The 10 biggest data breaches of all time

(Image credit: Shutterstock)

We expect websites, online stores, payment companies, and especially banks to look after the personal data we submit. After all, we've given them their custom, used their online service - it's the least they can do.

And yet, on an almost monthly basis, we learn about new security breaches, where hackers have somehow infiltrated the security precautions of large organizations and stolen a large proportion (if not all) of the customer data.

If you've been hit by ID fraud, cybercriminals might have used leaked records. Wondering if your records have been leaked? Here are the 10 biggest data breaches  to date (compiled by Purdue University). 

1. Heartland Payment Systems

Affecting at least 100 million people, this hack wasn't detected for 8 months. Hackers stole enough data to create new physical cards. Heartland Payment Systems was forced to pay $140 million in fines and penalties.

Career hacker Albert Gonzalez was given a 20-year sentence for the hack, served concurrently with a matching punishment for hacks against other businesses.

2. Capital One

In 2019, the names of 106 million people who had applied for credit with Capital One were exposed in a breach. Names, addresses, credit scores, payment histories, and more could be found in the stolen data.

The handywork of a single hacker, the breach included 140,000 social security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, and credit card applications dating back to 2005.

(Image credit: Shutterstock)

3. Equifax

Incredibly, an actual credit agency has even been hacked. Credit card numbers and dispute documents were exposed in this 2017 hack which seriously impacted Equifax's credibility. The compromised 143 million records also included 14 million from the UK. Further, the incident was a masterclass in bad crisis management, with multiple figures released, and claims that passwords had not been leaked when in fact they had. The scandal also saw the departure of Equifax's chairman and chief executive, Richard Smith.

4. MySpace

No one knows when MySpace was hacked. After all, most people stopped using it years ago. The Facebook forerunner was breached at some point before 2016, however, as this is when the password records of 360 million people appeared online.

While few use MySpace these days (it's pivoted to attract musicians and artists), the leaked passwords have been shown to work on other sites. It's a key reason why every account you own should have its own, unique password.

5. Friend Finder Network

Online dating and adult entertainment sites owned by Friend Finder Network became headline news when it transpired that over 15 million supposedly deleted accounts had not been dumped from the database. These were leaked alongside active customers in a breach totalling 412 million accounts.

The 2016 hack included data from AdultFriendFinder,,, and other smaller properties. Leaked accounts dated back to the late 1990s.

(Image credit:

6. Marriott Hotels

The Marriott Hotels group was breached in 2018 with 500 million people affected. Personal information such as travel schedules and passport numbers were leaked, data that is usually hard for identity thieves to acquire.

Incredibly, Marriott Hotels were hit by another hacked data breach in 2020, this time revealing that up to 5.2 million accounts were exposed in January and February.

7. Yahoo

2014's hack on Yahoo resulted in 500 million accounts being leaked. Personally identifiable information was stolen by hackers, along with encrypted passwords and security questions. Yahoo publicly declared that the hack was the work of a "state sponsored actor," implying Russia, China, or North Korea. However, the hack, which wasn't confirmed until two years later, is believed by independent security analysts to have been undertaken by a cybercrime gang.

(Image credit: Shutterstock)

8. Facebook

Even your Facebook account isn't safe from data breaches. In 2019 it was found that third party apps had exposed 540 million accounts. The data was left unencrypted on Amazon cloud servers used by the apps. That this occurred after the Cambridge Analytica scandal, gave the impression that Facebook hadn't learned from that event. In fairness, the data was in the hands of third parties who had failed to encrypt the data. However, this incident again underlined Facebook's casual approach to user data.

9. First American

In 2019 First American was breached, resulting in 885 million records being exposed. Social security numbers, bank account numbers and details, wire transactions, and mortgage paperwork were all leaked.

Accounts dated back to 2003 and were exposed due to a complete lack of security. Anyone who wished to see a record simply had to figure out the format of First American's document URLs. That they were exposed to the internet rather than kept safely on a company intranet is bad enough. The complete lack of encryption is unforgivable.

10. Yahoo

Incredibly, Yahoo has twice been the victim of major data breaches. In 2013, 3 billion accounts were hacked, pretty much the entire database of all users at that point. Confirmation didn't come until 2017, after a four-year investigation. Further, the once popular webmail and search engine didn't reveal the true scale of the hack until March 2017, a whole 10 months after claiming the hack was a mere 1 billion compromised records.

Christian Cawley

Christian Cawley has extensive experience as a writer and editor in consumer electronics, IT and entertainment media. He has contributed to TechRadar since 2017 and has been published in Computer Weekly, Linux Format, ComputerActive, and other publications. Formerly the editor responsible for Linux, Security, Programming, and DIY at, Christian previously worked as a desktop and software support specialist in the public and private sectors.