Biggest Data Breaches in US History [Updated 2023]

Everyone is at risk of a data breach or cyber attack, no matter how small or large a company is. Hackers and cybercriminals come up with new ways every day to steal sensitive information or personal data that they can potentially sell or ransom for money.

According to a report published by the Identity Theft Resource Center (ITRC), a record number of 1862 data breaches occurred in 2021 in the US. This number broke the previous record of 1506 set in 2017 and represented a 68% increase compared to the 1108 breaches in 2020. Sectors like healthcare, finance, business, and retail are the most commonly attacked, impacting millions of Americans every year.

Many cybersecurity experts believe that this number will continue to increase in 2023 and beyond. To help you understand the scope and extent of data breaches today, here are the largest data breaches in US history.

Top 5 Biggest Data Breaches in US History

When a data breach occurs, sensitive data can be stolen and sold on the dark web or to third parties. Here are some of the biggest data breaches in history that led to the exposure of millions of user records.

1. Yahoo!

Date: 2013-2016

Impact: Over 3 billion user accounts exposed

The Yahoo data breach is one of the worst and most infamous known cyberattacks and currently holds the record for the most people affected. The first attack occurred in 2013, and many more would follow over the next three years.

A team of Russian hackers targeted Yahoo’s database using backdoors, stolen backups, and access cookies to steal records from all user accounts, which included personally identifiable information (PII) like:

Names

Email addresses

Phone numbers

Birth dates

Passwords

Calendars

Security questions

Initially, Yahoo reported stolen data from about 1 billion accounts. However, after Verizon bought out Yahoo in 2017, it reported that the final total was about 3 billion affected accounts. Not only was Yahoo slow to react, but the company also failed to disclose a 2014 incident to users, which resulted in a $35 million fine and, in total, 41 class-action lawsuits.

2. Microsoft

Date: January 2021

Impact: 30,000 US companies (60,000 companies worldwide)

In one of the largest cyberattacks in US history, over 30,000 US businesses were affected by a sweeping attack on the Microsoft Exchange email servers, one of the largest email servers in the world. The hackers were able to exploit four different zero-day vulnerabilities that allowed them to gain unauthorized access to emails at organizations ranging from small businesses to local governments.

For three months, hackers took advantage of a few coding errors to take control of vulnerable systems. They only needed two conditions to break into each individual company’s email servers:

Connection to the internet

On-premises, locally managed systems

Once they were in, they could request access to data, deploy malware, use backdoors to gain access to other systems, and ultimately take over the servers. Since the requests looked like they came from the Exchange servers themselves, many people assumed they were legitimate and approved them.

Though Microsoft was able to patch the vulnerabilities, if the owners of the individual servers didn’t update their systems, attackers would be able to exploit the system flaw again. Because the systems weren’t on the cloud, Microsoft couldn’t push a patch to fix the issues immediately.

In July 2021, the Biden administration, along with the FBI, accused China of the data breach. Microsoft followed suit and named a Chinese state-sponsored hacker group, Hafnium, as the culprit behind the attack.

3. First American Financial Corp.

Date: May 2019

Impact: 885 million file records leaked

In 2019, First American Financial Corp. suffered a major data leak due to poor data security measures and faulty website design. Although this incident was labeled a data leak instead of a breach (no hacking involved), it shows just how easily sensitive information can fall into the wrong hands.

Due to a website design error called Insecure Direct Object Reference (IDOR), private information could be accessed without any verification or authentication. As a result, anyone with a link to the documents could view them freely. On top of that, because First American numbered their records in sequential order, users could simply change the number in the URL to view other customer records.
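
The flaw described above, shown next to a corrected lookup, as an added example that is not from the original article or from First American's code. The record numbers, user names, `get_document_vulnerable` and `DocumentStore` are hypothetical.

```python
import secrets

# Constructed sample records keyed by sequential numbers, as in the article.
DOCS_SEQUENTIAL = {
    1001: {"owner": "alice", "body": "wire transfer receipt (alice)"},
    1002: {"owner": "bob", "body": "bank statement (bob)"},
}


def get_document_vulnerable(doc_id):
    """IDOR: the record number in the URL is the only thing checked."""
    doc = DOCS_SEQUENTIAL.get(doc_id)
    return doc["body"] if doc else None


class DocumentStore:
    """Hardened lookup: random identifiers plus an ownership check."""

    def __init__(self):
        self._docs = {}

    def add(self, owner, body):
        # 128 random bits: the next ID cannot be derived from the previous one.
        doc_id = secrets.token_urlsafe(16)
        self._docs[doc_id] = {"owner": owner, "body": body}
        return doc_id

    def get(self, doc_id, session_user):
        if session_user is None:
            raise PermissionError("authentication required")
        doc = self._docs.get(doc_id)
        # Identical error for "no such document" and "not your document",
        # so responses do not reveal which identifiers exist.
        if doc is None or doc["owner"] != session_user:
            raise LookupError("document not found")
        return doc["body"]


if __name__ == "__main__":
    # Vulnerable path: any caller reads bob's record by changing the number.
    print(get_document_vulnerable(1002))
    store = DocumentStore()
    alice_doc = store.add("alice", "wire transfer receipt (alice)")
    print(store.get(alice_doc, "alice"))
    try:
        store.get(alice_doc, "bob")
    except LookupError as exc:
        print("bob denied:", exc)
```

Random identifiers alone only make guessing impractical; the ownership check in `get` is what closes the hole when a link is shared or leaked.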

Approximately 885 million files were exposed, including:

Bank account numbers

Bank statements

Mortgage payment documents

Wire transfer receipts with social security numbers

Drivers' licenses

Fortunately, no data was compromised or exploited. Because First American violated cybersecurity laws by ignoring red flags in 2018 and making other administrative errors, they were ultimately fined roughly $500,000 by the Securities and Exchange Commission (SEC).

4. Facebook

Date: April 2021

Impact: 530 million users exposed

Although one of the world’s largest companies, Facebook is no stranger to data leaks and controversy. The social media giant has constantly dealt with security breaches of user data since the company went public in 2012.

The company’s massive data breach in April 2021 was one of its largest, leaking names, phone numbers, account names, and passwords of over 530 million people to the public. Facebook identified the problem in the platform’s tool to sync contacts, saying hackers had exploited a vulnerability to scrape user profiles for customer data.

Though Facebook maintained that no data had been compromised or misused, it’s impossible to verify since the information was public for a short period. Hackers or scammers can easily take advantage of unsuspecting users with just their names, phone numbers, and emails.

Since 2013, Facebook has faced multiple major data breaches, including:

In March 2019, information leaked that Facebook employees had access to over 600 million user accounts. Account IDs and passwords for both Facebook and Instagram were stored in plaintext files. Although Facebook claims no sensitive information was exposed, it was one more incident among many security issues.

In April 2019, the Cyber Risk team at UpGuard discovered 540 million unsecured Facebook user data records on public Amazon S3 cloud servers. Third-party app developer and Mexican media company Cultura Colectiva failed to password-protect their entire dataset, leaving the information open for anyone to access and download.

Although Facebook was not directly responsible for this incident, it brought scrutiny to how the social network managed third-party access to its database. Following a long history of data leaks, Facebook finally increased restrictions on third-party developers.

Just a few months later, more exposed records were found on a foreign server on the dark web. Further investigation found that a hacker group in Vietnam may have abused Facebook’s API and scraped the site for user IDs, names, and phone numbers. Over 300 million users were affected.

Facebook / Cambridge Analytica

Date: April 2018

Impact: 50-90 million users exposed

In 2018, a British consulting firm, Cambridge Analytica, stole and sold data from 50-90 million user accounts on Facebook in one of the most high-profile cases in recent memory. Cambridge Analytica security researcher Aleksandr Kogan accessed this data through a loophole from a third-party quiz app. This loophole in Facebook’s API (application programming interface) allowed Kogan to compile data from anyone who downloaded the app and their entire friend network.

Despite going against the terms and conditions of Facebook, Cambridge Analytica continued to sell the data illegally because there was no rule enforcement. Reports show that Facebook was aware of the issue as early as 2015 but did not take action until Christopher Wylie, a Cambridge Analytica employee, blew the whistle.

Things finally came to a head when the Federal Trade Commission (FTC) announced a historic $5 billion fine for Facebook’s continuous violation of data security and poor data protection practices. The FTC also mandated a complete restructuring from the top down to increase oversight of privacy compliance. Furthermore, the FTC filed a lawsuit against Cambridge Analytica, forcing CEO Alexander Nix to resign.

5. LinkedIn

Date: April 2021

Impact: Over 700 million user records

LinkedIn had about 750 million users in 2021, and hackers were able to post the user identities of about 700 million of them (>93% of the total user base) after performing a data scrape of the LinkedIn website. Although most of the information was publicly available, performing a data scrape by exploiting LinkedIn’s API violated the terms of service.

The scraped data included:

Full names

Phone numbers

Email addresses (not publicly available)

Usernames

Geolocation records

Genders

Details of linked social media accounts

Any email addresses exposed during a breach can potentially be subject to ransomware or phishing attacks. Though the data was publicly available, it raised concerns over information security and how third parties can use that information to create OSINT (open-source intelligence) databases.

It also provides an opportunity for bad actors to target high-profile individuals or company executives. For example, smaller hackers quickly tried to piggyback off this incident. One user claimed to sell a new set of LinkedIn data on a public forum in exchange for $7000 worth of Bitcoin.

