Top 25 Biggest Data Breaches of All Time (Updated 2026)
The Scale of the Problem: Why This List Matters
Data breaches are not isolated incidents — they are a defining feature of the digital age. Since the early 2000s, the scale and frequency of breaches have grown exponentially, from thousands of records to billions in a single incident. The total number of records exposed in known breaches now exceeds 30 billion, and those are only the ones we know about.
This list documents the 25 largest data breaches in recorded history, updated through early 2026. For each breach, we detail the company affected, the date, the number of records exposed, the types of data compromised, how the attack happened, and the real-world impact on victims. If your data was in any of these breaches, attackers may have your email, password, phone number, or even financial information right now.
The best way to find out is to check. Run a search on PR-SAFE — it covers over 3,500 known breaches including every one on this list. Our breach checking guide walks you through the process step by step.
#1 — Yahoo (2013-2014): 3 Billion Accounts
The largest data breach in history affected every single Yahoo account in existence at the time — all 3 billion of them. Initially disclosed in 2016 as affecting 1 billion accounts, the true scope was revealed in 2017 when Verizon (which had acquired Yahoo) announced the real number: 3 billion.
Data exposed: Names, email addresses, phone numbers, dates of birth, hashed passwords (MD5), security questions and answers (some unencrypted).
How it happened: State-sponsored hackers (later attributed to Russian intelligence officers) used forged cookies and a compromised internal tool to access accounts without passwords. The breach went undetected for over two years.
Impact: Verizon reduced its Yahoo acquisition price by $350 million. Yahoo's CEO resigned. Four individuals, including two Russian FSB officers, were indicted by the US Department of Justice. Most critically, billions of reused passwords were exposed — many still being exploited years later through credential stuffing attacks.
Lesson: Even the largest tech companies can be comprehensively breached. MD5 password hashing was already considered obsolete when Yahoo was still using it. Always use unique passwords — check if yours leaked on PR-SAFE.
#2 — National Public Data / MC2 Data (2024): 2.9 Billion Records
In mid-2024, a massive breach of background check and data broker companies exposed 2.9 billion records containing extraordinarily sensitive personal information of individuals primarily in the United States, United Kingdom, and Canada.
Data exposed: Full names, Social Security numbers, mailing addresses (including decades of history), phone numbers, dates of birth, and family relationships.
How it happened: The data brokerage firm stored vast quantities of aggregated personal data with inadequate security controls. The breached database was posted on dark web forums by a threat actor group.
Impact: This breach was particularly devastating because the exposed data — especially Social Security numbers — is permanent. Unlike passwords, you cannot change your SSN. The breach fueled a massive wave of identity theft, fraudulent tax filings, and credit fraud throughout 2024-2025.
Lesson: Data brokers collect and store your information without your knowledge or consent, creating massive honeypots for attackers. Regularly monitor your credit reports and consider freezing your credit.
#3 — First American Financial (2019): 885 Million Records
First American Financial Corporation, a major US title insurance company, exposed 885 million records containing mortgage closing documents dating back to 2003. The staggering part? No hacking was required.
Data exposed: Bank account numbers, bank statements, mortgage and tax records, Social Security numbers, wire transaction receipts, driver's license images.
How it happened: An Insecure Direct Object Reference (IDOR) vulnerability meant that anyone who knew the URL format could access any document by simply changing the document number in the URL. No authentication required.
Impact: The SEC charged First American with cybersecurity disclosure failures. Exposed financial documents provided everything needed for comprehensive identity theft and financial fraud.
Lesson: Some of the largest data exposures are not sophisticated hacks — they are simple misconfigurations. The aftermath of breaches can haunt victims for years.
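The IDOR pattern described above, shown as a vulnerable document handler beside a hardened one. This is an added example, not code from the original article or from First American; the handler names, the sample documents and the session model are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Document:
    doc_id: int
    owner: str   # account allowed to read this document
    body: str


# Constructed sample store with sequential document numbers.
DOCUMENTS = {
    1001: Document(1001, "alice", "closing statement (alice)"),
    1002: Document(1002, "bob", "wire receipt (bob)"),
    1003: Document(1003, "bob", "tax record (bob)"),
}


class Forbidden(Exception):
    """No authenticated session."""


class NotFound(Exception):
    """Document missing, or not readable by this session."""


def get_document_vulnerable(doc_id, session_user=None):
    """IDOR: the ID taken from the URL is the only thing that is checked."""
    doc = DOCUMENTS.get(doc_id)
    if doc is None:
        raise NotFound(doc_id)
    return doc.body


def get_document_hardened(doc_id, session_user):
    """Require a session, then authorize the object against that session."""
    if session_user is None:
        raise Forbidden("authentication required")
    doc = DOCUMENTS.get(doc_id)
    # One error for "missing" and "not yours", so replies do not confirm which IDs exist.
    if doc is None or doc.owner != session_user:
        raise NotFound(doc_id)
    return doc.body


def readable_ids(handler, session_user, candidate_ids):
    """Regression check: for which IDs does this session get a body back?"""
    readable = []
    for doc_id in candidate_ids:
        try:
            handler(doc_id, session_user)
        except (Forbidden, NotFound):
            continue
        readable.append(doc_id)
    return readable


if __name__ == "__main__":
    ids = range(1000, 1005)
    print("vulnerable, no session:", readable_ids(get_document_vulnerable, None, ids))
    print("hardened, no session:  ", readable_ids(get_document_hardened, None, ids))
    print("hardened, alice:       ", readable_ids(get_document_hardened, "alice", ids))
```

A check like readable_ids belongs in the application's test suite: every object-returning endpoint should be exercised with no session and with a session that does not own the object.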
#4 — LinkedIn (2021): 700 Million Records
In June 2021, data from 700 million LinkedIn users — approximately 92% of all LinkedIn members at the time — appeared for sale on a hacking forum. LinkedIn maintained this was data scraping, not a breach, but the distinction offered little comfort to affected users.
Data exposed: Email addresses, full names, phone numbers, physical addresses, geolocation records, LinkedIn usernames, profile URLs, work history, genders, connected social media accounts.
How it happened: Attackers exploited LinkedIn's API to harvest user profile data at scale, combining it with data from other sources to create comprehensive profiles.
Impact: The combined dataset enabled highly targeted phishing attacks, social engineering, and identity theft. Professional contact information was particularly valuable for business email compromise (BEC) scams.
Lesson: Information you share on professional networks can be scraped and combined with breach data to create detailed profiles. Limit what you share publicly and be cautious of unsolicited professional communications.
#5 — Facebook (2019): 533 Million Records
Phone numbers and personal data of 533 million Facebook users from 106 countries were posted on a hacking forum in April 2021, though the data was originally scraped in 2019.
Data exposed: Phone numbers, Facebook IDs, full names, locations, birthdates, bios, email addresses (for some users).
How it happened: Attackers exploited Facebook's contact importer feature, which allowed them to look up users by phone number. By systematically querying billions of phone numbers, they matched numbers to accounts.
Impact: The exposed phone numbers were used for SIM swapping attacks, SMS phishing, and social engineering. Since phone numbers are harder to change than passwords, the impact was long-lasting. Check if your phone number was exposed on PR-SAFE.
Lesson: Even data that seems innocuous (like your phone number linked to your name) can be weaponized at scale.
#6 — Marriott International (2014-2018): 500 Million Records
The Marriott breach, which actually originated in the Starwood Hotels reservation system before Marriott's acquisition, went undetected for four years — from 2014 to late 2018.
Data exposed: Names, mailing addresses, phone numbers, email addresses, passport numbers, dates of birth, arrival/departure information, encrypted credit card numbers. For approximately 327 million guests, passport numbers were exposed.
How it happened: Attackers gained access to the Starwood guest reservation database through a remote access trojan (RAT). The compromise persisted through Marriott's 2016 acquisition of Starwood because Marriott failed to audit Starwood's systems.
Impact: Marriott was fined $124 million by the UK ICO under GDPR (later reduced to $23.8 million). Exposed passport numbers raised national security concerns, as the breach was later attributed to Chinese intelligence services.
Lesson: Mergers and acquisitions create security blind spots. Inherited systems inherit their vulnerabilities.
#7 — Zynga (2019): 218 Million Records
The game developer behind FarmVille, Words With Friends, and Draw Something suffered a breach affecting 218 million user accounts.
Data exposed: Usernames, email addresses, login IDs, hashed passwords (SHA-1 with salt), password reset tokens, phone numbers, Facebook IDs.
How it happened: A Pakistani hacker known as "GnosticPlayers" exploited a vulnerability in Zynga's systems to extract the user database.
Impact: SHA-1 hashing, while salted, was already considered weak at the time. Many of the passwords were cracked and used in credential stuffing campaigns against other services.
Lesson: Gaming accounts are not "throwaway" accounts. If you used the same password for a game as for your email, both are now compromised.
#8 — Exactis (2018): 340 Million Records
Data marketing firm Exactis left a database containing 340 million records exposed on a publicly accessible server. The records covered nearly every US adult plus millions of businesses.
Data exposed: Email addresses, physical addresses, phone numbers, interests, habits, number of children, ages, religions, pet ownership, and hundreds of other personal characteristics.
How it happened: An ElasticSearch database was left accessible on the public internet without any authentication. A security researcher discovered it using Shodan, a search engine for internet-connected devices.
Impact: The breadth of personal details enabled extremely targeted phishing and social engineering. An attacker knowing your religion, pet's name, and children's ages can craft devastatingly convincing scams.
Lesson: Data brokers and marketing companies are massive breach risks because they aggregate enormous amounts of personal data with minimal security investment.
#9 — Adobe (2013): 153 Million Records
In October 2013, Adobe revealed that attackers had accessed IDs and encrypted passwords for 38 million active users. It was later discovered that the breach actually affected 153 million records.
Data exposed: User IDs, usernames, email addresses, encrypted passwords, password hints, source code for Adobe products (Photoshop, ColdFusion, Acrobat).
How it happened: Attackers exploited vulnerabilities in Adobe's network to access both user databases and source code repositories. Adobe's password encryption used 3DES in ECB mode — a fundamentally flawed approach that allowed pattern analysis.
Impact: The encrypted passwords were effectively cracked through pattern analysis. Password hints stored in plaintext made cracking even easier. The breach highlighted how bad encryption can be worse than no encryption because it provides a false sense of security.
Lesson: Encryption implementation matters as much as encryption itself. Adobe's approach was textbook-wrong.
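Why ECB-encrypted passwords allow pattern analysis, as an added example that is not part of the original article and is not Adobe's code. The Python standard library has no 3DES, so a small HMAC-based Feistel cipher with the same 8-byte block size stands in for it, and PBKDF2 stands in for a salted password hash; the key, users, passwords and hints are constructed.

```python
import hashlib
import hmac
import os
from collections import defaultdict

BLOCK = 8  # 64-bit blocks, the block size 3DES uses


def _round(key, i, half):
    """Feistel round function (stand-in cipher, not 3DES)."""
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:4]


def encrypt_block(key, block):
    left, right = block[:4], block[4:]
    for i in range(4):
        f = _round(key, i, right)
        left, right = right, bytes(a ^ b for a, b in zip(left, f))
    return left + right


def ecb_encrypt(key, data):
    """ECB: every block is encrypted independently, with no IV and no per-user salt."""
    pad = BLOCK - len(data) % BLOCK
    data += bytes([pad]) * pad
    return b"".join(encrypt_block(key, data[i:i + BLOCK])
                    for i in range(0, len(data), BLOCK))


# Constructed sample table: user -> (password, plaintext hint).
RECORDS = {
    "u1": (b"sunshine1", "weather + 1"),
    "u2": (b"sunshine1", "my usual"),
    "u3": (b"sunshine1", "sun shine one"),
    "u4": (b"k7#Vq!92xLm", ""),
    "u5": (b"sunshineBoat", "boat"),
}
KEY = b"constructed-demo-key"  # one key for the whole table, as ECB storage implies


def store_ecb(records, key):
    return {user: ecb_encrypt(key, pw) for user, (pw, _) in records.items()}


def store_salted_kdf(records, iterations=100_000):
    """Per-user random salt plus a slow hash: equal passwords no longer look equal."""
    stored = {}
    for user, (pw, _) in records.items():
        salt = os.urandom(16)
        stored[user] = salt + hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return stored


def group_identical(stored):
    """Users whose stored value is byte-identical (what an auditor or attacker can see)."""
    groups = defaultdict(list)
    for user, value in stored.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


if __name__ == "__main__":
    ecb = store_ecb(RECORDS, KEY)
    for group in group_identical(ecb):
        # Every hint in the group describes the same password.
        print("same ciphertext:", group, [RECORDS[u][1] for u in group])
    print("u1 and u5 share first block:", ecb["u1"][:BLOCK] == ecb["u5"][:BLOCK])
    print("salted KDF groups:", group_identical(store_salted_kdf(RECORDS)))
```

Without knowing the key, the table still reveals which users share a password and which passwords share an 8-byte prefix, and each plaintext hint in a group narrows the guess for every member of that group.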
#10 — Equifax (2017): 147 Million Records
Perhaps the most consequential breach in history, Equifax — one of the three major US credit reporting agencies — exposed deeply sensitive financial data of 147 million Americans (nearly half the US population).
Data exposed: Social Security numbers, birth dates, addresses, driver's license numbers, credit card numbers (209,000 consumers), dispute documents with personal identifying information.
How it happened: Attackers exploited a known vulnerability in Apache Struts (CVE-2017-5638) that Equifax had failed to patch despite the fix being available for two months. They maintained access for 76 days.
Impact: Equifax paid a $700 million settlement. The breach exposed the fundamental problem with Social Security numbers: they are used as both identifiers and authenticators, cannot be changed, and are now known for half the US population. The consequences of this breach continue to affect victims years later.
Lesson: Patching known vulnerabilities is basic cybersecurity hygiene. Equifax's failure to apply a two-month-old patch cost them $700 million and affected nearly half the country.
#11 — eBay (2014): 145 Million Records
In May 2014, eBay disclosed that a cyberattack had compromised a database containing 145 million user records. The attack went undetected for 229 days.
Data exposed: Encrypted passwords, email addresses, physical addresses, phone numbers, dates of birth.
How it happened: Attackers compromised employee credentials through a phishing attack, then used those credentials to access the user database over a period of several months.
Impact: eBay forced all 145 million users to change their passwords. The breach was notable for the extended dwell time — attackers had access for nearly eight months before detection.
Lesson: Employee phishing training is critical. A single compromised employee account can cascade into a company-wide breach.
#12 — Heartland Payment Systems (2008): 130 Million Cards
Heartland, a major payment processing company, suffered one of the largest credit card breaches in history when hackers stole 130 million credit and debit card numbers.
Data exposed: Credit card numbers, expiration dates, cardholder names, card verification codes.
How it happened: SQL injection attacks gave hackers access to Heartland's payment processing network, where they installed packet-sniffing malware to capture card data as it flowed through the system.
Impact: Heartland paid over $140 million in settlements. The lead hacker, Albert Gonzalez, was sentenced to 20 years in prison — one of the longest sentences for cybercrime at the time.
Lesson: Payment processors are high-value targets because they handle millions of financial transactions. The breach accelerated adoption of end-to-end encryption in payment processing.
#13 — Target (2013): 110 Million Records
The Target breach became a watershed moment for retail cybersecurity, exposing credit card information of 40 million customers and personal information of 70 million more.
Data exposed: Credit/debit card numbers, expiration dates, CVVs, customer names, mailing addresses, phone numbers, email addresses.
How it happened: Attackers first compromised Fazio Mechanical Services, a small HVAC contractor with network access to Target's systems. Using stolen credentials, they installed point-of-sale malware on Target's payment terminals across 1,797 stores.
Impact: Target's CEO and CIO resigned. The company spent over $200 million on breach-related costs. The breach demonstrated how third-party vendor access can be exploited to reach high-value targets — a technique now commonly called a "supply chain attack."
Lesson: Your security is only as strong as your weakest vendor. Third-party access must be tightly controlled and monitored.
#14 — Capital One (2019): 106 Million Records
A former Amazon Web Services employee exploited a misconfigured web application firewall to access Capital One's credit card application data stored on AWS.
Data exposed: Names, addresses, phone numbers, email addresses, dates of birth, self-reported income, credit scores, credit limits, balances, payment history, Social Security numbers (140,000), bank account numbers (80,000).
How it happened: The attacker exploited a Server-Side Request Forgery (SSRF) vulnerability in combination with a misconfigured WAF to access AWS metadata and obtain temporary credentials with excessive permissions.
Impact: Capital One was fined $80 million by the OCC. The attacker, a former AWS employee, was convicted and sentenced to time served plus probation. The case highlighted the risks of cloud misconfigurations.
Lesson: Cloud security is a shared responsibility. Misconfigured cloud resources are one of the most common causes of modern data breaches.
#15 — MOVEit Transfer (2023): 95+ Million Records
The MOVEit breach was not a single incident but a cascade — a zero-day vulnerability in Progress Software's MOVEit file transfer tool was exploited by the Cl0p ransomware gang to breach hundreds of organizations simultaneously.
Data exposed: Varied by organization, but included Social Security numbers, financial records, health data, employment information, and personal identifiers across government agencies, universities, corporations, and healthcare providers.
How it happened: Cl0p exploited a SQL injection zero-day vulnerability (CVE-2023-34362) in MOVEit Transfer to deploy web shells and exfiltrate data from every organization running the vulnerable software.
Impact: Over 2,500 organizations were affected, including the US Department of Energy, Shell, British Airways, the BBC, and numerous state governments. The breach highlighted the catastrophic risk of supply chain vulnerabilities in widely-used enterprise software.
Lesson: Supply chain attacks can compromise thousands of organizations simultaneously. Critical file transfer infrastructure must be hardened and monitored with extreme diligence.
#16 — 23andMe (2023): 6.9 Million Records
Genetic testing company 23andMe suffered a breach that exposed the genetic ancestry data and personal information of 6.9 million customers — about half of the company's user base.
Data exposed: Names, birth years, relationship labels, DNA-relative matches, ancestry reports, self-reported locations, percentage of DNA shared with relatives.
How it happened: Attackers used credential stuffing — testing leaked username/password combinations from other breaches — to access individual accounts. Through the "DNA Relatives" feature, they then scraped data from the relatives of compromised accounts, massively amplifying the impact.
Impact: The breach raised unprecedented privacy concerns about genetic data, which is permanent and shared with biological relatives who did not consent to having their data exposed. 23andMe later filed for bankruptcy in 2024. Check if your credentials were used in the credential stuffing attack on PR-SAFE.
Lesson: Genetic data is the most personal and permanent information you can leak — it cannot be changed and affects your entire biological family. Password reuse enabled the initial breach.
#17 — T-Mobile (2021-2023): Multiple Breaches, 100+ Million Records Total
T-Mobile has been breached so many times that their incidents deserve a collective entry. The 2021 breach alone exposed 76.6 million records, followed by additional breaches in 2022 and 2023.
Data exposed (across incidents): Names, dates of birth, Social Security numbers, driver's license/ID information, phone numbers, IMEI and IMSI numbers, account PINs, addresses.
How it happened: The 2021 breach exploited an unprotected testing environment that provided access to production systems. Subsequent breaches involved API exploitation, SIM swap fraud infrastructure, and employee credential theft.
Impact: T-Mobile agreed to a $500 million settlement in 2022, including $350 million to affected customers and $150 million for security improvements. The exposed SIM-related data (IMEI, IMSI) was particularly dangerous for enabling SIM swap attacks.
Lesson: Repeated breaches indicate systemic security failures. If a company you use has been breached multiple times, consider whether they can be trusted with your data. Always enable a second factor of authentication beyond SMS.
#18 — Uber (2016/2022): 57 Million + Additional Records
Uber was breached in 2016 (exposed in 2017) and again in 2022, making it another repeat offender on this list.
Data exposed (2016): Names, email addresses, phone numbers of 57 million riders and drivers. Driver's license numbers of 600,000 drivers.
Data exposed (2022): Internal Slack messages, source code, financial data, internal documents.
How it happened: The 2016 breach exploited credentials stored in a GitHub repository. The 2022 breach used social engineering — an 18-year-old convinced an Uber contractor to approve a push notification MFA prompt through repeated requests (MFA fatigue attack).
Impact: Uber's former CSO, Joe Sullivan, was convicted of obstruction and failure to report the 2016 breach — a landmark case that established personal criminal liability for security executives who cover up breaches. Uber paid $148 million in settlements.
Lesson: The 2022 breach via MFA fatigue demonstrates why push-based 2FA can be vulnerable. The 2016 coverup shows that hiding breaches has severe legal consequences.
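One way to detect the MFA fatigue pattern described above from authentication logs, as an added example that is not part of the original article. The log line format, the user names and the thresholds are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format: "<ISO timestamp> user=<name> event=push result=<outcome>"
LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=push "
    r"result=(?P<result>approved|denied|timeout)$"
)

# Constructed sample log lines.
SAMPLE_LOG = """\
2026-01-10T09:00:00Z user=alice event=push result=approved
2026-01-10T14:00:00Z user=bob event=push result=denied
2026-01-10T14:00:30Z user=bob event=push result=approved
2026-01-10T22:01:05Z user=contractor7 event=push result=denied
2026-01-10T22:01:40Z user=contractor7 event=push result=denied
2026-01-10T22:02:10Z user=contractor7 event=push result=timeout
2026-01-10T22:03:02Z user=contractor7 event=push result=denied
2026-01-10T22:03:55Z user=contractor7 event=push result=timeout
2026-01-10T22:04:30Z user=contractor7 event=push result=denied
2026-01-10T22:05:12Z user=contractor7 event=push result=approved
"""


def parse_events(log_text):
    """Yield (timestamp, user, result) for every well-formed push line."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["user"], m["result"]


def detect_push_fatigue(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag users with >= threshold rejected prompts inside one sliding window.

    'approved_after_burst' marks the worst case: the burst ended in an approval.
    """
    recent = defaultdict(deque)  # user -> timestamps of recent rejected prompts
    alerts = {}
    for ts, user, result in sorted(parse_events(log_text)):
        q = recent[user]
        while q and ts - q[0] > window:
            q.popleft()  # drop rejections that fell out of the window
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    user, {"user": user, "rejected": 0, "approved_after_burst": False}
                )
                alert["rejected"] = max(alert["rejected"], len(q))
        else:  # approved
            if len(q) >= threshold:
                alerts[user]["approved_after_burst"] = True
            q.clear()  # a normal approval resets the count
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_LOG):
        print(alert)
```

An alert with approved_after_burst set should trigger session revocation and a credential reset for that user, since the approval most likely came from the person being prompted, not from a login they started.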
#19 — Twitch (2021): Entire Source Code + 125 GB Data
Amazon-owned streaming platform Twitch suffered a breach that was unique in its scope — the attackers leaked virtually everything, including the platform's entire source code.
Data exposed: Complete source code, internal tools, creator payout records (showing exactly how much streamers earned), internal security tools, unreleased Amazon game studio projects, encrypted passwords.
How it happened: An internal server misconfiguration allowed the attacker to access and download Twitch's entire codebase and internal data. The attacker posted the 125 GB data dump as a torrent, calling Twitch's community "a disgusting toxic cesspool."
Impact: The payout data was particularly embarrassing, revealing the earnings of top streamers. The source code leak exposed internal tools and potentially undiscovered vulnerabilities. Twitch forced a password reset for all users.
Lesson: Server misconfigurations can expose not just user data but an entire company's intellectual property. Regular security audits are essential.
#20 — Canva (2019): 137 Million Records
Australian graphic design platform Canva was breached by the prolific hacker GnosticPlayers, the same actor behind the Zynga breach.
Data exposed: Usernames, real names, email addresses, city and country of residence, hashed passwords (bcrypt), Google tokens for users who signed in via Google.
How it happened: The attacker exploited a vulnerability in Canva's infrastructure to access and download the user database.
Impact: Canva's use of bcrypt hashing was a positive point — unlike weaker algorithms, bcrypt makes password cracking computationally expensive. However, Google tokens and personal information were still exposed. Canva forced all users to reset passwords.
Lesson: Proper password hashing (bcrypt) significantly mitigates the impact of a breach. All companies should use strong, modern hashing algorithms.
#21 — Cam4 (2020): 10.88 Billion Records
Adult streaming site Cam4 exposed a staggering 10.88 billion records through an unsecured Elasticsearch database — the largest known exposure by record count, though many records were log entries rather than unique users.
Data exposed: Email addresses, sexual orientation, chat transcripts, IP addresses, payment logs, device information, user correspondence.
How it happened: A misconfigured Elasticsearch database was left accessible on the public internet without authentication — a pattern that appears repeatedly in this list.
Impact: Given the sensitive nature of the platform, the exposed data created blackmail and extortion risks for affected users. The inclusion of sexual orientation data made this particularly dangerous for users in countries where homosexuality is criminalized.
Lesson: Sensitive platforms require extra security diligence. Unsecured Elasticsearch and MongoDB databases remain one of the most common causes of massive data exposures.
#22 — Ticketmaster / Snowflake (2024): 560 Million Records
In 2024, the ShinyHunters hacking group breached Ticketmaster (owned by Live Nation) through compromised credentials on the Snowflake cloud data platform, affecting 560 million customers.
Data exposed: Full names, addresses, email addresses, phone numbers, order history, partial payment card data, Ticketmaster account details.
How it happened: Attackers used stolen credentials (obtained via infostealer malware) to access Ticketmaster's Snowflake cloud data environment. The Snowflake accounts lacked multi-factor authentication. The same attack vector was used to breach AT&T, Santander Bank, and over 160 other Snowflake customers.
Impact: The breach exposed the systemic risk of cloud data platforms when basic security controls like MFA are not enforced. Live Nation faced regulatory scrutiny and lawsuits from affected customers.
Lesson: Cloud platforms are only as secure as the credentials used to access them. MFA is not optional for cloud infrastructure — a lesson reinforced by our 2FA guide.
#23 — AT&T (2024): 73 Million Records
In 2024, AT&T confirmed that data from approximately 73 million current and former customers had been found on the dark web, including Social Security numbers.
Data exposed: Social Security numbers, full names, email addresses, mailing addresses, phone numbers, dates of birth, AT&T account numbers, passcodes.
How it happened: The exact attack vector was initially unclear, though AT&T acknowledged the data appeared to be from 2019 or earlier. Additionally, a separate Snowflake-related breach in 2024 exposed call and text records of nearly all AT&T customers.
Impact: AT&T reset passcodes for 7.6 million current customers and offered credit monitoring. The combination of SSNs with other personal details created a comprehensive identity theft toolkit for attackers.
Lesson: Telecommunications companies are high-value targets because they hold both personal data and communication records. Exposed passcodes combined with personal data enable account takeovers.
#24 — Dell (2024): 49 Million Records
In 2024, Dell Technologies confirmed a breach affecting approximately 49 million customers who had purchased Dell products since 2017.
Data exposed: Customer names, physical addresses, Dell order information including service tags, item descriptions, order dates, and warranty information.
How it happened: An attacker claimed to have accessed the data through a Dell partner portal by registering fake company accounts and brute-forcing the system to extract customer data over several weeks.
Impact: While no financial data or passwords were exposed, the detailed purchase and address information enables highly targeted phishing. Attackers can craft convincing emails referencing specific Dell products a customer owns, pretending to be Dell support.
Lesson: Partner and vendor portals are often less secured than primary systems but can provide access to extensive customer data. Read more about how hackers exploit such data in our security guide.
#25 — Change Healthcare / UnitedHealth (2024): 100+ Million Records
In February 2024, the BlackCat/ALPHV ransomware gang attacked Change Healthcare, a subsidiary of UnitedHealth Group that processes approximately 50% of all US medical claims. The breach affected over 100 million individuals.
Data exposed: Health insurance information, medical records, billing and claims data, Social Security numbers, banking information used for claims processing, personal identifiers.
How it happened: Attackers used compromised credentials to access a Citrix remote access portal that lacked multi-factor authentication. Once inside, they deployed ransomware and exfiltrated terabytes of data over nine days.
Impact: The attack disrupted healthcare payment processing across the United States for weeks, delaying prescriptions and medical procedures for millions of patients. UnitedHealth paid a $22 million ransom. The total cost is estimated to exceed $1.6 billion. It was the most impactful healthcare breach in US history.
Lesson: Healthcare data is among the most sensitive and valuable data types. A single missing MFA control on a remote access portal led to the most disruptive healthcare cyberattack in history.
Impact Analysis: What These Breaches Mean for You
Looking at these 25 breaches collectively, several patterns emerge that directly affect your personal security.
Your Data Is Almost Certainly Compromised
The breaches listed above alone account for over 15 billion records. With the global internet population around 5.5 billion, the math is simple: the average person's data appears in multiple breaches. If you have ever had a Yahoo, LinkedIn, Facebook, or Adobe account, your data is in the hands of attackers. Verify your exposure now on PR-SAFE.
Password Reuse Is the Primary Amplifier
Breach after breach, credential stuffing — using leaked passwords to access other accounts — is the mechanism that turns a single breach into a cascade of compromised accounts. The solution is simple: use a unique password for every service. A password manager makes this effortless.
MFA Prevents the Majority of Account Takeovers
Even when passwords are leaked, two-factor authentication blocks unauthorized access. The Change Healthcare and Snowflake-related breaches both occurred because MFA was not enabled. Enable it everywhere.
Breach Detection Is Slow
Many of these breaches went undetected for months or years. Yahoo's breach persisted for two years, the Marriott breach for four years, and eBay's for 229 days. You cannot rely on companies to notify you promptly — proactive monitoring through services like PR-SAFE is essential.
Lessons Learned: How to Protect Yourself
After reviewing the 25 largest breaches in history, here are the actionable lessons that will protect you going forward.
- Check your breach exposure now — Visit PR-SAFE and check every email address, phone number, and username you have ever used. Our breach checking guide shows you how.
- Use unique passwords everywhere — Get a password manager today. It is the single most effective step you can take.
- Enable 2FA on every account — Preferably authenticator-based, not SMS. See our 2FA setup guide for every platform.
- Monitor your credit — With SSNs leaked in multiple breaches, freeze your credit with all three bureaus if you are a US resident.
- Be skeptical of all communications — Breached data makes phishing incredibly convincing. Verify requests through official channels.
- Minimize your data footprint — Delete accounts you no longer use. The fewer places your data lives, the fewer places it can be breached from.
- Stay informed — Follow cybersecurity news and review our comprehensive security guide for ongoing protection strategies.
Remember: You cannot prevent companies from being breached, but you can control how much damage a breach causes to you personally. Unique passwords, 2FA, and regular monitoring transform a breach from a catastrophe into an inconvenience. Take action today — start by checking your exposure on PR-SAFE.