The 75 Biggest Data Breaches (2 Million Records and Up)

Learn about the most significant data breaches, including incidents where hackers siphoned billions of personal records.


Our list of the biggest data breaches is ranked by the number of records siphoned by hackers or left unsecured in a public database. This doesn't equate to the number of people affected, since one individual can have multiple records (name, address, phone number, social security details).

We've sorted this list in descending order, so the most significant breaches come first and the smaller ones follow. Let's dive in.

1. CAM4 (March 2020) – 10.88 billion records

Data included user names, sexual orientations, email and chat transcripts, and payment logs from an adult cam site’s leaky database.

2. Chinese Database (June 2025) – 4 billion records

Billions of documents with financial data, WeChat and Alipay details, as well as other sensitive personal data, were exposed to the public.

3. Yahoo (August 2013) – 3 billion accounts

Yahoo’s entire user database was compromised in 2013 (initially disclosed as 1B and later revised to all 3B accounts), exposing account details including names, emails, phone numbers, birthdates, and security questions (hashed passwords were obtained, not plaintext).

4. National Public Data (April 2024) – 2.9 billion records

A subsidiary of Jerico Inc. had a cache of 2.9 billion public records files breached and sold on the dark web, containing names, addresses, dates of birth, Social Security numbers, and other personally identifiable information (PII).

5. Aadhaar (January 2018) – 1.1 billion records

In a reported breach of India’s biometric ID program, an undercover purchase allowed access to the Aadhaar database, revealing names, contact information, photographs, and personal details of virtually all enrolled Indians.

6. Alibaba Taobao (2019–2020) – 1.1 billion records

An employee of a contractor scraped eight months’ worth of Taobao e-commerce user info (user IDs, mobile numbers, etc.), accumulating over a billion data points before the activity was detected.

7. Shanghai Police Database (July 2022) – 1 billion records

A hacker offered data from a Shanghai police database (23TB worth) containing the names, national ID numbers, birthplaces, addresses, phone numbers and crime records of roughly 1 billion people.

8. LinkedIn (June 2021) – 700 million users

A data scraping incident led to a leak of profile data for over 90% of LinkedIn’s user base. Information in the sale included member IDs, names, email addresses, phone numbers, genders, job titles and other profile details.

9. Ticketmaster (May 2024) – 560 million customers

Hackers from the ShinyHunters group claimed to have stolen names, emails, phone numbers, order histories and partial payment card data from the ticketing giant’s cloud environment. 

10. Facebook (April 2019) – 533 million users

The personal records of over half a billion Facebook users were leaked, including full names, Facebook IDs, phone numbers, locations, birth dates, biographies, and email addresses.

11. Sina Weibo (March 2020) – 538 million users

China’s Weibo social network confirmed hackers sold a dataset containing user profile info for 538M Weibo users. The records included nicknames, genders, locations and phone numbers for 172M users (passwords were not leaked in this incident).

12. Yahoo (late 2014) – 500 million accounts

In a separate breach, Yahoo saw 500M user accounts hacked (disclosed in 2016). Stolen data included users’ names, email addresses, telephone numbers, birth dates, and hashed passwords (using bcrypt), as well as security questions and answers.

13. Marriott/Starwood Hotels (2014–2018) – 500 million guests

A long-running intrusion into the reservation system of Starwood (acquired by Marriott) exposed records on half a billion guests. Personal information – including names, mailing addresses, phone numbers, email addresses, passport numbers, birth dates, and travel details – was stolen, and some records contained encrypted credit card data.

14. FriendFinder Networks (October 2016) – 412 million accounts

A breach of adult dating networks (AdultFriendFinder, Cams.com, Penthouse etc.) exposed 20 years of user data, totalling 412 million accounts. The leaked info included usernames, emails, passwords (many stored in plaintext or weakly hashed), and site membership data.

15. MySpace (June 2013, disclosed May 2016) – 360 million accounts

An old MySpace user database from before a 2013 site relaunch was stolen and put up for sale. The dump contained emails and passwords for approximately 360M accounts (stored as unsalted SHA-1 hashes, many of which were later cracked).

16. Exactis (June 2018) – 340 million records

A data broker’s publicly accessible server exposed a marketing database with close to 340M individual records (and millions of business records). Each entry contained extensive personal details – phone numbers, home addresses, emails, number of children, ages, interests and other profiling fields – though not financial account or SSN data.

17. Wattpad (June 2020) – 268 million accounts

The user-generated fiction site suffered a breach impacting 268M users. Hackers obtained a database with usernames, hashed passwords, email and IP addresses, and birthdates, which was later leaked online.

18. Facebook (2020) – 267 million users

In 2020, a database of 267 million Facebook users’ information (IDs, names and phone numbers) was found exposed on the internet without a password. The records – primarily of Facebook users in the US – were likely scraped via Facebook’s API and posted to a hacker forum.

19. Twitter (Jan 2023 disclosure) – 235 million accounts

Data scraped via a 2021 API flaw—including handles, emails and, in many cases, phone numbers—was posted on a hacker forum, allowing anonymous profiles to be linked to real identities. 

20. Brazil Citizen Database (Jan 2021) – 223 million people

Personal information on virtually all Brazilian citizens (around 223M individuals, including deceased) was leaked on a hacking forum. The data (allegedly from credit bureau Serasa Experian) included names, taxpayer IDs (CPF numbers), birth dates, and other ID details for millions of Brazilians.

21. Zynga (September 2019) – 218 million accounts

A Pakistani hacker known as Gnosticplayers breached Zynga’s database for the popular "Words With Friends" game, stealing names, usernames, email addresses, phone numbers, Facebook IDs and bcrypt-hashed passwords for 218M player accounts.

22. Apollo / People Data Labs (October 2018) – 212 million contact records

An enormous data-enrichment repository was left unsecured, containing 212M contact listings with ~9 billion data points. The exposed data – later traced to People Data Labs and Oxygene (Apollo) – included personal and professional details (names, email addresses, employers, titles, social media profiles, etc.) aggregated from multiple sources.

23. Deep Root Analytics (June 2017) – 198 million U.S. voter records

A contractor for the U.S. Republican National Committee left a database of 198M voter registration records exposed on an Amazon server. The 1 terabyte dataset covered personal information and voter profiling data for roughly every registered voter in the U.S. (names, addresses, birthdates, voter IDs, party affiliation, turnout history, etc.).

24. U.S. Voter Database (December 2015) – 191 million voter records

An independent security researcher discovered an unsecured database containing detailed info on 191M U.S. voters. The huge data set (over 300GB) appeared to be a compiled national voter file – including names, dates of birth, addresses, phone numbers, party affiliations and voting history for registered voters across 50 states.

25. LinkedIn (June 2012) – 165 million accounts

LinkedIn was initially hacked in 2012 (6.5M password hashes posted at the time), but in 2016 hackers sold a much larger dataset of 165M LinkedIn users’ credentials. The breach included email addresses and SHA-1 hashed passwords (unsalted), which led to widespread account compromises.

26. Dubsmash (December 2018) – 162 million accounts

The video-messaging app was hacked in 2018, and 162M usernames, email addresses and hashed passwords were stolen. The data was later sold on the dark web as part of a multi-company credential dump in early 2019.

27. Adobe (October 2013) – 152 million user records

Adobe’s network was breached and account data for at least 152M users was stolen. The trove included Adobe IDs, email addresses, and encrypted passwords (and password hints). (Originally Adobe reported 38M, but the number proved far higher when the data appeared on hacking sites.)

28. MyFitnessPal (February 2018) – 150 million accounts

The popular fitness and nutrition app was breached, exposing usernames, email addresses, and bcrypt-hashed passwords for 150M users. (No payment data or location data were impacted.)

29. Equifax (May–July 2017) – 147 million people

One of the largest credit-reporting agencies was hacked, reportedly by China-linked actors. In one of the most damaging breaches ever, attackers accessed names, Social Security numbers, dates of birth, addresses and some driver’s license numbers of 145.5M Americans (and even a few hundred thousand credit card numbers).

30. Canva (May 2019) – 139 million accounts

The graphic design platform Canva was attacked, with hackers stealing ~139M users’ data. The breach exposed names, usernames, email addresses, city and country information, and hashed passwords (bcrypt) for users, as well as Google tokens for some users’ Google integrations.


31. Heartland Payment Systems (2008) – 130 million card numbers

A major U.S. card payment processor was breached by cybercriminal Albert Gonzalez and associates. Malware planted on Heartland’s network siphoned approximately 130M unique credit and debit card numbers (plus cardholder names and expiration dates) over many months, in what was then the largest theft of payment cards on record.

32. Huazhu Hotels (China, August 2018) – 130 million customers

A massive breach at Huazhu Group (which operates hotel brands in China such as Ibis, Novotel, Mercure) led to 130M hotel guests’ data being offered for sale on the dark web. Leaked information reportedly included guests’ names, mobile numbers, identity card numbers, and booking details spanning several years.

33. Capital One (Jul 2019) – 106 million U.S. & Canadian customers

A misconfigured AWS firewall let an ex-AWS employee grab names, addresses, phone numbers, dates of birth, credit scores, and ~140k SSNs and 80k linked bank-account numbers.

34. Evite (February 2019) – 101 million accounts

The online invitation service Evite confirmed a breach after 101M user records showed up for sale on a dark web marketplace. Exposed data included names, usernames, email addresses, passwords (hashed), dates of birth, phone numbers and mailing addresses.

35. VKontakte (VK.com, 2012) – 100 million accounts

Russia’s largest social network was breached in 2012 (though disclosed in 2016). Hackers obtained a database of 100M VK users, including email addresses, usernames, and plaintext passwords for tens of millions (since VK at the time stored many passwords unhashed).

36. TJX Companies (2005–2007) – 94 million payment cards

Retailers T.J. Maxx, Marshalls, and others (TJX parent company) were breached by hackers who exploited weak in-store Wi-Fi security. Over 18 months they stole at least 94M unique credit/debit card numbers, plus personal information for 450k customers, in an unprecedented retail data heist discovered in 2007.

37. Mexican Voter Database (April 2016) – 93.4 million records

A 132GB database containing Mexico’s entire voter registry was left publicly accessible in the cloud. The data (later taken down by authorities) included names, addresses, national voter IDs, and other details on 93.4 million Mexican voters, representing virtually all of Mexico’s electorate.

38. MyHeritage (October 2017) – 92 million accounts

In 2018, the genealogy site MyHeritage disclosed that an external researcher found a file containing 92,283,889 users’ email addresses and hashed passwords. (No DNA or raw genetic data were stored in the compromised database.) The breach date was traced to late October 2017.

39. Tokopedia (March 2020) – 91 million accounts

Indonesia’s largest online marketplace was breached in 2020, and the records of 91 million users (names, emails, and SHA2-hashed passwords) were later found for sale on a hacker forum. Tokopedia forced password resets after the incident.

40. Facebook–Cambridge Analytica (2013–2015) – 87 million users

In a notorious privacy scandal, a political consulting firm harvested Facebook profile data on up to 87M users via a quiz app. The data – which included users’ identities, friend networks, and “Likes” – was used for targeted political advertising. (This was an abuse of Facebook’s API, and not a traditional external hack, but is one of the largest data misuse incidents on record.)

41. Dailymotion (October 2016) – 85 million accounts

The French video-sharing site was hacked, and approximately 85M user accounts were compromised. The breach dump contained 87 million email addresses and usernames, and about 18 million accounts’ passwords (hashed with Bcrypt) were included in the leak.

42. JPMorgan Chase (Jun–Aug 2014) – ≈ 83 million households & small businesses

Attackers used compromised employee credentials to raid a data center, collecting customer names, emails, addresses and phone numbers—the biggest U.S. bank breach on record. 

43. Sony PlayStation Network (April 2011) – 77 million accounts

Sony’s PSN suffered a major breach in 2011, compromising the personal data of 77M gamers. Hackers obtained PSN account details including names, email addresses, handles, passwords, security questions, and possibly purchase histories. Sony stated that credit card info was encrypted and not confirmed stolen, but the network was shut down for weeks. (This remains one of the largest console network breaches.)

44. Nitro PDF (September 2020) – 77 million records

Nitro, a popular PDF services firm, was breached, and a 14GB database with roughly 77M user records was stolen. It contained names, email addresses, bcrypt-hashed passwords, titles, company names and IP addresses for users of Nitro’s cloud services.

45. Neopets (Jul 2022) – 69 million user accounts

An attacker took source code plus a database with usernames, passwords, birth-dates, emails, zip codes and gender info from the long-running virtual-pet site. 

46. Dropbox (mid-2012) – 68 million accounts

In 2016 Dropbox disclosed that an old 2012 breach was much larger than thought – attackers had stolen 68,680,741 users’ credentials. The dump included email addresses and hashed passwords (SHA-1 with salt) for about 68M users. Dropbox had already forced a password reset for all impacted accounts by the time the data surfaced.

47. Uber (October 2016) – 57 million users

Uber’s systems were hacked in 2016 and the names, email addresses and mobile phone numbers of 57M riders and drivers were taken. Uber infamously paid the hackers $100K to suppress the breach instead of disclosing it. (Only in late 2017 did Uber admit that, in addition to rider data, about 600k drivers’ license numbers were also stolen.)

48. Philippines Voters (COMELEC, March 2016) – 55 million voters

Hacktivist groups penetrated the Philippine Election Commission and leaked a massive database containing the personal information of about 55M registered Filipino voters. The data dump (dubbed “Comeleaks”) included voters’ full names, birth dates, addresses, and in some cases passport and fingerprint data – one of the largest government breaches ever in terms of individuals affected.

49. Epsilon (March 2011) – 50–60 million emails leaked

Attackers breached email marketing giant Epsilon, accessing consumer email lists for 100+ client companies. The final tally was never confirmed, but estimates put it around 60M unique email addresses (with associated customer names). Major brands like Chase, Best Buy, Marriott, and others notified customers that their name and email had been stolen. The breach led to a wave of phishing attacks but no passwords or financials were taken.

50. Turkish Citizenship Database (2016) – 49.6 million citizens

In 2016, a voter/citizenship database allegedly from Turkey’s government was leaked online. The 6.6GB SQL file contained detailed personal data on 49.6M Turkish citizens – including national ID numbers (TC Kimlik No), full names, parents’ names, genders, birth dates, city of birth, and full addresses.

51. T-Mobile (August 2021) – 48 million people

In a 2021 attack, hackers stole records of ~40M past or prospective customers (and ~8M current postpaid customers) from T-Mobile’s servers. Exposed data included full names, dates of birth, SSNs, driver’s license/ID numbers, phone numbers, as well as account and PIN information for some accounts.

52. Malaysia Telco Data (2017) – 46 million mobile subscribers

In what authorities called Malaysia’s worst-ever data breach, sensitive data on 46M Malaysian mobile phone service customers was leaked online. The data (from all major Malaysian telcos) included customers’ mobile numbers, SIM card serial numbers, device details, and billing information (name, billing address, etc.), essentially the entire Malaysian cellular user base.

53. Weebly (February 2016) – 43 million users

The DIY website builder Weebly was breached in 2016, and 43.4M user accounts were stolen. The stolen database contained usernames, email addresses, and passwords hashed with bcrypt. The breach was disclosed to users in October 2016, and no abuse of the data was widely reported.

54. ShareThis (July 2018) – 41 million users

The social sharing widget company ShareThis was hacked in 2018, and data for 41M users was later sold on the dark web. The breach included names, email addresses, ages, and hashed passwords. (ShareThis confirmed the incident and forced password resets in early 2019.)

55. UK Electoral Commission (2018–2021) – 40 million voters’ data

In 2023, Britain’s Electoral Commission revealed that attackers had infiltrated its systems and had access to copies of the UK electoral registers for 2018-2020, affecting around 40M individuals. Exposed data included voters’ names and home addresses (but not vote results). The attackers went undetected for over a year.

56. Chegg (April 2018) – 40 million accounts

Online education firm Chegg had a database of ~40M users compromised in 2018. Names, email addresses, usernames, shipping addresses, and hashed passwords were stolen. (Chegg suffered additional breaches in 2019 and 2020, prompting an FTC action over its security practices.)

57. SHEIN / Zoetop (June 2018) – 39 million accounts

Fashion retailer SHEIN (owned by Zoetop) was breached in 2018, with 39M customers’ details stolen. The data included email addresses and encrypted passwords (and possibly credit card info for 6.4M users). The company did not adequately inform users at the time and later paid fines in 2022 for covering up the scope.

58. Last.fm (March 2012) – 37 million accounts

The music tracking/social site Last.fm was breached in 2012, though it only came to light in mid-2016 when the data was dumped online. Approximately 37M user accounts were compromised. The leak contained usernames, email addresses, and unsalted MD5 hashes of passwords – many of which were easily cracked, since users often chose weak passwords.

59. BitTorrent Forum (2016) – ~35 million accounts

In 2016, hackers breached the official forum for uTorrent/BitTorrent, obtaining data on upwards of 34–35M users. The dump – later sold on the black market – contained usernames, email addresses, and salted SHA1 password hashes for forum members (no torrent activity data was included, as this was a separate community site).

60. RockYou (December 2009) – 32 million accounts

In a watershed early breach, hackers stole 32M usernames and passwords from social app maker RockYou and leaked the credentials in plaintext. The incident, caused by SQL injection on RockYou’s site, exposed millions of weak passwords and led to a major industry wake-up on storing passwords securely (RockYou had stored them unhashed).

61. Ashley Madison (July 2015) – 32 million accounts

The notorious infidelity dating site was hacked by a group called “Impact Team,” which dumped approximately 32M users’ data online. The leaked files (over 20GB) included customers’ email addresses, usernames, hashed passwords, profile information, and transaction records – exposing millions of would-be adulterers and prompting lawsuits, resignations, and reported extortion attempts.

62. LiveJournal (2014, disclosed 2020) – 26+ million accounts

A long-rumored breach of LiveJournal was confirmed in 2020 when a database of 26M LiveJournal user credentials emerged. The records included usernames, emails, profile URLs, and passwords (many cracked from unsalted MD5 hashes). Hackers used the data to target LiveJournal users with credential-stuffing and phishing attacks (LiveJournal’s operator denied a hack, but the data appears authentic and likely dates to 2014).

63. Zappos (January 2012) – 24 million customers

Amazon’s shoe retail subsidiary Zappos was breached, with hackers obtaining data on 24M customers. Exposed information included customer names, email addresses, billing and shipping addresses, phone numbers and the last four digits of credit cards. (Full card numbers were not exposed. Zappos forced all customers to reset passwords after the incident.)

64. CafePress (February 2019) – 23 million accounts

The custom merchandise site CafePress was breached in early 2019, but the company failed to notify users for many months. Ultimately, 23M customer records were found for sale on the dark web. The data included names, email addresses, physical addresses, phone numbers and SHA-1 hashed passwords (many weakly salted). In 2022 CafePress’s parent settled FTC allegations that it covered up the breach.

65. Office of Personnel Management (OPM, 2015) – 21.5 million individuals

The U.S. OPM suffered an attack (attributed to China) that exposed personnel files and security-clearance background investigation data for 21.5M people. The stolen records included sensitive SF-86 forms with data on millions of current, former, and prospective federal employees and contractors – including 5.6M fingerprints – making it one of the most devastating breaches of government-held personal data.

66. ParkMobile (March 2021) – 21 million users

A breach of the ParkMobile parking app compromised basic account data for about 21M users. The leaked data, later sold online, included license plate numbers, vehicle nicknames, phone numbers, email addresses and encrypted passwords. (No payment card numbers were in the stolen data.)

67. South Korean Card Companies (Jan 2014) – 20 million people

An insider at the Korea Credit Bureau was arrested for stealing and selling the personal data of approximately 20M credit card customers in South Korea. The data (from KB Kookmin, Lotte, and NH Card) included cardholders’ names, Social Security numbers, phone numbers, addresses and credit card numbers/expiry dates. The breach led to widespread card reissuance and new data protection laws in South Korea.

68. AMCA / Quest / LabCorp (2018–19) – 20+ million patients

American Medical Collection Agency – a billing collections vendor for Quest Diagnostics, LabCorp, and other labs – was hacked in 2018, exposing the personal data of at least 20.1M patients. Exposed information varied by client but could include names, dates of birth, test and billing information, and for ~200k people, credit card or bank account data. The breach forced AMCA into bankruptcy and led to multiple state settlements.

69. Yahoo Japan (2013) – 22 million user IDs

Yahoo Japan reported that up to 22M user ID records were siphoned off in a 2013 hack. The data stolen was said to be user IDs only (since Yahoo Japan stored passwords separately). While limited in scope, in terms of count it was one of Japan’s largest breaches. Yahoo Japan urged all users to change passwords as a precaution.

70. Experian/T-Mobile (September 2015) – 15 million customers

Hackers penetrated an Experian server that handled credit checks for T-Mobile, stealing data on approximately 15M T-Mobile postpaid applicants. 

Compromised data included names, addresses, birthdates, and encrypted fields for Social Security numbers and driver’s license/passport IDs. (Experian later disclosed the encryption may have been broken.) No payment information was taken. T-Mobile offered affected customers 2 years of identity monitoring.

71. Armor Games (2019) – 11 million accounts

The Flash gaming website Armor Games was among several sites breached in a 2019 credential theft spree. Over 11M Armor Games user records (email addresses, usernames, and bcrypt-hashed passwords) were stolen and later sold on a dark web marketplace. (Armor Games notified users and implemented a password reset.)

72. MGM Resorts (July 2019) – 10.6 million guests

In 2019, MGM Resorts International was hit by a data breach that wasn’t publicly revealed until February 2020 when 10.6M hotel guest records appeared on a hacking forum. The leaked data (from a cloud server) included guest names, postal addresses, emails, phone numbers, birthdates and hotel details. MGM later admitted the breach and, in 2023, agreed to a settlement for affected guests. (Some reports suggest the incident may have impacted up to 142M guests in total, though only 10.6M were confirmed leaked initially.)

73. U.S. Dental firm – 8 million records

A database from a large U.S. dental firm was left sitting unprotected on the internet for several years. The database contained personally identifiable information and other records belonging to millions of U.S. residents.

74. 23andMe (Oct 2023) – ≈ 6.9 million genetic-profile owners

Credential stuffing allowed hackers to exploit the DNA Relatives feature and exfiltrate ancestry reports, names, birth years, relationship labels and shared-DNA percentages; the fallout is ongoing, culminating in a multi-state lawsuit (June 10, 2025).

75. Patreon (October 2015) – 2.4 million accounts

The crowdfunding platform Patreon was hacked and ~15GB of data was dumped online by the attackers. The breach exposed 2.3 million users’ names, email addresses, shipping addresses and bcrypt-hashed passwords, as well as donation records and some source code. No credit card numbers were leaked (Patreon doesn’t store them), but the incident raised concerns over the exposure of creators’ and donors’ personal details.
