Biggest Data Breaches in US History [2023-All Time]
The digital age has given rise to a dark underbelly of cyber threats and vulnerabilities. Data breaches have become an all too familiar and devastating reality, affecting individuals, businesses of all sizes, and even governments.
According to a recent study by Statista, the United States is home to 23.5 million breached accounts, ranking third worldwide in the number of breached accounts.
Experts believe that these numbers will continue to rise. We covered the largest data breaches in US history to help you better understand the extent and impact of data breaches.
Editor’s picks: Major data breaches in US
- Yahoo data breach exposed over 3 billion user accounts.
- First American Financial Corporation data breach leaked 885 million file records.
- Facebook data breach exposed over 530 million individuals’ data to the public.
- Shields Healthcare Group data breach affected 2,000,000 patients.
- LinkedIn data breach compromised over 700 million user records.
- MySpace data breach affected approximately 360 million accounts.
- eBay data breach compromised sensitive customer data of 145 million users.
Top 25 biggest data breaches in US History
Data breaches can happen to the most prestigious companies. When they do, millions of user records can end up illicitly sold on the dark web or in the hands of unauthorized third parties. Here are some of the biggest data breaches in 2023 and in history that affected millions.
1. Yahoo
Impact: Exposure of over 3 billion user accounts
The Yahoo data breach stands as one of the most notorious and severe cyberattacks. It holds the record of being the largest data breach in terms of the number of people affected. The initial breach struck in 2013, followed by a series of subsequent attacks that unfolded over the course of the next three years.
This breach, the largest to date, exposed personally identifiable information (PII) such as:
- Email addresses
- Birth dates
- Security questions
- Phone numbers
2. Microsoft Exchange Server
Date: January 2021
Impact: 30,000 companies in the US - 60,000 companies worldwide
The 2021 Microsoft Exchange Server attacks unfolded as one of the biggest data breaches in US history, exposing a complex network of sophisticated cyber threats orchestrated by over ten advanced persistent threat (APT) groups. Led by Hafnium, an alleged Chinese state-sponsored group, alongside notable entities like Tick, LuckyMouse, Calypso, and the Winnti Group, these attacks left an indelible mark on the nation's cybersecurity landscape.
From small businesses to governments and prominent organizations such as the European Banking Authority, the Norwegian Parliament, and Acer, no sector was spared from the fallout.
Exploiting zero-day vulnerabilities, the threat actors infiltrated servers, strategically deploying web shell backdoors to establish and maintain long-term control. The magnitude of the breach extended beyond conventional data compromises, with ransomware strains like DearCry and REvil wreaking havoc alongside crypto-mining malware like Lemon Duck and Prometei's Monero-mining component.
This far-reaching campaign impacted thousands of servers across 115 countries, highlighting the urgent need for robust cybersecurity measures and constant vigilance.
The breach resulted in the compromise of various types of sensitive data, potentially including but not limited to:
- Personally identifiable information (PII) of individuals
- Financial data and transaction records
- Email communications and attachments
- Intellectual property and confidential business information
- Government and classified documents
3. First American Financial Corporation
Date: May 2019
Impact: 885 million file records leaked
The First American Financial Corporation suffered one of the largest data breaches in US history due to a major data leak caused by poor data security measures. Even though the incident was considered a data leak instead of a data breach later on, as no hacking was involved, it highlights how easily sensitive data can be exposed.
A website design error known as Insecure Direct Object Reference (IDOR) caused a major security issue. Due to this error, private information became accessible to anyone without needing verification or authentication. If someone had a link to the documents, they could view them freely without any safeguards in place.
Adding to the problem, First American's record-keeping system stored data in sequential order. This meant that users could easily change the number in the website address (URL) to view other customers' records, making it even easier for unauthorized individuals to access sensitive information.
An estimated 885 million file records were exposed in the process, including:
- Drivers’ licenses
- Bank account numbers
- Mortgage payment documents
- Bank statements
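The flaw described above (documents served to anyone holding the link, with sequential record numbers in the URL) can be shown in a few lines next to a corrected design. This is an added example, not First American's code: the record data, the `DocumentStore` class, the log format and the threshold are all assumptions made for illustration. It also includes a simple check a defender could run over access logs to spot a client walking through consecutive record numbers.

```python
import secrets

# Constructed sample records; owners and contents are hypothetical.
DOCUMENTS = {
    1001: {"owner": "alice", "body": "mortgage statement A"},
    1002: {"owner": "bob", "body": "bank statement B"},
    1003: {"owner": "bob", "body": "license scan B"},
}


def get_document_insecure(doc_id):
    """Flawed pattern: the number in the URL is the only thing checked."""
    doc = DOCUMENTS.get(doc_id)
    return doc["body"] if doc else None


class AccessDenied(Exception):
    """Raised for unauthenticated, unknown, or foreign-object requests."""


class DocumentStore:
    """Hardened pattern: login required, ownership checked per object,
    and public references are random tokens instead of sequential numbers."""

    def __init__(self, documents):
        self._by_token = {}
        self._token_of = {}
        for internal_id, doc in documents.items():
            token = secrets.token_urlsafe(16)  # 128 random bits, not guessable
            self._by_token[token] = doc
            self._token_of[internal_id] = token

    def token_for(self, internal_id):
        """Server-side lookup used when building a link for the owner."""
        return self._token_of[internal_id]

    def get(self, session_user, token):
        if session_user is None:
            raise AccessDenied("authentication required")
        doc = self._by_token.get(token)
        # Same error for "missing" and "not yours" so responses leak nothing.
        if doc is None or doc["owner"] != session_user:
            raise AccessDenied("document not available")
        return doc["body"]


def is_denied(store, session_user, token):
    """True when the hardened store refuses the request."""
    try:
        store.get(session_user, token)
    except AccessDenied:
        return True
    return False


def longest_sequential_run(ids):
    """Length of the longest run of consecutive numbers, in request order."""
    best = run = 1 if ids else 0
    for prev, cur in zip(ids, ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def flag_enumeration(access_log, threshold=5):
    """Return clients whose requests walk through `threshold` or more
    consecutive record numbers, the access pattern an IDOR flaw invites."""
    per_client = {}
    for client, doc_id in access_log:
        per_client.setdefault(client, []).append(doc_id)
    return sorted(
        client for client, ids in per_client.items()
        if longest_sequential_run(ids) >= threshold
    )


# Constructed access log: (client address, requested record number).
SAMPLE_LOG = [("203.0.113.7", n) for n in range(1001, 1007)] + [
    ("198.51.100.4", 1002),
    ("198.51.100.4", 1003),
]

if __name__ == "__main__":
    print("insecure, no login:", get_document_insecure(1002))
    store = DocumentStore(DOCUMENTS)
    link = store.token_for(1002)
    print("owner reads own record:", store.get("bob", link))
    print("other user denied:", is_denied(store, "alice", link))
    print("anonymous denied:", is_denied(store, None, link))
    print("clients flagged:", flag_enumeration(SAMPLE_LOG))
```

Random tokens only make links hard to guess; the ownership check in `get` is what actually closes the hole, since a leaked or forwarded link would otherwise still work.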
4. Facebook
Date: April 2021
Impact: 530 million users exposed
Facebook, despite being one of the world's largest companies, has experienced a series of data leaks and controversies since going public in 2012. The April 2021 data breach marked one of its largest, exposing:
- Phone numbers
- Account names
Over 530 million individuals’ data were exposed to the public. Facebook attributed the breach to hackers exploiting a vulnerability in the contact-syncing tool, allowing them to scrape user profiles for customer data.
While Facebook claimed that no data had been compromised or misused, the public exposure of information for a brief period raised concerns.
5. Shields Healthcare Group
Date: March 7-March 23, 2023
Impact: 2,000,000 patients
On March 28, 2022, Shields Healthcare Group discovered a data breach, where an unauthorized individual gained access to the network and obtained secure patient information. The breach occurred between March 7 and March 21, 2023. The full extent of the breach was determined after a thorough investigation into the attack.
The method of entry into the file systems remains unclear, but potential vulnerabilities or employee account exploitation through phishing attacks are possible.
During the breach, the attackers accessed a vast amount of medical and personal data from numerous patients within Shields Healthcare. The stolen information included:
- Insurance details
- Medical records
- Treatment information
- Patient IDs
- Billing information
- Social Security numbers
- Medical provider data
Shields Healthcare Group promptly addressed the breach and, on April 19, 2023, reported the incident to the Maine Attorney General. Personalized letters were also sent to individuals impacted by the attack, providing details of the information that may have been compromised.
The stolen medical and personal data poses a risk for future credit and fraud attacks. It may be used to open fraudulent accounts, access lines of credit, and engage in unauthorized spending. Additionally, stolen information might be sold on the dark web for illicit gains.
6. LinkedIn
Date: April 2021
Impact: Over 700 million user records exposed
In August 2021, a series of data breaches occurred on LinkedIn, making it one of the biggest data breaches in history and compromising the personal information of millions of users. Initially, a threat actor leaked a portion of the original database on a Dark Web forum, while another threat actor took advantage of the situation by offering to sell filtered LinkedIn records based on profession.
Notably, the compromised data included the accounts of 12.9 million IT personnel, 6.7 million HR professionals, and 4.8 million finance executives. Prior to these breaches, in late 2020, executive accounts were also targeted, with access to email accounts of C-level executives being offered for sale.
The breached records contained various fields, such as:
- First and last names
- Company names
- Registered email IDs
- LinkedIn profile links
The threat actor behind these incidents focused on stolen databases, specifically on HR, IT, and finance personnel.
7. Marriott International
Impact: An estimated 500 million people
Marriott faced one of the largest data breaches in history when hackers gained access to its hotel chains' reservation systems for the past four years. The breach exposed the private details of approximately 500 million customers, including sensitive travel records. The compromised reservation system belonged to Marriott's Starwood subsidiaries, and the stolen data included:
- Credit card numbers
- Phone numbers
- Passport numbers
- Travel locations
- Arrival and departure dates
Experts believe the breach's nature and the stolen data suggest potential nation-state involvement, aiming to track diplomats, spies, military officials, and business executives. However, even if the hackers were solely profit-driven, the stolen information offers ample opportunities for identity theft and various illicit activities.
The breach underscores the importance of monitoring and securing personal information, since exposed data leads to an expanded attack surface. Investigators speculate on the possibility of encryption keys being taken, potentially compromising valuable payment data. The incident is not the first breach for Starwood, further emphasizing the need for enhanced cybersecurity measures within the hospitality industry.
Following the breach, government officials are urging stricter enforcement of consumer data privacy regulations. Investigations have been launched by multiple attorneys general, including those of New York, Maryland, and Pennsylvania, to address the Marriott breach.
8. JPMorgan Chase
Date: June 2014
Impact: 7 million small businesses and 76 million households
JPMorgan Chase fell victim to a major cyberattack that compromised the accounts of 76 million households and seven million small businesses. This breach, considered one of the largest data breaches in history, has raised concerns about consumer confidence in corporate digital operations following recent high-profile data breaches. As the nation's largest bank, JPMorgan's breach is significant, with potential access to sensitive financial information beyond credit card details.
Initially underestimating the impact, JPMorgan believed only one million accounts were affected. However, as the severity of the breach became evident, it was revealed that the intrusion started in June but went undetected until July. Hackers gained unauthorized access to a comprehensive list of the bank's applications and programs, exploiting known vulnerabilities and breaching JPMorgan's systems. Personal information was compromised, such as:
- Phone numbers
- Emails of the account holders
There is no evidence of stolen account information or fraudulent activity using customer data.
It joins the ranks of the largest data breaches in history, emphasizing the importance of investing in comprehensive digital security practices. The ongoing investigation points to a potential nation-state involvement, although the motive behind the attack remains unclear.
In response to the breach, JPMorgan has intensified efforts to strengthen its security defenses and enhance customer confidence. The incident serves as a reminder that recent data breaches have far-reaching consequences, warranting increased investment in digital security. Regulatory authorities, including the Federal Reserve, have been informed about the extent of the breach. As the investigation continues, JPMorgan aims to address vulnerabilities and negotiate with technology suppliers to ensure robust protection against future cyber threats.
9. FriendFinder Networks
Date: November 2016
Impact: 412 million accounts
FriendFinder Networks experienced one of the major data breaches, exposing more than 412 million user accounts across various platforms, making it the largest data breach of 2016.
LeakedSource, which identified the breach, revealed that the compromised databases included Adultfriendfinder.com, Cams.com, Penthouse.com, Stripshow.com, iCams.com, and an unidentified domain. The exposed records contained usernames, email addresses, and passwords, some stored in plaintext or hashed using SHA1 with pepper.
The breach affected many users and included deleted accounts, suggesting that previously removed data might still be at risk. The incident raised concerns about the company's security practices, as passwords were inadequately protected.
Additionally, it was discovered that FriendFinder Networks had been previously hacked in 2015, indicating potential vulnerabilities in their security measures.
10. Home Depot
Date: April 2014
Impact: 53 million email addresses and 56 million payment card numbers
Home Depot, the largest U.S. home improvement retailer, has reached a $17.5 million settlement with 46 U.S. states and Washington, D.C., to resolve a multistate probe into a 2014 data breach. In one of the biggest breaches in history, hackers gained access to payment card data belonging to 40 million customers who used self-checkout terminals at Home Depot stores in the U.S. and Canada.
The hackers used stolen vendor credentials and deployed custom-built malware to infiltrate the company's network. In addition to the compromised payment card data, approximately 52 million customers had their email addresses exposed.
- Payment card data
- Email addresses
Under the settlement, Home Depot does not admit liability but is required to implement security enhancements, including hiring a chief information security officer and upgrading security procedures and training. Connecticut, Illinois, and Texas led the investigation. Connecticut Attorney General William Tong emphasized that companies collecting sensitive personal information are responsible for protecting it from unlawful use or disclosure and stated that Home Depot had failed to take adequate precautions.
Home Depot stated that security is a top priority and has made significant investments to enhance system security since 2014. The company had previously incurred expenses of $198 million related to the breach and resolved litigation with affected customers, card issuers, and banks. With the settlement, Home Depot aims to put the matter behind it.
11. MySpace
Date: June 2013
Impact: Over 360 million accounts
MySpace, once a popular social networking site, experienced one of the largest data breaches in history back in 2013. Approximately 360 million accounts were compromised, leading to the exposure of user logins, names, and dates of birth. The incident resurfaced in 2016, highlighting a significant flaw in MySpace's security measures.
Security researcher Leigh-Anne Galloway discovered the vulnerability and notified MySpace. The flaw allowed anyone with the account owner's listed name, username, and date of birth to take control of MySpace accounts. The account recovery form did not properly validate crucial fields, such as the account email address, facilitating unauthorized access.
MySpace took steps to mitigate the issue after the flaw was made public. However, the full extent of affected accounts remains uncertain due to limited disclosure of user numbers and vulnerability duration.
This incident underscores the importance of robust security practices and the erosion of consumer trust caused by security breaches. Users are advised to consider deleting their MySpace accounts, particularly considering the service's history of data breaches.
12. Adobe
Date: October 2013
Impact: 38 million credit card numbers
Adobe suffered one of the most significant data breaches in the 21st century when approximately 38 million accounts had their sensitive payment card details posted on the dark web.
Initially believed to affect around 3 million users, the actual number turned out to be much higher. The attackers gained access to a wide range of information, including:
- Adobe user IDs
- Full names
- Credit/debit card details
- Product source codes
The breach highlighted Adobe's vulnerability during its transition from selling desktop licenses to a cloud-based software-as-a-service (SaaS) model.
Cause of data breach: Insufficient IT security measures, from servers to infrastructure, left them exposed. Furthermore, Adobe's poor data protection practices were evident as they used the same password encryption key for all 38 million affected users.
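Two entries on this page turn on how passwords were stored: FriendFinder Networks (plaintext or SHA1 with pepper) and Adobe (one encryption key for all affected users). The added example below, which is not code from either company, generalizes both to "one site-wide secret and no per-user salt" and compares it with a per-user salted, slow key-derivation function. SHA-1 with a constructed pepper stands in for the weak scheme, PBKDF2-HMAC-SHA256 for the strong one; the user names, passwords and iteration count are assumptions.

```python
import hashlib
import hmac
import secrets

PEPPER = b"constructed-site-wide-secret"  # constructed value, same for every user

# Constructed sample accounts; two users happen to share a password.
SAMPLE_USERS = {
    "user_a": "hunter2",
    "user_b": "hunter2",
    "user_c": "correct horse battery",
}


def weak_record(password):
    """Weak scheme: fast hash plus one shared secret, no per-user salt.
    Equal passwords always produce equal stored values."""
    return hashlib.sha1(PEPPER + password.encode()).hexdigest()


def strong_record(password, iterations=600_000):
    """Stronger scheme: fresh random salt per user and a deliberately slow KDF."""
    salt = secrets.token_bytes(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": derived}


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(derived, record["hash"])


def shared_password_groups(stored_values):
    """Audit helper: given {user: stored value}, list the groups of users
    whose stored values are identical. Any non-empty result means the
    storage scheme reveals which accounts share a password."""
    groups = {}
    for user, value in stored_values.items():
        groups.setdefault(value, []).append(user)
    return sorted(sorted(users) for users in groups.values() if len(users) > 1)


if __name__ == "__main__":
    weak = {u: weak_record(p) for u, p in SAMPLE_USERS.items()}
    strong = {u: strong_record(p) for u, p in SAMPLE_USERS.items()}
    print("weak scheme, colliding accounts:", shared_password_groups(weak))
    print(
        "salted KDF, colliding accounts:",
        shared_password_groups({u: r["hash"] for u, r in strong.items()}),
    )
    print("login still works:", verify("hunter2", strong["user_a"]))
```

With the weak scheme, anyone holding the dump sees that `user_a` and `user_b` share a password, and recovering one stored value recovers every account in that group; per-user salts remove that grouping and the slow KDF raises the cost of each guess.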
45% of data breaches take place in the cloud. (See cloud security statistics)
In 2016, Adobe settled a lawsuit with 15 states for a mere $1 million. This incident was recognized as one of the 17 biggest data breaches of the 21st century. As Adobe continues to address the aftermath, the recent introduction of a new Experience Cloud feature emphasizes the critical importance of security.
13. eBay
Date: March 2014
Impact: 145 million users
eBay suffered one of the major data breaches when hackers accessed sensitive customer information, including personal details and encrypted passwords.
Cause of data breach: Compromised employee credentials and a lack of proper security measures, such as two-factor authentication, caused the breach.
The breach's aftermath was significant for eBay, with decreased customer activity, loss of customers, and a $200 million revenue loss. The company also faced technical difficulties in handling the surge of traffic after asking users to change passwords.
eBay's response was slow, and the incident resulted in a loss of customer trust and significant financial repercussions. This serves as a reminder of the importance of robust security practices and prompt disclosure in preventing and managing data breaches.
14. Equifax
Date: September 2017
Impact: 148 million US citizens (163 million worldwide)
A major credit reporting agency, Equifax, experienced one of the biggest cyber attacks in history in September 2017. The breach compromised sensitive personal information belonging to 148 million Americans, including names, addresses, phone numbers, dates of birth, social security numbers, and driver's license numbers. Additionally, approximately 209,000 consumers had their credit card numbers breached. This breach stands out for the scale and severity of the compromised data, making it a significant incident regarding the sensitivity of the information involved.
15. River City Media
Date: March 2017
Impact: 1.4 billion file records
One of the largest spam operations in the world suffered a data breach when its faulty backup leaked a database of 1.37 billion email addresses. The leaked information included personal data such as:
- Real names
- IP addresses
- Physical addresses
The operation, called River City Media, is an email marketing firm that sends billions of messages daily. The breach threatened online privacy and security by combining email accounts with personal information. The leak was accidentally published without password protection, adding credibility to the incident.
“The situation presents a tangible threat to online privacy and security as it involves a database of 1.4bn email accounts combined with real names, user IP addresses, and often physical address,” said MacKeeper’s Chris Vickery. “Chances are that you, or at least someone you know, is affected.”
16. Heartland Payment Systems
Date: May 2008
Impact: Over 100 million payment card records
In 2008, Heartland Payment Systems, a Fortune 1000 company specializing in payment systems, experienced one of the worst data breaches in US history. The breach was discovered after suspicious transactions were reported by Visa and MasterCard.
It was revealed that the breach occurred due to an SQL injection attack that compromised the company's payment transaction computers. The attackers gained access to a web login page and collected enough data to create counterfeit credit cards.
The aftermath of the breach was devastating for Heartland. The company lost its PCI DSS compliance, suffered a significant drop in its stock price, and incurred a total monetary loss of over $200 million.
17. Exactis
Date: June 2018
Impact: 340 million people
Another of the biggest data breaches in history occurred in June 2018. A little-known Florida marketing firm called Exactis became the center of attention after a major data breach was discovered. Exactis, specializing in aggregating and selling data, had amassed a staggering 3.5 billion business and consumer records.
Security expert Vinny Troia brought the breach to light during his assessment of ElasticSearch's security protocols. Through a tool called Shodan, Troia found around 7,000 databases accessible on public servers, and to his astonishment, the Exactis database was completely unsecured.
The magnitude of the breach was significant, with over 340 million records exposed and vulnerable to theft. This incident stands out as one of the largest data breaches ever involving a marketing firm.
Upon discovering the breach, Troia promptly alerted the FBI and notified Exactis. What made the Exactis breach particularly alarming was the level of personal information it contained. In addition to names, email addresses, and phone numbers of U.S. citizens, each person had a staggering 400 data entries associated with them.
18. Target
Date: November 2013
Impact: 70 million customer records & 41 million payment card records
The Target data breach of 2013 was a major security incident, where hackers stole 40 million credit and debit card records and 70 million customer records. This breach had a significant impact on Target, as it eroded customer trust and resulted in financial losses.
- Credit and debit card records
- Customer records
One important lesson from this breach is the vulnerability of third-party vendors, which is one of the most critical attack vectors. The attackers gained access to Target's network through a compromised third-party solution. Companies need to ensure that their vendors have robust security measures in place to protect sensitive data.
51% of businesses do not vet third parties' security and privacy procedures before allowing them to access sensitive data.
Target responded to the breach by issuing more secure chip-and-pin cards. However, while these cards provided better security, they couldn't address all the potential risks, such as identity theft. Target could have improved the segregation of its network to make it more challenging for attackers to infiltrate.
The aftermath: Estimated losses exceeded the $18 million settlement, earnings declined significantly, and customer confidence was shaken.
43% of organizations have experienced security incidents due to SaaS misconfigurations. The best practice is to discover the SaaS apps used in your company, even the ones in Shadow IT, and continuously monitor SaaS security risks.
19. Canva
Date: May 24, 2019
Impact: Approximately 139 million users
One of the recent data breaches occurred when Canva, a popular graphic design platform based in Australia, experienced a significant data breach that led to the compromise of 139 million user records. A hacker known as GnosticPlayers claimed responsibility for the Canva data breach and stated that they had obtained over 1 billion user credentials, including:
- Email addresses
- Location data
This hacker has previously posted stolen data on the dark web. After validating the breach, Canva was notified by ZDNet and confirmed the security incident. They assured users that passwords were stored securely using strong encryption methods and that there was no evidence of compromised user credentials. However, as a precaution, Canva encouraged users to change their passwords. It was revealed that 78 million users' Gmail addresses were exposed in the breach, but Canva emphasized the difficulty for hackers to crack passwords due to their strong security measures.
It is important to note that while some passwords were encrypted using advanced security methods, others were linked to Google tokens for authentication.
20. Capital One
Date: July 2019
Impact: 100 million user records
The Capital One data breach was one of the biggest data breaches in the financial sector. Capital One has agreed to pay U.S. regulators an $80 million fine following a major hacking incident in which approximately 100 million credit card applications were illegally accessed. The Virginia-based bank has already implemented security measures and made arrests related to the breach.
However, under the terms of an order issued by the Office of the Comptroller of the Currency, Capital One will be required to further demonstrate the security of its computer systems. The breach, one of the largest in the financial services sector, exposed sensitive customer data. The alleged hacker has been arrested, and Capital One has emphasized that credit card numbers and log-in credentials were not compromised in the incident.
21. Zynga
Date: September 2019
Impact: 218 million users
In September 2019, Zynga Inc., an online game company, experienced a password breach that impacted around 200 million users. The breach potentially exposed login details of players from games like Draw Something and Words With Friends, including:
- Email addresses
Zynga promptly informed affected users and assured them that no financial information was compromised. However, a recent report from a data breach monitoring website reveals that the stolen database actually contained information from 172,869,660 unique accounts, making it one of the largest data breaches in US history.
22. Deep Root Analytics
Date: June 2017
Impact: 198 million US citizens
A major data breach has occurred involving Deep Root Analytics, a Republican data analysis company. The breach exposed an online database containing personal information of nearly all of America's 200 million registered voters. The compromised data includes sensitive details such as:
- Birth dates
- Phone numbers
- Party affiliations
- Racial demographics
- Voter registration status
The breach, which lasted from June 1 to June 14, was discovered by cybersecurity firm UpGuard. DeepRoot has taken responsibility for the incident and is conducting a thorough review. It is believed that only the UpGuard analyst who found the files accessed the database. The exposed data consists of 1.1 terabytes of information, providing insights into the likely political preferences of approximately 198 million potential voters across 48 different categories. This breach represents the largest exposure of personal voter data to date.
23. Dubsmash
Date: December 2018
Impact: 162 million user records
In February 2019, a significant data breach occurred involving the video messaging app Dubsmash. Hackers posted the stolen data on the dark web for sale. The breach, which took place in December 2018, resulted in unauthorized access to personal information such as:
- User names
- Email addresses
- Hashed passwords of nearly 173 million Dubsmash users
In response, Dubsmash promptly notified affected customers and advised them to change their passwords to mitigate potential risks.
As a global company based in New York, Dubsmash also faced potential consequences regarding compliance with the European Union's General Data Protection Regulation (GDPR). The GDPR mandates that companies must report a data breach within 72 hours of becoming aware of it.
However, it remains unclear whether Dubsmash complied with this requirement and what consequences they may face if found in violation. Complicating matters further, the dark web sale included not only Dubsmash data but also approximately 617 million accounts from Dubsmash and 15 other websites.
24. Plex
Date: August 2022
Impact: 30 million users
One of the biggest recent data breaches in the US happened to Plex, a popular streaming media platform, prompting the company to urge users to change their passwords. The breach involved unauthorized access to a limited amount of data, including:
- Encrypted passwords
Plex assured users that credit card and payment information is not stored on its servers. The breach impacts both personal media and streaming customers, but the exact number of affected users has not been disclosed.
25. Cash App
Date: April 2022
Impact: 8.2 million users
Financial service company Block, owner of the mobile payment app Cash App, reported a data breach that may impact over 8 million users. An ex-employee downloaded reports containing personal information of U.S. users after leaving the company. The data did not include sensitive information like usernames, passwords, Social Security numbers, or bank account details.
However, it did include:
- Full names
- Brokerage account numbers
- Some stock trading activity
Only users in the U.S. who use Cash App Investing are potentially affected. Block is contacting all current and former customers of the feature to provide information and support, and law enforcement has been notified of the breach.
Frequently Asked Questions
What is the largest data breach in history?
The largest data breach in history remains the Yahoo data exposure incident between 2013 and 2016, affecting 3 billion user accounts. Despite subsequent breaches, the Yahoo data exposure incident continues to hold the title for the largest breach ever recorded.
What is the largest data breach in US government history?
The largest data breach in US government history is the exposure of the U.S. Voter Database, which affected 191 million voters in 2015.
What is the largest data breach in 2023?
The largest data breach in 2023 targeted Shields Healthcare Group, a medical services provider headquartered in Massachusetts. The company suffered the most substantial data breach of the month in April, resulting in the compromise of personal data belonging to a staggering 2.3 million individuals.
How common are data breaches in the US?
During the year 2022, the United States witnessed a total of 1802 instances of data compromises. Concurrently, an astonishing 422 million individuals fell victim to various forms of data compromises, encompassing data breaches, leaks, and exposures. Despite the distinct nature of these events, they share a common thread: all three occurrences involved unauthorized threat actors gaining access to sensitive data. (Statista)