Home / News & Resources / News & Updates / The 10 Biggest Data Breaches Ever

The 10 Biggest Data Breaches Ever

  • Posted on

Comparatively small-scale data breaches are an almost daily occurrence, but the 10 data breaches Legal Director Christine Sabino discusses below all affected millions of individuals.

While the personal impact for the victim of even a small-scale data security breach can be huge, it is the cybersecurity breaches affecting thousands and even millions of people that tend to make the news.

With data breaches only likely to become more common, we decided to throw a spotlight on 10 of the biggest data breaches worldwide that have occurred so far. This includes a mix of companies that have been hacked by cybercriminals and data leaks due to human error, both of which can be catastrophic for the organisations responsible for the breach and the people whose data becomes exposed as a result.

This list is based on the number of records exposed and gives a clear picture of various ways data breaches can occur and the types of information that is often exposed.

Clearview AI

Year: 2020

Type of breach: Hack of company client list

Number of records exposed: 3 billion+ photos (potentially)

Facial recognition software developer Clearview AI was hacked in early 2020. The hackers gained access to the company’s client list, which includes US law enforcement agencies, but Clearview AI stated that their servers were not breached.

The company has complied a database of more than three billion photos from sources such as Facebook, YouTube and Twitter. This would make the Clearview AI data breach have potentially the widest reaching impact of any data breach so far if the company’s photo database had been compromised.

First American Corporation

Year: 2019

Type of breach: Accidental data leak through company website

Number of records exposed: 885 million

Property title insurance giant First American Corporation were responsible for accidentally leaking 885 million documents related to mortgage deals going back to 2003.

The records, which included bank account numbers, bank statements, mortgage records, tax records, social security numbers and drivers licence images were available unencrypted through First American’s website.

The company had placed the records online and anyone could view them if they knew the right URL with no authentication required.


Year: 2019

Type of breach: Accidental data leak by third party app developers

Number of records exposed: 540 million

In 2019, it came to light that more than 540 million records relating to Facebook users were accidentally leaked by two third-party Facebook app developers.

The apps in question posted the records in plain sight on Amazon’s cloud computing service. These records included Facebook users’ account names, IDs, friends, photos, location check ins and passwords.

Marriott International

Year: 2018

Type of breach: Hacking attack on guest reservation database

Number of records exposed: 500 million

In 2018, Marriot International revealed that hackers had broken into the guest reservation database of its subsidiary Starwood Hotels group. The hack affected as many as 500 million guest records, involving as many as 7 million former guests in the UK.

The hack took place from July 2014-September 2018 with the data exposed including guests’ names, home addresses, email addresses, telephone numbers, passport details and credit card details.

The hotel brands affected by the Marriot data hack include W Hotels, Sheraton Hotels & Resorts and Le Meridien Hotels & Resorts.

Friend Finder Networks

Year: 2016

Type of breach: Suspected hack of company databases

Number of records exposed: 412 million

Adult-orientated social networking company FriendFinder Networks Inc. is suspected to have been the victim of a hack targeting six of its databases prior to 20 October 2016.

Personal user details from the databases were discovered online in October 2016, with the exposed data including usernames, email addresses and passwords. The records related to various of the FriendFinder’s websites, including AdultFriendFinder.com, Cams.com and Penthouse.com.


Year: 2018

Type of breach: Accidental data leak online

Number of records exposed: 340 million

Marketing and data aggregation company Exactis accidentally exposed a database it held containing nearly 340 million individual records. The company had placed the database on a publicly accessible server, meaning anyone who knew where to look could view the data.

The data exposed included names, phone numbers, home addresses, email addresses, and other highly personal characteristics for millions of US citizens. The information on the database was intended for highly targeted marketing purposes, so is much more detailed and personal than much of the information exposed in a typical data breach.


Year: 2019

Type of breach: Data exposed due to security flaws in mobile app API 

Number of records exposed: 320 million

India’s third largest mobile network operator, Bharti Airtel, was responsible for a massive data breach affecting around 320 million users of its mobile app. Security flaws were discovered in the app’s API (application programming interface), which meant users’ data was accessible.

The data exposed included users’ names, email addresses, birthdays, home addresses and the IMEI number of devices onto which the app had been installed. While it is not known whether this data was accessed by anyone unauthorised to do so, the extent of the records involved make this potentially very serious for Bharti Airtel and its users.


Year: 2019

Type of breach: Unclear

Number of records exposed: 299 million

In May 2019, independent security researcher Rajshekhar Rajaharia claimed that personal data of nearly 300 million users of the Truecaller caller ID app were available for sale on the dark web.

However, the app’s developer, Stockholm-based True Software Scandinavia AB, claims its database has not been breached. The allegedly exposed data includes users’ mobile phone number, as well as some users’ email addresses, photos, company names, job titles and more.

Truecaller stated: "It has been recently brought to our attention that some users have been abusing their accounts. In light of this event, we would like to strongly confirm at this stage that there has been no sensitive user information being accessed or extracted, especially our users' financial or payment details."

At this time, the reason for the data being exposed remains unclear.


Year: 2019

Type of breach: Unsecured online database

Number of records exposed: 202 million

MongoDB is a cross-platform database program, mainly used for storing, index and processing documents and various types of data. It is used by a wide range of companies worldwide to store millions of records.

MongoDB has been hit by a number of data breaches where companies used the service to store records online without any form of password protection. This meant they were accessible to anyone who knew where to look. One of the main reasons these breaches have occurred is that MongoDB has no default password protection in place, so it is up to the companies using the service to put password protection in place.

The biggest data breach to affect MongoDB users so far came in 2019, where an 854Gb MongoDB database was left open, with no password or login details required for access. As a result, 202million CVs from Chinese job seekers were exposed, containing a range of personal data, including names, addresses, phone numbers, emails and more.

Facebook (again)

Year: 2019

Type of breach: Unsecured online database

Number of records exposed: 267 million

In December 2019, it was discovered that the names, phone numbers and user IDs of 267 million Facebook users had been exposed in an online database. The database was completely unsecured, meaning anyone who knew where it was could access the data it contained without needing to enter a password or any other kind of security details.

The database was discovered by a security researcher and is believed to have been created by cybercriminals who ‘scraped’ the data from Facebook users’ profiles. Facebook claims it has since made security changes to its platform to prevent this kind of data scraping.

How Hayes Connor can help with data breach claims

At Hayes Connor, we specialise in helping people to claim compensation when their data has been exposed in a breach of data protection regulations. This could be due to a cyberattack, human error or any other reason.

We are one of the largest teams of data breach claims specialists in the country, with decades of combined experience in securing compensation for victims of data breaches. We can advise you on whether you are likely to have grounds for a claim, the level of compensation you may be entitled to and what you need to do to start a claim.

Our goal is to ensure that anyone who is affected by a data breach is able to get the compensation they deserve, while making the claims process as simple and stress-free as possible.

You can find out more about our expertise and how we handle data breach claims here.

To start a claim, you can use our online claim form and we will get back to your shortly to let you know if we believe you have grounds for compensation.

If you would like to speak to a member of our team, please do not hesitate to give us a call on 0330 041 5137.