Data Breaches

North Korean hackers pulled off one of the biggest crypto heists ever, stealing $1.46 billion from crypto exchange Bybit. They exploited how the exchange signed transactions.

Nation-state hackers found a bug in Commvault backup software and used it to access companies' Microsoft 365 backups stored in the cloud.

Bank of America customer data was stolen not from the bank itself, but from a company they work with. This shows how one weak link can expose customer data.

Medicare data for nearly a million seniors was stolen because one of their contractors used the vulnerable MOVEit software. Social Security numbers and bank account info were exposed.

Hackers got into Ticketmaster's cloud data and stole information on 560 million customers. If you have ever bought a concert ticket, your data was probably stolen.

A hacker found a way to extract 49 million Dell customers' data through their partner website. They got names, home addresses, and info about what Dell computers people own.

Hackers used stolen passwords to log into cloud accounts at Snowflake, a data company. They got into accounts at Ticketmaster, AT&T, and many others, stealing billions of records.

Hackers got records of almost every call and text made by AT&T customers. They didn't get what you said, but they know who you talked to, when, and where you were. This metadata is incredibly revealing—it can expose affairs, identify sources for journalists, locate domestic abuse survivors, and more. The hackers got in through a cloud company AT&T was using.

A background check company got hacked and lost 2.9 billion records. Almost every American's Social Security number was exposed in one of the biggest breaches ever.

Kaiser Permanente accidentally shared health information about 13.4 million members with advertisers. Their website tracking tools collected and shared data they should not have.

A shopping site for buying stuff from China got hacked. Over a million customers' addresses and order histories were exposed.

Omni Hotels got hit by ransomware and had to shut down all their computers. Guests could not check in online and hotel staff had to use pen and paper.

Change Healthcare processes medical claims for a huge portion of US healthcare. When hackers hit them with ransomware, doctors and pharmacies couldn't process payments for weeks. The parent company paid $22 million in ransom, but the data was still leaked. If you've used healthcare in America, your medical records may be in this breach.

The company that processes payments for most US healthcare got hit by ransomware. For weeks, pharmacies could not process prescriptions and doctors could not get paid. It affected about 1 in 3 Americans.

A car company accidentally left customer data on a public cloud server. This included not just names and addresses, but also data from connected cars showing where people drove.

Hackers used stolen passwords to break into DNA testing accounts from multiple companies, stealing genetic information and health data from millions of people.

Some AI apps that read text from your screen shots were saving those pictures without good security. Private information from screenshots ended up exposed.

Hackers attacked a company that handles medical billing for many hospitals and doctors. They stole medical records on 15 million patients from hundreds of healthcare providers.

Someone collected 26 billion records from thousands of old data breaches and put them all in one place. It is the biggest collection of stolen data ever found.

AnyDesk, software used by millions to control computers remotely, got hacked. The attackers got access to the code signing keys, which could let them make fake versions of the software.

A hacker found a way to check if any email address had a Trello account and get their name. They did this 15 million times to build a database of Trello users.

Hackers tricked US Cellular store employees into giving up access to customer accounts. This type of breach can let criminals take over your phone number.

Comcast got hacked through a bug in Citrix software. 36 million Xfinity customers' data was stolen, including those security questions like "What's your mother's maiden name?"

23andMe got hacked and the full scope was worse than first reported. Nearly 7 million people's DNA and ancestry information was stolen. You can change your password, but you cannot change your DNA.

A VPN that is supposed to hide your identity had a bug that actually revealed your real location. If you visited the wrong website, it could see your real IP address.

Hackers called MGM's IT help desk, pretended to be an employee, and got them to reset a password. That simple trick let them take down slot machines, hotel systems, and more for days. The hackers (Scattered Spider) demanded ransom, but MGM refused to pay. It still cost MGM about $100 million, and customer data was stolen and leaked.

The same hackers who hit MGM also attacked Caesars casino. Caesars paid them $15 million to go away quietly, while MGM refused to pay and suffered weeks of disruption.

Freecycle, where people give away free stuff in their neighborhoods, got hacked. 7 million members' accounts were exposed.

Clorox got hacked and it messed up their factories so badly that stores ran out of cleaning products for months. The attack cost the company over $350 million.

Hackers broke into Topgolf and Callaway golf systems and stole customer information including passwords and order history from over a million people.

Someone collected data from hundreds of different website breaches and hacks, then combined them into one giant database with 400 million email addresses.

MOVEit is software that companies use to send files securely. The Clop ransomware gang found a bug that let them steal data from any company using MOVEit. They hit thousands of organizations at once—government agencies, banks, hospitals, universities. If any company you've done business with used MOVEit, your data might be in this breach.

One bug in file transfer software called MOVEit led to thousands of organizations getting hacked. The Cl0p ransomware gang stole data from government agencies, airlines, and banks all at once.

A bug in file transfer software called MOVEit let hackers break into thousands of companies at once. It was one of the biggest hacks ever, affecting 93 million people.

Chinese hackers found a bug in Barracuda email security appliances. The attack was so bad that the company told customers to throw away their devices and get new ones.

Chinese hackers stole a special key that Microsoft uses to prove emails are legitimate. They used it to make fake keys and read government emails without permission.

The FBI shut down Genesis Market, a criminal website that sold complete copies of people's browser sessions. Criminals could buy your login cookies and pretend to be you.

Hackers used passwords stolen from other websites to break into 23andMe accounts. But here's what made it worse: the site shows you genetic relatives, so hackers could see DNA data of family members who weren't even hacked directly. Your DNA is forever—you can't change it like a password. This data could be used for discrimination or identity theft decades from now.

Hackers got into an account belonging to someone who helps Discord with customer support. They could see support tickets and any files people sent when asking for help.

Western Digital, which makes hard drives and cloud storage, got hacked. Their My Cloud service was down for weeks, and hackers may have stolen customer data.

A financial company in Australia got hacked because one of their vendors was compromised. 14 million people's driver's licenses and passport numbers were stolen.

The health insurance website for Washington DC got hacked, exposing data on members of Congress and their staff. Social Security numbers and health information were stolen.

Dish Network got hit by ransomware that knocked out their entire operation. Their website, apps, and phone support all went down. Employee data including Social Security numbers were stolen.

A Reddit employee clicked a phishing link and entered their password on a fake website. Hackers used this to access Reddit's internal systems.

A Reddit employee was tricked by a fake website into entering their password and text message code. Hackers used this to access internal Reddit systems and documents.

Professional golf's biggest tour got hacked. Member information and marketing data were potentially compromised.

The company that owns KFC, Taco Bell, and Pizza Hut got hit by ransomware. They had to close 300 restaurants in the UK while fixing the problem.

Mailchimp got hacked again - their third time in less than a year. Hackers tricked employees into giving up their passwords, then stole customer data.

Hackers tricked a Mailchimp employee into giving them access to internal systems. This was the third time in a year that Mailchimp was breached using similar tactics.

T-Mobile got hacked again - for the 8th time in 5 years. This time 37 million customers were affected. The hackers were in their systems for over a month before being noticed.

Duolingo had a public door that let anyone look up user information if they knew how to ask. Hackers asked millions of times and collected data on 2.6 million users.

Hackers stole some Slack employee passwords and used them to download internal code from GitHub. Customer messages were not affected, but it shows how supply chain attacks work.

A CircleCI employee laptop got infected with malware that stole their login session. The attackers then accessed secrets that customers stored in CircleCI for building software.

Hackers used stolen passwords from other websites to break into PayPal accounts. They got access to very sensitive information like Social Security numbers.

A company that sells identity protection got hacked. Attackers used passwords stolen from other breaches to log into Norton accounts and potentially access the passwords stored inside.

Australia's biggest health insurance company got hacked. The criminals stole extremely sensitive medical information and tried to extort the company by threatening to release it.

Australia's second-biggest phone company left a door wide open on the internet. Hackers walked through and stole data on almost 10 million Australians, including passport numbers.

A teenager broke into Uber by spamming an employee with login approval requests until they gave in. The hacker then posted in Uber's Slack saying "I am a hacker."

Hackers tricked Revolut employees to get into their systems. About 50,000 customers' banking information was exposed.

The same hackers who got into Twilio tried the same trick on Cloudflare employees. But Cloudflare used special security keys that the fake websites could not fool, so the attack failed.

Hackers sent text messages to Twilio employees pretending to be IT support, tricking them into logging into a fake website. This gave attackers access to customer data.

The company protecting your passwords got hacked. While vaults are encrypted, weak master passwords could be cracked.

Hackers broke into a LastPass engineer's home computer, then used that access to steal everyone's encrypted password vaults. If your master password was weak, all your passwords could be cracked.

Hackers broke into a LastPass engineer home computer and used that to steal customer password vaults. While passwords were encrypted, the website names were not, revealing what sites people used.

Hackers tried usernames and passwords stolen from other websites on North Face accounts. When people reused passwords, the hackers got in and stole their information.

Neopets, the virtual pet website that many millennials used as kids, got hacked. 69 million accounts were stolen, including data from when users were children.

North Korean hackers tricked employees of the company behind Axie Infinity game and stole $625 million in cryptocurrency. It is one of the largest crypto thefts ever.

A bridge that lets people move crypto between Ethereum and Solana had a bug. Hackers exploited it to steal $320 million in cryptocurrency.

Teenage hackers from LAPSUS$ broke into a company that Okta hired for support. They could have accessed hundreds of Okta customers. Okta took two months to tell anyone.

Hackers found a bug in Twitter that let them figure out which email addresses and phone numbers belonged to which Twitter accounts. They used this to build a database of 5.4 million users.

Someone who used to work at Cash App kept their access after being fired. They used it to download stock trading information on 8.2 million customers.

Someone leaked Twitch's entire codebase and how much every streamer earns. A massive embarrassment.

A hacker found an unlocked door (a vulnerable API) in T-Mobile's systems and walked out with the personal data of 76 million people - that's nearly 1 in 4 Americans. Names, Social Security numbers, driver's licenses, all of it. T-Mobile has been breached multiple times, making this a pattern, not a one-time mistake.

A hacker stole $611 million from Poly Network but then gave it all back. The company called them a "white hat" and offered them a job. It was one of the strangest crypto heists ever.

The biggest meat company in the world got hit by ransomware. They had to close all their beef factories and paid $11 million to the hackers to get their systems back.

Hackers shut down the biggest fuel pipeline in America. Gas stations ran out of fuel, people panicked. The company paid $4.4 million to hackers, and the FBI later got most of it back.

Someone scraped 700 million LinkedIn profiles—basically everyone on the platform—and sold the data. LinkedIn says it wasn't a "breach" because the data was technically public. But when you put names, emails, phone numbers, and job titles together, it becomes a perfect list for scammers to target professionals with convincing phishing attacks.

Chinese hackers found secret bugs in Microsoft email servers. They broke into 250,000 organizations around the world, including government offices, before anyone could stop them.

Half a billion Facebook phone numbers leaked online. Hackers had scraped the data years earlier using a Facebook feature that let you search users by phone number.

Cit0day was a criminal service that collected stolen data from thousands of hacks. When they got raided by the FBI, all their stolen data leaked too.

A scammer tricked an Experian employee into handing over 24 million people's personal information.

Ledger makes hardware wallets for crypto. Hackers stole their customer list and then sent phishing emails to a million people pretending to be Ledger, trying to steal their crypto.

Wattpad, where people share stories and many users are teens, got hacked. 271 million accounts were stolen. At least the passwords were encrypted with bcrypt.

Russian hackers snuck into SolarWinds, a company that makes software used by thousands of organizations. They poisoned the software updates, so when companies installed updates, they also installed Russian spy tools.

A software developer at an Alibaba partner company spent 8 months secretly copying data from Taobao, China's biggest shopping site. They collected info on over a billion users.

The makers of FarmVille and Words with Friends got hacked through a basic security flaw. 173 million accounts were stolen, including password reset tokens that let hackers take over accounts.

A company that handles medical data got hit by ransomware. Over 2 million patients' medical records, including Social Security numbers, were exposed.

You could find anyone's mortgage documents just by changing numbers in the website address. 885 million documents exposed.

Hackers stole data from 137 million Canva users. But Canva did password security right - they used bcrypt, which makes passwords very hard to crack.

Facebook apps collected your data and then left it sitting on the internet for anyone to find.

A former Amazon cloud employee found a misconfiguration in Capital One's cloud security and exploited it to steal data on 106 million people. She bragged about it on social media and got caught. The breach showed that moving to the cloud doesn't automatically make you secure—you still need to configure it properly.

A company that verifies email addresses left their database completely open. 763 million email addresses and tons of personal information were exposed for anyone to take.

Hackers broke into Dubsmash and stole 162 million accounts. They sold this data along with other hacked sites in a package deal on the dark web.

Quora got hacked and 100 million users' data was stolen. This included private messages, which is especially concerning for a Q&A site where people share personal information.

The government healthcare website got hacked. While only 75,000 people were affected, the data stolen was extremely sensitive - Social Security numbers, income, and immigration status.

Hackers attacked Singapore's biggest hospital system and stole records for 1.5 million patients. They specifically targeted the Prime Minister's medical information.

A company that collects data about people left their database wide open on the internet. 340 million detailed profiles were exposed, including things like whether you own pets or smoke.

A hacker broke into Ticketfly, defaced their website, and demanded money. When Ticketfly said no, the hacker released everyone's data publicly.

Chegg, where students get homework help, got hacked. 40 million student accounts were stolen. This is especially concerning because the data includes young people.

The MyFitnessPal calorie tracking app got hacked. 150 million people's accounts were stolen, but at least the passwords were well-protected with bcrypt encryption.

India's national ID database, which has biometric data on almost every Indian citizen, was breached. For just $7, criminals could look up anyone's personal information.

Equifax, one of the three companies that tracks everyone's credit scores, got hacked because they didn't install a security update for months. Hackers stole Social Security numbers and personal info for nearly half of all Americans. The data is perfect for identity theft. Equifax paid $700 million in fines and settlements, but the damage to consumers continues.

Uber got hacked and tried to cover it up by paying the hackers to delete the stolen data and stay quiet.

A dating site for adults got hacked, exposing 412 million accounts. This is sensitive data that could be used to embarrass or blackmail people.

Hackers stole $72 million in Bitcoin from Bitfinex. Years later, the FBI caught the suspects with $3.6 billion worth of the stolen coins. They had tried to launder it using crazy schemes.

Hackers broke into a website for people having affairs and released everyone's information. This ruined marriages and careers, showing how devastating breaches of sensitive data can be.

One of America's largest health insurers was hacked, exposing Social Security numbers for nearly 80 million people.

Hackers tricked a Bitstamp employee into installing malware. They stole 19,000 Bitcoin, but the company covered the losses and is still operating today.

A company called Cambridge Analytica tricked Facebook users into taking a quiz. The quiz secretly collected data on them and all their friends, then used it to target political ads.

North Korea allegedly hacked Sony over a movie they didn't like, stealing and leaking everything from unreleased movies to embarrassing emails.

Chinese government hackers broke into Starwood Hotels' system and stayed hidden for four years. When Marriott bought Starwood, they inherited the breach without knowing. By the time anyone noticed, hackers had access to 500 million guests' data—one of the largest breaches ever. They got passport numbers, travel histories, and payment info.

Home Depot's cash registers were infected with malware for months, stealing 56 million credit card numbers.

Mt. Gox was the biggest Bitcoin exchange until hackers stole 850,000 Bitcoin. The exchange went bankrupt, and customers lost billions of dollars. Some are still trying to get their money back.

Hackers tricked some eBay employees into giving up their passwords, then used those to sneak into eBay's systems and steal information on 145 million users.

Target was hacked through their heating and cooling company. This showed everyone that small vendors can be a big security risk.

Hackers broke into Adobe and stole 153 million accounts. The passwords were encrypted but the hints were not, so if your hint was "rhymes with assword" hackers knew your password was "password".

Every single Yahoo account—3 billion of them—was compromised. Russian government hackers broke in and stayed for years. Yahoo didn't tell anyone for three years, only admitting it when they were about to be sold to Verizon. If you ever had a Yahoo account, your data was stolen. This is the biggest data breach in history.

Even though MySpace was not popular anymore, hackers sold 360 million old MySpace accounts. If you ever had a MySpace and used that password elsewhere, hackers could get into those other accounts.

A Dropbox employee used the same password at LinkedIn and Dropbox. When LinkedIn was hacked, attackers used that password to break into Dropbox and steal 68 million accounts.