visualisation here: https://informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/
pink = new

Column notes:
records lost: use 3m, 4m, 5m or 10m to approximate unknown figures
year: year story broke
sector: web, healthcare, app, retail, gaming, transport, financial, tech, government, telecoms, legal, media, academic, energy, military
method: poor security, hacked, oops!, lost device, inside job
data sensitivity: 1 = Just email address/Online information; 2 = SSN/Personal details; 3 = Credit card information; 4 = Health & other personal records; 5 = Full details
displayed records: =IF(C3>100000000,C3,"")

| organisation | alternative name | records lost | year | date | story | sector | method | interesting story | data sensitivity | displayed records | source name | 1st source link | 2nd source link | ID | |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Irish towing company | | 512,000 | 2023 | Oct 23 | The driving licences and payment card details of thousands of motorists who had vehicles towed on behalf of the Irish police | transport | poor security | | 3 | | Irish Independent | https://www.independent.ie/irish-news/thousands-of-drivers-have-sensitive-data-exposed-to-hackers-in-major-it-breach/a1379036136.html | | 463 | |
| Maine Government | | 1,300,000 | 2023 | May 23 | Russian ransomware group Clop stole names, dates of birth, Social Security numbers, driver’s license and other state or taxpayer identification numbers. Some individuals had medical and health insurance information taken. | government | hacked | | 4 | | Tech Crunch | https://techcrunch.com/2023/11/09/maine-government-data-breach-clop-ransomware/ | | 462 | |
| Welltok | | 8,500,000 | 2023 | Nov 23 | Patient data was exposed during the breach, including full names, email addresses, physical addresses, and telephone numbers. For some, it also includes Social Security Numbers (SSNs), Medicare/Medicaid ID numbers, and certain Health Insurance information. | health | hacked | | 4 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/welltok-data-breach-exposes-data-of-85-million-us-patients/ | | 461 | |
| Maximus | | 10,000,000 | 2023 | Jul 23 | Exploit of a zero-day flaw in the MOVEit file transfer application. Data stolen included social security numbers, protected health information. | government | hacked | | 4 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/8-million-people-hit-by-data-breach-at-us-govt-contractor-maximus/ | | 460 | |
| Okta | | 134 | 2023 | Nov 23 | Names and email addresses of customers of the identity security company. 134 of the company's 18,400 clients were impacted, but only five instances of successful session hijacking were logged | tech | hacked | | 1 | | Okta | https://sec.okta.com/harfiles | | 459 | |
| Delta Dental | | 7,000,000 | 2023 | May 23 | The dental insurance company suffered unauthorized access by threat actors through the MOVEit file transfer software application, exposing full credit card details of customers | health | hacked | | 3 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/delta-dental-of-california-data-breach-exposed-info-of-7-million-people/ | | 458 | |
| Xfinity | | 36,000,000 | 2023 | Oct 23 | Hackers using the CitrixBleed vulnerability accessed account details like name, last four digits of social security numbers and hashed passwords | telecoms | hacked | | 2 | | Tech Crunch | https://techcrunch.com/2023/12/19/comcast-xfinity-hackers-36-million-customers/ | | 457 | |
| Atlassian | | 13,200 | 2023 | Feb 23 | SiegedSec hacked Atlassian, the owner of Trello and other apps, via a third party office app, leaking employee details and office floor plans after an employee publicly shared credentials. | tech | oops! | y | 1 | | Cyberscoop | https://cyberscoop.com/atlassian-hack-employee-data-seigedsec/ | | 456 | SiegedSec, a hacking group, posted an employee file containing data on thousands of Atlassian employees, including names, email addresses, work departments and other information, and floor plans for two of the company's offices. The data was accessed from the Envoy app “using an Atlassian employee’s credentials that had been mistakenly posted in a public repository by the employee.” Envoy is a third party app used by Atlassian to coordinate in-office resources. |
| Reddit | | 100,000 | 2023 | Feb 23 | A phishing attack granted access to Reddit's internal documents and systems, but without breaching main production systems, user passwords, or accounts. | web | hacked | y | 1 | | Forbes | https://www.forbes.com/sites/daveywinder/2023/02/10/reddit-confirms-it-was-hacked-recommends-users-set-up-2fa/ | | 455 | Due to a phishing campaign by the attacker, they were able to gain access to internal documents and code, as well as internal dashboards and business systems, though there's no evidence of Reddit's primary production systems, user passwords or accounts being breached. |
| Go Daddy | | 1,228,000 | 2022 | Dec 23 | GoDaddy faced a multi-year breach (2020-2022) by a single intruder, resulting in stolen source code, user credentials, malware installation, and user redirects to malicious sites. WordPress customers’ email addresses, usernames, passwords, and even their SSL private keys were stolen. | web | hacked | y | 3 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/godaddy-hackers-stole-source-code-installed-malware-in-multi-year-breach/ | | 454 | GoDaddy, one of the world’s largest domain registrars, and by extension, third-party to more than 21 million organizations worldwide, stated that they suffered a multi-year security compromise that allowed for the theft of company source code, customer and employee logins, and the installation of malware which redirected users to malicious sites. These events began in 2020 and lasted through 2022 and were carried out by the same intruder. In 2020, the intruder gained access to GoDaddy users' web hosting account credentials. In 2021, the intruder gained access to current and inactive managed WordPress customers’ email addresses, usernames, passwords, and even their SSL private keys. In 2022, users were being redirected from GoDaddy sites to random domains by the same intruder. |
| MGM | | 10,600,000 | 2023 | Sept 23 | AlphV and Scattered Spider's cyberattack on MGM caused slot machine errors and hotel queues in Las Vegas, stealing pre-March 2019 customer data and inflicting a $100m loss on the company's Q3 results. MGM declined to say if any ransom was paid. | retail | hacked | y | 3 | | Reuters | https://www.reuters.com/business/mgm-expects-cybersecurity-issue-negatively-impact-third-quarter-earnings-2023-10-05/ | | 453 | A cyberattack on the gambling firm disrupted operations, causing slot machine errors and queues at hotels in Las Vegas. AlphV worked with Scattered Spider to break into MGM and stole private data of customers who used MGM services before March 2019, including contact information, gender, date of birth and driver’s license numbers. MGM has declined to comment on whether any ransom has been requested or paid. The theft and disruption to services has caused MGM to experience a $100m loss to its 3rd quarter results. |
| Uber | | 20,000,000 | 2022 | Dec 22 | Data on 77,000 Uber employees and internal reports were leaked on forums. While Uber denied ownership of the implicated source code, the breach stemmed from their third-party vendor, Teqtivity, which had a security incident earlier that year. | transport | hacked | y | 1 | | Restore Privacy | https://restoreprivacy.com/uber-data-leak-breach-third-party-vendor-hacked/ | | 452 | Uber has been repeatedly hacked; however, in December 2022, a new trove of Uber data containing personally identifiable information pertaining to 77,000 Uber employees, as well as internal reports and possibly even source code, was released onto Breached forums, though Uber stated the source code implicated in this breach did not belong to them. The source of the data breach was its third party vendor Teqtivity (which provides asset management and tracking services for Uber), which experienced a security breach earlier in the year. |
| X (Twitter) | | 200,000,000 | 2023 | Jan 23 | From Nov 2022 to Jan 2023, over 200 million Twitter users' data, including emails and names, was exposed due to repeated security flaw exploitations and posted on hacker forums. But no highly sensitive data was revealed. | web | poor security | | 1 | | Firewall Times | https://firewalltimes.com/twitter-data-breach-timeline/ | | 451 | After a string of ransom attempts and leaks, data on over 200 million Twitter users was released among hackers and published in full on hacker forums in January. The data included email addresses, names, and usernames, but no highly sensitive data. The data was originally stolen by exploiting a security flaw which was repeatedly exploited by a number of hackers. The total number of user accounts affected by the attacks from November 2022 to January 2023 is ~205 million. |
| CommuteAir | | 1,500,000 | 2023 | Jan 23 | Swiss hacker Maia Arson Crimew stumbled upon a misconfigured AWS server containing TSA's No Fly list and exposed ~250,000 'selectees' (selectees are automatically chosen for additional screening each time they fly) to a hacker forum. | transport | hacked | y | 2 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/us-no-fly-list-shared-on-a-hacking-forum-government-investigating/ | | 450 | Swiss hacker Maia Arson Crimew stumbled upon a misconfigured AWS server containing TSA's No Fly list and exposed ~250,000 'selectees' (selectees are automatically chosen for additional screening each time they fly) to a hacker forum. The presence of duplicates and aliases in the lists implies the total number of exposed names is fewer than 1.5 million. |
| Yum! | | 10,000,000 | 2023 | Jan 23 | The brand owner of KFC, Pizza Hut, and Taco Bell fast food chains saw an undisclosed amount of personal user information stolen during a ransomware attack: names, driver's license numbers, and other ID card numbers. ~300 restaurants were shut down in the UK due to IT system disruptions caused by the attack. | retail | hacked | y | 2 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/kfc-pizza-hut-owner-discloses-data-breach-after-ransomware-attack/ | | 449 | The brand owner of KFC, Pizza Hut, and Taco Bell fast food chains had an undisclosed amount of personal user information stolen during a ransomware attack. The company revealed that the attackers stole some individuals' personal information, including names, driver's license numbers, and other ID card numbers. ~300 restaurants were shut down in the UK due to IT system disruptions caused by the attack. |
| PharMerica | | 5,800,000 | 2023 | May 23 | Full names, addresses, dates of birth, social security numbers (SSNs), medications, and health insurance information of 5,815,591 people. | health | hacked | | 4 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/ransomware-gang-steals-data-of-58-million-pharmerica-patients/ | | 448 | According to a data breach notification submitted to the Office of the Maine Attorney General, hackers breached PharMerica's system and stole the full names, addresses, dates of birth, social security numbers (SSNs), medications, and health insurance information of 5,815,591 people. |
| NATO | | 8,000 | 2023 | Jul 23 | Hacktivist group, SiegedSec, claimed to have broken into six NATO web portals and stolen >3,000 files and 9GB of data. Threat intel biz CloudSEK analysis revealed 20 unclassified documents and 8,000 personnel records with names, job titles, email addresses, home addresses, and photos. | government | hacked | y | 4 | | The Register | https://www.theregister.com/2023/10/04/nato_data_attack/#:~:text=On%20Sunday%2C%20the%20SiegedSec%20crew,)%3B%20the%20Communities%20of%20Interest | | 447 | Hacktivist group, SiegedSec, claimed to have broken into six NATO web portals and stolen >3,000 files and 9GB of data. Threat intel biz CloudSEK analyzed the leaked data and said it contained at least 20 unclassified documents and 8,000 personnel records with names, companies and units, working groups, job titles, business email addresses, home addresses, and photos. |
| Topgolf Callaway | | 1,114,954 | 2023 | Aug 23 | Only full names, shipping and email addresses, phone numbers, order histories, account passwords and answers to security questions were exposed. | retail | hacked | | 2 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/golf-gear-giant-callaway-data-breach-exposes-info-of-11-million/ | | 446 | According to the data breach notification from the company, no SSNs, government ID or payment card information was exposed; only full names, shipping and email addresses, phone numbers, order histories, account passwords and answers to security questions were exposed. |
| Sony | | 6,800 | 2023 | Oct 23 | Personal information belonging to current and former employees and their family members was stolen by Clop in a ransomware attack. Details unrevealed by Sony. | tech | hacked | | 2 | | The Verge | https://www.theverge.com/2023/10/5/23905370/sony-interactive-entertainment-security-breach-confirmation | https://www.bleepingcomputer.com/news/security/sony-confirms-data-breach-impacting-thousands-in-the-us/ | 445 | Personal information belonging to current and former employees and their family members was stolen by Clop in a ransomware attack. The details of the information stolen haven't been declared by Sony. |
| 23andMe | | 6,900,000 | 2023 | Oct 23 | Hackers accessed the genetic site's user data via login guesses and information from DNA relatives (users opt into sharing info through DNA relatives for others to see). Stolen data included personal and some genetic ancestry and health details. After two breaches, one unverified, 23andMe now faces legal action. | health | hacked | y | 4 | 6.9m | Tech Crunch | https://arstechnica.com/tech-policy/2023/12/hackers-stole-ancestry-data-of-6-9-million-users-23andme-finally-confirmed/ | https://www.bleepingcomputer.com/news/security/23andme-hit-with-lawsuits-after-hacker-leaks-stolen-genetics-data/ | 444 | Hackers gathered user data by guessing the login credentials from a group of users and then getting more people's information from DNA relatives (users opt into sharing info through DNA relatives for others to see). The stolen data includes personal info like name, sex, birth year, current location, and some details about genetic ancestry and health results. 23andMe has been sued over this data breach. A second breach occurred two weeks later, with the hacker claiming to have stolen data from 4 million more users, though this hasn't been verified. 23andMe are facing legal action due to these breaches of security. |
| Optus | | 9,700,000 | 2022 | Sept 2022 | The telecom company faced a 'sophisticated attack' exposing ~10 million accounts including personal details (passport, driver’s licence & Medicare numbers). Hacker demanded $1m ransom but later apologized and claimed data deletion, unverified. | telecoms | hacked | | 4 | | The Guardian | https://www.theguardian.com/business/2022/sep/29/optus-data-breach-everything-we-know-so-far-about-what-happened | https://www.optus.com.au/about/media-centre/media-releases/2022/09/optus-notifies-customers-of-cyberattack | 443 | The telecommunication company was the victim of a 'sophisticated attack' in which ~10 million user accounts have been exposed, which included names, email addresses, postal addresses, phone numbers, dates of birth, identification numbers including passport numbers, driver’s licence numbers and Medicare numbers. A user called OptusData threatened to sell the data unless Optus paid a $1m ransom, however, the user later apologised and claimed they deleted the data, though there's no way to verify this. |
| PayPal | | 34942 | 2023 | Dec 22 | PayPal's breach involved unauthorized account access using credential stuffing (exploiting users reusing the same password for multiple accounts). It wasn't from a direct security lapse and hackers couldn't transact. PayPal reset passwords. | finance | hacked | | 2 | | Office of the Maine Attorney General | https://apps.web.maine.gov/online/aeviewer/ME/40/766753f1-f9c7-4dc5-9a5c-fe0f3ff51c06.shtml | https://www.bleepingcomputer.com/news/security/paypal-accounts-breached-in-large-scale-credential-stuffing-attack/ | 442 | According to PayPal's investigation the breach involved unauthorised access to user accounts using valid credentials. The company insists that the breach did not originate from poor security and found no proof that user credentials were obtained directly from them. The hackers used credential-stuffing (taking advantage of users reusing the same password for multiple accounts) to gain access to the PayPal accounts. PayPal ensures that though the hackers gained access, they are not able to perform transactions and have initiated a password reset. |
| Acer | | 10,000,000 | 2023 | Mar 23 | Acer suffered a data breach when a server was hacked, with threat actors selling 160GB of stolen data. The company said the incident hadn't impacted customer info. | tech | hacked | | 1 | | Slashdot | https://it.slashdot.org/story/23/03/07/1459230/acer-confirms-breach-after-hacker-offers-to-sell-stolen-data?utm_source=feedly1.0mainlinkanon&utm_medium=feed | https://www.bleepingcomputer.com/news/security/acer-confirms-breach-after-160gb-of-data-for-sale-on-hacking-forum/ | 441 | Acer suffered a data breach after a server hosting private documents was hacked by threat actors who have since begun selling 160GB of data stolen from Acer. The company says the incident hasn't impacted customer data. |
| MSI | | 10,000,000 | 2023 | Apr 23 | Money Message ransomware group claims to have stolen MSI's source code, demanding $4 million to prevent leaks. MSI downplays impact and hasn't confirmed paying ransom, assuring no user data was affected but advises software downloads only from official sources. | tech | hacked | | 1 | | Slashdot | https://it.slashdot.org/story/23/04/07/152242/msi-confirms-breach-as-ransomware-gang-claims-responsibility?utm_source=feedly1.0mainlinkanon&utm_medium=feed | https://uk.pcmag.com/security/146322/msi-confirms-breach-as-ransomware-gang-claims-responsibility | 440 | Ransomware group Money Message claims it breached MSI to steal the company's source code, including the framework for the BIOS used in MSI products. The group posted screenshots of the stolen files on the group's dark web site and demanded MSI pay $4 million to prevent the data being leaked. MSI stated that the breach shouldn't have a significant impact on its financials or operations and hasn't declared whether it has paid the ransom. MSI claims that user data hasn't been impacted, and urges users to only download software from official sources. |
| T-Mobile | | 37,000,000 | 2023 | Jan 23 | T-Mobile's system was exploited by 'bad actors' from November 2022 to January 2023, exposing customer data. It's their ninth hack since 2018, with a 2021 breach affecting 49 million customers. | tech | hacked | | 2 | | Ars Technica | https://arstechnica.com/information-technology/2023/05/t-mobile-discloses-2nd-data-breach-of-2023-this-one-leaking-account-pins-and-more/ | | 439 | T-Mobile stated that 'bad actors' abused its application programming in a way that gave them access to customer data including names, billing addresses, email addresses, phone numbers, dates of birth, T-Mobile account numbers, and more. The hack started in November 2022 and wasn't detected until January 2023. This is the ninth hack since 2018, including one in 2021 exposing data belonging to 49 million customers. |
| T-Mobile | | 836 | 2023 | Mar 23 | T-Mobile faced its second 2023 data breach, exposing PINs and data from Feb to Mar. Though way smaller than the first 2023 breach (only affecting 836 customers), it adds to the $350mil 2021 settlement and erodes customer trust. | tech | hacked | | 2 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/t-mobile-discloses-second-data-breach-since-the-start-of-2023/ | | 438 | T-Mobile experienced a hack exposing account PINs and other customer data in the second data breach experienced by the company in 2023. The breach started in February until it was detected in March, and the company states that it was 'bad actors' that had again gained access to customer information, as in the first breach of 2023, however the breadth of the breach was significantly smaller. Despite the reduced size, this second breach will cost the company significantly on top of a $350mil settlement related to a breach in Aug 2021, as well as the loss of trust of their customers. |
| ChatGPT | | 101,000 | 2023 | Mar 23 | Over 101,000 ChatGPT accounts were stolen by malware last year. Breakdown: Asia-Pacific 40,999, Middle-East/Africa 24,925, Europe 16,951, Latin America 12,314, North America 4,737. Malware extracts browser credentials from SQLite databases, using CryptProtectData function to decrypt stored data. | tech | hacked | y | 2 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/over-100-000-chatgpt-accounts-stolen-via-info-stealing-malware/ | | 437 | More than 101,000 ChatGPT user accounts have been stolen by malware during the year prior. Asia-Pacific had the most reported infected devices across the world at 40,999, Middle-East and Africa had reported 24,925 infected devices, Europe has 16,951, Latin America: 12,314, and North America: 4,737. The malware steals credentials saved to web browsers by extracting them from the program's SQLite database and abusing the CryptProtectData function to reverse the encryption of the stored data. |
| TIAA | The Teachers Insurance and Annuity Association of America | 2,300,000 | 2023 | May 23 | This US retirement fund for teachers faced a data breach exposing client details. A former teacher-client is suing for inadequate cybersecurity and leaving data unencrypted on a vulnerable platform. | finance | hacked, poor security | | 2 | | ClassAction | https://www.classaction.org/news/teachers-insurance-and-annuity-association-of-america-hit-with-class-action-over-may-2023-data-breach#:~:text=Teachers%20Insurance%20and%20Annuity%20Association%20of%20America%20faces%20a%20class,of%20approximately%202.3%20million%20individuals. | https://news.slashdot.org/story/23/06/30/2038234/schools-say-us-teachers-retirement-fund-was-breached-by-moveit-hackers?utm_source=feedly1.0mainlinkanon&utm_medium=feed | 436 | TIAA, a retirement fund, experienced a data breach of clients' full names, addresses, dates of birth, gender and Social Security numbers. The company is being sued by a former teacher that was a client due to its failure to implement adequate cybersecurity measures and for leaving sensitive data unencrypted on an insecure platform, despite the known risk of a breach. |
| Microsoft | | 30,000,000 | 2023 | Jun 23 | Anonymous Sudan hacked Microsoft, accessed customer data, and caused outages. They offered the database for $50,000. But Microsoft claims no evidence of compromised customer data. | web | hacked | | 2 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/microsoft-denies-data-breach-theft-of-30-million-customer-accounts/ | | 435 | Anonymous Sudan breached Microsoft's servers, accessed a database containing customer account information, including emails and passwords, and caused service disruptions and outages. The hackers offered to sell the database for $50,000. Microsoft states that they "have seen no evidence" that their "customer data has been accessed or compromised". |
| Microsoft | | 10,000,000 | 2023 | May 23 | China-backed hackers stole a cryptographic key from Microsoft, undetected for a month, accessing 25 organizations, including government. Microsoft's postmortem cites past system vulnerabilities. | web | hacked | | 3 | unknown | NYT | https://www.nytimes.com/2023/07/11/us/politics/china-hack-us-government-microsoft.html?smid=nytcore-ios-share | https://www.wired.com/story/china-backed-hackers-steal-microsofts-signing-key-post-mortem/ | 434 | A China-backed hacking group had stolen a cryptographic key from the company's systems. The hackers went undetected for a month, allowing them to access information from approx. 25 organisations, including government agencies. A postmortem published by Microsoft explains the company's own fault, including a critical system crash in 2021, in allowing the hackers access to the keys needed to steal the data. |
| Roblox | | 4,000 | 2020 | Dec 20 | Data identifying Roblox creators was breached at a developers' conference, undisclosed for 2 years due to a third-party security issue. | gaming | poor security | | 2 | | The Verge | https://www.theverge.com/2023/7/21/23802742/roblox-data-breach-leak-developer-personal-information-exposed | | 433 | Information identifying Roblox creators has been exposed by a data breach impacting attendees at a conference for Roblox developers. This breach remained undisclosed for 2 years following the attack which was due to a third-party security issue. |
| Discord.io | | 760,000 | 2023 | Aug 23 | Unidentified person listed user data for sale on darknet. Discord.io enables custom Discord invites. | gaming | hacked | | 1 | | Stackdiary | https://stackdiary.com/the-data-of-760000-discord-io-users-was-put-up-for-sale-on-the-darknet// | | 432 | An unidentified individual has listed the data of Discord.io users for sale on a darknet forum. Discord.io is a platform which allows users to create custom and personal Discord invites. |
| Clorox | | 10,000,000 | 2023 | Aug 23 | Clorox detected unauthorized IT activity in August 2023. By September, the contained hack led to slower production and a 2% stock drop. Specific affected files undisclosed | retail | hacked | | 1 | unknown | Slashdot | https://it.slashdot.org/story/23/10/04/1917217/clorox-security-breach-linked-to-group-behind-casino-hacks?utm_source=feedly1.0mainlinkanon&utm_medium=feed | | 431 | Clorox disclosed in August 2023 that the company had identified unauthorised activity on some of its IT systems. Later, in September, the company further declared that the hack was contained but had caused slower production rates and lower product availability, which saw a 2% drop in Clorox stock. The company hasn't disclosed the number or type of files affected by this attack. |
| Latitude Financial | | 14,000,000 | 2023 | Apr 23 | 14 million customer records, including driver's licence numbers, passport numbers and financial statements, stolen in a cyber-attack that was worse than the company initially reported. | finance | hacked | | 2 | | Privacy Commissioner | https://www.privacy.org.nz/publications/statements-media-releases/new-zealands-biggest-data-breach-shows-retention-is-the-sleeping-giant-of-data-security/ | | 430 | 14 million customer records, including driver's licence numbers, passport numbers and financial statements, were stolen from Latitude's system in a cyber-attack that was worse than the company initially reported. |
| Toyota | | 296,019 | 2022 | Oct 22 | An access key to a data server storing customer email addresses and management numbers was mistakenly published publicly on GitHub for five years. | transport | poor security | | 2 | | Slashdot | https://yro.slashdot.org/story/22/10/10/2032250/toyota-discloses-data-leak-after-access-key-exposed-on-github?utm_source=feedly1.0mainlinkanon&utm_medium=feed | | 429 | An access key to the data server that stored customer email addresses and management numbers was mistakenly published publicly on GitHub for five years. |
| Shein | | 39,000,000 | 2022 | Oct 22 | Online fast fashion retailer suffered a breach of its login credentials in 2018 but failed to notify its customers | retail | hacked | | 2 | | Tech Crunch | https://techcrunch.com/2022/10/13/shein-zoetop-fined-1-9m-data-breach/?guccounter=1 | | 428 | Online fast fashion retailer suffered a breach of its login credentials in 2018 but failed to notify its customers |
| Indonesia's health agency | BPJS Kesehatan | 279,000,000 | 2022 | May 21 | The ID numbers, salary and phone numbers of every single man, woman and child in the country were stolen. | government | hacked | y | 3 | | Kr Asia | https://kr-asia.com/shoddy-data-protection-in-indonesia-threatens-personal-security-of-citizens | | 427 | Indonesia's health & social security agency was breached. The ID numbers, salary and phone numbers of every single man, woman and child in the country were stolen. |
| CoinSquare | | 50,000 | 2022 | Nov 22 | Major Canadian crypto exchange. Company claims customer assets are “secure in cold storage and are not at risk.” | tech | hacked | | 1 | | Coin Desk | https://www.coindesk.com/tech/2022/11/26/major-canadian-crypto-exchange-coinsquare-says-client-data-breached/ | | 426 | Major Canadian crypto exchange. Company claims customer assets are “secure in cold storage and are not at risk.” |
| Indian Railways | | 30,000,000 | 2022 | Dec 22 | Stolen data includes usernames, emails, phone numbers, gender, city, state, invoices | transport | hacked | | 2 | | Techlo Media | https://techlomedia.in/2022/12/data-of-30-million-indian-railways-users-is-up-for-sale-on-a-dark-forum-96589/ | | 425 | User data includes username, email, phone number, gender, city, state, and language preference. In the booking data, passenger’s name, mobile, train number, travel details, invoice PDF |
| Indonesian SIM cards | | 1,000,000,000 | 2022 | Oct 22 | A vast data hack of 1.3 bn SIM registrations revealing national identity numbers, phone numbers, and more. | telecoms | hacked | | 3 | 1.3bn | Rest of World | https://restofworld.org/2022/indonesia-hacked-sim-bjorka/ | | 424 | A vast data hack into 1.3 billion SIM registrations — one that revealed national identity numbers, phone numbers, names of telecommunications providers, and more. |
| LastPass | | 33,000,000 | 2022 | Aug 22 | Popular password manager breached; basic account info exposed. Sensitive vault data like usernames and passwords remained safely encrypted. | web | hacked | | 2 | | Tech Crunch | https://techcrunch.com/2022/12/14/parsing-lastpass-august-data-breach-notice/ | https://www.forbes.com/sites/daveywinder/2023/03/03/why-you-should-stop-using-lastpass-after-new-hack-method-update/ | 423 | Popular password management software was breached. Basic customer account information including company names, end-user names, billing addresses, emails, telephone numbers, and IP addresses. The hackers also gained access to the development environment, stole portions of the LastPass source code, and copied a backup of customer vault data, this includes usernames and passwords, secure notes, attachments, and form-fill fields. |
| Twitter | | 200,000,000 | 2022 | Dec 22 | Over 200 million Twitter emails were stolen and posted online, possibly before Musk's 2022 takeover. | web | hacked | | 1 | | Wired | https://www.wired.com/story/twitter-leak-200-million-user-email-addresses/ | | 422 | Hackers stole the email addresses of more than 200 million Twitter users and posted them on an online hacking forum. May have taken place as early as 2021, which was before Elon Musk took over ownership of the company last year. |
| City of Amagasaki, Japan | | 500,000 | 2022 | Jun 2022 | An unnamed government official lost his bag after a night's drinking. It contained a USB stick with sensitive data of the entire city's residents. USB stick was encrypted and passworded. | government | oops! | | 3 | | BBC | https://www.bbc.co.uk/news/world-asia-61921222 | | 421 | |
| Shanghai Police | | 500,000,000 | 2022 | Jul 2022 | A database containing records of over a billion Chinese civilians – allegedly stolen from the Shanghai Police. Addresses, police records and national ID numbers. Potentially one of the largest data breaches in history. Details repressed and censored by Chinese media. | finance | hacked | | 5 | "one billion" | The Register | https://www.theregister.com/2022/07/05/shanghai_police_database_for_sell/ | | 420 | |
| Twitter | | 5,400,000 | 2021 | Dec 2021 | Zero day vulnerability allowed a threat actor to create profiles of 5.4 million Twitter users inc. a verified phone number or email address, and scraped public information, such as follower counts, screen name, login name, etc | web | hacked | | 2 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/twitter-confirms-zero-day-used-to-expose-data-of-54-million-accounts/ | | 419 | |
| Plex | | 15,000,000 | 2022 | Aug 2022 | Intruders access password data, usernames, and emails for at least half of its 30 million users. | web | hacked | | 1 | | Ars Technica | https://arstechnica.com/information-technology/2022/08/plex-imposes-password-reset-after-hackers-steal-data-for-15-million-users/ | | 418 | |
| Dubai Real Estate Leak | | 800,000 | 2022 | May 2022 | Data leak exposes how criminals, officials, and sanctioned politicians poured money into Dubai real estate including more than 100 members of Russia's political elite, public officials, or businesspeople close to the Kremlin, as well as dozens of Europeans implicated in money laundering and corruption | finance | inside job | y | 1 | | E24 | https://e24.no/internasjonal-oekonomi/i/Bj97B0/dubai-uncovered-data-leak-exposes-how-criminals-officials-and-sanctioned-politicians-poured-money-into-dubai-real-estate | | 417 | |
| Heroku | | 50,000 | 2022 | Apr 2022 | A compromised token was used by attackers to exfiltrate customers' hashed and salted passwords from "a database" on the Salesforce-owned cloud platform. | tech | hacked | | 2 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/heroku-admits-that-customer-credentials-were-stolen-in-cyberattack/ | | 416 | |
| Mailchimp | | 106,586 | 2022 | Apr 2022 | Hackers gained access to internal customer support and account management tools of the email marketing company to steal audience data and conduct phishing attacks. | tech | hacked | | 1 | | Bleeping Computer | https://www.bleepingcomputer.com/news/security/hackers-breach-mailchimps-internal-tools-to-target-crypto-customers/ | | 415 | |
PayHere |  | 1,580,249 | 2022 | Mar 2022 | Sri Lankan payment gateway PayHere suffered a data breach exposing more than 65GB of payment records including over 1.5M unique email addresses. (IP and physical addresses, names, phone numbers, purchase histories and partially obfuscated credit card data (card type, first 6 and last 4 digits plus expiry date).) | finance | hacked |  | 3 |  | Pay Here | https://blog.payhere.lk/ensuring-integrity-on-payhere-cybersecurity-incident/ |  | 414
CDEK |  | 18,218,203 | 2022 | Mar 2022 | UNVERIFIED. Russian courier service CDEK was hacked by Ukrainian hacker group "IT Army" - including 19M unique email addresses along with names and phone numbers. | retail | hacked |  | 3 | 19m | Have I Been Pwned | https://twitter.com/haveibeenpwned/status/1504343470072549377?lang=en |  | 413
Washington State Dpt of Licensing |  | 257,000 | 2022 | Feb 2022 | The Washington State Department of Licensing said the personal information of potentially millions of licensed professionals may have been exposed after it detected suspicious activity on its online licensing system. | government | hacked |  | 3 |  | Seattle Times | https://www.seattletimes.com/business/breach-at-state-licensing-agency-may-have-exposed-data-from-1000s-of-professionals/ |  | 412
Red Cross |  | 500,000 | 2022 | Jan 2022 | A network intrusion at the International Committee for the Red Cross (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran. | NGO | hacked |  | 4 |  | Ars Technica | https://arstechnica.com/information-technology/2022/01/red-cross-hack-compromises-the-personal-data-of-515k-highly-vulnerable-people/ |  | 411
Open Subtitles |  | 100,000 | 2022 | Jan 2022 |  | web | hacked |  | 1 |  | Open Subtitles | https://forum.opensubtitles.org/viewtopic.php?t=17685 |  | 410
FlexBooker |  | 3,700,000 | 2022 | Jan 2022 | appointment scheduling service | web | hacked |  | 3 | 3.7m | Bleeping Computer | https://www.bleepingcomputer.com/news/security/flexbooker-discloses-data-breach-over-37-million-accounts-impacted/ |  | 409
LINE Pay |  | 133,000 | 2021 | Dec 2021 |  | finance | poor security |  | 2 |  | The Register | https://www.theregister.com/2021/12/07/line_pay_leaks_around_133000/ |  | 408
Robinhood |  | 5,000,937 | 2021 | Nov 2021 | A malicious hacker had socially engineered a customer service representative over the phone November 3 to get access to customer support systems. That allowed the hacker to obtain customer names and email addresses, but also the additional full names, dates of birth and ZIP codes of 310 customers. | finance | hacked |  | 2 | 5m | Tech Crunch | https://techcrunch.com/2021/11/09/robinhood-data-breach/?guccounter=1 |  | 407
GoDaddy |  | 1,200,000 | 2021 | Nov 2021 | Security Incident Affecting Managed WordPress Servic | web | hacked |  | 1 |  | SEC | https://techcrunch.com/2021/11/09/robinhood-data-breach/?guccounter=1 |  | 406
Travelio |  | 471,376 | 2021 | Nov 2021 | The Indonesian real estate website Travelio suffered a data breach of over 470k customer accounts. The data included email addresses, names, password hashes, phone numbers and for some accounts, dates of birth, physical address and Facebook auth tokens. | misc | hacked |  | 2 | 470K | HaveIBeenPwned | https://www.riskbasedsecurity.com/2021/12/14/dark-web-roundup-november-2021/ |  | 405
Acer |  | 3,000,000 | 2021 | Oct 2021 |  | tech | hacked |  | 1 |  | Hot Hardware | https://hothardware.com/news/acer-confirms-hacked-again-60gb-stolen-customer-data |  | 404
Brewdog |  | 200,000 | 2021 | Oct 2021 | BrewDog, one of the world's largest craft beer brewers, has exposed personally identifiable information (PII) belonging to more than 200,000 of its shareholders and customers, | retail | poor security |  | 1 |  | Tech Radar | https://www.techradar.com/news/brewdog-exposes-data-of-200000-customers-and-shareholders |  | 403
Experian SA | South Africa | 24,000,000 | 2020 | Jul 2020 | Handed over personal information of their South African customers to a fraudulent client. | web | oops! |  | 3 |  | Uni of Hawaii | https://westoahu.hawaii.edu/cyber/global-weekly-exec-summary/experian-security-breach-in-south-africa/#:~:text=Experian%20disclosed%20the%20data%20breach,local%20businesses%20(Cimpanu%202020). |  | 402
Nvidia |  | 100,000 | 2021 | Mar 2021 |  | tech | hacked |  | 2 |  | CNN Business | https://edition.cnn.com/2022/03/01/tech/nvidia-information-leak/ | https://it.slashdot.org/story/22/03/01/1523248/nvidia-says-employee-company-information-leaked-online-after-cyber-attack?utm_source=feedly1.0mainlinkanon&utm_medium=feed | 401
Okta |  | 100,000 | 2021 | Jan 2021 | Identity and access management provider Okta | tech | hacked |  | 1 |  | The Verge | https://www.theverge.com/2022/4/20/23034360/okta-lapsus-hack-investigation-breach-25-minutes | https://twitter.com/BillDemirkapi/status/1508527487655067660/ | 399
Royal Enfield |  | 420,873 | 2020 | Jan 2020 | Motorcycle maker Royal Enfield left a database publicly exposed that resulted in the inadvertent publication of over 400k customers. (Email and physical addresses, names, motorcycle information, social media profiles, passwords, and other personal information) | transport | poor security |  | 3 |  | The Quint | https://www.thequint.com/news/india/royal-enfield-exposed-database-containing-450000-customer-data-cyber-security-expert |  | 398
Avvo |  | 4,101,101 | 2019 | Dec 2019 | A data breach of the lawyer directory service released 4.1M unique email addresses alongside SHA-1 hashes, most likely representing user passwords. | legal | hacked |  | 1 | 4.1m | HaveIBeenPwned | https://www.troyhunt.com/breach-disclosure-blow-by-blow-heres-why-its-so-hard/ |  | 397
Aimware |  | 305,470 | 2019 | May 2019 | Video game cheats website "Aimware" suffered a data breach of subscribers' personal information (email and IP addresses, usernames, forum posts, private messages, website activity and passwords stored as salted MD5 hashes) | gaming | hacked |  | 3 |  | HaveIBeenPwned |  |  | 396
Twitch |  | 10,000,000 | 2021 | Oct 2021 | Full source code breach of the streaming gaming site revealed a trove of internal data & documents including core config packages, devtools, and payments to top streamers. | gaming | hacked | y | 4 | unknown | BBC | https://www.bbc.co.uk/news/technology-58817658 |  | 395
Syniverse |  | 500,000,000 | 2021 | Sep 2021 | "A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide." | telecoms | hacked |  | 4 | unknown | Vice | https://www.vice.com/en/article/z3xpm8/company-that-routes-billions-of-text-messages-quietly-says-it-was-hacked |  | 394
Pandora Papers |  | 11,900,000 | 2021 | Oct 2021 | Millions of documents reveal offshore deals and assets of more than 100 billionaires, 30 world leaders and 300 public officials | government | hacked | y | 4 |  | Guardian | https://www.theguardian.com/news/2021/oct/03/pandora-papers-biggest-ever-leak-of-offshore-data-exposes-financial-secrets-of-rich-and-powerful |  | 393
Neiman Marcus |  | 4,600,000 | 2021 | Sep 2021 | Occurred sometime in May 2020 after "an unauthorized party" obtained the personal information of some Neiman Marcus customers from their online accounts. | retail | hacked |  | 3 |  | Ars Technica | https://arstechnica.com/information-technology/2021/10/neiman-marcus-data-breach-impacts-4-6-million-customers/ |  | 392
Epik |  | 15,000,000 | 2021 | Sep 2021 | An Internet-services company for concealing online identities, popular with the far right | retail | hacked | y | 5 |  | Ars Technica | https://arstechnica.com/information-technology/2021/09/epik-data-breach-impacts-15-million-users-including-non-customers/ |  | 391
Thailand visitors |  | 100,000,000 | 2021 | Sep 2021 | Any foreigner who has travelled to Thailand in the last decade ‘might have had their information exposed’ | government | poor security |  | 2 | 100m | South China Morning Post | https://www.scmp.com/news/asia/southeast-asia/article/3149475/details-some-100-million-visitors-thailand-exposed-online |  | 390
T-Mobile |  | 76,000,000 | 2021 | Aug 2021 | Exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. T-Mobile paid a $500m settlement. | telecoms | hacked |  | 3 |  | Krebs on Security | https://krebsonsecurity.com/2021/08/t-mobile-breach-exposed-ssn-dob-of-40m-people/ |  | 389
Contact tracing data |  | 38,000,000 | 2021 | Aug 2021 | A thousand web apps mistakenly exposed 38 million records on the open internet, including data from a number of Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases. | telecoms | hacked |  | 3 | 38m | Wired | https://www.wired.com/story/microsoft-power-apps-data-exposed/ |  | 388
Estonian gov |  | 280,000 | 2021 | Jul 2021 | A hacker was able to obtain over 280,000 personal identity photos following an attack on the state information system last Friday. | government | hacked |  | 4 |  | News ERR | https://news.err.ee/1608291072/hacker-downloads-close-to-300-000-personal-id-photos |  | 387
Guntrader | UK firearms sales website | 111,000 | 2021 | Jul 2021 | Criminals have hacked into a Gumtree-style website used for buying and selling firearms, making off with a 111,000-entry database containing names, mobile phone numbers, email addresses, user geolocation data, and more including bcrypt-hashed passwords used by gun shops across the UK. | retail | hacked |  | 2 |  | The Register | https://www.theregister.com/2021/07/23/guntrader_hacked_111k_users_sql_database/ |  | 386
LinkedIn |  | 700,000,000 | 2021 | Jul 2021 | The hacker appears to have misused the official LinkedIn API to scrape the data, the same method used in a similar breach back in April. User details, but no passwords. | web | hacked |  | 1 | 700m | 9 to 5 mac | https://9to5mac.com/2021/06/29/linkedin-breach/ |  | 385
VW |  | 3,300,000 | 2021 | Jun 2021 | Phone numbers, email addresses and some sensitive credit data. Nearly all those impacted were current or potential customers of Audi, one of the German automaker's luxury brands | transport | hacked |  | 2 |  | Reuters | https://www.reuters.com/business/autos-transportation/vw-says-data-breach-vendor-impacted-33-million-people-north-america-2021-06-11/ |  | 384
McDonald's |  | 10,000,000 | 2021 | Jun 2021 | Unknown detail | retail | hacked |  | 2 | unknown | Wall St Journal | https://www.wsj.com/articles/mcdonalds-hit-by-data-breach-in-south-korea-taiwan-11623412800 |  | 383
Air India |  | 4,500,000 | 2021 | May 2021 | Passengers’ names, dates of birth, contact information, passport information, ticket information, frequent flyer data and credit card information. | transport | hacked |  | 2 |  | Indian Express | https://indianexpress.com/article/explained/air-india-sita-data-breach-explained-7325501/ |  | 382
Omiai dating app | Japanese dating app | 1,710,000 | 2021 | May 2021 | Addresses and dates of birth from identification, including passports, drivers’ licenses and health insurance cards, provided to the company. | app | hacked |  | 2 |  | Japan Times | https://www.japantimes.co.jp/news/2021/05/22/business/tech/omiai-dating-app-hack-japan/ |  | 381
Amazon Reviews |  | 13,124,962 | 2021 | May 2021 | Database exposing an organized fake reviews scam affecting Amazon. The server contained a treasure trove of direct messages between Amazon vendors and customers willing to provide fake reviews in exchange for free products | web | poor security | y | 2 |  | Safety Detectives | https://www.safetydetectives.com/blog/amazon-reviews-leak-report/ |  | 380
Peloton |  | 3,000,000 | 2021 | May 2021 |  | tech | poor security |  | 2 |  | Ars Technica | https://arstechnica.com/gadgets/2021/05/peloton-takes-3-months-to-fix-flaw-that-exposed-users-private-information/#p3 |  | 379
Digital Ocean |  | 10,000,000 | 2021 | Apr 2021 |  | tech | poor security |  |  | unknown | Tech Crunch | https://techcrunch.com/2021/04/28/digitalocean-customer-billing-data-breach/ |  | 378
Park Mobile | mobile parking app | 21,000,000 | 2021 | Apr 2021 | Customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses. | transport | hacked |  | 2 |  | Krebs on Security | https://krebsonsecurity.com/2021/04/parkmobile-breach-exposes-license-plate-data-mobile-numbers-of-21m-users/ |  | 377
Ubiquiti |  | 16,000,000 | 2021 | Feb 2021 | Unknown amount of user data breached | tech | hacked |  | 2 |  | ZDNet | https://www.zdnet.com/article/ubiquiti-tells-customers-to-change-passwords-after-security-breach/ |  | 376
Meet Mindful |  | 2,240,000 | 2021 | Feb 2021 | Dating site user data includes real names, phone numbers, Facebook account codes, latitude & longitude. Thankfully private messages were not leaked. | tech | hacked |  | 4 |  | ZDNet | https://www.zdnet.com/article/hacker-leaks-data-of-2-28-million-dating-site-users/ |  | 375
Experian Brazil |  | 220,000,000 | 2021 | Feb 2021 | Details hazy | finance | hacked |  | 2 | 220m | ZDNet | https://www.zdnet.com/article/experian-challenged-over-massive-data-leak-in-brazil/ |  | 374
Gab |  | 4,000,000 | 2021 | Mar 2021 | Over 70GB of data from the far-right social media site was hacked. All posts, messages, passwords from all users were breached. | tech | hacked | y | 3 | 100K | Wired | https://www.wired.com/story/gab-hack-data-breach-ddosecrets/ |  | 373
Star Alliance |  | 16,000,000 | 2021 | Mar 2021 | The Star Alliance of airlines including Singapore Airlines, Lufthansa and United, said on Thursday it had been the victim of a cyber attack leading to a breach of passenger data. Lufthansa, Cathay Pacific and Air New Zealand were also affected. Breached data was limited to "name, tier status and membership number" | transport | hacked |  | 1 |  | The Guardian | https://www.theguardian.com/world/2021/mar/05/airline-data-hack-hundreds-of-thousands-of-star-alliance-passengers-details-stolen |  | 372
Facebook |  | 533,000,000 | 2021 | Mar 2021 | Phone numbers, full names, locations, email addresses, and biographical information on 533 million users from 106 countries. Scraped due to a vulnerability "patched in 2019". | tech | hacked | y | 1 | 533m | Business Insider | https://www.businessinsider.com/stolen-data-of-533-million-facebook-users-leaked-online-2021-4?r=US&IR=T |  | 371
Ledger |  | 270,000 | 2020 | Dec 2020 | A threat actor has leaked the stolen email and mailing addresses for Ledger cryptocurrency wallet users on a hacker forum for free. | finance | hacked |  | 2 |  | Bleeping Computer | https://www.bleepingcomputer.com/news/security/physical-addresses-of-270k-ledger-owners-leaked-on-hacker-forum/ |  | 370
T-Mobile |  | 200,000 | 2020 | Dec 2020 | The information exposed in this breach includes phone numbers, call records, and the number of lines on an account. | telecoms | hacked |  | 1 |  | Bleeping Computer | https://www.bleepingcomputer.com/news/security/t-mobile-data-breach-exposed-phone-numbers-call-records/ |  | 369
The Hospital Group |  | 1,000,000 | 2020 | Dec 2020 | Hackers compromised the plastic surgery firm and threatened to release over 900 gigabytes of private surgery photographs. | health | hacked | y | 4 |  | BBC | https://www.bbc.co.uk/news/technology-55439190 |  | 368
SolarWinds |  | 50,000,000 | 2020 | Dec 2020 | Suspected Russian hackers compromised network monitoring software used by the Pentagon, intelligence agencies, nuclear labs and many Fortune 500 companies. A tainted software update acted as a trojan horse. An unknown number of companies and individuals might be affected. | app | hacked | y | 3 |  | New York Times | https://www.nytimes.com/2020/12/14/us/politics/russia-hack-nsa-homeland-security-pentagon.html |  | 367
Ho Mobile |  | 2,500,000 | 2020 | Dec 2020 | Italian mobile operator owned by Vodafone is now taking the rare step of offering to replace the SIM cards of all affected customers. Data hacked: full names, telephone numbers, social security numbers, email addresses, dates and places of birth, nationality, and home addresses. | telecoms | hacked |  | 2 |  | ZD Net | https://www.zdnet.com/article/italian-mobile-operator-offers-to-replace-sim-cards-after-massive-data-breach/ |  | 366
Spotify |  | 500,000 | 2020 | Dec 2020 | Undisclosed number of users had their email addresses and passwords left open online. Spotify said the vulnerability existed as far back as April 9 but wasn’t discovered until November 12. | app | oops! |  | 1 |  | Tech Crunch | https://techcrunch.com/2020/12/10/spotify-resets-user-passwords-after-a-bug-exposed-private-account-information/?guccounter=1&guce_referrer=aHR0cHM6Ly9pdC5zbGFzaGRvdC5vcmcv&guce_referrer_sig=AQAAAMGNMpm00iWQgE4Zhw1q6_5FoeBsJUbWyKEniavHxaZR-X1oBrnXuFtvr9B4IYBK1C6x9AfEqEZwzfJaZhhINvaBZltXd-DF036LVwwnAhWAMQpD98Lahw3sni-Z2bS6qEIjPgodPdZHV3DRJWLrNt0bOoohuh_DWM8-IngVnCl6 |  | 365