The 15 Most Devastating Data Breaches in History

From nation-state cyberattacks to corporate security failures, these breaches exposed billions of records and reshaped global cybersecurity practices.
1. Mother of All Breaches (MOAB) (2024)
Records Affected: 26 billion (aggregate)
Type: Massive data aggregation
Key Details:
- Discovered by Security Discovery researcher Bob Diachenko in January 2024.
- Combined 3,876 databases from previous leaks (e.g., Tencent, LinkedIn, Twitter) stored on an unsecured server.
- Included passwords, emails, IP addresses, and payment logs.
Impact: Enabled unprecedented credential-stuffing attacks and identity theft globally[4][9].
2. Yahoo (2013–2016)
Records Affected: 3 billion
Type: State-sponsored espionage
Key Details:
- Russian hackers infiltrated Yahoo via forged cookies and backdoors.
- Exposed names, birthdates, passwords, and security questions.
Aftermath: Reduced Verizon’s acquisition price by $350M; $35M SEC fine[1][4][16].
3. Equifax (2017)
Records Affected: 147 million
Type: Unpatched vulnerability
Key Details:
- An exploited Apache Struts flaw exposed SSNs, credit card details, and addresses.
- Caused a 20% stock drop and $700M in settlements.
Legacy: Catalyzed stricter credit bureau regulations in the U.S.[2][8][13].
4. FriendFinder Networks (2016)
Records Affected: 412 million
Type: Plaintext storage negligence
Key Details:
- AdultFriendFinder and Penthouse databases breached via SQL injection.
- Exposed 20 years of sexual preferences, emails, and IP addresses.
Fallout: Led to extortion campaigns and suicides linked to leaked data[1][17].
5. Marriott (2018)
Records Affected: 500 million
Type: Chinese state-sponsored attack
Key Details:
- Attackers had access to Starwood Hotels’ reservation system for 4 years.
- Leaked passport numbers and travel histories of diplomats/CEOs.
Penalty: $123M GDPR fine for delayed breach disclosure[8][18].

6. Heartland Payment Systems (2008)
Records Affected: 130 million
Type: SQL injection
Key Details:
- Sniffer malware stole credit card data from 250,000+ merchants.
- Mastermind Albert Gonzalez later sentenced to 20 years.
Impact: Spurred PCI DSS compliance mandates[5][8].
7. Alibaba (2019)
Records Affected: 1.1 billion
Type: Unsecured developer API
Key Details:
- User data was scraped from the Chinese e-commerce giant’s Taobao platform.
- Included purchase histories and device identifiers.
Outcome: Forced China’s Personal Information Protection Law (PIPL)[15].
8. WannaCry Ransomware (2017)
Records Affected: 200,000+ systems
Type: NSA exploit weaponization
Key Details:
- North Korea-linked Lazarus Group used EternalBlue to cripple NHS hospitals.
- Caused $4B+ in global damages.
Legacy: Highlighted risks of government stockpiled vulnerabilities[7][18].
9. Saudi Aramco (2012)
Records Affected: 35,000 workstations
Type: Wiper malware (Shamoon)
Key Details:
- The Iranian “Cutting Sword of Justice” group erased the oil company’s data.
- Disrupted 10% of global oil supply for months[6][12].
10. US Office of Personnel Management (2015)
Records Affected: 22 million
Type: Chinese espionage
Key Details:
- Stole security clearance files, fingerprints, and SF-86 forms.
- Enabled blackmail of CIA/FBI agents.
Fallout: $1B+ cost to replace federal ID systems[6][15].
11. SolarWinds (2020)
Records Affected: 18,000+ organizations
Type: Supply chain attack
Key Details:
- Russian APT29 compromised Orion software updates.
- Breached Microsoft, FireEye, and U.S. government agencies.
Cost: $90M+ in recovery for Fortune 500 firms[18].
12. Cambridge Analytica/Facebook (2018)
Records Affected: 87 million
Type: Data misuse
Key Details:
- Harvested psychographic profiles via “This Is Your Digital Life” quiz.
- Weaponized for 2016 U.S. election microtargeting.
Penalty: $5B FTC fine against Facebook[14][17].
13. Colonial Pipeline (2021)
Records Affected: Operational shutdown
Type: Ransomware (DarkSide)
Key Details:
- Forced first-ever U.S. national fuel emergency declaration.
- Paid $4.4M ransom in Bitcoin (later partially recovered).
Reform: Mandated TSA cybersecurity rules for pipelines[15].
14. Exactis (2018)
Records Affected: 340 million
Type: Public database exposure
Key Details:
- The marketing firm leaked profile fields such as pet ownership, smoking habits, and net worth.
- The data was found on an unsecured Elasticsearch server.
Risk: Enabled hyper-targeted social engineering[1].
15. LinkedIn Scraping (2021)
Records Affected: 700 million
Type: API exploitation
Key Details:
- A hacker using the alias “God User” sold datasets including geolocation and salaries.
- Fueled surge in CEO fraud and spear phishing.
Outcome: GDPR probe into Microsoft’s acquisition due to lax oversight[4][17].
Key Trends & Lessons
- Supply Chain Vulnerabilities: The SolarWinds and MOVEit breaches exploited trusted vendors.
- Ransomware Militarization: Attacks on healthcare (WannaCry) and infrastructure (Colonial) show life-threatening stakes.
- State-Sponsored Espionage: China’s OPM hack and Iran’s Shamoon set precedents for cyber warfare.
- GDPR Domino Effect: Post-2018, global fines surpassed $4B, forcing CCPA/LGPD adoption.
Protection Strategies
- Zero-Trust Architecture: Assume breaches; validate every access request.
- Multifactor Authentication (MFA): Blocks 99.9% of credential-stuffing attacks.
- Automated Patching: Heartland and Equifax breaches stemmed from unpatched flaws.
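The zero-trust and MFA strategies above are aimed at the credential stuffing that aggregated leaks like MOAB feed. As an added example (not code from this article or any of the cited sources), the following Python script shows the detection side: it scans authentication log lines for a source that fails against many distinct usernames in a short window, which is the signature that separates stuffing from one user mistyping a password, and then lists the accounts that nonetheless logged in successfully from that source so they can be forced through MFA or a reset. The log format, IP addresses, and usernames are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log lines (not real data); the format is invented for this example.
SAMPLE_LOG = """\
2024-01-22T10:00:01Z auth login result=fail user=alice src=203.0.113.7
2024-01-22T10:00:02Z auth login result=fail user=bob src=203.0.113.7
2024-01-22T10:00:02Z auth login result=fail user=carol src=203.0.113.7
2024-01-22T10:00:03Z auth login result=fail user=dave src=203.0.113.7
2024-01-22T10:00:03Z auth login result=fail user=erin src=203.0.113.7
2024-01-22T10:00:04Z auth login result=success user=frank src=203.0.113.7
2024-01-22T10:00:04Z auth login result=fail user=alice src=198.51.100.4
2024-01-22T10:00:09Z auth login result=fail user=alice src=198.51.100.4
2024-01-22T10:00:15Z auth login result=success user=alice src=198.51.100.4
2024-01-22T10:05:00Z auth login result=success user=grace src=192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth login result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ"),
        "result": m.group("result"),
        "user": m.group("user"),
        "src": m.group("src"),
    }


def find_stuffing_sources(log_text, window=timedelta(seconds=60), min_users=5):
    """Return {src_ip: set_of_usernames} for every source that produced failed logins
    against at least min_users distinct usernames inside one sliding time window.
    Breadth across usernames (not volume alone) is the stuffing signal; a single
    user retrying their own password never trips this."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    fails_by_src = defaultdict(list)
    for e in events:
        if e["result"] == "fail":
            fails_by_src[e["src"]].append(e)

    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = users
                break
    return flagged


def compromised_logins(log_text, flagged):
    """Successful logins coming from a flagged source: these are the accounts whose
    reused password worked and which should be stepped up to MFA or reset."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return sorted(
        {(e["user"], e["src"]) for e in events
         if e["result"] == "success" and e["src"] in flagged}
    )


if __name__ == "__main__":
    flagged = find_stuffing_sources(SAMPLE_LOG)
    for src, users in flagged.items():
        print(f"stuffing source {src}: {len(users)} distinct usernames tried")
    for user, src in compromised_logins(SAMPLE_LOG, flagged):
        print(f"step-up/reset required: {user} logged in from {src}")
```

On the sample data the script flags 203.0.113.7 (five usernames in a few seconds) and reports that `frank` authenticated from it, while 198.51.100.4, which only retried `alice`, is left alone. In a real deployment the thresholds would be tuned per environment and the detector would read from the SIEM rather than a string, but the distinct-username-per-source logic is the part that carries over.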
As NSA veteran Richard Clarke warned: “The next Pearl Harbor could be a cyberattack.” These breaches underscore the urgent need for proactive defense.
Citations:
[1] https://www.upguard.com/blog/biggest-data-breaches-us
[2] https://www.purdueglobal.edu/blog/information-technology/worst-data-breaches-infographic/
[3] https://www.csoonline.com/article/534628/the-biggest-data-breaches-of-the-21st-century.html
[4] https://nordvpn.com/blog/biggest-data-breaches/
[5] https://www.indusface.com/blog/notorious-hacks-history/
[6] https://en.wikipedia.org/wiki/List_of_security_hacking_incidents
[7] https://www.pentestpeople.com/blog-posts/the-top-5-most-dangerous-cyber-attacks-of-all-time
[8] https://brightsec.com/blog/the-top-10-notorious-hacks-of-all-time/
[9] https://en.wikipedia.org/wiki/List_of_data_breaches
[10] https://www.fbi.gov/investigate/cyber/major-cases
[11] https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
[12] https://www.fortinet.com/resources/cyberglossary/most-notorious-attacks-in-the-history-of-cyber-warfare
[13] https://www.spanning.com/resources/largest-data-breaches-us-history/
[14] https://www.phinsec.io/blog/worst-breaches-in-history
[15] https://www.csis.org/programs/strategic-technologies-program/significant-cyber-incidents
[16] https://www.sunmark.org/connect/sunmark-360/12-worst-data-breaches-last-decade
[17] https://termly.io/resources/articles/biggest-data-breaches/
[18] https://blog.netwrix.com/biggest-cyber-attacks-in-history