The history of data breaches follows one logic: wherever data concentrates, someone will come for it. A billion Indian biometrics. Three billion Yahoo passwords. The financial records of nearly half of the U.S. adult population. Explore the biggest data breaches in history, understand their impact, and find out how to protect yourself against this persistent threat.
A data breach is unauthorized access to sensitive information followed by its theft, exposure, or sale. The history of data breaches stretches back to a telegraph swindle in 1834, long before the internet. But while the technology has changed completely, data thieves’ motives haven’t. Reported breaches in the U.S. jumped from over 1,800 during 2021 to more than 3,300 during 2025, according to findings from the Identity Theft Resource Center.
Read on for 18 of the biggest data breaches in history. Where possible, we list how many people were affected. In some cases, however, only the number of breached records is available, which is often higher because companies store multiple pieces of data for each person (like name, date of birth, and email).
For this reason, and because the true scale of certain breaches remains uncertain or undisclosed, this list should be treated as indicative rather than as a definitive ranking of the world’s largest data breaches.
1. Yahoo (2013-2016)
At its peak, Yahoo was one of the most-visited websites on the internet. It provided email, news, finance, and search, with over 3 billion registered accounts. In 2013, attackers breached every single one of them, according to the BBC, exposing names, email addresses, dates of birth, phone numbers, and even cryptographically hashed passwords. The breach went undetected until 2016, leaving users unaware and unable to take recommended steps to protect themselves.
Separately, the U.S. Department of Justice charged Russian FSB officers and their criminal associates over a second intrusion into Yahoo in 2024 that affected roughly 500 million accounts.
What set this data breach apart
Because the breach went undetected for years, many users never realized they needed to change their passwords. Although Yahoo stored passwords as hashes rather than plain text, hashing does not make passwords impossible to crack. Weak, reused, or commonly used passwords can still sometimes be recovered from stolen hashes, potentially putting other accounts at risk if the same credentials were reused elsewhere.
2. National Public Data (2024)
National Public Data is a background-check company and data broker that assembled personal records on hundreds of millions of people, largely without their knowledge or consent. In 2024, the hacking group USDoD claimed to have stolen 2.9 billion records and initially offered the dataset for $3.5 million before posting a version publicly on dark web forums.
What set this data breach apart
The exposed individuals had never directly shared data with National Public Data and had no account or notification relationship with the company. The leaked files reportedly included names, Social Security numbers, addresses, and phone numbers in pre-aggregated datasets, making them highly useful to identity thieves. For many victims, the first sign of the breach may have been the fraud that followed.
3. Aadhaar (2018)
Aadhaar is the Indian government’s national biometric identity system, the largest of its kind on Earth, according to Wikipedia. It holds the fingerprints, iris scans, and demographic records of over one billion enrolled citizens.
In January 2018, a Tribune India investigation found that access to the personal details of any of the 1.1 billion enrolled citizens could be purchased through WhatsApp for approximately $8. Reporters were able to obtain login credentials that allowed them to look up personal details associated with Aadhaar numbers, including names, addresses, phone numbers, and photographs.
What set this data breach apart
While Indian authorities stated that the core biometric database remained secure, the incident raised serious concerns about how access to sensitive personal data was being managed. Unlike passwords or credit card numbers, biometric identifiers such as fingerprints and iris scans cannot be changed, which is why any potential exposure of such data is considered especially high risk.
4. Shanghai National Police (2022)
In July 2022, a hacker operating as “ChinaDan” posted a sample of 750,000 records on the cybercrime forum Breach Forums and offered the full dataset (approximately 23 terabytes) for 10 bitcoin. According to The Guardian, the seller claimed the database contained records on approximately 1 billion Chinese residents, including names, national ID numbers, addresses, mobile numbers, and criminal case details, as well as information on minors.
What set this data breach apart
According to TechCrunch, the exposure has been attributed to a misconfigured Alibaba Cloud instance that was left publicly accessible without authentication. The Chinese government never officially acknowledged the incident: soon after the breach became public, censors blocked related keywords on Weibo. That suppression prevented the billion people potentially affected from learning their data was compromised, let alone taking action.
5. Ticketmaster (2024)
In May 2024, according to reporting by Wired and Time, the hacking group ShinyHunters accessed a Snowflake cloud storage environment used by Ticketmaster to hold customer data, and exfiltrated records relating to 560 million users, including names, contact details, order histories, and encrypted payment card information. The Ticketmaster data breach was confirmed in a regulatory filing; the stolen dataset subsequently appeared for sale on dark web forums for $500,000.
What set this data breach apart
The attackers didn’t overcome Ticketmaster’s own defenses; instead, they compromised a third-party vendor entrusted with customer data. The fact that card details were encrypted offered relatively strong protection against cracking attempts, but the contact and transaction history was immediately usable for spear phishing attacks against tens of millions of people who had recently purchased tickets.
6. Friend Finder Networks (2016)
Friend Finder Networks operated several adult-oriented dating and social platforms, including AdultFriendFinder.com. In 2016, attackers reportedly exploited a vulnerability to steal 412 million account records spanning more than two decades, according to the BBC. The exposed data included email addresses, hashed passwords, browser information, and last-visit dates — often tied to personal or work email accounts that could be linked back to users’ real identities.
What set this data breach apart
The threat profile in this breach extended far beyond financial fraud. Because the exposed data revealed membership on adult platforms, many victims faced the possibility of blackmail and reputational harm. Someone whose work email appeared in the dataset, for example, could be vulnerable to extortion targeting their career, relationships, or public image, making the breach especially personal and damaging.
7. Myspace (2013-2016)
Myspace dominated early social networking, accumulating hundreds of millions of registered users through the mid-2000s before losing most of its user base to Facebook. In 2016, a hacker known as “Peace” posted more than 360 million Myspace account records for sale on dark web markets, after having stolen them in 2013, according to reporting by USA Today and Time.
The listing was a credential dump: a packaged database of usernames and passwords sold in bulk, typically without notifying the affected platform or its users. Many passwords had been hashed using the outdated SHA-1 algorithm, readily crackable by 2016.
What set this data breach apart
The real target wasn’t a dormant social network. It was password reuse. Most of those 360 million accounts had been inactive for nearly a decade, but their credentials hadn’t changed, and many users had applied the same username and password to active services still in use. A decade-old Myspace password became a live key to email inboxes, banking apps, and cloud storage accounts.
8. Change Healthcare (2024)
Change Healthcare processes roughly 15 billion healthcare transactions a year, including insurance claims, pharmacy payments, and prior authorizations, making it central to U.S. medical billing. According to a report to Congress, in February 2024, the ransomware group ALPHV/BlackCat breached Change Healthcare’s systems and exfiltrated data belonging to 192.7 million individuals, the largest healthcare data breach in U.S. history at the time. UnitedHealth Group paid a $22 million ransom. The attackers published portions of the stolen data anyway.
What set this data breach apart
The stolen records included diagnosis codes, treatment histories, insurance member IDs, and prescription data — data that could be used for medical identity theft, such as filing fraudulent insurance claims or obtaining prescription drugs in a victim’s name. In some cases, false medical records created risks of coverage denials or disrupted treatment.
The operational damage ran in parallel, with hospitals and pharmacies across the country unable to process insurance claims for weeks, and some providers unable to make payroll.
9. Equifax (2017)
Equifax is one of the three major credit bureaus, meaning its data plays a major role in decisions about mortgages, loans, credit cards, and housing. In 2017, attackers exploited a known Apache Struts vulnerability that Equifax had failed to patch, despite a fix being publicly available for months.
The attackers remained inside Equifax’s systems for 78 days before detection, compromising the personal information — including Social Security numbers, birthdates, home addresses, and in some cases driver’s license and credit card numbers — of 145.5 million people.
What set this data breach apart
The damage caused by the Equifax breach was unusually long-lasting because Social Security numbers are extremely difficult to replace. Combined with birthdates and home addresses, they create a powerful identity profile that criminals can use to open fraudulent accounts, file false tax returns, or bypass identity verification checks. Although Equifax ultimately agreed to settlements worth at least $575 million, affected consumers have no true way to “reset” the compromised information, which may continue circulating indefinitely.
10. eBay (2014)
eBay is among the world’s largest peer-to-peer marketplaces, with more than 190 million active buyers globally. In early 2014, attackers used a small number of compromised employee credentials to access a corporate database containing the personally identifiable information of approximately 145 million active users, including names, addresses, dates of birth, phone numbers, and hashed passwords, according to CNBC reporting.
What set this data breach apart
Password hashing adds an important layer of protection, but it doesn’t keep passwords secure forever. Attackers can compare stolen hashes against precomputed rainbow tables to recover weak or reused passwords. When combined with the other personal information exposed in this breach, those cracked credentials created the perfect conditions for widespread account takeovers, not just on eBay, but across other services where victims reused the same login details.
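Added example, not part of the original article: a short Python audit contrasting the fast, unsalted hashing described in the Yahoo, Myspace, and eBay entries with salted, slow password storage. The account names, passwords, common-password list, function names, and iteration count are all constructed or assumed for illustration.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts; alice and bob reuse the same common password.
SAMPLE_USERS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "correct horse battery staple",
    "dave": "qwerty",
}
# Constructed stand-in for a public list of frequently used passwords.
COMMON_PASSWORDS = ["123456", "password123", "qwerty", "letmein"]

PBKDF2_ITERATIONS = 600_000  # assumed work factor; tune for your hardware


def sha1_unsalted(password):
    """Weak storage: one fast, unsalted digest per password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Hardened storage: per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), derived.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, derived_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(derived_hex))


def build_store(users, hasher):
    """Map each user to the value a credential table would hold."""
    return {user: hasher(pw) for user, pw in users.items()}


def shared_value_groups(store):
    """Accounts whose stored values are identical: a sign of unsalted hashing."""
    groups = defaultdict(list)
    for user, value in store.items():
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def matched_by_precomputed_table(store, common_passwords):
    """Accounts whose stored value appears in one precomputed SHA-1 table."""
    table = {sha1_unsalted(p) for p in common_passwords}
    return sorted(user for user, value in store.items() if value in table)


if __name__ == "__main__":
    weak = build_store(SAMPLE_USERS, sha1_unsalted)
    strong = build_store(SAMPLE_USERS, hash_password)
    for name, store in (("unsalted SHA-1", weak), ("salted PBKDF2", strong)):
        print(name)
        print("  identical stored values:", shared_value_groups(store))
        print("  matched by common-password table:",
              matched_by_precomputed_table(store, COMMON_PASSWORDS))
    print("verify alice:", verify_password("password123", strong["alice"]))
```

With unsalted SHA-1, the reused password shows up as two identical stored values and three of the four accounts match a single precomputed table. With a per-user salt, no stored values collide and the same table matches nothing.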
11. Heartland Payment Systems (2009)
Heartland Payment Systems, then the sixth-largest U.S. payment processor, handled more than 100 million transactions monthly for over 250,000 merchants. Attackers exploited an SQL injection vulnerability and installed packet-sniffer malware at a critical point where payment card data briefly traveled unencrypted between a magnetic stripe swipe and its encryption step. The malware remained undetected for months, capturing roughly 130 million card records in real time before each transaction was secured.
What set this data breach apart
The intrusion was ultimately detected, not by Heartland’s own monitoring, but by fraud-pattern alerts from Visa and MasterCard. The orchestrator, Albert Gonzalez, received a 20-year federal prison sentence, the longest identity theft sentence in U.S. history at the time.
The breach established that data in motion through a live payment pipeline was just as vulnerable to attack as data sitting in a stored database, and directly accelerated the payment industry’s eventual transition to EMV chip technology, which does not expose magnetic stripe track data.
12. TJX Companies, Inc. (2003-2007)
TJX Companies is the parent corporation of TJ Maxx, Marshalls, HomeGoods, and Winners (a Canadian department store). Beginning at least as early as 2003, attackers exploited a critical weakness in TJX’s in-store wireless infrastructure: the network still used WEP, an encryption protocol that security researchers had publicly demonstrated could be broken in minutes using freely available tools.
To take advantage of this vulnerability, attackers positioned themselves in store parking lots, intercepted traffic flowing between checkout terminals and company servers, and exfiltrated transaction data undetected, even though prior security audits had already flagged the same vulnerabilities.
When the breach was disclosed in January 2007, TJX estimated 46 million cards had been compromised. According to Wired, forensic investigators eventually traced the intrusion back through years of logs to determine the true figure: as many as 94 million cards.
What set this data breach apart
The gap between the early estimate and the final count reflects two years of silent access through a door that auditors had already marked as wide open. TJX settled with the FTC and paid over $40 million in additional consumer settlements. The case became a catalyst for broad retail adoption of PCI-DSS compliance standards.
13. Anthem (2015)
Anthem (now Elevance Health) was the second-largest health insurance company in the United States at the time, covering roughly 37 million members through affiliated Blue Cross Blue Shield plans.
In early 2015, attackers, later attributed by the FBI to a Chinese state-sponsored group, gained access to Anthem’s database and exfiltrated records on 78.8 million current and former members, including names, Social Security numbers, dates of birth, home addresses, employment details, and annual income. Medical records and payment card data were not affected.
What set this data breach apart
Social Security numbers, combined with employment and income history, don’t expire and can be used to file fraudulent tax returns, open lines of credit, or construct synthetic identities years later. Anthem paid $115 million to settle a related class action, the largest healthcare data breach settlement in U.S. history at the time, according to Reuters.
14. J.P. Morgan Chase (2014)
J.P. Morgan Chase is the largest bank in the United States by assets. In the summer of 2014, attackers used compromised credentials to enter the bank’s network through a single application server that had not been upgraded to two-factor authentication.
According to The New York Times, from that entry point, they moved through 90 servers and ultimately accessed contact information for 76 million households and 7 million small businesses, including names, addresses, phone numbers, and email addresses. No financial account numbers, passwords, or Social Security numbers were accessed.
What set this data breach apart
Because no financial data was exposed, many people initially underestimated the seriousness of the breach. But a verified database containing real names, addresses, phone numbers, and banking relationships for 83 million U.S. households created a valuable resource for spear phishing and targeted fraud. In response, the bank was forced to nearly double its annual cybersecurity budget to around $500 million.
15. Target (2013)
In the weeks before Thanksgiving 2013, attackers obtained network credentials belonging to Fazio Mechanical Services, an HVAC and refrigeration vendor with remote access to Target systems for billing and energy monitoring. Unfortunately, that vendor had broader permissions than the role required, which gave the attackers a foothold inside Target’s internal network.
According to a Senate report, cybercriminals used this access to install BlackPOS (a RAM-scraping malware) on point-of-sale terminals across Target’s retail locations. RAM scrapers extract card data directly from a terminal’s working memory at the moment of a transaction; i.e., before encryption. The breach ultimately exposed payment card data for 40 million customers and personal information for up to 70 million more.
What set this data breach apart
Target paid $18.5 million in a multistate settlement — the largest of its kind at the time. The case became a prime example of digital supply chain risk in retail cybersecurity. Attackers didn’t need to overcome Target’s defenses directly. Instead, they compromised a vendor with existing network access. The breach accelerated the U.S. retail industry’s transition to EMV chip card technology.
16. Conduent (2024-2026)
Conduent is a business process outsourcing company that administers government programs on behalf of state and federal agencies, disbursing child support payments, processing unemployment benefits, and managing healthcare and transit benefit systems.
In early 2025, the company disclosed that attackers had enjoyed undetected access from October 2024 through January 2025. Initial estimates suggested that roughly 4 million individuals were affected. But by February 2026, that number had grown to nearly 25 million. The ransomware group SafePay later claimed responsibility for the attack.
What set this data breach apart
Three months of undetected access gave the attackers ample time to selectively and repeatedly steal data. Many of the affected individuals relied on government assistance programs, making the breach especially concerning because financially vulnerable individuals are often less equipped to detect or recover from identity theft and fraud.
17. U.S. Office of Personnel Management (2013-2015)
The Office of Personnel Management manages federal employment records and conducts security clearance investigations across the U.S. government. According to the International Association of Privacy Professionals, two related intrusions in 2015, attributed to Chinese state-sponsored hackers, affected 22.1 million people.
The breaches followed a 2013 intelligence-gathering operation, impacting federal employees, contractors, job applicants, and, in some cases, their family members and personal references.
The primary targets were SF-86, 85, and 85P forms. These are rigorous questionnaires used in security clearance background investigations, disclosing decades of personal history, foreign contacts, past financial difficulties, and personal vulnerabilities shared with the government in confidence. Certain types of biometric data, such as fingerprints, were also stolen.
What set this data breach apart
A House Oversight Committee investigation concluded that the breach jeopardized U.S. national security for more than a generation. A foreign intelligence service holding these files can identify American officers serving abroad under cover, map leverage points across the federal workforce, and target people with detailed foreknowledge of their lives. And, unlike passwords or account numbers, the exposed fingerprints cannot simply be replaced.
18. TransUnion (2025)
TransUnion is one of the three credit reporting agencies whose files shape access to housing, credit, and employment for hundreds of millions of consumers across the U.S., U.K., Canada, South Africa, and more than 30 other countries. In 2025, the company confirmed that a cyberattack had compromised records belonging to approximately 4.4 million individuals, including personal information. A small subset of this group also had their Social Security numbers exposed.
What set this data breach apart
Credit bureaus are especially attractive targets because they aggregate large amounts of verified personal and financial data. A single TransUnion record, for example, may contain identity details, account information, and credit history — enough to help attackers open fraudulent loans, bypass identity verification, or craft highly convincing phishing and debt collection scams.
To make matters worse, the consequences of a credit bureau breach can persist for years, often surfacing long after the incident fades from public attention.
How did data breaches begin and evolve?
One of the first documented instances of what we would now call a data breach stretches back to 1834, when two brothers named François and Joseph Blanc hacked France’s semaphore telegraph network to intercept Paris stock exchange prices before they reached provincial traders. The scheme ran for two years before a postal worker connected the dots.
Every major element of modern cybercrime was already present: unauthorized access to a data channel, a financial advantage extracted from the information asymmetry, and detection that came far too late.
Early analog hackers (1960s-1970s)
Before digital networks existed, exploiting a communication system meant physical presence, social manipulation, or technical ingenuity with whatever infrastructure was at hand.
In the 1950s and 1960s, “phone phreakers” discovered that specific audio tones could trick telephone switching equipment into routing free long-distance calls. A 1971 Esquire investigation brought the subculture to mainstream attention, and, according to The New York Times, directly inspired a young Steve Jobs and Steve Wozniak to build and sell “blue boxes” (devices used in the phreaking process) before they built their first computer. The culture was more curiosity than serious criminality, but its instincts carried directly into the computer age.
Early internet hacking (1970s-1990s)
Early hacking wasn’t usually focused on stealing personal data or making money. Instead, many early hackers were researchers, students, or hobbyists exploring computer systems and experimenting with what connected networks could do. However, the techniques developed during this era helped lay the groundwork for methods later used in modern cyberattacks and data breaches.
When ARPANET connected the first universities and government research facilities in the late 1960s, it was established without meaningful access controls. The 1971 Creeper program became the first known self-replicating program to spread across the network — something that would later be called a computer worm. In response, developers created Reaper, a program designed to locate and remove Creeper, making it one of the earliest examples of antivirus software.
Then, the 1986 Brain virus, created by two brothers who operated a software shop in Lahore, Pakistan, became the first widely distributed PC virus spread through floppy disks. Originally intended to track unauthorized copies of their medical software, the virus spread far beyond its creators’ expectations and marked an early example of how self-replicating malware could move between systems through infected removable media.
The next major progression was the Morris Worm in 1988 — the first malware to propagate across the internet at scale, crashing an estimated 6,000 machines within hours. Its creator, Robert Morris, became the first person convicted under the Computer Fraud and Abuse Act. By the 1990s, hacking had become a federal matter: Kevin Mitnick, who had been breaking into corporate and government systems for years, was arrested in 1995 in what became the highest-profile cybercrime case of the decade.
The explosion of modern data breaches (2010s)
The 2010s marked a turning point in the scale of data breaches as businesses centralized massive amounts of customer information in cloud-connected systems. A single successful intrusion could now expose millions of records at once. Reported U.S. data breaches rose from 136 in 2005 to more than 1,800 by 2021, reflecting the growing value of digital data and the expansion of online services.
This shift also magnified the consequences of cybersecurity failures. While earlier data leaks often affected smaller groups, centralized databases in the 2010s could expose information belonging to entire populations. Large-scale incidents in countries like India and China demonstrated how a single leak could reveal sensitive data — including identification records, phone numbers, and biometric information — on a national scale.
Are data breaches getting worse?
Data breaches may happen less frequently than before, but they are often more serious. Whether things are getting “worse” depends on whether the measure is frequency or volume. According to research conducted by Gen (the company behind LifeLock), those two numbers may be moving in opposite directions.
The Gen Q3/2025 Threat Report’s Trust and Identity section reveals: “Digital identity theft is clustering around fast-cash products and routine account probing. Criminals are applying for short-term loans and new cards in victims’ names, then testing access to existing bank accounts.”
Breach events increased 76% quarter-over-quarter in Q3 2025, while the total volume of exposed records fell by 81%. Gen is seeing more, smaller incidents, but with a critical shift in what’s being taken. Passwords appeared in over 83% of breach events, giving criminals direct access to existing accounts instead of requiring additional exploitation.
The most damaging breaches in the years ahead may not resemble massive incidents like the Yahoo leaks that exposed billions of records at once. Instead, they may involve smaller, highly targeted credential thefts that quietly grant attackers access to financial accounts, corporate systems, or personal data before victims realize anything is wrong.
Protect yourself from data breaches
Keeping track of where your personal information has landed is increasingly difficult to do manually, especially across the dozens of services that each hold a piece of it. LifeLock Advanced monitors the information that matters most: Social Security numbers, financial accounts, credit activity, and personal details that signal potential identity threats.
Features like dark web monitoring and data breach notifications flag when your credentials or personal details surface in exposed datasets, giving you time to change passwords, contact your financial institutions, or place a credit freeze.
Yes. In 2019, NordVPN confirmed that in early 2018, an attacker had accessed one of its servers in Finland via a third-party data center provider. The company stated there was no evidence that user credentials or personal data were accessed. The incident was notable because, like several other major breaches, the weakness originated not in the company’s own infrastructure but through a vendor relationship.
What is the biggest data breach in history?
By confirmed account count, the largest data breach in history is Yahoo’s 2013 incident, which ultimately affected all 3 billion accounts on the platform. In terms of the scope of personal data exposed, the Aadhaar breach in India, covering more than 1.1 billion enrolled citizens, is comparable in scale.
What was the first data breach?
The earliest recorded case of a data breach dates to 1834, when François and Joseph Blanc exploited France’s telegraph network to intercept Paris stock exchange data before it reached provincial traders. They ran the scheme for two years before a postal worker detected it. The mechanism was pre-digital; the motive, unauthorized access to information, has not changed in nearly 200 years.
How do data breaches usually happen?
Most breaches stem from a handful of recurring weaknesses: misconfigured cloud storage, excessive vendor access permissions, phishing attacks, social engineering, malware spreading through compromised networks, and unpatched software vulnerabilities.
In many historic cases, attackers didn’t need sophisticated techniques. They simply exploited systems, credentials, or infrastructure that organizations failed to properly secure, monitor, or maintain long after known fixes and security updates were available.
Igor Knezevic is a contributing writer for LifeLock. As an experienced researcher, he analyzes data breaches, online scams, and emerging digital threats.