14 of the Biggest Data Breaches

As a leader in payment security, Bluefin has long analyzed the causes and consequences of cyberattacks, uncovering staggering statistics that reveal just how widespread and damaging data breaches have become. For example, Verizon’s 2025 Data Breach Investigation Report — covering 22,000 incidents and 12,195 confirmed breaches — found a 100% increase in attacks involving third parties, including vendors and supply chain partners.

Numbers like these make one thing clear: even the most secure organizations remain at risk. From misconfigured databases to unencrypted data, attackers are exploiting every vulnerability. The following roundup of major breaches shows why, in today’s landscape, it’s not a matter of if a cyberattack will happen, but when.

1. Yahoo

Records Breached: 3 billion

Over the course of 2013 and 2014, 3 billion records from Yahoo were compromised in what is considered one of the biggest data breaches in history. According to the company, bad actors stole Yahoo’s proprietary source code, which allowed them to bypass login pages and steal user information.

As a result of the breach, Verizon bought Yahoo for $350 million less than initially proposed.

2. Real Estate Wealth Network

Records Breached: 1.5 billion

In late 2023, cybersecurity researcher Jeremiah Fowler discovered an unprotected database online containing 1.5 billion real estate records, including property ownership data for multiple celebrities. While Real Estate Wealth Network, the database’s owner, quickly restricted access, this breach exposed their customers to risks like property fraud, where attackers impersonate homeowners to seize ownership of their property.

3. River City Media

Records Breached: 1.37 billion (339 million unique email addresses)

In 2017, River City Media accidentally leaked 1.37 billion email addresses due to a faulty backup system. The breach also contained other important information, such as names and IP addresses. Once deduplicated, 339 million unique email addresses remained in the dataset.

4. First American Financial

Records Breached: 885 million

In 2019, 885 million documents containing information such as driver’s license photos, social security numbers, and tax documents were stored on First American Financial’s website without any password protection.

Hackers could use bots to crawl the website to eventually find this information. However, this information didn’t have to be maliciously exposed. In some cases, it was indexed by search engines doing routine crawls of the site.

5. Ticketmaster Entertainment, LLC

Records Breached: 560 million

In May 2024, over 560 million customer records, including order history, payment information, name, address, and email data, were leaked online and offered for sale by hackers who infiltrated Ticketmaster’s systems. The company sent emails to its customers, advising users to monitor their accounts and credit statements.

6. Facebook

Records Breached: 533 million

In April 2021, personally identifiable information from 533 million Facebook users — including IDs, phone numbers, and birthdays — was posted to a hacking forum. According to Facebook, the data had actually been stolen years earlier, when hackers took advantage of a security flaw to scrape Facebook’s database.

According to Facebook, this issue was fixed in 2019, when the breach was reported. However, the information continues to circulate online.

7. Marriott

Records Breached: 500 million

In 2018, Marriott announced that a reservation system used by several of its hotel brands had been compromised. The breach exposed up to 500 million customer records, including passport information and other sensitive data. The hotel chain ultimately paid $52 million in fines for security lapses that led to this and other incidents.

8. Myspace

Records Breached: 360 million

Information from over 360 million Myspace accounts, including usernames and birth dates, was posted on the dark web in 2016. Although the data had been encrypted, hackers were able to crack it. Myspace stated that the breach involved data from 2013, predating a security upgrade. The company still required all affected users to reset their passwords to secure their accounts.

9. Microsoft

Records Breached: 250 million

In December 2019, security researchers reported Microsoft was storing 250 million customer support records in a publicly available database that could be accessed online without authentication or a password. The exposed data spanned over 10 years, and included customer email addresses and IP addresses.

Once Microsoft was alerted of the public cloud configuration issue, they were able to address it within 24 hours. However, this incident highlights how even big companies struggle to protect and store data.

10. Equifax

Records Breached: 143 million

In 2017, 40% of Americans had their personal data stolen during the Equifax data breach, which resulted from a flaw in Apache Struts. Apache had posted a fix for the vulnerability, but Equifax had not applied it, leaving them open to attack. As a result, hackers were able to exfiltrate sensitive data including social security numbers and financial data from Equifax’s servers.

After the breach, Equifax spent an estimated $1.4 billion upgrading its security protections.

11. MOVEit

Records Breached: 77 million

MOVEit, a Managed File Transfer (MFT) application that provides secure file transfer services to thousands of organizations and government agencies, was hit with one of the largest breaches of 2023.

The Clop malware gang was able to exploit a security flaw and deploy ransomware, leaking confidential data of 77 million individuals and over 2,600 companies globally. 78% of breached organizations were in the U.S., including the U.S. Department of Energy, Johns Hopkins, and the University System of Georgia. The Louisiana Office of Motor Vehicles announced that anyone with a state-issued driver’s license or ID card could have had their data stolen in the breach.

Total damages globally are estimated at up to $12 billion.

12. AT&T

Records Breached: 7.6 million current and 65.4 million former customers

In March 2024, AT&T announced that hackers had breached its systems, stealing personal data of current and former customers, including sensitive information like social security numbers, account numbers, and passcodes.

The dataset appeared to be from 2019 or earlier, but only surfaced on the dark web in 2024. The announcement came upon the heels of a previous January 2023 breach, which affected nine million AT&T users.

AT&T eventually settled a class action lawsuit related to the breach for $177 million.

13. Dell

Records Breached: 49 million

In May 2024, Dell was hit with a massive cyberattack that affected as many as 49 million customers. Menelik, the threat actor behind the attack, openly revealed to TechCrunch that he extracted large amounts of data by setting up partner accounts within Dell’s company portal.

After partner accounts were authorized, the hacker launched brute-force attacks against pages containing sensitive information, sending over 5,000 requests per minute continuously for nearly three weeks. Astonishingly, Dell remained oblivious to these activities. Following the barrage of nearly 50 million requests and successful data scraping, Menelik proceeded to alert Dell by sending multiple emails about the security vulnerability.

Menelik claims to have sold the data on a hacking forum, but did not disclose the sum he received. Dell acknowledged that while no financial details were breached, sensitive customer information such as home addresses and order data might have been compromised.

14. Tile

Records Breached: 450,000

Life360, the company behind the Tile tracker device, announced in June 2024 that its database had been breached. Hackers used an internal tool meant to process law enforcement requests to access data including names, addresses, email addresses, phone numbers, and purchase order details. Hackers attempted to extort Life360 for a ransom, which the company reported to law enforcement.