10 Biggest Data Breaches of the Last 10 Years

Counting Down the 10 Biggest Data Breaches of the Last 10 Years

In Uncategorized by bertie

The ‘2010s’ was the decade of the data breach.

In just ten years, hackers gained access to some 38 billion records — as reported by cybersecurity specialists, Risk Based Security.

If that number is hard to comprehend, picture this…

The US population is roughly 330 million, meaning every single one of us has had, on average, 116 personal accounts hacked since 2010. And while many of these are small in scale — soon to be forgotten — a handful of mega-breaches will stick in the memory for decades to come.

Here’s a rundown of the top ten data breaches since 2010.*


*Sidebar: Truth be told, several other big names could have appeared on this list, but some companies failed to report the scale of their data breaches (including Fortnite, 7-Eleven, even the hyper-encrypted WhatsApp) — and we can only list the figures we know.


10. MyFitnessPal

  • Records accessed: 143.6m
  • Reported: March 2018

Under Armour-owned diet and fitness app, MyFitnessPal announced a hack back in March 2018

In a targeted attack, Cybercriminals managed to obtain the usernames, email addresses, and hashed passwords (an encrypted password that still needs cracking before use) of most of its user base.

9. Equifax

  • Records accessed: 147m
  • Reported: September 2017

Credit reporting company Equifax Inc. reported one of the biggest data breaches to-date when it announced a hack in September 2017.  In fact, the hack affected more than 50% of the American population, compromising upwards of 147 million separate accounts.

Hackers stole names, social security numbers, dates of birth, credit card details, even driver’s license information. To make matters worse, a revelation came to light that Equifax may have known about the potential vulnerability in its IT network.

Yet, the company failed to implement the necessary security patches.

As a result, Equifax had to pay a $700m consumer settlement owing to how it handled the incident — despite the fact, there were no reported signs of any data for sale on the dark web.

8. Dubsmash

  • Records accessed: 161.5m
  • Reported: February 2019

In a more recent incident, the video messaging platform Dubsmash revealed a data breach in which almost 162 million user accounts were compromised. 

Hackers accessed the names, email addresses, and hashed passwords of account holders, with the information appearing for sale on the dark web in February: two months after the data breach itself (which happened December 2018).

The Dubsmash hack was part of a vast data dump of more than 600m accounts — stemming from 16 separate websites.

7. Deep Root Analytics

  • Records accessed: 198m
  • Reported: June 2017

In June 2017, a group of independent researchers discovered that the personal information of 198 million American voters was freely available on a public server.

But how did this come to pass? 

Well, the Republican National Committee had hired Deep Root Analytics to support its digital activities, and it appears the marketing firm subsequently failed to keep the sensitive voter information adequately secure. Reports state that anyone could access Deep Root’s cloud server for around 12 days, finding home addresses, dates of birth, phone numbers, even political opinions.

It’s a timely lesson in the risks of cloud-based computing.

6. Zynga

  • Records accessed: 218m
  • Reported: September 2019

On September 12th, 2019, a lone hacker stole the login credentials of some 218 million users of popular Zynga games “Draw Something” and “Words with Friends.”

Alongside the login details, the cyberthief found the email addresses, Facebook IDs, and phone numbers of users who had installed either of the games pre-September 2nd — with Zynga announcing the breach ten days later.

5. Exactis

  • Records accessed: 340m
  • Reported: June 2018

Exactis had kept a relatively low profile for much of its life. 

All-the-while, the marketers and data aggregators had been stealthily building a database of hundreds-of-millions of Americans and businesses. Then, in June 2018, Wired magazine reported that a security researcher had discovered the information on an unsecured server. 

In total, Exactis had put roughly two terabytes of data into the public domain: a leak that included email and home addresses, phone numbers — as well as deeply personal information like hobbies and the number of children in a household.

4. Starwood

  • Records accessed: 383m
  • Reported: November 2018

If you don’t know the Starwood name, you’ll likely recognize the Marriott brand. 

In November 2018, the global hotel operator released news of a hack in which the names, addresses, passport numbers, and personal contact details of almost 400 million customers who had previously stayed at any Starwood property had been accessed in a significant breach.

Marriott acquired Starwood in 2016 and revealed that ongoing breaches of Starwood’s guest reservation database might have started as early as 2014.

3. Veeam

  • Records accessed: 445m
  • Reported: September 2018

Perhaps the most ironic breach: a data management firm caught red-handed … mishandling customer data.

In Q3 2018, Swiss firm Veeam admitted that one of its databases was “mistakenly left visible to unauthorized third-parties”: a faux pas that put 445 million public records, including names, email addresses, and IP addresses, in the public domain for some ten days.

Veeam went on to state that most of the records were duplicates, with only 4.5m unique details actually exposed — nevertheless, it was a costly human error.

2. River City Media

  • Records accessed: 1.37bn
  • Reported: March 2017

Scaling things up several-fold, email marketers River City Media hit the headlines in 2017 when it lost as many as 1.37 BILLION records owing to an incorrectly configured data backup.

A mistake meant the whole database was accidentally published online, with details ranging from IP addresses, names, and physical addresses hitting the public domain. Some questioned how River City Media had come to own so much information on billions of people in the first place… 

Suffice to say; opinions varied on the matter.

1. Yahoo

  • Records accessed: 3bn-plus
  • Reported: September & December 2016

How does one of the earliest darlings of the internet go on to compromise the personal data of over 3 billion users?

By reporting not one, but two separate incidents — all within the space of three months. Yahoo waited until September 2016 to announce an initial breach from 2014, which exposed the details of at least 500 million of its users … then, in December 2016, confirmed a second breach in 2013 had exposed at least 1 billion other accounts.

Users had their names, email addresses, telephone numbers, and dates of birth exposed to hackers. In a twist of the tale, Verizon acquired Yahoo in 2017 and confirmed the 2013 attack did, in fact, compromise all 3 billion Yahoo users

…and the incident has cost Yahoo $117.5m due to poor communications surrounding the breaches.


Data breaches will continue to be a cybersecurity trend in 2020: keep your customer data secure by giving Mid-Coast Tech a call on 207-223-7613.