Data breaches continue to be a security problem around the world. According to Cyber Security Hub, there were 4,100 publicly disclosed data breaches in 2022, with 22 billion records compromised. This represented a 38% increase over 2021 attacks, according to Check Point Research.
Data breaches can expose information ranging from the mundane (such as a public email address) to the worst imaginable (such as banking information and Social Security numbers). While data breaches may feel like a new worry, they’ve been around for years. And while big names like T-Mobile and Twitter are top of mind now, there are plenty of other well-known brands that have been hit since the early 2000s.
This infographic shows the worst data breaches of all time, going back to 2013 and affecting a total of more than 11 billion people. Even the smallest data breach on our list affected 412 million people. Many people are worried about the safety of their personal information, leading to the proliferation of sites to check if your email and password — or worse — are out there on the web.
Because of the increase in threats to cybersecurity and the propensity for damage, companies are now hiring to keep their customer data safe. The U.S. Bureau of Labor Statistics projects that employment of information security analysts will grow 35% from 2021 to 2031, much faster than the average for all occupations.
Earn a Cybersecurity Degree With Purdue Global
After learning about the biggest data breaches, find out more about the online cybersecurity degree programs offered by Purdue Global. And if you’re interested in a career in the growing field of cybersecurity, request more information today.
There were 4,100 publicly disclosed data-compromise events in 2022, exposing over 22 billion sensitive records.1
These are the biggest data breaches of all time, based on the number of records breached and propensity for damage.
1. Yahoo — 2013
Affecting every existing Yahoo account in 2013, this data breach (reported in 2016) is the largest ever to occur.2
Size of breach: 3 billion user accounts
2. “Collection #1-5” — 2019
Mid-January 2019, 773 million unique email addresses and 21 million passwords were found as Collection #1 on torrent websites. By the end of the month, Collections #2-5 were discovered, with 2.2 billion more credentials.3
Size of breach: 2.9 billion usernames and passwords
3. Aadhaar — 2018
Aadhaar, the Indian government’s civilian identification database, was compromised between August 2017 and January 2018. The breach exposed identification numbers, names, email and physical addresses, phone numbers, and photos.4
Size of breach: 1.1 billion records
4. First American Financial Corporation — 2019
This major breach of a U.S. financial service company in 2019 exposed bank account details, Social Security digits, wire transactions, and other mortgage paperwork.5
Size of breach: 885 million records
5. Verifications.io — 2019
This breach of an email verification company exposed email addresses, names, phone numbers, physical addresses, mortgage information, online account names, private data, and business intelligence.6
Size of breach: 800 million records
6. Onliner spambot — 2017
This bot bypassed spam filters and sent an email Trojan that could steal passwords, credit card details, and other personal information from vulnerable computers.7
Size of breach: 711 million records
7. Equifax — 2017
In addition to personal information, some people had their credit card numbers and credit dispute documents exposed.8
Size of breach: 605 million records affecting 143 million people
A swath of records about Facebook users was publicly exposed on Amazon's cloud computing service. Some location data and passwords were also exposed.9
Size of breach: 540 million records
9. Yahoo — 2014
Yahoo believes a state-sponsored actor stole users’ personally identifiable information, including encrypted passwords and security questions.10
Size of breach: 500 million records
10. Friend Finder Networks — 2016
The breach affected over 15 million so-called deleted accounts that had not been purged from the database.11
Size of breach: 412 million records