organisationalternative namerecords lostyear datestorysectormethodinteresting storydata sensitivitydisplayed recordssource name1st source link2nd source linkID
visualisation here:
pink = new
(use 3m, 4m, 5m or 10m to approximate unknown figures) year story brokeweb
poor security
lost device
inside job
1. Just email address/Online information
2 SSN/Personal details
3 Credit card information
4 Health & other personal records
5 Full details
Plex15,000,0002022Aug 2022Intruders access password data, usernames, and emails for at least half of its 30 million users.web hacked1Ars technica
Twitter5,400,0002021Dec 2021Zero day vulnerability allowed a threat actor to create profiles of 5.4 million Twitter users inc. a verified phone number or email address, and scraped public information, such as follower counts, screen name, login name, etcwebhacked2Bleeping Computer
Shanghai Police500,000,0002022Jul 2022A database containing records of over a billion Chinese civilians – allegedly stolen from the Shanghai Police. Addresses, police records and national ID numbers. Potentially one of the largest data breaches in history. Details repressed and censored by Chinese media.financialhacked5"one billion"The Register
City of Amagasaki, Japan500,0002022Jun 2022An unnamed government official lost his bag after a night's drinking. It contained a USB stick with sensitive data of the entire city's residents. USB stick was encrypted and passworded.governmentoops!3BBC
Dubai Real Estate Leak800,0002022May 2022Data leak exposes how criminals, officials, and sanctioned politicians poured money into Dubai real estate including more than 100 members of Russia's political elite, public officials, or businesspeople close to the Kremlin, as well as dozens of Europeans implicated in money laundering and corruptionfinancialinside joby1E24
Heroku50,0002022Apr 2022A compromised token was used by attackers to exfiltrate customers' hashed and salted passwords from "a database." on the Salesforce-owned cloud platform.techhacked2Bleeping Computer
Mailchimp106,5862022Apr 2022Hackers gained access to internal customer support and account management tools of the email marketing company to steal audience data and conduct phishing attacks.techhacked1Bleeping Computer
PayHere1,580,2492022Mar 2022Sri Lankan payment gateway PayHere suffered a data breach exposing more than 65GB of payment records including over 1.5M unique email addresses. (IP and physical addresses, names, phone numbers, purchase histories and partially obfuscated credit card data (card type, first 6 and last 4 digits plus expiry date).financialhacked3Pay Here
CDEK18,218,2032022Mar 2022UNVERIFIED. Russian courier service CDEK was hacked by Ukrainian hacker group "IT Army" - including 19M unique email addresses along with names and phone numbers. retailhacked319,000,000Have I Been Pwned
Washington State Dpt of Licensing257,0002022Feb 2022The Washington State Department of Licensing said the personal information of potentially millions of licensed professionals may have been exposed after it detected suspicious activity on its online licensing system.governmenthacked3Seattle Times
Red Cross500,0002022Jan 2022A network intrusion at the International Committee for the Red Cross (ICRC) in January led to the theft of personal information on more than 500,000 people receiving assistance from the group. KrebsOnSecurity has learned that the email address used by a cybercriminal actor who offered to sell the stolen ICRC data also was used to register multiple domain names the FBI says are tied to a sprawling media influence operation originating from Iran.NGOhacked4Arsetechnia
Open Subtitles100,0002022Jan 2022webhacked1Open Subtitles
FlexBooker3,700,0002022Jan 2022appointment scheduling servicewebhacked33,700,000Bleeping Computer
LINE Pay133,0002021Dec 2021financialpoor security 2The Register
Robinhood5,000,9372021Nov 2021a malicious hacker had socially engineered a customer service representative over the phone November 3 to get access to customer support systems. That allowed the hacker to obtain customer names and email addresses, but also the additional full names, dates of birth and ZIP codes of 310 customers.financialhacked25,000,000Tech Crunch
GoDaddy1,200,0002021Nov 2021Security Incident Affecting Managed WordPress Servicwebhacked1SEC
Travelio471,3762021Nov 2021The Indonesian real estate website Travelio suffered a data breach of over 470k customer accounts. The data included email addresses, names, password hashes, phone numbers and for some accounts, dates of birth, physical address and Facebook auth tokens. mischacked2470,000HaveIBeenPwned
Acer3,000,0002021Oct 2021techhacked1Hot Hardware
Brewdog200,0002021Oct 2021BrewDog, one of the world's largest craft beer brewers, has exposed personally identifiable information (PII) belonging to more than 200,000 of its shareholders and customers,retailpoor security1Tech Radar
Nvidia100,0002021Mar 2021techhacked2CNN Business
Okta100,0002021Jan 2021Identity and access management provider Oktatechhacked1The Verge
Experian SASouth Africa24,000,0002020 Jul 2020Handed over personal information of their South African customers to a fraudulent client.weboops!3Uni of Hawaii,local%20businesses%20(Cimpanu%202020).402
Royal Enfield420,8732020 Jan 2020Motorcycle maker Royal Enfield left a database publicly exposed that resulted in the inadvertent publication of over 400k customers. (Email and physical addresses, names, motorcycle information, social media profiles, passwords, and other personal information)transportpoor security3The Quint
Avvo4,101,1012019Dec 2019A data breach of the lawyer directory service released 4.1M unique email addresses alongside SHA-1 hashes, most likely representing user passwords. legalhacked14,100,000HaveIBeenPwned
Aimware305,4702019May 2019Video game cheats website "Aimware" suffered a data breach of subscribers' personal information (email and IP addresses, usernames, forum posts, private messages, website activity and passwords stored as salted MD5 hashes)gaminghacked3HaveIBeenPwned396
Twitch10,000,0002021Oct 2021Full source code breach of the streaming gaming site revealed a trove of internal data & documents including core config packages, devtools, and payments to top streamers. gaminghackedy4unknownBBC
Syniverse500,000,0002021Sep 2021"A company that is a critical part of the global telecommunications infrastructure used by AT&T, T-Mobile, Verizon and several others around the world such as Vodafone and China Mobile, quietly disclosed that hackers were inside its systems for years, impacting more than 200 of its clients and potentially millions of cellphone users worldwide."telecomshacked4unknownVice
Pandora Papers11,900,0002021Oct 2021Millions of documents reveal offshore deals and assets of more than 100 billionaires, 30 world leaders and 300 public officialsgovernmenthackedy4Guardian
Neiman Marcus4,600,0002021Sep 2021Occurred sometime in May 2020 after "an unauthorized party" obtained the personal information of some Neiman Marcus customers from their online accounts.retailhacked3Ars Technica
Epik15,000,0002021Sep 2021An Internet-services company for concealing online identities, popular with the far right retailhackedy5Ars Technica
Thailand visitors100,000,0002021Sep 2021Any foreigner who has travelled to Thailand in the last decade ‘might have had their information exposed’governmentpoor security 2100,000,000South China Morning Post
T-Mobile 76,000,0002021Aug 2021Exposed the names, date of birth, Social Security number and driver’s license/ID information of more than 40 million current, former or prospective customers who applied for credit with the company. T-mobile paid a $500m settlement.telecomshacked3Krebson Security
Contact tracing data38,000,0002021Aug 2021A thousand web apps mistakenly exposed 38 million records on the open internet, including data from a number of Covid-19 contact tracing platforms, vaccination sign-ups, job application portals, and employee databases.telecomshacked338,000,000Wired
Estonian gov280,0002021Jul 2021A hacker was able to obtain over 280,000 personal identity photos following an attack on the state information system last Friday.governmenthacked4News ERR
GuntraderUK firearms sales website111,0002021Jul 2021Criminals have hacked into a Gumtree-style website used for buying and selling firearms, making off with a 111,000-entry database containing names, mobile phone numbers, email addresses, user geolocation data, and more including bcrypt-hashed passwords used by gun shops across the UK.retailhacked2The Register
Linkedin700,000,0002021Jul 2021The hacker appears to have misused the official LinkedIn API to scrape the data, the same method used in a similar breach back in April. User details, but no passwords.web hacked1700,000,0009 to 5 mac
VW3,300,0002021Jun 2021Phone numbers, email addresses and some sensitive credit data. Nearly all those impacted were current or potential customers of Audi, one of the German automaker's luxury brandstransporthacked2Reuters
MacDonalds10,000,0002021Jun 2021Unknown detailretailhacked2unknownWall St Journal
Air India4,500,0002021May 2021Passenger’s name, date of birth, contact information, passport information, ticket information, frequent flyer data and credit card information.transporthacked2Indian Express
Omiai dating appJapanese dating app1,710,0002021May 2021Addresses and dates of birth from identification, including passports, drivers’ licenses and health insurance cards, provided to the company.apphacked2Japan Times
Amazon Reviews13,124,9622021May 2021Database exposing an organized fake reviews scam affecting Amazon. The server contained a treasure trove of direct messages between Amazon vendors and customers willing to provide fake reviews in exchange for free productswebpoor security y2Safety Detectives
Peloton3,000,0002021May 2021techpoor security 2Ars Technica
Digital Ocean10,000,0002021Apr 2021techpoor security unknownTech Crunch
Park Mobilemobile parking app21,000,0002021Apr 2021Customer email addresses, dates of birth, phone numbers, license plate numbers, hashed passwords and mailing addresses.transporthacked2Krebson Security
Ubiquiti16,000,0002021Feb 2021Unknown amount of user data breachedtechhacked2ZDNet
Meet Mindful2,240,0002021Feb 2021Dating site user data includes real names, phone numbers, Facebook account codes, latitude & longtitude. Thankfully private messages were not leaked.techhacked4ZDnet
Experian Brazil220,000,0002021Feb 2021Details hazyfinancehacked2220,000,000ZDNet
Gab4,000,0002021 Mar 2021Over 70GB of data from the far-right social media site was hacked. Alll posts, messages, passwords from all users were breached.techhackedy3100,000Wired
Star Alliance16,000,0002021 Mar 2021The Star Alliance of airlines including Singapore Airlines, Lufthansa and United, said on Thursday it had been the victim of a cyber attack leading to a breach of passenger data. Lufthansa, Cathay Pacific and Air New Zealand were also affected. Breached data was limited to "name, tier status and membership number”transporthacked1The Guardian
Facebook533,000,0002021 Mar 2021Phone numbers, full names, locations, email addresses, and biographical information on 533 million users from 106 countries. Scraped due to a vulnerability "patched in 2019".techhackedy1533,000,000Business Insider
Ledger270,0002020 Dec 2020A threat actor has leaked the stolen email and mailing addresses for Ledger cryptocurrency wallet users on a hacker forum for free.financehacked2Bleeping Computer
T-mobile200,0002020 Dec 2020The information exposed in this breach includes phone numbers, call records, and the number of lines on an account.telecomshacked1Bleeping Computer
The Hospital Group1,000,0002020 Dec 2020Hackers compromised the plastic surgery firm and threatened to release over 900 gigabytes of private surgery photographs. health hackedy4BBC
SolarWinds50,000,0002020 Dec 2020Suspected Russian hackers compromised network monitoring software used by the Pentagon, intelligence agencies, nuclear labs and many Fortune 500 companies. A tainted software update acted as a trojan horse. An unknown number of companies and individuals might be affected.apphackedy3New York Times
Ho Mobile2,500,0002020 Dec 2020Italian mobile operator owned by Vodaphone is now taking the rare step of offering to replace the SIM cards of all affected customers. Data hacked full names, telephone numbers, social security numbers, email addresses, dates and places of birth, nationality, and home addresses.telecomshacked2ZD Net
Spotify500,0002020 Dec 2020Undisclosed number of users had their email addresses and passwords left open online. Spotify said the vulnerability existed as far back as April 9 but wasn’t discovered until November 12.appoops!1Tech Crunch
Drizly2,400,0002020 Sep 2020Alcohol delivery service hacked with email addresses, DOB, hashed passwords and some home addresses leaked. apphacked2Tech Crunch
GEDmatch1,400,0002020 Sep 2020DNA data on up to 1.4m users of this geneaology site may have been hacked.misc, healthhackedy5New York Times
Call of Duty / Activision500,0002020 Sep 2020Login data for users of the popular video games may have compromised. Activision refutes the claim. gaminghacked1Forbes
Zhenhua2,400,0002020 Sep 2020Personal details of millions of notable people around the world found in a leaked database compiled by a Chinese tech company with reported links to the country’s military and intelligence networks. Mostly compiled from social media profiles.miscoops!y1The Guardian
Cense AI2,500,0002020 Aug 2020Medical records from an artificial intelligence company were left open, healthpoor security4PC Mag
Nintendo300,0002020 Apr 2020Unauthorised access to thousands of Nintendo Switch accounts. Hackers were able to use saved payment details to make purchases.gaminghacked3300,000Tech Crunch
Pakistani mobile operators115,000,0002020 Apr 2020Personal details stolen from Jazz and other mobile networks were put up for sale for $2.1m in bitcoin.telecomshacked2115,000,000ZDNet
US Marshals Service387,0002020 May 2020Prisoners had sensitive personal data stolen in December 2019. They were notified five months later.governmenthacked2287,000NextGov
db8151dd"mystery breach"22,000,0002020 May 2020Aggregated data from multiple websites was discovered in an open database. It included addresses, job titles, phone numbers and social media profiles. The breach was dubbed 'db8151dd'.webhacked222,000,0009 to 5 Mac
EasyJet9,000,0002020 May 2020The airline became aware of a hack in January, but didn't notify customers until April. Email addresses, travel details and credit card details were stolen. transporthacked39,000,000BBC
Microsoft250,000,0002020 Jan 2020Customer support records spanning 14 years were left online without password protection. webpoor security1250,000,000Forbes
Dutch Government6,900,0002020 Mar 2020Two hard drives with data from 6.9m registered organ donors went missing. They contained contact details, ID numbers & signatures.governmentlost device46,900,000ZDNet
Virgin Media900,0002020 Mar 2020A poorly-configured database left names, email addresses and phone numbers exposed for 10 months. retailpoor security1900,000BBC
Boots Advantage Card150,0002020 Mar 2020Hackers accessed Advantage Card records, but no financial data was stolen. Payment using points was suspended.retailhacked1150,000Which
Tesco Clubcard600,0002020 Mar 2020Details of accrued loyalty points were accessed, but financial details weren't exposed.retailhacked1600,000Tech Radar
Marriott Hotels5,200,0002020 Mar 2020Guest records were accessed using the logins of two employees between mid-Jan and end of Feb. retailinside job25,200,000Marriott
Zoom500,0002020 Apr 2020Email addresses, passwords and personal meeting URLs were sold on the dark web. It led to a host of zoom-bombing pranks. apphacked1500,000We Live Security
Israeli government6,500,0002020 Feb 2020Names, addresses, and ID card numbers of every Israeli voter were found on an insecure website belonging to Elector, a political communications app.governmentpoor security26,500,000NYTimes
MGM Hotels10,600,0002020 Feb 2020Data stolen during an 2019 hack of an MGM server was published on a hacking forum.retailhacked210,600,000ZDNet
Buchbinder Car Rentals5,000,0002020 Jan 2020Correspondence, invoices and contracts containing personal details were left exposed on an unsecured company server. transportpoor security25,000,000Teller Report
Wawafuel & convenience store chain30,000,0002019 Dec 2019Card-stealing malware was installed, and remained undiscovered for nine months. retailhacked330,000,000Krebs on Security
Desjardins Group4,200,0002019 Jun 2019An employee of the Canadian financial firm leaked customer information outside the organisation: names, addresses, birthdates, social insurance numbers & transaction habits.financeinside job2CBC
US Customs and Border Protection100,0002019 Jun 2019Photos of faces and license plates taken at an US border crossing were stolen in a cyberattack on a surveillance contractor.governmenthackedy2Washington Post
Quest Diagnostics20,000,0002019 Jun 2019For an 8 month period, a hacker group stole personal and payment information from a firm providing billing services for the US healthcare poor security4ZDNet
Australian National University200,0002019 Jun 2019A hacker accessed personal information including addresses, bank account details, payroll information and academic records. Staff, students and visitors were affected.academichacked4Guardian
Canva139,000,0002019 May 2019 Names, email addresses and location data belonging to users of an Australian graphic design service were stolen by a hacker.webhacked2139,000,000ZDNet
ChtrboxInstagram Influencers49,000,0002019 May 2019Contact details for millions of Instagram influencers, celebrities and brand accounts was left exposed in an online database for at least six days.miscpoor securityy1Techcrunch
WiFi FinderA hotspot finder app2,000,0002019 Apr 2019An Android app for finding local WiFi passwords inadvertently provided access to the entire database, including domestic WiFi points.apppoor security1Techcrunch
Toyota3,100,0002019 Apr 2019A security breach of Toyota subsidiaries' IT systems may have leaked personal customer information.transporthacked2Bleeping Computer
UnknownOpen database in China1,800,0002019 Mar 2019A Dutch researcher found women's personal information in an open Chinese database. It included phone numbers, addressed and their "BreedReady" status, whatever that might be.webpoor securityy4The Guardian
VårdguidenSweden's healthcare hotline2,700,0002019 Feb 2019170,000 hours of sensitive calls to Sweden's healthcare hotline were stored on an open web server with no encryption or authentication. The breach was blamed on subcontractor poor securityy5ComputerSweden
Dubsmash162,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.web hacked1162,000,000The Register
ShareThis41,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.webhacked1The Register
HauteLook28,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.retailhacked1The Register
Animoto25,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.webhacked1The Register
EyeEm22,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.webhacked1The Register
8fit20,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.webhacked1The Register
Whitepages18,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.webhacked1The Register
Fotolog16,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.webhacked1The Register
Armor Games11,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.gaminghacked1The Register
BookMate8,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.webhacked1The Register
CoffeeMeetsBagel6,000,0002019 Feb 2019Part of the theft of 617 million online account details from 16 hacked websites, put up for sale on the dark web.webhacked1The Register