breaches in history. Whether it’s an outdated and vulnerable network or an employee clicking on a phishing email, data breaches can harm a business and its reputation.

A number of lessons can be learned from reviewing past data breaches. In fact, some of the most damaging breaches listed here could have been avoided if organizations had followed simple good cybersecurity hygiene practices.

Learn about the biggest data breaches, based on the number of compromised records, and get tips on how to prevent a similar breach in your organization.


Compromised files: 3 billion

Breakup date: August 2013

Publication date: December 2016

Yahoo initially announced in 2016 that its 2013 breach affected only one billion accounts. After Verizon acquired Yahoo in 2017, news broke that the figure was actually 3 billion. The breach affected Yahoo email accounts and other company services, including Tumblr, Flickr, Yahoo Fantasy Sports and Yahoo Finance.

Malicious hackers obtained users’ names, dates of birth, phone numbers and passwords, as well as security questions and email addresses used to reset passwords. No financial data – such as credit card numbers or bank details – was exposed. Yahoo said in its initial disclosure that it forced password resets for all accounts that had been changed since 2013 and invalidated old security questions and accounts. To date, the cause of the breach has not been disclosed.

How to prevent this type of attack:

  • Perform continuous security monitoring and testing.
  • Perform vulnerability and penetration testing regularly to enable security teams to fix flaws before cybercriminals can take advantage of them.

2. Aadhar

Files compromised: 1.1 billion

Breakup date: Unknown

Publication date: January 2018

The records of 1.1 billion Indian citizens have been exposed after a breach of Aadhaar, the country’s government identification database. Although it is not mandatory for citizens to register with the database, it is mandatory for those who wish to access certain government resources or aids.

The Tribune reported the breach after journalists paid someone on WhatsApp 500 Indian rupees (about $8 in 2018) for a code allowing unauthorized access to names, dates of birth, email addresses, phone numbers and codes from the database. The seller offered journalists – for an additional Rs 300 (about $5 in 2018) – software that would allow them to print unique ID cards.

The seller was part of a group that gained access to the database through former Aadhaar employees, according to The Tribune. ZDNet later reported that the leak involved a system run by a public utility company that accessed the database through an insecure API used to verify customer identities.

How to prevent this type of attack:

3. America’s first financial

Compromised files: 885 million

Breakup date: Unknown

Publication date: May 2019

In May 2019, security researcher Brian Krebs reported that 885 million First American Financials files had been leaked from the insurance company’s website. The records, which dated back to 2003, included bank account information, social security numbers, mortgage records, tax documents and photocopies of driver’s licenses. The website did not require a password to access the files.

First American said it “became aware of a design flaw in an application that made possible unauthorized access to customer data.” The design error, known as insecure direct object reference (IDOR)is an access control vulnerability where a link intended for a specific user is created but does not verify the user’s identity to allow access.

How to prevent this kind of attack:

4. Online spambot

Compromised files: 711 million

Breakup date: Unknown

Publication date: August 2017

In 2017, security researcher Troy Hunt reported that Benkow, a Paris-based security researcher, discovered an exposed spam server known as Onliner. Benkow gave Hunt the spambot’s list of 711 million exposed records, which included email addresses and passwords.

Onliner was spread via a data-stealing Trojan horse for at least a year before it was detected.

How to prevent this kind of attack:


Compromised files: 533 million

Breakup date: Unknown

Publication date: April 2021

A 2021 Facebook data breach was reported after a leaked database containing the sensitive data of 533 million users was posted on a hacking forum page. Facebook said malicious actors obtained the phone numbers, names, locations and email addresses of its users by scraping, not hacking, its systems. Scraping is a process that allows users and robots to extract data from publicly available websites.

Facebook said it believed the threat actors had harvested the data using a feature designed to help users find friends by connecting their account to their contact lists. The company changed the feature in September 2019, after discovering it was being used for malicious purposes, to prevent future scraping.

How to prevent this kind of attack:

Data breaches affect every industry, from hospitality to technology and finance.


Compromised files: 500 million

Breakup date: November/December 2014

Publication date: September 2016

Yahoo has the unique distinction of not only being at the top of our list of biggest data breaches, but also being on the list for two separate events.

Yahoo announced in 2016 that 500 million of its accounts were compromised in a state-sponsored attack in 2014. Yahoo said the information stolen could include names, email addresses, birth dates, hashed phone numbers and passwords. In 2018, Karim Baratov was sentenced to five years in prison for the offense after being found guilty of helping Russian intelligence agents gain access to “persons of interest” accounts.

Yahoo attributed the attack to a spear phishing email following an internal investigation.

How to prevent this kind of attack:

7. FriendFinder Networks

Compromised files: 412 million

Breakup date: Unknown

Publication date: November 2016

A breach in 2016 exposed the accounts of 412 million users of adult data and entertainment company FriendFinder Networks. The leak included 20 years of usernames, email addresses, passwords and other sensitive information, as well as 15 million deleted accounts that were still in its systems.

The researchers found source code for the company’s production environment and leaked public and private key pairs online. The company confirmed to ZDNet that it fixed an injection vulnerability that allowed access to source code.

How to prevent this kind of attack:

8. Marriott International

Compromised files: 383 million

Breakup date: 2014

Publication date: November 2018

Hotel provider Marriott International announced in 2018 that attackers had accessed its Starwood guest database four years prior. The records exposed included names, phone numbers, passport details, postal and email addresses, guest arrival and departure information and, in some cases, encrypted credit card numbers.

The breach was discovered following an alert from its internal security systems. Attackers had infiltrated the database and encrypted and exfiltrated sensitive data. Marriott originally believed the breach exposed information for 500 million customers, but after further internal investigation, the company announced that the breach affected approximately 383 million customers. The cause of the rupture, however, remains unknown. Marriott acquired Starwood in 2016, but by 2018 had not migrated it to Marriott’s systems; the Starwood database continued to use legacy computing infrastructure.

How to prevent this kind of attack:

9. Twitter

Number of records: 330 million

Breakup date: Unknown

Publication date: May 2018

Twitter advised its more than 330 million users are changing their passwords following a 2018 issue that resulted in some plaintext passwords being stored in an internal logging system. The company said it discovered the bug itself and has since removed unhashed passwords, putting measures in place to prevent future issues.

It remains unclear how long the passwords were exposed and how many users were affected. The social network said it had no evidence the passwords had been maliciously accessed.

How to prevent this kind of attack:


Compromised files: 250 million

Breakup date: December 2019

Publication date: January 2020

Microsoft revealed in 2020 that 250 million customer service and support cases spanning a 14-year period had been leaked online. The company said personal data was removed from records before it was stored, but some plaintext email addresses and IP addresses were exposed. Microsoft said it found no signs of misuse of the recordings, which were on display for just under a month.

Microsoft attributed the breach to the misconfiguration of internal database security rules.

How to prevent this kind of attack:

Comments are closed.