From Yahoo to eBay: 24 Biggest Data Breaches in History

Not all identities are stolen in the dark. Some slip through the cracks, unnoticed until it's too late.

I remember when a data breach meant a one-off news story about a forgotten website leaking passwords. It felt isolated. But that’s no longer the case. According to the IBM Cost of a Data Breach Report 2024, the average cost of a data breach reached $4.88 million. For the world’s most high-profile leaks, the price tag goes far beyond balance sheets. 

The biggest data breaches don’t just compromise data, they shatter trust, derail operations, and leak identities. From social media giants to healthcare systems, these weren’t just isolated events. They were the result of weak credentials, misconfigured cloud tools, or attackers who knew exactly where to look.

Even with the best defenses in place, breaches still happen — and when they do, the clock starts ticking. The faster an organization can assess the impact, notify affected users, and stay ahead of legal obligations, the less damage it can contain.

That’s where data breach notification software becomes critical. It simplifies a chaotic process, ensures compliance, and helps deliver timely, accurate alerts before misinformation spreads or headlines do.

This article explores the biggest data breaches in recent years, including who was hit, how it happened, and how the stakes keep getting higher. 

12 biggest data breaches in history: At a glance 

Biggest data breaches in history by impact 

From financial fallout to public outrage, each incident left behind more than compromised records: they reshaped policies, priorities, and perceptions of digital security. 

1. Yahoo (2013-2014): 3 billion accounts compromised 

Method: Credential theft
Impact: Entire user base affected; massive reputational fallout

In 2013, Yahoo suffered what remains the largest confirmed data breach in history, compromising the personal data of all 3 billion user accounts. The attackers gained access to names, email addresses, phone numbers, date of birth, and hashed passwords.

The breach wasn’t publicly disclosed until 2016, and the full scope wasn’t confirmed until 2017. It significantly devalued Yahoo during its acquisition by Verizon and remains a cautionary tale about transparency, legacy systems, and the cost of delayed breach disclosure.

2. National Public Data (2024): 2.9 billion Social Security numbers leaked 

Method: Unauthorized access
Impact: Massive identity exposure; lawsuits and financial collapse

In 2024, National Public Data, a data broker firm, was breached in an attack that exposed up to 2.9 billion records, including Social Security numbers, addresses, and other personal identifiers. The breach was made worse by poor encryption practices and a lack of breach detection systems.

The firm filed for bankruptcy soon after, and legal action followed from affected individuals and state attorneys general. This breach reignited debate around data brokers and regulatory oversight of personal data collection.

3. Aadhaar (India, 2018): National ID system compromised 

Method: Misconfiguration and poor access control
Impact: 1.1 billion Indian citizens’ data exposed

In 2018, reports surfaced that Aadhaar, India’s national biometric ID database, had been exposed due to insecure government portals and third-party access. Names, addresses, phone numbers, and Aadhaar numbers of close to 1.1 billion citizens were made accessible for pennies.

Although the Indian government denied a breach of the central database, investigations revealed that access was trivially easy via misconfigured endpoints. The incident raised serious concerns about centralization, surveillance, and privacy in digital identity systems.

4. Indian Council of Medical Research (ICMR, 2023): COVID-19 test records leaked 

Method: Unauthorized access (suspected external breach)
Impact: 815 million individual records exposed

In late 2023, a threat actor leaked the personal information of over 800 million Indian citizens collected by the Indian Council of Medical Research, including COVID-19 test records. The data included names, addresses, passport numbers, and Aadhaar IDs.

Security researchers found the database for sale on the dark web and flagged weak access controls. While the Indian government has not formally confirmed the breach’s origin, it’s among the largest health-related data exposures ever recorded.

5. Spambot (2017): Massive spam server exposes 700 million email addresses

Method: Misconfigured spam server
Impact: Email and partial credential database leaked

In 2017, a misconfigured spam server exposed over 700 million email addresses, some with associated passwords. The server, nicknamed Onliner Spambot, was used to distribute malware-laced emails and phishing attacks.

The breach wasn’t the result of hacking, but rather poor security hygiene. Many of the credentials came from earlier breaches and were reused, reinforcing the dangers of weak password practices.

6. Facebook (2021): Personal data of 533 million users leaked

Method: Data scraping via public APIs
Impact: Phone numbers, emails, and location data leaked

In 2021, data on 533 million Facebook users, including phone numbers, birthdates, and email addresses, was found online for free. The information had been scraped using flaws in Facebook's contact import feature, which were later fixed.

Though not a traditional hack, the data's public availability led to phishing attacks and SIM-swapping concerns. Facebook declined to notify users, stating that the data had been previously collected, sparking public backlash.

7. Marriott International (2018): Passport and travel data exposed

Method: Unauthorized access (legacy Starwood system)
Impact: 500 million guest records compromised

In late 2018, Marriott disclosed that attackers had been inside its Starwood guest reservation system since 2014, affecting over 500 million guests. The stolen data included names, addresses, travel details, and encrypted passport numbers.

The breach led to government inquiries and General Data Protection Regulation (GDPR) fines. It also became a case study in the dangers of inheriting insecure systems during corporate mergers.

8. MySpace (2016): Credentials from early social media giant resurface 

Method: Credential theft
Impact: 360 million accounts leaked

In 2016, a hacker group offered 360 million MySpace account credentials for sale on the dark web. Though MySpace was no longer widely used, the leaked data included email addresses and passwords from a time when many users reused login info.

The breach underscored how long-forgotten platforms can still pose security risks years later due to reused credentials and poor password hygiene.

9. Equifax (2017): Credit data of nearly half of the U.S. compromised

Method: Software vulnerability (Apache Struts)
Impact: 147 million U.S. consumers exposed; $700M+ settlement

A vulnerability in Apache Struts went unpatched at Equifax, allowing hackers to exfiltrate highly sensitive data, including SSNs, birthdates, and credit details. The breach impacted nearly 147 million consumers.

After months of delay in disclosure, Equifax faced regulatory fines, lawsuits, and congressional hearings. It remains one of the most damaging breaches in terms of financial and personal identity fallout.

10. eBay (2014): User data stolen, passwords reset

Method: Credential compromise
Impact: 145 million records accessed

Hackers gained access to eBay’s corporate network using employee credentials and exfiltrated 145 million account details, including usernames, encrypted passwords, and contact info.

eBay urged all users to reset passwords but faced criticism for slow response and vague communication. The breach triggered global investigations and led to tighter corporate controls on employee access.

11. LinkedIn (2016): Stolen credentials resurface from earlier breach

Method: Credential theft
Impact: 117 million user passwords sold on the dark web

Originally breached in 2012, LinkedIn saw a re-emergence of the data in 2016 when 117 million email-password combinations were found online. The passwords were poorly hashed using unsalted SHA-1 encryption.

The breach renewed the focus on credential security and prompted LinkedIn to enforce stricter password resets and authentication protocols.

12. Target (2013): POS breach leaks credit card info 

Method: Third-party vendor compromise
Impact: 41 million customer records affected

Attackers infiltrated Target’s network via stolen credentials from an HVAC vendor. They installed malware on point-of-sale (POS) systems, capturing payment card details during the holiday shopping season.

The breach affected 40 million credit cards and an additional 70 million users’ contact information. It led to a $18.5 million multistate settlement and accelerated retail adoption of chip-based payment terminals in the U.S.

Other data breaches in history by year

Over the years, data breaches have shifted from rare headlines to a persistent reality. What once seemed like isolated lapses have become annual reminders of just how vulnerable even the largest organizations can be.

This timeline highlights the most significant breaches by year, showing not just how much data was lost but also how the stakes have grown with each incident.

• 2013: Excellus BlueCross BlueShield’s systems were breached undetected for nearly two years, exposing 9.3 million health insurance records. 
• 2014: JPMorgan Chase suffered a breach that compromised the information of 451,000 account holders. 
• 2015: Deep Root Analytics left 198 million U.S. voter records exposed through a misconfigured Amazon S3 bucket. 
• 2016: Friend Finder Network had 400 million accounts compromised in a massive leak of passwords and adult site user data.
• 2017: ai.type, a popular keyboard app, leaked 31 million keystrokes and user profiles through an unsecured database.
• 2018: Quora revealed a breach affecting 100 million users, with stolen email addresses and encrypted passwords.  
• 2019: Capital One exposed 100 million credit applications due to an AWS misconfiguration exploited by a former employee. 
• 2020: MGM Hotels saw data on 10.6 million guests leaked to hacker forums, including names and contact details. 
• 2021: The Pandora Papers exposed 11.9 million confidential financial records, unveiling offshore assets of global elites. 
• 2022: SuperVPN, GeckoVPN, and ChatVPN leaked login credentials and user data for 21 million accounts via unsecured storage. 
• 2023: T-Mobile disclosed a breach of 76 million customer records caused by an unauthenticated API vulnerability. 
• 2024: Ticketmaster suffered a breach of 560 million records, with attackers stealing customer names, emails, and payment info. 

From lost records to global headlines

Each data breach in this list is more than a number. It’s a turning point — where oversight met opportunity, and attackers found the cracks. These incidents exposed simple missteps and flaws in how we share information. Whether caused by misconfigurations, credential stuffing, or sophisticated supply chain attacks, these breaches show a clear truth: no database is too obscure, no organization too large, and no system too fortified to be immune.

But these stories aren’t just about loss. They’re about response. They show how organizations rebuild, how regulators catch up, and how security teams evolve, often under immense pressure.

There’s no silver bullet for preventing a breach. But there are patterns, warnings, and lessons, and they’re growing louder with every incident. Understanding how these breaches happened is just the beginning. The real preparation lies in recognizing what they mean for the future of cybersecurity, privacy, and digital trust. 

The numbers behind data breaches tell a bigger story. One of scale, frequency, and rising stakes. Here are the top data breach statistics that deliver key cybersecurity insights.