What Is the Largest Data Breach in History?

Key Takeaways

• The MOAB leads: The Mother of All Breaches (2024) is the largest aggregate leak, containing 26 billion records.
• Yahoo’s record: Yahoo remains the largest single-organization breach with 3 billion accounts compromised.
• Volume vs. sensitivity: Massive record counts often involve older data, while smaller breaches like Equifax can be more damaging due to sensitive PII.
• The supply chain factor: Modern mega-breaches like MOVEit show that one vendor’s vulnerability can compromise thousands of organizations simultaneously.
• Hygiene over hacking: Most historic breaches stem from misconfigurations and poor access control rather than sophisticated exploits.

What Is the Largest Data Breach in History?

Determining the largest data breach in history depends on how you define the event. If you are looking at the sheer volume of records circulating in a single dataset, the Mother of All Breaches (MOAB) discovered in 2024 is the current record holder with 26 billion records. However, the MOAB is an aggregate leak, a massive compilation of data from thousands of previous breaches rather than a single successful hack on one entity.

In cybersecurity, we measure magnitude by records exposed, which can range from email addresses to sensitive government IDs. It is important to distinguish between three specific types of events. Confirmed user accounts refer to data stolen directly from one organization, such as the Yahoo breach. Aggregated leaks are “super-compilations” of multiple historical breaches. Finally, single-organization breaches represent a specific failure of one company’s security perimeter. While aggregate leaks have higher numbers, single-organization breaches often represent more significant, fresh risks to the affected users.

The Largest Data Breaches Ever Recorded (Ranked)

1. Mother of All Breaches (MOAB) (2024)

Records Exposed: 26 billion 

Type: Aggregate Leak

The MOAB is an unprecedented collection of data discovered by security researchers in early 2024. It is not the result of a single hack but a massive, searchable database containing 26 billion records organized into thousands of folders. The root cause is the systematic collection of previous leaks and scraped datasets from platforms like LinkedIn, Twitter, and various government agencies. The primary impact is a significant spike in credential stuffing attacks, as hackers use this volume to automate logins across other services. Because this involves data from thousands of sources, it represents a massive systemic risk for organizations whose employee data may have been compromised years ago. It serves as a reminder that data never truly disappears from the dark web once it is leaked.

2. CAM4 (2020)

Records Exposed: 10.8 billion 

Type: Cloud Misconfiguration

In 2020, the adult website CAM4 suffered a massive exposure when an ElasticSearch database was left open to the public internet. The root cause was a basic cloud misconfiguration; the database lacked password protection, allowing anyone with the IP address to access 10.8 billion records. The vulnerability was a simple failure of access control. The impact was severe because the data was highly sensitive, including sexual orientation, chat transcripts, and email logs, making it a goldmine for extortion and phishing. This incident highlights how third-party cloud hosting without continuous monitoring can lead to catastrophic exposure. It remains one of the largest examples of how a lack of basic security hygiene can result in a record-breaking leak.

3. RockYou2021 (2021)

Records Exposed: 8.4 billion 

Type: Credential Dump

RockYou2021 is a massive password compilation that surfaced on a popular hacking forum, containing 8.4 billion entries. This was a direct expansion of the original 2009 RockYou breach, compiled into a single plaintext file. The root cause was the aggregation of leaked passwords from thousands of different breaches over more than a decade. It is essentially a dictionary for brute-force attacks. The impact was global, as it provided attackers with the tools to bypass standard password-based authentication. Third-party risk played a massive role here, as many of the passwords came from smaller, less secure apps that users integrated with their primary social or work accounts. It effectively ended the era of password-only security for most enterprises.

4. Yahoo (2013–2014)

Records Exposed: 3 billion 

Type: State-Sponsored Attack

The Yahoo breach remains the largest single-organization breach in history. Initially reported as a smaller incident, Yahoo eventually confirmed that all 3 billion user accounts had been compromised. The root cause was a persistent intrusion by state-sponsored actors who used sophisticated spear-phishing to gain access to the internal network. The vulnerability stemmed from a failure to detect a long-term presence within the company’s infrastructure. The impact was both financial and reputational, leading to a 350 million dollar reduction in Yahoo’s sale price to Verizon and significant legal settlements. While not a supply chain attack, the breach provided attackers with a gateway to users’ recovery emails, creating a ripple effect across the entire digital ecosystem.

5. Aadhaar (India ID Database) (2018)

Records Exposed: 1.1 billion 

Type: ID Database Exposure

India’s national biometric ID system, Aadhaar, faced a massive exposure when reports emerged that access to the database was being sold through unauthorized channels. The root cause was not a direct hack of the central database but vulnerabilities in the APIs used by third-party state-owned utility companies. This was a classic case of third-party risk where a secure central system was compromised through an insecure partner. The impact was massive, as it involved the personal and biometric data of over 1 billion citizens. Because biometric data cannot be changed like a password, the long-term risk of identity theft is permanent. It serves as a stark warning about the risks of centralized data without strict third-party API controls.

6. Shanghai National Police Database (2022)

Records Exposed: 1 billion 

Type: Unsecured Database

In 2022, an anonymous user offered to sell 23 terabytes of data allegedly stolen from the Shanghai National Police for 10 Bitcoin. The records included names, addresses, ID numbers, and criminal records for approximately 1 billion Chinese citizens. The root cause was an unsecured management dashboard that was left open on the public internet without a password. This vulnerability was a total failure of basic access control for a highly sensitive government asset. The impact was a massive national security embarrassment and an unprecedented exposure of PII. Third-party risk was a factor as the data was hosted on a public cloud platform, proving that even government-grade data is only as secure as its cloud configuration.

7. Facebook (Meta) (2019/2021)

Records Exposed: 533 million 

Type: Scraped Datasets

A dataset containing the personal information of 533 million Facebook users from over 100 countries was leaked for free on a hacking forum. The root cause was a vulnerability in a “contact importer” feature that Facebook had patched in 2019, but the scraped data remained in circulation. The vulnerability allowed attackers to query the Facebook database at scale using phone numbers. The impact included a surge in smishing (SMS phishing) and a significant regulatory fine under GDPR. This incident shows how third-party integrations and public-facing features can be weaponized to harvest data. It also highlights the “long tail” of data breaches, where data stolen years ago continues to cause reputational damage.

8. Marriott / Starwood (2014–2018)

Records Exposed: 500 million 

Type: Persistent Intrusion

This breach involved the guest reservation database of the Starwood hotel group, which Marriott acquired in 2016. The intrusion went undetected for four years. The root cause was unauthorized access to the Starwood network that Marriott failed to identify during its due diligence process. The vulnerability was a lack of visibility into a newly acquired network’s security posture. The impact was the theft of 5 million unencrypted passport numbers and millions of credit card details, leading to an 18.4 million dollar fine. This is a primary example of M&A risk, where a company inherits the third-party vulnerabilities of its acquisition, proving that you are only as secure as the companies you buy.

9. LinkedIn (2012)

Records Exposed: 165 million 

Type: External Hack / Credential Breach

LinkedIn’s 2012 breach is a case study in how delayed disclosure compounds damage. The incident initially appeared contained, but LinkedIn announced that 6.5 million hashed passwords had surfaced on a Russian hacker forum and prompted affected users to reset credentials. The real scale didn’t emerge until 2016, when the same threat actor offered 165 million LinkedIn email and password combinations for sale on the dark web for just 5 bitcoin. The four-year gap left the vast majority of affected users completely unaware that their credentials had been circulating.

The root cause was weak cryptographic practice. Passwords were hashed using unsalted SHA-1, an algorithm already considered inadequate by 2012 standards. Without salt, identical passwords produce identical hashes, making large-scale cracking trivial through pre-computed lookup tables. This wasn’t a sophisticated failure; it was a known, avoidable one.

The downstream impact extended well beyond LinkedIn itself. Millions of users who reused their LinkedIn password across other platforms became vulnerable to account takeovers across their entire digital footprint, a classic credential stuffing risk that persisted for years. The breach forced a mandatory password reset and became a landmark case for why proper credential storage practices aren’t optional, even for enterprise-grade platforms.

10. Equifax (2017)

Records Exposed: 147 million 

Type: Unpatched Vulnerability

The Equifax breach is one of the most significant due to the sensitive nature of the data: Social Security numbers and credit histories. The root cause was a failure to patch a known vulnerability in the Apache Struts web framework. Even though a patch had been available for months, Equifax’s internal processes failed to apply it. The impact was massive, resulting in a 575 million dollar settlement and a permanent blow to the company’s reputation. Third-party risk played a role through the use of open-source components (Nth-party risk). It remains the definitive case study on why a robust patching lifecycle and visibility into third-party software components are critical for preventing large-scale financial exposure.

11. MOVEit Transfer (2023)

Records Exposed: 60 million+ 

Type: Supply Chain / Zero-Day

The MOVEit breach is a landmark supply chain attack where a zero-day vulnerability in a popular file-transfer software was exploited by the Cl0p ransomware group. The root cause was an SQL injection vulnerability in the third-party tool itself. Because MOVEit was used by thousands of organizations, the impact cascaded across the globe, hitting government agencies, banks, and healthcare providers simultaneously. This is the ultimate example of how a single vendor’s failure can compromise an entire ecosystem. It proved that organizations must monitor not just their own servers, but the security health of every software tool they integrate into their operations to prevent massive, multi-tenant data exposure.

12. RockYou (Original) (2009)

Records Exposed: 32 million Type: SQL Injection

Though small by modern standards, the 2009 RockYou breach was a foundational event in cybersecurity history. The root cause was a simple SQL injection that allowed hackers to access the company’s database. The vulnerability was exacerbated by the fact that RockYou was storing all 32 million passwords in plaintext. The impact was the creation of the first major “mega-dump” of real-world passwords, which fueled credential stuffing attacks for the next decade. This incident highlighted the danger of third-party applications on social platforms and forced a global shift in how companies store and encrypt user credentials. It remains the case study for the “original sin” of data security: failing to encrypt at rest.

Largest Data Breaches by Records vs. Impact

A high record count often grabs the headlines, but it is a poor metric for the actual damage caused by a breach. To understand the severity of an incident, organizations must distinguish between data quantity and data sensitivity. For example, a breach of 500 million email addresses from a decade ago is often less damaging than a breach of 100,000 active credit card numbers or Social Security numbers.

The Equifax breach involved fewer records than Yahoo’s, but its financial cost and the long-term risk to victims were significantly higher because the data could be used to open fraudulent accounts. Similarly, operational disruption is a major factor. A supply chain attack that shuts down a hospital’s ability to process patients has a higher human and financial impact than an aggregate leak found on a forum. When evaluating the largest breaches, we must look at the financial cost, the regulatory fines, and the systemic risk to the business. Quantitative data tells you how many people were affected; qualitative data tells you how much it actually cost the organization to recover.

What Causes the Largest Data Breaches?

Cloud Misconfiguration

The rush to digital transformation often leaves security as an afterthought. Many billion-record leaks occur because a cloud database was stood up without a password or left open to the public internet by mistake.

Stolen Credentials

Hackers frequently bypass security perimeters by using passwords stolen in previous breaches. Without multi-factor authentication, a single set of administrative credentials can give an attacker total access to an organization’s most sensitive datasets.

Third-Party & Supply Chain Vulnerabilities

Your organization is part of an interconnected ecosystem. If a vendor with access to your data has weak security, your records are at risk. Attackers increasingly target these “hubs” to gain access to multiple companies at once.

API Exposure

APIs are designed for data sharing, but they are often poorly secured or lack rate-limiting. This allows attackers to scrape millions of records through automated tools, turning a functional feature into a massive data leak.

Unsecured Databases

Shadow IT remains a major threat. Old or forgotten databases that aren’t under the supervision of the security team often lack modern patches and monitoring, making them easy targets for attackers looking for massive record sets.

The Rise of Supply Chain Breaches

The modern enterprise is no longer a self-contained unit; it is a sprawling network of vendors, contractors, and software providers. This shift has made supply chain breaches the most effective way for attackers to scale their impact. Instead of attacking one company, a hacker targets a service provider like MOVEit or a software vendor. When that single point of failure is compromised, the impact cascades through thousands of organizations simultaneously.

This trend shows that systemic risk is the new reality. A vendor compromise doesn’t just affect one department; it can lead to a multi-tenant disaster that exposes data across different industries and continents. As companies outsource more of their critical infrastructure to SaaS and cloud providers, they are essentially outsourcing their attack surface. These breaches are becoming larger because the “hubs” of the digital economy are becoming more centralized. Managing this risk requires moving beyond internal security and gaining full visibility into the security posture of every third party in your network.

How Organizations Can Prevent Large-Scale Data Breaches

Preventing a record-breaking breach requires a strategic shift from static defense to continuous monitoring.

• Vendor monitoring: Moving beyond annual questionnaires to real-time security scores is essential. You need to know the moment a vendor’s security posture changes to prevent a supply chain attack.
• Access control hygiene: Implementing the principle of least privilege ensures that even if a credential is stolen, the attacker’s movement is restricted.
• Continuous exposure monitoring: Automatically scanning your external attack surface helps identify unsecured databases and misconfigured cloud buckets before they are discovered by hackers.
• Encryption & segmentation: Data should be encrypted at rest and in transit. Segmenting your network prevents an attacker from moving horizontally from a low-risk vendor portal to your core databases.
• Incident response planning: You must have a clear plan for third-party incidents, including predefined communication channels with your legal and PR teams.
• Compliance mapping: Aligning your security controls with global standards ensures that you are meeting the minimum regulatory requirements to avoid massive post-breach fines.

Why Record-Breaking Data Breaches Are Becoming More Common

The scale of data breaches is increasing because the volume of data stored by organizations is growing at an exponential rate. As companies move to the cloud and adopt more SaaS tools, they create larger “honeypots” for attackers to target. Additionally, the rise of the “aggregator” hacker has changed the landscape. Attackers no longer just steal data; they compile it into mega-leaks that distort historical comparisons.

This environment makes continuous monitoring more critical than ever. The centralization of data in the cloud means that when a breach happens, the record counts are naturally higher than they were in the era of on-premise servers. Organizations must accept that their data is part of a larger, interconnected web. Protecting it requires a unified strategy that addresses both direct vulnerabilities and the cascading risks posed by an ever-expanding third-party ecosystem.

The common thread across today’s largest breaches is not sophistication, it’s visibility. Whether it’s an exposed database, an unpatched dependency, or a compromised vendor, organizations are often blind to the risk until it’s too late. As supply chain attacks continue to scale, point-in-time assessments are no longer enough. Continuous third-party monitoring has become a requirement, not a luxury.

By adopting a continuous approach to third-party risk management, organizations can gain real-time insight into vendor security posture, reduce exposure to cascading failures, and strengthen overall resilience. This shift enables security teams to move from reactive response to proactive risk mitigation across their entire vendor ecosystem.

Ready to improve visibility across your third-party risk landscape? Request a personalized demo to see how Panorays helps you automate vendor assessments, monitor supply chain risk, and prevent small vulnerabilities from becoming large-scale incidents.

Largest Data Breaches in History FAQs