10 Biggest Data Breaches That Affected U.S. Consumers

Security officer checking computer equipment

Caiaimage/Agnieszka Olek/Getty Images

Companies collect a lot of data from consumers. Depending on the nature of the business, a company may only store a username and password or it may have more sensitive information like social security numbers or credit card details.

Data is big business, which would explain the increased number and severity of data breaches in recent history. A data breach happens when a cybercriminal gains access to a company's files and steals user information. Here are the top 10 data breaches that have affected U.S. consumers in recent history.


3 billion in August 2013 & at least 500 million in late 2014

Every Yahoo user had their information exposed in the largest data breach in U.S. history to date. Initially, Yahoo initially thought that only 1 billion users were affected - which still would have made it the largest data breach. When Verizon purchased Yahoo in June 2017, the additional exposed users were uncovered – all three billion Yahoo accounts that existed in 2013. In the breach, the hackers gained access to user IDs, email addresses and encrypted passwords.

Customers who suffered a financial loss from the breach - identity theft or delay in tax refunds for example - were eligible to part of $117.5 million settlement, as long as they could provide documentation of the loss. Premium Yahoo account holders will be eligible for a 25% refund.


500 million between 2014 - November 2018

On November 30, 2018, Marriott disclosed a data breach that affected the Starwood guest reservation system dating back to 2014. Up to 500 million guests had their personal information stolen, and 327 million guests had their names, phone numbers, email addresses, passport numbers and dates of birth stolen. Millions of other guests had their credit card numbers and expiration dates exposed in the data breach. To date, it’s one of the biggest corporate data breaches in history, in terms of the number of accounts compromised.


360 million, May 2016

The usernames, passwords, and email addresses from 360 million MySpace users who registered before June 11, 2013, were compromised in a data breach. MySpace has since invalidated the passwords of old users. Most people will probably never log in to the former social media giant again, but if you reuse your old MySpace password on a new website, you may be at risk.


250 million, December 2019

A customer support database holding nearly 250 million Microsoft customer records was left unprotected on the web. Microsoft’s exposed database disclosed email addresses, IP addresses, and support case details. Microsoft says the database did not include any other personal information.

Under Armour

150 million, February 2018

An estimated 150 million users of the food and nutrition app MyFitnessPal, which was previously owned by Under Armour through late 2020, had their usernames, email addresses, and hashed passwords stolen in the data breach. Fortunately, no payment information was compromised in the data breach, and the app doesn’t collect social security numbers or driver’s license numbers. The breach happened in February 2018 and was discovered by Under Armour on March 25, 2018.


147 million, mid-May - July 2017

In September 2017, Equifax announced it had suffered a data breach that impacted approximately 147 million consumers. The actual breach happened between mid-May through July 2017. Hackers accessed consumers' personal information including names, birth dates, addresses, social security numbers, and driver's license numbers. Additionally, hackers were able to access credit card information for 209,000 consumers and dispute documents (which contained additional personal information) for another 182,000 consumers. To date, the Equifax breach is one of the most significant in history because of the type of information stolen.


145 million, between February and early March 2014

Between late February and early March 2014, a hacker breached eBay using compromised employee log-in credentials. The hacker was able to gain access to encrypted passwords and personal information including names, email addresses, physical addresses, phone numbers, and dates of birth. There was no evidence that financial and credit card information was stolen during the data breach.


130 million in 2008 & 2,200 in 2015

Heartland Payment Systems has suffered a data breach twice since the 2000s. The most significant occurred in 2008 when information on up to 130 million credit and debit cards were stolen. The company was breached again in 2015. That time 2,200 individuals may have had their personal information compromised when company hardware was stolen in a burglary. The compromised information may have included Social Security numbers and bank account information.


110 million, November 27 - December 15, 2013

Between November 27 and December 15, 2013, Target suffered a data breach that affected up to 110 million people. As many as 40 million people had their credit and debit card accounts compromised beginning the weekend of November 27, 2013. Hackers gained access to customer credit or debit card numbers, the card’s expiration dates, and the card’s security codes. An additional 70 million people had their names, mailing addresses, phone numbers, and email address stolen in the breach.


More than 100 million, 2012

In 2012, LinkedIn reported a data breach that exposed over 100 million encrypted passwords. Several years later, in May 2016, a hacker claimed to have a file of the leaked login credentials for LinkedIn users. After the data breach, LinkedIn invalidated the passwords for everyone who signed up prior to the breach and alerted individuals who needed to reset their passwords.