Balloon Race: Data Breaches - LATEST
The version of the browser you are using is no longer supported. Please upgrade to a supported browser.Dismiss

View only
Entityalternative namerecords lostYEARstorySECTORMETHODinteresting storyDATA SENSITIVITYDISPLAYED RECORDSsource name1st source link2nd source link
(use 3m, 4m, 5m or 10m to approximate unknown figures) year story broke1. Just email address/Online information
2 SSN/Personal details
3 Credit card information
4 Health & other personal records
5 Full details
WordPress76,500,0002018Aug 2018. According to security researchers, WordPress was notified of a security vulnerability over a year ago, but did not address it. No reports have been received which suggest the exploit is being actively used in the wild.webpoor security1ZDNet
Google+52,500,0002018Dec 2018. A new vulnerability could have exposed users' personal details to developers, even if their profiles were set to private. Google will now shut down the consumer version of the social network 4 months earlier than planned. webpoor security2The Verge
Quora100,000,0002018Dec 2018. Compromised: logins for around 100m visitors who use the site to ask and answer questions about politics, faith, calculus, unrequited love, the meaning of life and morewebhacked1100,000,000NY Times
Marriott Hotels500,000,0002018Nov 2018. Sensitive data on customer to all Starwood hotels (including Sheraton, Regis, W Hotels) leaked since 2014. Credit card details and some passport info.retailhacked4500,000,000NY Times
NMBSBelgian national railway operator1,460,0002018Dec 2018. Data stored on a non-secure server, making it possible to access names, gender, DOB, email and postal address data of customers externally by means of a simple search engine query. Most of the data belong to customers in Belgium, France and the UK, including thousands of Commission and Parliament employees. Caused, the NMBS said, by a data worker “clicking on the wrong button”.transportoops!2Flanders Today
Facebook50,000,0002018Mar 2018. Cambridge Analytica, headed at the time by Steve Bannon, harvested 50m profiles in early 2014 to build a system that could profile US voters and target them with political adverts. webhackedy150,000,000Guardian
Panerabread37,000,0002018Apr 2018. Customer records were available via the bakery chain's site for at least 8 months. Panerabread were alerted to the leak in Aug 2017, but didn't pull the site until Apr 2018. Panerabread claims 10k records were leaked, but security researchers put the figure at over 37 million. retailpoor security2Krebsonsecurity, Medium
Aadhaar1,000,000,0002018Jan 2018. The personal information of more than a billion Indians stored in the world’s largest biometric database can be bought online for less than £6, according to an investigation by an Indian newspaper. The reporter who broke the story has been named in a criminal complaint filed by government agency responsible for the data. governmentoops!3Guardian
Dixons Carphone10,000,0002018Jun 2018. Dixons Carphone revealed personal info for 10 million customers was stolen sometime in 2017. telecomshacked1Dixons Carphone
MyHeritage92,283,8892018Jun 2018. Email addresses and encrypted passwords were stolen. As yet there is no evidence that the hackers have used the data. webhacked1Bloomberg
Saks and Lord & TaylorBoth owned by Hudson's Bay Company5,000,0002018Apr 2018. A known ring of cybercriminals implanted software into store cash registers, siphoning off payment card details. The company has not divulged the full extent of the breach. Researchers estimate 5m records.retailhacked3NYTimes
CareemDubai-born ride hailing service14,000,0002018Apr 2018. Careem's official blog stated there was no evidence of payment info having been stolen, but it did admit that names, email address, phone numbers, and trip data were hacked. apphacked2Khaleej Times
Texas voter records14,800,0002018Aug 2018. A single file containing 14.8 million records was left on an unsecured server without a password. Data exposed included name, address, gender, and voting history. webpoor security2TechCrunch
British Airways380,0002018Sep 2018. Personal and financial details of customers making bookings between Aug 21st and Sep 5th were compromised. transporthacked4Guardian
T-Mobile2,000,0002018Aug 2018. T-Mobile initially said that personal data was stolen, but no passwords or financial info. They later admitted that encrypted passwords had been stolen. telecomshacked1Motherboard
MyFitnessPalUnderArmour150,000,0002018Mar 2018. Usernames, email addresses, and hashed user passwords were stolen. apphacked1150,000,000Guardian
Health South EastHealth authority responsible for 10 Norwegian counties.3,000,0002018Feb 2018. Health data was stolen from more than half of Norway's population. healthcarehacked4It Governance
NametestsFacebook quiz app owned by Social Sweethearts120,000,0002018Jun 2018. A security failure in a popular quiz app on Facebook left millions of people’s data exposed for almost two years. The data exposed included pictures, status updates, friends lists etc.apppoor security1120,000,000Medium
Ticketmaster40,0002018Jun 2018. Malicious software on third-party customer support product Inbenta Technologies caused the hack, and was likely to have affected UK customers who bought tickets between Feb and June 2018. webhacked3BBC News
FirebaseA service from Google100,000,0002018Jun 2018. Thousands of iOS and Android mobile applications are exposing over 113 GBs of data via 2,271+ misconfigured Firebase databases.apppoor security5100,000,000Bleeping Computer
AadhaarIndia's national, biometric government ID database1,100,000,0002018Mar 2018. A security researcher discovered a system vulnerability which means that anybody could download private info on all Aadhaar users. The govt. department that deals with the database has denied the breach. governmentpoor security41,100,000,000ZDNet
Grindr3,000,0002018Mar 2018. A third-party tool that allows users to see who blocked them on Grindr was able to access non-public personal info, including exact locations of users who had opted out of location sharing. apppoor security3NBC News
Orbitz880,0002018Mar 2018. An old version of the travel website was hacked, exposing personal details and payment card info. Orbitz is now owned by Expedia. webhacked3US News
MBM CompanyLimogés Jewellery1,300,0002018Mar 2018. Negligent storage of a customer database exposed full postal addresses, email addresses, IP addresses and plain-text passwords. retailpoor security4NextWeb
LocalBloxdatasearch service48,000,0002018May 2018. A cloud storage repository was left publically accessible. Data included names, addresses, DOBs, social media info etc. webpoor security2UpGuard
Twitter330,000,0002018May 2018. A glitch caused some passwords to be stored in readable text, visible on the internal computer system. apppoor security1330,000,000Reuters
ViewFinesSouth African traffic fines database934,0002018May 2018. Data published included names, ID numbers, cell numbers, email addresses and plain text passwords.transportoops!4iAfrikan
TicketFly27,000,0002018Aug 2018. Names, addresses, email addresses and phone numbers were stolen. webhacked2TicketFly
Amazon5,000,0002018Nov 2018. Customer names & email addresses were disclosed on its website. Amazon hasn't confirmed how many records were exposed. retailoops!1Guardian
Amazon100,0002018Nov 2018. Customer names and email addresses accidentally disclosed on its website, just two days ahead of Black Friday. No of users affected not released.techpoor security1The Guardian
Urban MassageHome massage app309,0002018Nov 2018. Database contained over 351,000 booking records, and more than 2,000 records on Urban massage therapists, including their names, email addresses and phone numbers.apppoor security2Tech Crunch
Dell 100,0002018Nov 2018. Dell detected & disrupted unauthorized activity on its network attempting to extract Dell customer information, which was included names, email addresses & hashed passwordstechhacked1Dell
High Tail Hallerotic role-playing site411,0002018Nov 2018. Hackers were able to obtain email addresses, names, order histories, hashed passwords, & both physical and IP addresses for 411,000 High Tail Hall players.webhacked2Daily Mail
SKY Brasil32,000,0002018Nov 2018. Poorly configured Elastisearch servers exposed customer details including payment methods. telecomspoor security1Bleeping Computer
Vision DirectUK opticians100,0002018Nov 2018. User numbers not revealed. The attackers made away with personal information, passwords and CVV security codes. retailhacked4It Pro
Healthcare.gov75,0002018Oct 2018. "Sensitive" information on applicants for health insurance was hacked.healthcarehacked4GizModo
CMSCenters for Medicare & Medicaid Services93,6892018Nov 2018. CMS states that no protected health info, banking or tax details were breached, but personal info, insurance, income etc might have been exposed. healthcarehacked2HCA News
Facebook29,000,0002018Oct 2018. Malicious third-party scrapers collected profile information from many Facebook users. webhacked2Business Insider, Facebook
Newegg45,000,0002018Sep 2018. Hackers injected 15 lines of card skimming code on the Australian online retailer's payments page which remained for more than a month between Aug 14 and Sep 18. With over 45m monthly visitors, it's unclear how many customers were breached.retailhacked3Slashdot
Disqus17,500,0002017Dec 2017. Hackers stole 17.5m email addresses in 2012. About a third of those accounts contained passwords, which were hashed using the dated SHA-1 algorithmwebhacked4ZD Net
RootsWeb300,0002017Dec 2017.'s community-driven site RootsWeb was exposed after passwords, email addresses and usernames were leaked from the server. webpoor security4Threat Post
Yahoo32,000,0002017Mar 2017. User accounts have been hacked using forged cookies to log in without a password over a 2 year period.webhacked4CNet
Uber57,000,0002017Nov 2017. Uber paid the hackers $100,000 to delete the stolen data. Chief security officer Joe Sullivan has resigned.apphacked157,000,000Bloomberg
Wonga270,0002017Apr 2017. Customers from the UK and Poland look to have been affected. financialhacked4The Guardian
Snapchat1,700,0002017Apr 2017. Indian hackers apparently leaked data they stole last year in response to Snapchat CEO allegedly stating they had no plans to expand to 'poor countries' like India. Snapchat have yet to confirm any leak.apphacked1BGR
Spambot711,000,0002017Aug 2017. A misconfigured spambot has leaked over 700m records, although many of them are likely to be fake or repeated accounts.webpoor security4The Guardian
CEX2,000,0002017Aug 2017. A misconfigured spambot leaked full contact info & financial details, although the newest financial data dates to 2009. retailoops!3The Guardian
Al.type31,000,0002017Dec 2017. The app's developer failed to secure the database server. apppoor security4ZDNet
Cellebrite3,000,0002017Jan 2017. Cellebrite's main product is a device that rips data from mobile phones. 900GB of data was stolen from Cellebrite. The hackers got hacked. The number of records taken is unknown.
WaterlyApp for paying water bills1,000,0002017Jan 2017. Israel-based app contained a vulnerability in the sign-in process that could potentially expose user account details. The problem was fixed within 2 weeks of being identifiied. apppoor security3Data Breaches
Swedish Transport Agency3,000,0002017Jul 2017. Information about all vehicles in the country (including military and police), made available to IT workers who hadn't been through usual security checks. The question of whether or not Sweden's national security was harmed is censored in the Säpo (Sweden's security police) report.governmentpoor securityy5The Local
Hong Kong Registration & Electoral Office3,700,0002017Mar 2017. "the personal information of the city’s 3.7 million voters was possibly compromised after the Registration and Electoral Office reported two laptop computers went missing at its backup venue for the chief executive election."governmentlost device 2SCMP
River City MediaSpam operator1,370,000,0002017Mar 2017. A dodgy backup has allegedly resulted in over a billion leaked email addresses, plus other personal info in some cases, and has exposed RCM's business plans & operations. weboops!21,370,000,000Guardian
DaFontFont sharing site700,0002017May 2017. Apparently the hacker found out others were selling the site's database, so he decided to get in on the action himself.webhacked4ZD Net
Bell1,900,0002017May 2017. Somebody claiming to be behind the attack has threatened Bell with more leaks if they don't cooporate. telecomshacked1CBC
ZomatoRestaurants & events17,000,0002017May 2017. The hacker is selling the stolen dataset for around $1000. webhacked4HackRead
Imgur1,700,0002017Nov 2017. Imgur are still investigating how the breach took place. The data was stolen in 2014, but Imgur claim they only discovered it in Nov 2017. apphacked4Imgur
TIO NetworksOwned by Paypal1,600,0002017Dec 2017. The company has not revealed what type of information was stolen. financialhacked4Bleeping Computer
Malaysian telcos & MVNOs46,200,0002017Oct 2017. Data from numerous Malaysian telco & MVNO providers, including Celcom, Digi, Umobile, Maxis, Friendi, Merchantrade Asia, Tunetalk, Redtone, XOX, Altel, PLDT & EnablingAsia has been leaked.telecomshacked4LowYat
Malaysian medical practitioners81,3092017Oct 2017. Databases belonging to the Malaysian Medical Council (MMC), the Malaysian Medical Association (MMA), and the Malaysian Dental Association (MDA) have been leaked. The data is from 2014.healthcarehacked4LowYat
Instagram6,000,0002017Sep 2017. A bug exposed user's contact information. Instagram initially said it affected only verified accounts, but has now admitted non-verified users were also affected. Instagram hasn't confirmed numbers, but hackers say they have info from 6m accounts.webhacked1The Verge
Viacom3,000,0002017Sep 2017. A misconfigured Amazon Web Server S3 cloud storage bucket was left wide open and public facing.webhacked4The Hacker News
Equifax143,000,0002017Sep 2017. If you have a credit report, there’s a good chance that you’re one of the 143 million American consumers whose sensitive personal information was exposed in a data breach at Equifax, one of the nation’s three major credit reporting agencies.financialhackedy4143,000,000UK Gov
SVR TrackingVehicle tracking540,0002017Sep 2017. The leaked passwords were stored using SHA-1, a weak 20yr old hash program.apppoor security4The Hacker News
LinkedIn117,000,0002016May 2016. What initially seemed to be a theft of 6.5 million passwords has actually turned out to be a breach of 117 million passwords.webhacked1117,000,000CNN
Tumblr65,000,0002016May 2016. Tumblr claimed it just found out about a 2013 data breach, which independent researchers claim affected 65m users. webhacked1Motherboard
Yahoo500,000,0002016Sep 2016. Happened in 2014, but no. records stolen was originally thought to be much smaller. Yahoo revealed the real numbers in 2016.webhacked2500,000,000Business Insider
Mossack FonsecaPanamanian law firm 11,500,0002016Apr 2016. 2.6TB of data on politicians, criminals, professional athletes etc leaked from law firm Mossack Fonseca, including emails, contracts, scanned documents, transcripts...legalhackedy5PanamaPapers
Philippines’ Commission on ElectionsCOMELEC55,000,0002016Apr 2016. After a message was posted on the COMELEC website by hackers from Anonymous, warning the government not to mess with the elections, the entire database was stolen and posted online. governmenthacked5Trend Micro
Syrian government274,4772016Apr 2016. Hacking outfit calling itself 'Cyber Justice Team' leaked 10GB of data from the government and private websites. Seems to be just data from old leaks, though.governmenthacked1Softpedia
MinecraftLifeboat' community7,000,0002016Apr 2016. Players using the Lifeboat servers have had their email addresses and passwords leaked.gaminghacked1Motherboard
Turkish citizenship database49,611,7092016Apr 2016. Turkish citizenship database has allegedly been hacked and leaked online.governmenthacked2Business Insider
Banner Health3,700,0002016Aug 2016. Hackers gained access to payment card data via food outlets at Banner Health locations.healthcarehacked3Healthcare Informatics
Mail. ruGame-related forums25,000,0002016Aug 2016. Two hackers attacked three game-related forums hosted by Russian company webhacked2ZD Net
Dropbox68,700,0002016Aug 2016. User credentials were stolen in a 2012 hack, but the number affected has only just come to light. webhacked168,700,000The Telegraph
PayAsUGym300,0002016Dec 2016. Fitness website hacked & email address published online.webhacked1BBC News
Lynda.comowned by LinkedIn9,500,0002016Dec 2016. Hackers breached a database that held records of contact info and courses viewed. No official statement yet on how many records were actually stolen, and no evidence yet of them having been published anywhere.webhacked1Neowin
Linux Ubuntu forums2,000,0002016Jul 2016. 2 million usernames, email addresses, and IP addresses associated with the Ubuntu Forums were taken by an unnamed attacker. The attacker was able to exploit an SQL injection vulnerability in an add-on used by older vBulletin forum software.webhacked1ZDnet
Wendy'sRestaurant chain1,0252016Jul 2016. Malware has been used in 1025 of Wendy's restaurants to steal credit card data from customers. It's currently unknown how many individuals have been impacted.retailhacked3Forbes
Clinton campaign5,000,0002016Jul 2016. The computer network used by Democratic presidential candidate Hillary Clinton's campaign was hacked as part of a broad cyber attack on Democratic political organizationsgovernmenthacked2Reuters
uTorrent 35,0002016Jun 2016. It's unclear what data has been breached, exactly, but uTorrent has advised passwords are probably compromised. webhacked1Torrent Freak
World CheckRun by Thompson Reuters2,200,0002016Jun 2016. 2014 version of World-Check, a database of suspected terrorists and criminals, leaked online. It's unclear what data the records include.mediapoor security3The Stack
Mutuelle Generale de la PoliceFrench police health insurance112,0002016Jun 2016. Files uploaded to Google Drive by a 'malicious' employee. Data included home addresses. The leak came two weeks after a French police officer was murdered by ISIS-inspired attack.healthcareinside job5BBC News
VKRussia's Facebook100,544,9342016Jun 2016. Over 100m user accounts were hacked and the data put up for sale online. A VK spokesperson has denied that the site was breached, claiming the data for sale is old details no longer in use.webhacked4100,000,000Motherboard
87 & NivalNews site and email provider/Videogame maker1,500,0002016Mar 2016. A teen hacker has randomly hacked several Russian websites. In a statement, he claims the hack was revenge for the MH17 crash. The companies affected have not commented, however Troy Hunt, a security researcher, has confirmed its legit. Nival and were both hacked. webhacked4Motherboard
FlingDating site40,000,0002016May 2016. A hacker claims to be selling info on sexual desires & preferences, as well as generic personal info, stolen from the dating site Fling. The data is allegedly from 2011. webhacked4IBTimes
MySpace164,000,0002016May 2016. The same hacker who was selling LinkedIn user data now claims to have MySpace user data too, and lots of it. webhacked1164,000,000Motherboard
ThreeThree mobile company in the UK200,0002016Nov 2016. Hackers broke into Three's customer database with the intention of fraudulently ordering handsets to sell on. They stole personal details, but no financial records or passwords were stored on the hacked system. telecomshacked2Three
Red Cross Blood Service550,0002016Oct 2016. Info leaked includes data about 'at risk sexual behaviours'healthcareoops!4ABC News
Telegram Instant messaging service15,000,0002016Aug 2016. Despite Telegram's claims of super security, they've been hacked by a group called Rocket Kitten. apphacked1Venture Beat
Dailymotionvideo sharing site85,200,0002016Dec 2016. 85.2m email addresses extracted, but only 18.3m had associated passwords.webhacked1ZDNet
Weebly43,000,0002016Oct 2016. Usernames, passwords and IP addresses stolen, although passwords secured with bcrypt. webhacked4Tech Crunch
Interpark10,000,0002016July 2016. South Korean police are blaming North Korea for stealing data in an attempt to obtain foreign currency. webhacked2NY times
Quest Diagnostics34,0002016Dec 2016. The stolen data contained names, DOBs, lab results and some telephone numbers.healthcarehacked4Newsroom
Friend Finder NetworkParent company of Adult Friend Finder , and Penthouse.com412,000,0002016Nov 2016. Usernames, email addresses, passwords for sites including Adult Friend Finder and Passwords encrypted, but LeakedSource claims to be able to crack 99% of them.webhacked1412,000,000ZDNet
BrazzersPorn site790,7242016Sep 2016. 'The data contains 790,724 unique email addresses, and also includes usernames and plaintext passwords. (The set has 928,072 entries in all, but many are duplicates.'webhacked4Motherboard
ClixSense6,600,0002016Sep 2016. The information stolen contains usernames, passwords, home addresses, payment histories, and other banking details.webhacked5Digital trends
CarefirstBlue Cross, Blue Shield US medical insurer1,100,0002015May 2015. Evidence suggests the attackers could have potentially acquired member-created user names created by individuals to access CareFirst’s website, as well as members’ names, birth dates, email addresses and subscriber identification number.healthcarehacked1Carefirst
Main menu