10 Biggest Data Breaches That Affected U.S. Consumers

Security officer checking computer equipment

Caiaimage/Agnieszka Olek/Getty Images

Companies collect a lot of data from consumers. Depending on the nature of the business, a company may only store a username and password or it may have more sensitive information like social security number or credit card details.

Data is big business, which would explain the increased number and severity of data breaches in recent history. A data breach happens when a cybercriminal gains access to a company's files and steals user information. Here are the top 10 data breaches that have affected U.S. consumers in recent history.


500 million in September 2013 & 3 billion in December 2013

Every Yahoo user had their information exposed in the largest data breach in U.S. history to date. Initially, Yahoo initially thought that only 1 billion users were affected - which still would have made it the largest data breach. When Yahoo purchased Verizon in June 2017, the additional exposed users were uncovered. In the breach, the hackers gained access to user IDs and mail address, encrypted passwords. Credit card data and bank account information were not accessed in the breach.

Customers who suffered a financial loss from the breach - identity theft or delay in tax refunds for example - are eligible to part of a $50 million settlement as long they provide documentation of the loss. Premium Yahoo account holders will be eligible for a 25 percent refund.


500 million between 2014 - November 2018

On November 30, 2018, Marriott disclosed a data breach that affected the Starwood guest reservation system dating back to 2014. Up to 500 million guests had their personal information stolen and 327 million guests had their name, phone numbers, email address, passport numbers and date of birth stolen. Millions of other guests had their credit card number and expiration date exposed in the data breach. To date, it’s the second biggest corporate data break in history, in terms of the number of accounts compromised.


360 million, May 2016

The usernames, passwords, and email addresses from 360 million MySpace users who registered before June 11, 2013, were compromised in a data breach. MySpace has since invalidated the passwords of old users. Most people will probably never log in to the former social media giant again, but if you reuse your old MySpace password on a new website, you may be at risk.


280 million, December 2019

A customer support database holding over 280 million Microsoft customer records was left unprotected on the web. Microsoft’s exposed database disclosed email addresses, IP addresses, and support case details. Microsoft says the database did not include any other personal information.

Under Armour

150 million, February 2018

An estimated 150 million users of the food and nutrition app, MyFitnessPal which owned by Under Armour, had their usernames, email addresses, and hashed passwords stolen in the data breach––a hashed password has been coded using an algorithm. A hacker would have to figure out the key to decode passwords. Fortunately, no payment information was compromised in the data breach and the app doesn’t collect social security numbers or driver’s license numbers. The breach happened in February of 2018 and was discovered by Under Armour on March 25, 2018.


145.5 million, mid-May 2017 through July 2017

On September 7, 2017, Equifax announced it had suffered a data breach that impacted approximately 143 million consumers. The actual breach happened between mid-May through July 2017. Hackers accessed an estimated 143 million consumers' personal information including names, birth dates, addresses, social security numbers, and driver's license numbers. Additionally, hackers were able to access credit card information for 209,000 consumers and dispute documents (which contained additional personal information) for another 182,000 consumers. To date, the Equifax breach is one of the most significant in history because of the type of information stolen.


145 million, between February and early March 2014

Between late February and early March 2014, a hacker breached eBay using compromised employee log-in credentials. The hacker was able to gain access to encrypted passwords and personal information including names, email addresses, physical addresses, phone numbers, and dates of birth. There was no evidence that financial and credit card information was stolen during the data breach.


100 million in 2008 & 2,200 in 2013

Heartland Payment Systems has suffered a data breach twice in the past 10 years. The most significant occurred in 2008 when information on up to 100 million credit and debit cards were stolen. The company was breached again in 2013, this time 2,200 individuals may have had their personal information compromised when company hardware was stolen in a burglary. The compromised information may have included social security numbers and bank account information.


110 million, November 27 - December 15, 2013

Between November 27 and December 15, 2013, Target suffered a data breach that affected up to 110 million people. As many as 40 million people had their credit and debit card accounts compromised beginning Black Friday weekend of 2013. Hackers gained access to customer names, credit or debit card number, the card’s expiration date, and the card’s security code. An additional 70 million people had their names, mailing addresses, phone numbers, and email address stolen in the breach. According to the Washington Post, a hacker linked to the breach was caught and sentenced to 14 years in prison.


100 million, 2012

In 2012, LinkedIn reported a data breach that exposed 6.5 million encrypted passwords. Several years later, in May 2016, a hacker claimed to have a file with 167 million of leaked login credentials for LinkedIn users, according to Fortune. After the data breach, LinkedIn invalidated the passwords for everyone who signed up prior to the breach and alerted individuals who needed to reset their passwords.