The 10 Biggest Data Breaches in History
Data breaches are nothing new. Since the early 2000s, thousands of companies have suffered attacks that have exposed the data of billions of people. In this article, we review the 10 most impactful breaches in history.
1. Yahoo (2013–2014) — 3 billion accounts
The biggest data breach in history. Yahoo took three years to make the leak public. Emails, hashed passwords, names, birth dates, and security questions were exposed.
Lesson: Even tech giants can fail. The delay in notification was heavily criticized and caused a $350 million drop in the sale price to Verizon.
2. Facebook (2019) — 533 million users
Data from more than 500 million Facebook users appeared on a hacking forum. Phone numbers, full names, locations, birth dates, and email addresses were leaked.
Lesson: Data you voluntarily share on social networks can end up in the wrong hands. Review your privacy settings periodically.
3. LinkedIn (2012 / 2021) — 700 million profiles
In 2012, 6.5 million passwords were leaked, but years later it was discovered that the real figure was 117 million. In 2021, large-scale scraping exposed data from 700 million profiles.
Lesson: Change your passwords periodically, especially if you haven't done so in years.
4. Adobe (2013) — 153 million records
Emails, encrypted passwords (with a weak algorithm), usernames, and password hints in plain text were leaked. The hints revealed worrying patterns.
Lesson: Weak encryption is almost as dangerous as storing passwords in plain text.
5. Equifax (2017) — 147 million people
One of the three largest credit agencies in the U.S. suffered an attack that exposed Social Security numbers, birth dates, addresses, and driver's license numbers.
Lesson: Companies that handle financial data are priority targets. Monitor your credit history.
6. Marriott International (2018) — 500 million guests
The hotel chain discovered that its Starwood reservation system had been compromised since 2014. Names, passports, credit cards, and travel data were exposed.
Lesson: Business mergers can inherit vulnerabilities. Marriott acquired Starwood without detecting the active breach.
7. MySpace (2016) — 360 million accounts
Although MySpace had already lost relevance, the leaked data was still dangerous: many users kept the same passwords on other services.
Lesson: Old accounts that you no longer use are still a risk. Delete them or change their passwords.
8. Twitter/X (2023) — 200 million emails
A database linking email addresses with Twitter accounts was leaked. This facilitated targeted phishing campaigns against specific profiles.
Lesson: Your email address linked to a social network can be used for personalized attacks.
9. Canva (2019) — 137 million users
The popular design tool suffered an attack that exposed usernames, emails, and passwords hashed with bcrypt (at least they used a robust algorithm).
Lesson: Even with strong password hashing, a breach exposes valuable metadata for attackers.
10. Zynga (2019) — 218 million players
The maker of games like FarmVille and Words With Friends saw emails, passwords hashed with SHA-1, phone numbers, and Facebook IDs exposed.
Lesson: Mobile games store more personal data than you imagine.
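The password-storage lessons in items 4, 9, and 10, as an added Python example that is not part of the original article: it audits a credential table for identical stored values, which fast deterministic storage produces, and contrasts that with per-user salted PBKDF2 (a standard-library stand-in for bcrypt). The account rows, function names, iteration count, and the unsalted SHA-1 scheme are constructed assumptions, not details of any breach listed here.

```python
import hashlib, hmac, os
from collections import defaultdict

# Constructed sample rows (email, password, hint); not data from any breach.
ACCOUNTS = [
    ("ana@example.com", "sunshine1", "weather + 1"),
    ("bo@example.com", "sunshine1", "same as work login"),
    ("cy@example.com", "T7#pl-qz!vK", ""),
    ("di@example.com", "sunshine1", "sunny day one"),
]
ITERATIONS = 600_000  # assumed work factor for this example; tune per hardware

def store_unsalted_sha1(password):
    """Weak: fast and deterministic, so equal passwords give equal records."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_salted_pbkdf2(password):
    """Hardened: random per-user salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${key.hex()}"

def verify_salted_pbkdf2(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, key_hex = record.split("$")
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

def build_table(store):
    """Apply a storage function to every constructed account."""
    return [(email, store(pw), hint) for email, pw, hint in ACCOUNTS]

def shared_value_groups(table):
    """Audit: return groups of accounts whose stored value is identical."""
    groups = defaultdict(list)
    for email, stored, hint in table:
        groups[stored].append((email, hint))
    return [members for members in groups.values() if len(members) > 1]

if __name__ == "__main__":
    for name, store in [("unsalted SHA-1", store_unsalted_sha1),
                        ("salted PBKDF2", store_salted_pbkdf2)]:
        groups = shared_value_groups(build_table(store))
        print(f"{name}: {len(groups)} group(s) share a stored value")
        for members in groups:
            print("  ", members)  # every hint here describes the same password
```

Running the same audit against a production credential table is a quick way to confirm that every record carries its own salt: any non-empty result means equal passwords are visible as equal records.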
Common pattern: what do all these breaches share?
- Late detection — Most took months or years to be discovered.
- Reused passwords — The greatest damage wasn't the breach itself, but the domino effect on other services.
- Exposed personal data — Emails, phone numbers, and names are enough to launch phishing attacks.
- Lack of monitoring — Victims didn't know they were affected until much later.
How do you know if you're affected?
The fastest way is to use a breach scanner. With SecuryBlack Breach Scanner you can check your email in seconds, for free and without registration.
If your email appears in any of these leaks, follow the steps in our guide: What to Do If Your Data Appears in a Leak.
Want to better understand how breaches work? Read our article What Is a Data Breach and How Does It Affect You?