Biggest Data Breaches You Need To Know About

Updated: February 3rd, 2023

Data breaches exposed at least 42 million records between March 2021 and February 2022. With the increasing risks associated with the cyber world, this comes as no surprise. 

This article details all the biggest data breaches that have taken place all around the world in different sectors and industries. 

Let’s dive in. 

27 Biggest Data Breaches You Need To Know

  1. Shields Healthcare Group
  2. Twitter
  3. Aadhaar
  4. Yahoo
  5. LinkedIn
  6. Facebook
  7. Marriott
  8. Texas Department Of Insurance
  9. SolarWinds
  10. Revolut
  11. Toyota
  12. Keystone Health
  13. SHEIN
  14. Nvidia
  15. OneTouchPoint
  16. Novant Health
  17. Broward Health
  18. Baptist Medical Center
  19. Farrer Park Hospital
  20. Texas Tech University Health
  21. Anthem
  22. Red Cross
  23. Microsoft
  24. Dubsmash
  25. Adobe 
  26. eBay
  27. Myspace

1. Shields Healthcare Group

2022

2 Million Individuals


The Shields healthcare data breach is one of the biggest data breaches reported in 2022. Shields Health Care Group, a Massachusetts-based company, detected suspicious network activity on March 28th of 2022. The hack took place between the 7th and 21st of March and affected 56 facilities.

Further inquiry revealed that a malicious actor gained access to certain Shields systems. It affected major partners like Tufts Medical Center and UMass Memorial MRI.

The data breach affected over 2 million individuals, revealing their social security numbers, diagnoses, billing information, medical records, and PII such as addresses, dates of birth, patient IDs, and more.

2. Twitter

Twitter has undergone one confirmed and two alleged massive data breaches within the span of a year. The API vulnerability was first reported through a HackerOne bug bounty program in January 2022.

2022

5.4 Million Records

Twitter recently underwent a massive data breach that leaked the data of nearly 5.4 million users. The list was compiled by Breached, a hacking forum, through a vulnerability exposed to them by the threat actor, Devil.

These 5.4 million records were put up for sale on July 21st of 2022 for a price of $30,000. The 5.4 million records were then released for free on the website on 24th November 2022, after they were likely bought at a lower price.

2022

17 Million Records

Another report was then put forth revealing a potential data breach of nearly 17 million Twitter records. According to it, the records consisted of phone numbers and public information like account names, Twitter IDs, and screen names.

Bleeping Computer obtained a sample of the records which contained the personal phone numbers of nearly 1.3 million individuals in France. They also revealed that the data dump was broken up according to their country and region codes. 

However, the claim of having 17 million Twitter records could not be independently confirmed.  

2022

400 Million Records

On December 23, 2022, a threat actor by the name of Ryushi made a post to a hacker forum, Breached, putting 400 million Twitter profiles on sale for $200,000. Ryushi wishes to sell the data from the Twitter data breach (Dec 2022) to an exclusive buyer, ideally Twitter itself. Otherwise, the threat actor intends to sell multiple copies of the data for $60,000 a copy.

3. Aadhaar

2018

1.1 Billion Citizen Records

Aadhaar, India’s biometric database, was hacked in March 2018, exposing nearly 1.1 billion records of registered Indian citizens, including their fingerprints and even iris scans.

The UIDAI (Unique Identification Authority of India) repeatedly denied these claims, however.

The infiltration occurred through the website of Indane, a state-owned utility company connected to the government database, which allowed applications to retrieve data stored by other applications or software.

Access to this data was sold for less than $7 through WhatsApp.

4. Yahoo

2013

3 Billion Accounts

In 2013, Yahoo faced a data breach of 3 billion accounts in which customer information was leaked.

However, the data leaked did not contain crucial payment information, passwords, or bank account numbers. 

2014

5 Billion Accounts

Information from 5 million accounts was leaked in 2014. However, this only came to light in 2016, which was when the company disclosed the event. 

It resulted in the leak of private information like security information, telephone numbers, birth dates, and names. 

The U.S. SEC then fined Yahoo's owner, Altaba, over $35 million for failing to disclose the data breach.

5. LinkedIn

2012

165 Million

In 2012, LinkedIn experienced a massive data breach brought about by hackers who accessed nearly 6.5 million unassociated passwords, which were later put up on a Russian hacker forum.

This number was later found to be inaccurate when it came to light in 2016 that the total number of accounts affected was actually 165 million.

The extent of the breach was reported to LinkedIn when it found that the hacker was selling the information for 5 bitcoins (worth $2,000 at the time).

2021

700 Million

The latest hack on LinkedIn occurred in April 2021 and affected 700 million accounts, i.e. more than 90% of its users.

The attack was carried out by data scraping which was possible due to a violation of LinkedIn’s API.  

The data revealed, albeit mostly public, included full names, phone numbers, email addresses, usernames, and geolocation records, among other data.

6. Facebook

2021

530 Million Users

In 2021 it was revealed that Facebook underwent a massive data breach due to a vulnerability that was patched in 2019. 

The data was compiled from 106 countries with over 32 million records from the U.S., 11 million user records from the U.K., and 6 million users in India. 

This included information such as their phone numbers, full names, locations, birthdates, bio, and even email addresses in some cases. 

2019

540 Million User Records

In 2019, UpGuard’s cyber risk team discovered 540 million Facebook user records sitting unsecured on Amazon’s S3 public cloud servers.

The data breach occurred because a third-party app developer, Cultura Colectiva, a Mexican media company, failed to password-protect its data sets, leaving the information available for anyone to access and download freely.

2018

50-90 Million User Records

In April of 2018, Facebook underwent a massive data breach that was said to have been a concern among Facebook employees since 2015. However, this was not acted on till the issue blew wide open through a whistle-blower from Cambridge Analytica. 

Cambridge Analytica, a British consulting firm, stole and sold the data of around 50-90 million Facebook user records. The information was accessed through a loophole in a third-party quiz app.

Despite going against Facebook's terms and conditions, the company continued selling the data illegally since there was no enforcement of the rules.

This resulted in the FTC (Federal Trade Commission) imposing a historic fine of 5 billion dollars on Facebook for its poor data protection measures and repeated data security violations. 

7. Marriott

2022

20 GB of Data

In June 2022, the hotel chain Marriott was hacked, with the attacker stealing 20 GB worth of guest information. This included guest credit card data, as well as personal information regarding guests and employees alike.

The files were exfiltrated from BWI Airport Marriott in Maryland, U.S.A. Social engineering was used to trick a Marriott employee into giving the threat actors access to their computer.

2020

5.2 Million Guests

Prior to 2022, Marriott had faced another hack in 2020, between January and March, resulting in the leak of over 5.2 million guests’ personal information.

The leaked information varied from guest to guest, but most included contact details and personal information, passwords and PINs, national IDs, driver’s license numbers, loyalty account information, birthday, company, and affiliations, among others.

The information was accessed using the login credentials of two employees, which were disabled once the company was alerted so that an investigation could be launched.

2018

500 Million reassessed at 383 Million

In November 2018, Marriott reported a colossal data leak resulting from illegal access to its Starwood reservation database.

Upon further investigation into the incident, it was found that guest information dating back to 2014 had been obtained by the hackers, bringing the number of affected parties to a whopping 500 million.

The breach was said to have started in Starwood in 2014 before it was acquired by Marriott in 2016.

The reservations in the Starwood database included those for other hotel chains under Marriott, like the Westin, Sheraton, Four Points, and St. Regis.

The number of impacted individuals was later reassessed at 383 million, whose home addresses, passport numbers, credit card information, and more were stolen.

The whole incident resulted in Marriott being issued a $24 million fine by the U.K.’s Information Commissioner's Office (ICO) for failure to meet cybersecurity standards, and a class action lawsuit of $100 million in Canada.

8. Texas Department of Insurance

2022

1.8 Million Individuals

In May 2022 it was revealed through a state audit that the personal information of 1.8 million individuals who filed insurance claims with the Texas Department of Insurance was leaked. 

The leaked information was publicly available for almost three years from March 2019 to January 2022. 

The leak was the result of a flaw in program code that allowed access to protected data. This included addresses, dates of birth, social security numbers, phone numbers, and more.

9. SolarWinds

2020

50 Million Records

SolarWinds, the network monitoring software used by the U.S. Pentagon, Fortune 500 companies like Microsoft, and even nuclear labs, was hacked by Russian hackers in 2020.

Companies like FireEye and even the Department of Homeland Security were spied on for months without any detection due to the attack. 

The SolarWinds attack was made possible due to a tainted software update that left the system susceptible to the hackers’ trojan horse. 

More than 18,000 companies installed the tainted update put out by SolarWinds, resulting in the massive spread of the malware.

However, since the malware was spread so stealthily, the true extent of the attack is hard to determine. An estimated 50 million records from various major organizations and companies are thought to have been affected. 

10. Revolut

2022

50,000 Users

This fintech company suffered a breach after a third party gained access to its database. This resulted in the exposure of the personal information of nearly 50,150 users.

The breach occurred due to a social engineering attack. The data exposed includes addresses, partial payment card details, names, and email addresses. 

11. Toyota

2022

300,000 Individuals

In October 2022, Toyota underwent a massive data breach after the source code of the T-Connect application (a telematics service that connects vehicles via networks) was posted on GitHub in December 2017. 

However, the public availability of the code was only realized by the company nearly five years later in 2022. 

The breach ended up exposing nearly 300,000 customers and their personal information. Despite having no evidence of any third-party tampering with the exposed data, Toyota maintained that the possibility can’t be ruled out.

12. Keystone Health

2022

235,000 patients

Keystone Health, a group of primary-healthcare providers, revealed in July 2022 that an unauthorized party had hacked into its computer network from the 28th of July 2022 until the 19th of August 2022. 

The breach revealed the names, social security numbers, and personal health information of 235,000 patients.

13. SHEIN

2018

39 Million Customers

The incident took place in July 2018 when a malicious third party gained unauthorized access to SHEIN’s payment systems. 

The breach was discovered after the credit card network found the customer payment details on a hacking forum for sale. 

SHEIN's parent company, Zoetop Business Company, which also owns ROMWE, was fined $1.9 million by the state of New York for not disclosing the breach details to their 39 million customers.

14. Nvidia

2022

1 Terabyte of data

The largest global semiconductor chip company was compromised by a ransomware attack in February 2022. 

A malicious actor leaked employee credentials and sensitive information online. 

A ransomware group named Lapsus$ took responsibility for the attack, claiming access to 1TB worth of company data they would leak online. 

It demanded $1 million and a percentage of an unspecified fee from Nvidia. 

15. OneTouchPoint

2022

1.07 Million Individuals

OneTouchPoint reported a massive data breach that affected over 1,073,316 individuals in mid-July of 2022. 

The breach occurred due to unauthorized access to certain servers that contained information such as names, member IDs, and data from health assessments. 

More than 35 different organizations were affected by the breach including Anthem ACE, Geisinger, Kaiser Permanente, and Humana.  

16. Novant Health

2022

1.3 Million Individuals

Novant Health reported that a misconfiguration in Meta pixel code potentially led to the unauthorized disclosure of protected health information (PHI) of 1,362,296 individuals. 

Meta, Facebook’s parent company, faces two lawsuits in light of this, since evidence was found that improper configuration of Meta Pixel has led to the disclosure of sensitive information to Meta.

Novant Health notified its patients, physicians, and facilities regarding the possibility of information disclosure.

However, there was no reported usage of the disclosed information by Meta or any third party.

17. Broward Health

2022

1.35 Million People

Broward Health based in Florida reported a data breach affecting 1.35 million people on January 2nd of 2022. 

It was reported that the intruders gained access through a third-party medical provider.

The health system said the intruders accessed private data including patient names, dates of birth, and Social Security numbers. 

18. Baptist Medical Center

2022

1.24 Million Individuals

Tenet Healthcare-affiliate Baptist Medical Center suffered a cyberattack on April 24th, 2022 affecting 1.24 million individuals.

An unauthorized party gained access to certain systems that contained personal information and took some data between March 31 and April 24. 

The information may have included dates of birth, Social Security numbers, health insurance information, other medical data, and billing and claims information.

19. Farrer Park Hospital

2018 – 2019

3,359 Individuals

Singapore-based Farrer Park Hospital had a breach that spanned over two years between March 8, 2018, and Oct 25, 2019. 

The confidential medical information of 2000 individuals was automatically forwarded to a third party. 

The hospital notified the commission about the breach in July 2020 after receiving a complaint in October 2019.

Among the 3,539 past, present or prospective patients whose personal data was leaked, 1,923 people had their medical information disclosed as well.

20. Texas Tech University Health Sciences Center

2022

1.29 Million People

This science center was hit by a data breach due to a hacking incident that was reported on June 7, 2022. The breach affected over 1.29 million people.

The breach involved information held by Eye Care Leaders, Inc., a third-party service provider of an electronic medical records system used by Texas Tech’s health sciences center. 

Some of the records included names, birthdates, Social Security numbers, and other medical record data.

21. Anthem

2015

37.5 Million Records

Anthem disclosed in February 2015 that criminal hackers broke into its servers, stealing over 37.5 million records that contain personally identifiable information.

80 million company records were hacked. The compromised information contained names, birthdays, medical IDs, social security numbers, street addresses, e-mail addresses, employment information, and income data.

22. Red Cross

2022

515,000 Individuals

The cyber attack on the Red Cross was thought to have occurred sometime around November of 2021 but wasn’t discovered until January 18th, 2022.

Hackers gained unauthorized access to the servers of the International Committee of the Red Cross (ICRC) by taking advantage of a vulnerability in the authentication module (CVE-2021-40539) and disguising themselves as authorized users to gain access to sensitive ICRC data.

The breach exposed personal data such as names, locations, and contact information of more than 5 million individuals from around the world, including missing persons, detainees, and their families, among other individuals.

23. Microsoft

2021 

60,000 companies

January 2021 began for Microsoft with a sweeping attack on its Microsoft Exchange email servers, one of the largest email servers in the world. 

The data breach was carried out by hackers who exploited four zero-day vulnerabilities that provided them with unauthorized access to emails from small businesses to local government bodies. 

The hack went on for three months, during which the hackers needed only two conditions to break into each individual company’s email server: an Internet connection and on-premises, locally managed systems.

2021

38 Million Records

Over 38 million customer records were found to be exposed in August 2021. This affected many major companies like Ford, American Airlines, the Maryland Department of Health, and more.

Revealed information included personally identifiable information like COVID-19 vaccination status, social security numbers, and other sensitive data.  

The issue arose because the default settings for Power Apps portals had (until quite recently) been configured to “expose records for display” unless expressly modified by third-party users.

2019

250 Million records

The lack of password protection resulted in 14 years’ worth of Microsoft’s customer data (250 million customer data records) being exposed. 

The information exposed included email IDs, locations, customer service cases, IP addresses, and more.

The exposure of the database started on December 5th, 2019 as the result of misconfigured security rules and was fixed by December 31st, 2019. 

24. Dubsmash

2018

162 Million Records

Dubsmash was one of the more prominent victims in a hack involving 16 websites. 

The hack affected over 617 million user records out of which 162 million user records were accounted for from Dubsmash. 

The stolen data included names, passwords, geolocations, and countries.

25. Adobe

2013

38 million credit card numbers + 153 million user records

One of the worst data breaches in history was faced by Adobe in October 2013, when it experienced a massive hack that resulted in the theft of information for 38 million credit cards.

The sensitive payment card details were then posted on the dark web for sale. Information like Adobe IDs and passwords, credit/debit card information, full names, and more was revealed.

The hack was made possible by Adobe’s lax security practices, which involved using the same password encryption key for 38 million records while making the shift from selling desktop licenses to being a cloud-based SaaS company.

The transition period left them highly vulnerable due to a general lack of IT security, from servers down to even the basic infrastructure.

Adobe was required to pay just a $1 million settlement in 2016. 

26. eBay

2014

145 million users

The retailing and auction site eBay was hacked, which resulted in a massive data breach. The hacker stole the passwords of 145 million users.

The attack was carried out by stealing login credentials from just a few eBay employees, which the actor used to gain access to the main network.

The scope of the attack was limited to names, home addresses, phone numbers, and email addresses. 

eBay quickly notified their customers to make a password change to avoid further damage. 

27. Myspace

2013

427 million user accounts

In June 2013, Myspace experienced severe data exposure when it was hacked, revealing the details of 427 million user accounts.

The information, which included logins, names, and dates of birth, was put up for sale on the dark web for $2,800 or 6 Bitcoins.

The attack was made possible by Myspace’s use of an unsalted hash algorithm to store users’ passwords. Because unsalted hashing maps each password to the same fixed-length value every time, the hashes were extremely easy to crack.

The data that was stolen from the company is all from before 2013, when a new security update was rolled out. The passwords of affected users were all invalidated.
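
The difference between unsalted and salted password storage described above, shown as an added example that is not part of the original article or any company's code. SHA-1 as the fast hash, PBKDF2-HMAC-SHA256 with 600,000 iterations as the hardened scheme, and the sample accounts are all illustrative assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed policy value)

# Constructed sample accounts; two users picked the same password.
USERS = {"alice": "sunshine1", "bob": "sunshine1", "carol": "T7#vq!pLz0"}


def unsalted_hash(password: str) -> str:
    """Weak scheme: one fast, unsalted digest (SHA-1 chosen for illustration)."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None):
    """Hardened scheme: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], expected)


def shared_digest_groups(store: dict) -> list:
    """Audit a credential store: groups of users whose stored value is identical."""
    groups = defaultdict(list)
    for user, value in store.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def precomputed_hits(store: dict, wordlist: list) -> list:
    """Users whose unsalted digest appears in a table computed once per wordlist."""
    table = {unsalted_hash(word) for word in wordlist}
    return sorted(user for user, digest in store.items() if digest in table)


# Unsalted store: user -> hex digest. Salted store: user -> (salt, digest).
weak_store = {u: unsalted_hash(p) for u, p in USERS.items()}
strong_store = {u: salted_hash(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("unsalted, identical digests:", shared_digest_groups(weak_store))
    print("salted, identical digests:  ", shared_digest_groups(strong_store))
    print("covered by one shared table:",
          precomputed_hits(weak_store, ["123456", "sunshine1"]))
    print("alice verifies:", verify("sunshine1", *strong_store["alice"]))
```

In the unsalted store, the two accounts with the same password are indistinguishable and a single table computed once covers every user; with per-user salts the same work has to be repeated for each account, at the cost of the slow KDF each time.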

Bottom Line

The cyber world can be downright dangerous if you do not take the right security measures at the right time. 

It is also important to keep abreast of the latest developments in the field of cybersecurity so that you can employ the latest security practices to ensure the safety of your customers’ data. 

Take action to protect today so that you can avoid being the sensational story of tomorrow.