In today’s data-driven world, data breaches can affect hundreds of millions or even billions of people at a time. Digital transformation has increased the volume of data in motion, and data breaches have scaled up with it as attackers exploit the data dependencies of daily life. How large the cyberattacks of the future might become remains speculation, but as this list of the biggest data breaches of the 21st century indicates, they have already reached enormous magnitudes.

For transparency, this list has been calculated by the number of users impacted, records exposed, or accounts affected. We have also made a distinction between incidents where data was actively stolen or reposted maliciously and those where an organization has inadvertently left data unprotected and exposed but there has been no significant evidence of misuse. The latter have purposefully not been included in the list.

So, here it is – an up-to-date list of the 15 biggest data breaches in recent history, including details of those affected, who was responsible, and how the companies responded (as of July 2021).

1. Yahoo

Date: August 2013
Impact: 3 billion accounts

Securing the number one spot – almost seven years after the initial breach and four since the true number of records exposed was revealed – is the attack on Yahoo. The company first publicly announced the incident – which it said took place in 2013 – in December 2016. At the time, it was in the process of being acquired by Verizon and estimated that account information of more than a billion of its customers had been accessed by a hacking group. Less than a year later, Yahoo announced that the actual figure of user accounts exposed was 3 billion. Yahoo stated that the revised estimate did not represent a new “security issue” and that it was sending emails to all the “additional affected user accounts.”

Despite the attack, the deal with Verizon was completed, albeit at a reduced price. Verizon’s CISO Chandra McMahon said at the time: “Verizon is committed to the highest standards of accountability and transparency, and we proactively work to ensure the safety and security of our users and networks in an evolving landscape of online threats. Our investment in Yahoo is allowing that team to continue to take significant steps to enhance their security, as well as benefit from Verizon’s experience and resources.” After investigation, it was discovered that, while the attackers accessed account information such as security questions and answers, plaintext passwords, payment card and bank data were not stolen.

2. Aadhaar [tie with Alibaba]

Date: January 2018
Impact: 1.1 billion Indian citizens’ identity/biometric information exposed

In early 2018, news broke that malicious actors had infiltrated the world’s largest ID database, Aadhaar, exposing information on more than 1.1 billion Indian citizens including names, addresses, photos, phone numbers, and emails, as well as biometric data like fingerprints and iris scans. What’s more, since the database – established by the Unique Identification Authority of India (UIDAI) in 2009 – also held information about bank accounts connected with unique 12-digit numbers, it became a credit breach too. This was despite the UIDAI initially denying that the database held such data.

The actors infiltrated the Aadhaar database through the website of Indane, a state-owned utility company connected to the government database through an application programming interface (API) that allowed applications to retrieve data stored by other applications or software. Indane’s API had no access controls, so anyone who could reach it could query the data behind it. Hackers sold access to the data for as little as $7 via a WhatsApp group. Despite warnings from security researchers and tech groups, it took Indian authorities until March 23, 2018, to take the vulnerable access point offline.

2. Alibaba [tie with Aadhaar]

Date: November 2019
Impact: 1.1 billion pieces of user data

Over an eight-month period, a developer working for an affiliate marketer scraped customer data, including usernames and mobile numbers, from Alibaba’s Chinese shopping website, Taobao, using crawler software that he created. It appears the developer and his employer were collecting the information for their own use and did not sell it on the black market, although both were sentenced to three years in prison.

A Taobao spokesperson said in a statement: “Taobao devotes substantial resources to combat unauthorized scraping on our platform, as data privacy and security is of utmost importance. We have proactively discovered and addressed this unauthorized scraping. We will continue to work with law enforcement to defend and protect the interests of our users and partners.”

4. LinkedIn

Date: June 2021
Impact: 700 million users

Professional networking giant LinkedIn saw data associated with 700 million of its users posted on a dark web forum in June 2021, impacting more than 90% of its user base. A hacker going by the moniker “God User” used data scraping techniques that exploited the site’s (and others’) API before dumping a first data set of around 500 million customers. They then followed up with a boast that they were selling the full 700 million customer database. While LinkedIn argued that, as no sensitive, private personal data was exposed, the incident was a violation of its terms of service rather than a data breach, a scraped data sample posted by God User contained information including email addresses, phone numbers, geolocation records, genders and other social media details, which would give malicious actors plenty of data to craft convincing follow-on social engineering attacks in the wake of the leak, as the UK’s NCSC warned.

5. Sina Weibo

Date: March 2020
Impact: 538 million accounts

With over 600 million users, Sina Weibo is one of China’s largest social media platforms. In March 2020, the company announced that an attacker had obtained part of its database, impacting 538 million Weibo users and their personal details including real names, site usernames, gender, location, and phone numbers. The attacker is reported to have then sold the database on the dark web for $250.

China’s Ministry of Industry and Information Technology (MIIT) ordered Weibo to enhance its data security measures to better protect personal information and to notify users and authorities when data security incidents occur. In a statement, Sina Weibo argued that an attacker had gathered publicly posted information by using a service meant to help users locate the Weibo accounts of friends by inputting their phone numbers, and that no passwords were affected. However, it admitted that the exposed data could be used to associate accounts with passwords if passwords are reused on other accounts. The company said it had strengthened its security strategy and reported the details to the appropriate authority.

6. Facebook

Date: April 2019
Impact: 533 million users

In April 2019, it was revealed that two datasets from Facebook apps had been exposed to the public internet. The information related to more than 530 million Facebook users and included phone numbers, account names, and Facebook IDs. However, two years later (April 2021) the data was posted for free, indicating new and real criminal intent surrounding the data. In fact, given the sheer number of phone numbers impacted and readily available on the dark web as a result of the incident, security researcher Troy Hunt added functionality to his HaveIBeenPwned (HIBP) breached credential checking site that would allow users to verify whether their phone numbers had been included in the exposed dataset.

“I’d never planned to make phone numbers searchable,” Hunt wrote in a blog post. “My position on this was that it didn’t make sense for a bunch of reasons. The Facebook data changed all that. There’s over 500 million phone numbers but only a few million email addresses so >99% of people were getting a miss when they should have gotten a hit.”

7. Marriott International (Starwood)

Date: September 2018
Impact: 500 million customers

Marriott International announced the exposure of sensitive details belonging to half a billion Starwood guests following an attack on its systems in September 2018. In a statement published in November the same year, the hotel giant said: “On September 8, 2018, Marriott received an alert from an internal security tool regarding an attempt to access the Starwood guest reservation database. Marriott quickly engaged leading security experts to help determine what occurred.”

Marriott learned during the investigation that there had been unauthorized access to the Starwood network since 2014. “Marriott recently discovered that an unauthorized party had copied and encrypted information and took steps towards removing it. On November 19, 2018, Marriott was able to decrypt the information and determined that the contents were from the Starwood guest reservation database,” the statement added.

The data copied included guests’ names, mailing addresses, phone numbers, email addresses, passport numbers, Starwood Preferred Guest account information, dates of birth, gender, arrival and departure information, reservation dates, and communication preferences. For some, the information also included payment card numbers and expiration dates, though these were apparently encrypted.

Marriott carried out an investigation assisted by security experts following the breach and announced plans to phase out Starwood systems and accelerate security enhancements to its network. The company was eventually fined £18.4 million (reduced from £99 million) by the UK’s data protection regulator, the Information Commissioner’s Office (ICO), in 2020 for failing to keep customers’ personal data secure. An article in The New York Times attributed the attack to a Chinese intelligence group seeking to gather data on US citizens.

8. Yahoo

Date: 2014
Impact: 500 million accounts

Making its second appearance in this list is Yahoo, which suffered an attack in 2014 separate from the one in 2013 cited above. On this occasion, state-sponsored actors stole data from 500 million accounts including names, email addresses, phone numbers, hashed passwords, and dates of birth. The company took initial remedial steps back in 2014, but it wasn’t until 2016 that Yahoo went public with the details after a stolen database went on sale on the black market.

9. Adult Friend Finder

Date: October 2016
Impact: 412.2 million accounts

The FriendFinder Network, an adult-oriented social networking service, had 20 years’ worth of user data across six databases stolen by cyber-thieves in October 2016. Given the sensitive nature of the services offered by the company – which include casual hookup and adult content websites like Adult Friend Finder, Penthouse.com, and Stripshow.com – the breach of data from more than 414 million accounts including names, email addresses, and passwords had the potential to be particularly damaging for victims. What’s more, the vast majority of the exposed passwords were hashed with the notoriously weak SHA-1 algorithm, with an estimated 99% of them cracked by the time LeakedSource.com published its analysis of the data set on November 14, 2016.

10. MySpace

Date: 2013
Impact: 360 million user accounts

Though it had long since stopped being the powerhouse it once was, social media site MySpace hit the headlines in 2016 after 360 million user accounts were both leaked to LeakedSource.com and put up for sale on the dark web market The Real Deal with an asking price of 6 bitcoin (around $3,000 at the time).

According to the company, lost data included email addresses, passwords and usernames for “a portion of accounts that were created prior to June 11, 2013, on the old Myspace platform. In order to protect our users, we have invalidated all user passwords for the affected accounts created prior to June 11, 2013, on the old Myspace platform. These users returning to Myspace will be prompted to authenticate their account and to reset their password by following instructions.”

It’s believed that the passwords were stored as SHA-1 hashes of the first 10 characters of the password converted to lowercase.

11. NetEase

Date: October 2015
Impact: 235 million user accounts

NetEase, a provider of mailbox services through the likes of 163.com and 126.com, reportedly suffered a breach in October 2015 when email addresses and plaintext passwords relating to 235 million accounts were put up for sale by dark web marketplace vendor DoubleFlag. NetEase has maintained that no data breach occurred, and to this day HIBP states: “Whilst there is evidence that the data itself is legitimate (multiple HIBP subscribers confirmed a password they use is in the data), due to the difficulty of emphatically verifying the Chinese breach it has been flagged as ‘unverified.’”

12. Court Ventures (Experian)

Date: October 2013
Impact: 200 million personal records

Experian subsidiary Court Ventures fell victim in 2013 when a Vietnamese man tricked it into giving him access to a database containing 200 million personal records by posing as a private investigator from Singapore. The details of Hieu Minh Ngo’s exploits only came to light following his arrest for selling personal information of US residents (including credit card numbers and Social Security numbers) to cybercriminals across the world, something he had been doing since 2007. In March 2014, he pleaded guilty to multiple charges including identity fraud in the US District Court for the District of New Hampshire. The DoJ stated at the time that Ngo had made a total of $2 million from selling personal data.

13. LinkedIn

Date: June 2012
Impact: 165 million users

Making its second appearance on this list is LinkedIn, this time in reference to a breach it suffered in 2012, when it announced that 6.5 million unassociated passwords (unsalted SHA-1 hashes) had been stolen by attackers and posted onto a Russian hacker forum. However, it wasn’t until 2016 that the full extent of the incident was revealed. The same hacker selling MySpace’s data was found to be offering the email addresses and passwords of around 165 million LinkedIn users for just 5 bitcoins (around $2,000 at the time). LinkedIn acknowledged that it had been made aware of the breach and said it had reset the passwords of affected accounts.

14. Dubsmash

Date: December 2018
Impact: 162 million user accounts

In December 2018, New York-based video messaging service Dubsmash had 162 million email addresses, usernames, PBKDF2 password hashes, and other personal data such as dates of birth stolen, all of which was then put up for sale on the Dream Market dark web market the following December. The information was being sold as part of a collected dump also including the likes of MyFitnessPal (more on that below), MyHeritage (92 million), ShareThis, Armor Games, and dating app CoffeeMeetsBagel.

Dubsmash acknowledged that the breach and sale of information had occurred and provided advice around changing passwords. However, it failed to state how the attackers got in or confirm how many users were affected.

15. Adobe

Date: October 2013
Impact: 153 million user records

In early October 2013, Adobe reported that hackers had stolen almost three million encrypted customer credit card records and login data for an undetermined number of user accounts. Days later, Adobe increased that estimate to include IDs and encrypted passwords for 38 million “active users.” Security blogger Brian Krebs then reported that a file posted just days earlier “appears to include more than 150 million username and hashed password pairs taken from Adobe.” Weeks of research showed that the hack had also exposed customer names, passwords, and debit and credit card information. An agreement in August 2015 called for Adobe to pay $1.1 million in legal fees and an undisclosed amount to users to settle claims of violating the Customer Records Act and unfair business practices. In November 2016, the amount paid to customers was reported to be $1 million.
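Several entries above turn on how passwords were stored: unsalted SHA-1 at LinkedIn (2012) and Adult Friend Finder, SHA-1 of the first 10 lowercased characters at MySpace, and salted PBKDF2 at Dubsmash. The following added example (written for this page, not code from any of the companies named) shows concretely what those choices cost a defender once the hash table leaks: with an unsalted fast hash, every account sharing a password shares a hash, so one recovered value unlocks all of them and password reuse is visible at a glance; with the MySpace-style truncation, any string that agrees on the first 10 characters case-insensitively passes the login check; with a per-user salt and a slow derivation, identical passwords produce unrelated hashes and each guess costs the attacker the full work factor. The sample accounts and the iteration count are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample accounts for the demonstration (not real leaked data).
SAMPLE_USERS = {
    "alice@example.com": "Summer2016!",
    "bob@example.com": "Summer2016!",      # reuses alice's password
    "carol@example.com": "summer2016ABC",  # differs, but the first 10 chars match alice's ignoring case
}


def sha1_unsalted(password):
    """One fast, unsalted SHA-1 per password: the scheme reported for LinkedIn (2012)
    and Adult Friend Finder."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def sha1_first10_lower(password):
    """SHA-1 of the first 10 characters, lowercased, as reported for MySpace."""
    return hashlib.sha1(password[:10].lower().encode("utf-8")).hexdigest()


def truncated_scheme_accepts(stored_hash, candidate):
    """Login check under the MySpace-style scheme. Any candidate that agrees on the
    first 10 characters (case-insensitively) is accepted, so the effective password
    space is far smaller than what users typed."""
    return sha1_first10_lower(candidate) == stored_hash


# Assumed work factor for this example; choose it per current guidance and hardware.
PBKDF2_ITERATIONS = 600_000


def pbkdf2_hash(password, salt: Optional[bytes] = None, iterations=PBKDF2_ITERATIONS):
    """Per-user random salt plus a deliberately slow key derivation (the kind of scheme
    Dubsmash's PBKDF2 hashes imply). The stored string carries everything needed to
    verify later, so the work factor can be raised for new hashes without a migration."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def pbkdf2_verify(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so verification timing does not leak the stored value.
    return hmac.compare_digest(dk.hex(), dk_hex)


def shared_hash_groups(hash_fn, users):
    """Groups of accounts whose stored hashes are byte-for-byte identical. Under an
    unsalted scheme one recovered hash unlocks the whole group and password reuse is
    visible without cracking anything; under a salted scheme the result is empty."""
    groups = {}
    for email, password in users.items():
        groups.setdefault(hash_fn(password), []).append(email)
    return sorted(members for members in groups.values() if len(members) > 1)


if __name__ == "__main__":
    print("unsalted SHA-1 groups:   ", shared_hash_groups(sha1_unsalted, SAMPLE_USERS))
    print("truncated SHA-1 groups:  ", shared_hash_groups(sha1_first10_lower, SAMPLE_USERS))
    print("salted PBKDF2 groups:    ", shared_hash_groups(pbkdf2_hash, SAMPLE_USERS))
    stored = sha1_first10_lower("Summer2016!")
    print("truncated scheme accepts 'SUMMER2016-anything':",
          truncated_scheme_accepts(stored, "SUMMER2016-anything"))
```

The grouping function is the same check an incident responder runs over a leaked table to gauge exposure: under the SHA-1 schemes it returns non-empty groups immediately, under PBKDF2 with random salts it returns nothing, and raising `PBKDF2_ITERATIONS` scales the cost of every offline guess linearly.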
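Three of the incidents above (Indane's unauthenticated API behind Aadhaar, the Weibo friend-finder that mapped phone numbers to accounts, and the API scraping behind the LinkedIn and Taobao collections) share one shape: a lookup endpoint that answered far more distinct queries per caller than its legitimate purpose required, with nothing counting. The following added example, written for this page rather than taken from any of those platforms, implements the defender's side of that problem twice over the same sliding-window counter: an offline detection that flags API keys which looked up more distinct phone numbers in a minute than a person-finder plausibly needs, and an online guard that refuses further lookups once a caller passes that cap. The log format, client identifiers, thresholds and traffic are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed log format (constructed for this example, not any real vendor's):
#   <ISO-8601 timestamp> client=<api key id> <METHOD> <path>
LOG_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+)$")
PHONE_RE = re.compile(r"[?&]phone=([^&\s]+)")


class DistinctWindow:
    """Number of distinct lookup keys a caller has used within a trailing time window."""

    def __init__(self, window):
        self.window = window
        self.events = deque()           # (timestamp, key), oldest first
        self.counts = defaultdict(int)  # key -> occurrences still inside the window

    def add(self, ts, key):
        self.events.append((ts, key))
        self.counts[key] += 1
        while self.events and ts - self.events[0][0] > self.window:
            _, old = self.events.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]
        return len(self.counts)


def parse_line(line):
    """Return (timestamp, client, phone) for a lookup request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    phone = PHONE_RE.search(m["path"])
    if not phone:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ts, m["client"], phone.group(1)


def find_enumerators(lines, window_seconds=60, max_distinct=20):
    """Offline detection over an access log: clients whose distinct-number rate exceeds
    max_distinct per window, mapped to the peak distinct count observed."""
    events = sorted(e for e in map(parse_line, lines) if e)
    windows, peaks = {}, {}
    for ts, client, phone in events:
        w = windows.setdefault(client, DistinctWindow(timedelta(seconds=window_seconds)))
        distinct = w.add(ts, phone)
        if distinct > max_distinct:
            peaks[client] = max(peaks.get(client, 0), distinct)
    return peaks


class LookupGuard:
    """Online control for the same endpoint: a lookup is allowed only while the caller's
    distinct-number count in the window stays at or below max_distinct. Repeat lookups
    of the same number do not consume quota, so ordinary use is unaffected."""

    def __init__(self, window_seconds=60, max_distinct=20):
        self.window = timedelta(seconds=window_seconds)
        self.max_distinct = max_distinct
        self.windows = {}

    def allow(self, client, phone, now):
        w = self.windows.setdefault(client, DistinctWindow(self.window))
        return w.add(now, phone) <= self.max_distinct


def build_sample_log():
    """Constructed traffic: one ordinary app user checking two friends, and one key
    walking through 50 sequential numbers in under a minute."""
    t0 = datetime(2021, 6, 1, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i, phone in enumerate(["+15550000101", "+15550000102", "+15550000101"]):
        ts = (t0 + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} client=mobile-app-7 GET /v1/contacts/lookup?phone={phone}")
    for i in range(50):
        ts = (t0 + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} client=crawler-key-3 GET /v1/contacts/lookup?phone=%2B1555000{2000 + i}")
    lines.append("2021-06-01T10:00:30Z client=mobile-app-7 GET /v1/profile/me")  # no phone: ignored
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    print("flagged clients:", find_enumerators(SAMPLE_LOG))
```

The same `DistinctWindow` serves both uses because detection and prevention should agree on what "too many" means; tuning `max_distinct` against a week of real logs before enabling `LookupGuard` keeps the control from blocking legitimate friend-finding while still stopping bulk enumeration.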