Top 10 Biggest Cybersecurity Breaches of All Time

A data broker called National Public Data suffered a breach exposing approximately 2.9 billion records in 2024, including Social Security numbers, names, addresses, and family relationships for nearly every US citizen. Sold on the dark web for $3.5 million, the breach prompted congressional calls for comprehensive data broker regulation.

India's national biometric ID database was breached, exposing the personal details and Aadhaar numbers of 1.1 billion citizens. Journalists demonstrated that anonymous operators could sell access to the database for as little as $7 via WhatsApp, raising grave concerns about the security architecture of government biometric systems at scale.

Data from 700 million LinkedIn profiles — 92% of the platform's user base — was scraped and posted on a hacking forum in 2021. The dataset included email addresses, phone numbers, workplace information, and inferred salaries, enabling sophisticated spear-phishing campaigns targeting executives and IT professionals.

Over 533 million Facebook records were scraped and published publicly in 2019, including phone numbers linked to account IDs that Meta had collected for two-factor authentication. The data resurfaced on hacking forums in 2021, fueling a wave of SIM-swapping attacks. Ireland's DPC fined Meta €265 million for the violation.

Credit bureau Equifax exposed the Social Security numbers, birth dates, addresses, and credit card details of 147 million Americans due to an unpatched Apache Struts vulnerability. The breach triggered a $575 million FTC settlement — the largest ever for a privacy violation — and resulted in criminal indictments of four Chinese military officers.

Hackers — later attributed to Chinese state-sponsored group APT41 — maintained access to Starwood's reservation system for four years, exfiltrating 500 million guest records including passport numbers, travel itineraries, and encrypted payment data. The breach was discovered only after Marriott completed its $13.6 billion Starwood acquisition in 2018.

Russian intelligence agency SVR inserted malicious code into SolarWinds' Orion software update, compromising 18,000 organizations including the US Treasury, State Department, and Microsoft. The supply-chain attack — active for nine months before discovery — was described by Microsoft President Brad Smith as "the most sophisticated and large-scale cyberattack" ever conducted.

DarkSide ransomware group's attack on Colonial Pipeline forced a six-day shutdown of the largest fuel pipeline in the US, causing gas shortages across the Southeast and price spikes to $3/gallon. Colonial paid $4.4 million in Bitcoin ransom, $2.3 million of which was subsequently recovered by the FBI, demonstrating a new era of critical infrastructure cyberwarfare.

The 2024 ransomware attack on UnitedHealth Group's Change Healthcare subsidiary disrupted prescription drug processing across the entire US healthcare system for weeks, affecting 94% of US hospitals. The company paid a $22 million ransom to ALPHV/BlackCat, and the breach ultimately exposed records for approximately 190 million Americans — the largest healthcare breach ever.

A data broker called National Public Data suffered a breach exposing approximately 2.9 billion records in 2024, including Social Security numbers, names, addresses, and family relationships for nearly every US citizen. Sold on the dark web for $3.5 million, the breach prompted congressional calls for comprehensive data broker regulation.

India's national biometric ID database was breached, exposing the personal details and Aadhaar numbers of 1.1 billion citizens. Journalists demonstrated that anonymous operators could sell access to the database for as little as $7 via WhatsApp, raising grave concerns about the security architecture of government biometric systems at scale.

Data from 700 million LinkedIn profiles — 92% of the platform's user base — was scraped and posted on a hacking forum in 2021. The dataset included email addresses, phone numbers, workplace information, and inferred salaries, enabling sophisticated spear-phishing campaigns targeting executives and IT professionals.

Over 533 million Facebook records were scraped and published publicly in 2019, including phone numbers linked to account IDs that Meta had collected for two-factor authentication. The data resurfaced on hacking forums in 2021, fueling a wave of SIM-swapping attacks. Ireland's DPC fined Meta €265 million for the violation.

Credit bureau Equifax exposed the Social Security numbers, birth dates, addresses, and credit card details of 147 million Americans due to an unpatched Apache Struts vulnerability. The breach triggered a $575 million FTC settlement — the largest ever for a privacy violation — and resulted in criminal indictments of four Chinese military officers.

Hackers — later attributed to Chinese state-sponsored group APT41 — maintained access to Starwood's reservation system for four years, exfiltrating 500 million guest records including passport numbers, travel itineraries, and encrypted payment data. The breach was discovered only after Marriott completed its $13.6 billion Starwood acquisition in 2018.

Russian intelligence agency SVR inserted malicious code into SolarWinds' Orion software update, compromising 18,000 organizations including the US Treasury, State Department, and Microsoft. The supply-chain attack — active for nine months before discovery — was described by Microsoft President Brad Smith as "the most sophisticated and large-scale cyberattack" ever conducted.

DarkSide ransomware group's attack on Colonial Pipeline forced a six-day shutdown of the largest fuel pipeline in the US, causing gas shortages across the Southeast and price spikes to $3/gallon. Colonial paid $4.4 million in Bitcoin ransom, $2.3 million of which was subsequently recovered by the FBI, demonstrating a new era of critical infrastructure cyberwarfare.

The 2024 ransomware attack on UnitedHealth Group's Change Healthcare subsidiary disrupted prescription drug processing across the entire US healthcare system for weeks, affecting 94% of US hospitals. The company paid a $22 million ransom to ALPHV/BlackCat, and the breach ultimately exposed records for approximately 190 million Americans — the largest healthcare breach ever.