A photo of planet earth with lights connecting various cities

Top 10 Worst Data Breaches of All Time

We know size isn’t everything… Despite that fact, the sheer scope of these breaches is absolutely worth marveling at! Furthermore, each of them offers valuable insight into some of the potential risk areas that all companies need to be aware of at any size.

10. Heartland Payment Systems


100 million users affected

This breach was one of the largest of its time, and it revealed the credit card information of a huge swath of users. The company responded to this breach by not only increasing the security of their payment processing system but also introducing a breach warranty for all users. The warranty essentially guaranteed that merchants will receive a reimbursement for any costs that occurred due to future breaches involving Hearltand’s credit card payment system. Not a bad guarantee for users, but it may not have been the best decision for Hearltand given that it suffered an additional breach in 2015. As far as cybersecurity is concerned, it definitely pays to protect.

9. Capital One


106 million users affected

Anytime a major banking institution reveals a breach, it’s always a cause for concern. Most users are on higher alert for cybersecurity attacks when it comes to their banking information because it’s such a prime target for identity fraud or theft.

What’s particularly interesting about this breach is that the company accused a particular person of the attack, a former employee of Amazon Web Services, the cloud hosting company Capital One used at the time. The attacker gained access to the information by “exploiting a misconfigured web application firewall,” according to their court filing. Though the company claimed to have fixed the vulnerability, this is definitely a lesson that hiring the right people in every department is critical when it comes to cybersecurity.

8. Equifax

143 million users affected

The Equifax breach is particularly nerve-wracking due to the personal nature of the exposed data such as Social Security numbers, birth dates, and even (in some cases) driver’s license numbers. Though there weren’t significant reports of unauthorized activity on their core databases, it was still recommended that users take appropriate action such as staying up to date from potential updates from the company on the next steps. Being aware that a breach may affect you is good to keep in mind as you may need to be on the lookout for critical communications.

7. Myspace


360 million users affected

You may think this out-of-date social media platform wouldn’t be on anyone’s minds by 2016. And, well, you’d be half right. This breach was made public by Time Inc. (the company that had purchased Myspace) in 2016, and the company quickly invalidated the passwords that were exposed as soon as they realized. Though the records exposed could go back for years, so, as always, don’t forget to use a wide variety of passwords for your accounts! You never know what may have been exposed somewhere else, even if you haven’t logged on in years.

6. Friend Finder


412 million users affected
You may have read our previous coverage of this particular breach as an example of how personal cyber-attacks often can feel. Not only is this attack significant in numbers alone (412 million accounts is a lot to be exposed!) but it’s also extra sensitive due to the nature of Friend Finder.

Friend Finder is an adult-oriented brand aimed at helping users find partners for casual sex. The data exposed stretched back 20 years and included names, emails, user activity information, and passwords. But whether or not any “sensitive” information may have been revealed, the nature of the site itself could cause any users to blush at the thought of being exposed as a user in the first place.

5. Marriott

500 million users affected
This breach allowed hackers access to Marriott’s online reservation systems for a variety of their hotel chains for over four years. The breached data included a wide variety of sensitive information, like names, addresses, phone numbers, payment information, and (even worse) travel information such as locations and passport numbers. The sensitive nature of the data disclosed underscores and the length of time it was available underscores two consistent concerns in the cybersecurity industry: data and timing.

4. Yahoo


500 million users affected

Believe it or not, this breach is not the last time you’ll be seeing Yahoo on this list. In fact, this 2014 Yahoo data breach was announced as a mere after-shock of sorts to a much larger data breach that occurred in 2013. But more on that later… Suffice to say, this second data breach was no small potatoes either.

This breach was announced mere months after they blamed “state-sponsored” hackers on their previous, significant breach. This secondary breach was announced in the middle of Yahoo being acquired by Verizon and it seems to have significantly impacted the final purchasing price. Moreso, this degree of this issue and the gap between when it occurred and when it was reported (2017), underscore one of the greatest challenges in the cybersecurity industry: most companies don’t realize they’ve been hacked until well after it’s already happened.

3. Facebook

540 million records exposed

This breach impacted 50 million users, and it occurred at a time when Facebook was already under fire for its handling of user data. The breach allowed attackers to gain access to roughly 50 million accounts, which not only gave them access to countless user data but it also allowed them to act on behalf of the user and access any number of apps connected to Facebook such as Instagram and Spotify.

2. First American Financial Corporation


885 million records impacted

In 2019, it was revealed that First American’s website had leaked hundreds of millions of important records—885 million, to be exact. These records included bank accounts numbers, tax and mortgage records, Social Security numbers, receipts, and even photos of people’s driver’s licenses! At the time of the leak, anyone with access to the internet and a Web browser could have access to these critical documents.

This isn’t a typical breach in that it wasn’t enacted by nefarious actors, it was actually the fault of First American themselves due to a lack of security measures. The company only found out about it when KrebsOnSecurity notified them after a real estate developer revealed that “anyone who knew the URL for a valid document at the Web site could view other documents just by modifying a single digit in the link.” This is a key example of how cybersecurity is something that needs to be considered at every step of a company’s process.

1. Yahoo


3 billion users affected

This was the first of the two significant Yahoo data breaches and is, of course, notably larger. The second breach was an unfortunate dessert to an already significant main course. This breach affected literally every single Yahoo account at the time and compromised their names, email addresses, phone numbers, and birthdays. Although the breach occurred in 2013, it wasn’t discovered and announced until September 2016.

Initially, the breach was announced as impacting 1 billion accounts but in 2017 Yahoo revised that estimate to cover all 3 billion of them. Since then, this has been known as the biggest data breach in history.