From government organizations to major retailers, headlines about data breaches seem to be the new norm. Hackers continue to put millions of consumers at risk. If you’re reading this, you’ve most likely experienced an attack at some point.
What Is The Best Way To Protect Yourself From Data Breaches?
Identity theft can happen even to the most cautious of us. As you can see from the list of security breaches below, millions of people have had their personal information stolen. And in most security breaches, the hacked company offered affected customers an identity theft protection service. But that’s not as helpful when your information was already compromised.
We recommend considering a secure password management solution, such as Dashlane, that can also safely store financial account information and other sensitive data. Read our best password managers article to learn more.
Was Hulu Breached?
While many people speculate that Hulu’s database was hacked, there have been no formal reports of an actual attack on the streaming platform. In 2019, usernames and passwords were posted for sale on the black market. The login information was obtained through a series of sophisticated phishing attacks and scams. Hackers can break into smaller sites with weaker security and guess usernames and passwords. They might also send fake emails or texts to try to get users to change their passwords. As an extra precaution, Hulu tracks the devices and locations for every sign-in attempt. You can check these under the “Managed Devices” section of your Hulu account settings. If you are worried someone accessed your account, you should update your password and username to something you don’t use on any other site and ensure it’s difficult to guess.
Data Breaches By Company Name (Alphabetical)
- Adobe Systems
- Air France / KLM Airlines
- Alaska Airlines
- American Airlines
- American Bar Association (ABA)
- Anthem Health Insurance
- Ashley Madison
- Bank Of America
- Capital One Financial Corporation
- Carnival Cruise Lines
- Cash App (Block)
- Clubillion Casino/Gambling App
- Congress Health Benefit Exchange
- Connexin Software Inc.
- Consumer Financial Protection Bureau (CFPB)
- Democratic National Committee (DNC)
- DoorDash (2022 | 2019)
- Earl Enterprises
- Expedia, Hotels.com & Booking.com
- Facebook (2019 | 2019 | 2018)
- FEMA (Federal Emergency Management Agency)
- Home Chef
- Home Depot
- Independent Living Systems (ILS)
- Instagram, TikTok, & YouTube
- JPMorgan Chase
- LastPass (2023 | 2022)
- Marriott (2020 | 2018)
- MyFitnessPal App By Under Armour
- Neiman Marcus (2021 | 2013)
- Nelnet Servicing
- NextGen Healthcare
- NYC Schools
- Office Of Personnel Management
- OpenAI ChatGPT
- Panera Bread
- Quest Diagnostics
- Robinhood Financial Service Company
- Saks And Lord & Taylor
- State Farm
- T-Mobile (2023 | 2021 | 2020 | 2018)
- Texas Department of Insurance (TDI)
- TMX Finance (TitleMax)
- Uber Employees
- Verizon (2019 | 2017)
- Woolworths MyDeal
Recent Data Breaches (Chronological By Year)
Trying to keep up with all the latest data breach news and which companies have been affected can be overwhelming. We’ve put together this comprehensive guide to help you stay on top of what’s happening with the latest data breaches.
Here is an alphabetical list of companies breached with the years they experienced the breaches. Click on a year for more information on that specific breach.
2023 Data Breaches
Check back for the latest, as this list is updated regularly with the most recent breaches. These recent credit card and data breaches are listed in chronological order of when they happened, with the most recent appearing at the top of the list.
- When It Happened: The breach was announced on June 1, 2023; the announcement says data was exposed between February 2015 and May 2023.
- Who It Affected: 260,000 Toyota car owners who purchased vehicles as early as December 2007.
- What Was Compromised: No sensitive data was leaked.
- Resolution: Toyota is reaching out to customers to notify them of the breach and any necessary next steps.
- When It Happened: The breach occurred on March 29, 2023 and lasted until April 24, 2023. It was discovered on April 24, 2023 and those impacted by the incident were notified on April 28, 2023.
- Who It Affected: 1 million patient records.
- What Was Compromised: Names or other identifiers in combination with Social Security Numbers.
- Resolution: NextGen notified impacted users and filed a report with Maine’s Attorney General. The company took steps to investigate and is working with cybersecurity experts to remediate.
American Bar Association (ABA)
- When It Happened: The hacker was detected on March 17, 2023; the unauthorized third party gained access to the ABA network around March 6, 2023. ABA began notifying members on April 20, 2023.
- Who It Affected: 1,466,000 ABA members.
- What Was Compromised: Usernames and hashed passwords. No corporate or personal data was stolen.
- Resolution: ABA recommends users change their passwords, including on other sites using the same credentials. They also advised people to watch out for phishing emails impersonating the ABA.
Consumer Financial Protection Bureau (CFPB)
- When It Happened: Announced in mid-April 2023 (CFPB learned of the breach on February 14, 2023).
- Who It Affected: 250,000 consumers.
- What Was Compromised: Names and transaction-specific account numbers.
- Resolution: CFPB fired the employee who was responsible for the breach and is under investigation with Congress and the Financial Services Committee. The agency followed safety protocols and required steps to resolve the misconduct.
TMX Finance (TitleMax)
- When It Happened: Suspicious activity was detected on February 13, 2023 (and dated back to December 2022), and the breach was disclosed in early April 2023.
- Who It Affected: 4,822,580 customers (current and former) of TitleMax, TitleBucks, and InstaLoan.
- What Was Compromised: Names, dates of birth, social security numbers, passport numbers, driver’s license numbers, Tax ID numbers, federal and state ID card numbers, financial account details, phone numbers, home addresses, and email addresses.
- Resolution: TMX Finance notified the FBI of the incident and rolled out additional security measures, including endpoint protection and monitoring.
OpenAI ChatGPT
- When It Happened: March 20, 2023 between 1 a.m. and 10 a.m. Pacific time.
- Who It Affected: Approximately 1.2% of the ChatGPT Plus subscribers who were active during the nine-hour window.
- What Was Compromised: Active user’s first and last name, email address, payment address, the last four digits of credit card number, and credit card expiration date.
- Resolution: Shortly after the bug, users started to report seeing other people’s chat history and contact info on their accounts. ChatGPT immediately responded by temporarily shutting down the service to investigate. The bug was identified quickly and fixed. All affected ChatGPT users who had their payment information exposed were contacted. OpenAI CEO Sam Altman apologized on Twitter and the company put out a blog post explaining what happened and the actions taken.
- When It Happened: The breach happened in January 2023 and was announced in March 2023.
- Who It Affected: More than 9 million customer accounts.
- What Was Compromised: Full names, email addresses, wireless phone numbers. Some additional data include monthly payment amounts, rate plans, minutes spent, and more.
- Resolution: They acknowledged the breach, and a spokesperson said they are working with federal law enforcement in accordance with the Federal Communications Commission.
U.S. Congress Health Data Breach
- When It Happened: The D.C. Health Benefit Exchange Authority discovered the breach in March 2023, and it was announced shortly after.
- Who It Affected: More than 56,415 employees of Congress members.
- What Was Compromised: Full names, email addresses, phone numbers, social security numbers, dates of birth, health plan information, home addresses, ethnicity, citizenship, and more.
- Resolution: Congress leaders and Capitol Police are working with the FBI, and staff members who were compromised were notified.
- When It Happened: The breach was announced in March 2023; it occurred between December 18, 2022 and February 12, 2023.
- Who It Affected: Undisclosed number of customers and app users.
- What Was Compromised: Full names, email addresses, membership numbers, mobile pay numbers, amount of credit or gift card balance, month and day of birth, phone number, address, and last four digits of payment card number.
- Resolution: Immediate action took place upon discovery, including requiring customers to reset passwords, removing any stored payment methods, and temporarily freezing pre-paid funds in accounts. In addition, the company loaded loyalty rewards to accounts as a thank you and is enhancing its security measures.
- When It Happened: In February 2023, the company confirmed the breach of a backup database from 2019 that was leaked in January 2023.
- Who It Affected: PeopleConnect is the parent company of TruthFinder and Instant Checkmate background check services. The leak allegedly contains records from 20.22 million customers who used the services up to April 16, 2019.
- What Was Compromised: 2.9 GB worth of CSV files containing customer information, including emails, hashed passwords, first and last names, and phone numbers.
- Resolution: PeopleConnect is still investigating the incident and has engaged a third-party cybersecurity firm to assist. They also warn customers to be on the lookout for phishing attacks.
- When It Happened: There was a breach and settlement from 2021, but T-Mobile announced another breach in January 2023 that occurred around November 25, 2022. Then on May 1, 2023, the company disclosed a second data breach of 2023 that began in February 2023.
- Who It Affected: Approximately 37 million accounts. (The May 2023 breach affected only 836 customers.)
- What Was Compromised: T-Mobile customer data, including names, birth dates, phone numbers, billing addresses, and T-Mobile services.
- Resolution: T-Mobile traced the source of the malicious activity and fixed the API exploit within a day of detection. They are conducting an investigation and notified those who may have been impacted.
- When It Happened: Announced in January 2023 that a credential stuffing attack occurred between December 6-8, 2022.
- Who It Affected: Approximately 34,942 PayPal user accounts.
- What Was Compromised: Full account names, dates of birth, postal addresses, social security numbers, individual tax identification numbers, transaction histories, connected debit and credit card details, and invoicing data.
- Resolution: PayPal took immediate action to limit intruders’ access and reset the passwords of accounts confirmed as breached. They also enhanced security measures and encourage users to activate two-factor authentication.
Air France / KLM Airlines
- When It Happened: Announced in January 2023.
- Who It Affected: Approximately 17 million Flying Blue frequent flyer customers on KLM, Air France, Transavia, Aircalin, Kenya Airways, and Tarom.
- What Was Compromised: Frequent flyer account holders’ first and last names, phone numbers, email addresses, recent transaction history, Flying Blue frequent flyer numbers, status level, and mile balance. No credit card or payment information was exposed.
- Resolution: The airline has implemented corrective action to prevent further exposure and notified the relevant data protection authorities in the Netherlands and France.
2022 Data Breaches
- When It Happened: November 2022, announced in December 2022.
- Who It Affected: 67,000 customers.
- What Was Compromised: The attackers could have accessed the account holder’s name, address, phone number, email address, last four digits of payment card, profile photo, transaction history, account balance, and date of last password change. Expiration dates and CVV numbers are not stored in their database.
- Resolution: DraftKings reset passwords for affected accounts and implemented additional fraud alerts. They also refunded up to $300,000 withdrawn as a result of the attack.
- When It Happened: September 2022, announced in December 2022.
- Who It Affected: 77,000 Uber and Uber Eats employees.
- What Was Compromised: Workers’ names, email addresses, and location details.
- Resolution: Uber encouraged employees to be on the lookout for phishing attempts and emails from people posing as Uber IT support.
Connexin Software Inc.
- When It Happened: August 2022, announced in December 2022.
- Who It Affected: 2.2 million individuals.
- What Was Compromised: Patient’s name, guarantor name, parent/guardian name, address, email address, date of birth, social security number, health insurance information, medical information, and billing claims.
- Resolution: Connexin is offering free identity monitoring for eligible patients.
- When It Happened: August 2022, announced on November 30, 2022. On December 22, 2022, the LastPass CEO provided an updated statement saying that the investigation showed the breach was actually more extensive than originally reported.
- Who It Affected: Undisclosed number of LastPass password manager customers.
- What Was Compromised: Originally it was reported that no personal data was compromised. On November 30, 2022, they said that during the incident an unauthorized party obtained certain elements of customers’ information and that passwords are always encrypted due to Zero Knowledge technology. On December 22, 2022, they said encrypted password vaults were also exposed.
- Resolution: LastPass and its parent company LogMeIn issued a statement and continue to notify customers via email and their website with the latest. They also encourage people to change their master passwords to strong ones and to use multi-factor authentication.
- When It Happened: Announced in October 2022.
- Who It Affected: 2.2 million customers.
- What Was Compromised: Names, email addresses, phone numbers, delivery addresses, and birthdays.
- Resolution: Affected customers were notified via email and users were encouraged to update passwords and be on the lookout for phishing attacks.
- When It Happened: Discovered in July 2022 and announced in September 2022 after reporting to authorities and investigating.
- Who It Affected: A reported “very small number” of customers and employees.
- What Was Compromised: Date of birth, driver’s license, passport numbers, and medical information.
- Resolution: Contacted impacted people to warn them of phishing campaigns and put an additional technical safeguard in place to prevent future breaches. Also offered two years of identity theft protection to those who had information compromised.
- When It Happened: Announced in September 2022, discovered in August 2022, and breach took place for rental contracts between November 5, 2021 and April 5, 2022.
- Who It Affected: U-Haul drivers (undisclosed amount).
- What Was Compromised: Driver’s license or state identification numbers. No credit card information.
- Resolution: Provided affected customers a year of identity theft protection via Equifax.
- When It Happened: Announced in September 2022 that the breach took place in July 2022.
- Who It Affected: Some but not all Samsung customers (undisclosed amount).
- What Was Compromised: Name, contact and demographic information, date of birth, and product registration information.
- Resolution: They notified customers, engaged with a leading cybersecurity firm, and are working with law enforcement officials. They are encouraging anyone with a Samsung account to remain cautious of unsolicited communications, avoid clicking on malicious links, and review account info for any suspicious activity.
- When It Happened: August 2022.
- Who It Affected: 2.5 million student loan borrowers from Edfinancial and OSLA (who contracted with Nelnet for an online portal to view accounts online).
- What Was Compromised: Social security numbers, emails, phone numbers, and addresses.
- Resolution: They filed a report with the Maine Attorney General and issued a statement saying that no financial account numbers or payment information were compromised.
- When It Happened: August 2022.
- Who It Affected: No customers’ accounts or personal information was impacted.
- What Was Compromised: An unauthorized party accessed portions of the developer code and took proprietary technical information.
- Resolution: The company issued a statement to customers and the public saying they were evaluating further mitigation techniques to strengthen their environment.
- When It Happened: August 2022.
- Who It Affected: An undisclosed number of customers.
- What Was Compromised: Names, genders, email addresses, and phone numbers. No travel records or payment information.
- Resolution: The airline added more extensive protocols to prevent further breaches and shut down elements of the system that were accessed.
- When It Happened: Originally in 2019 and again in August 2022.
- Who It Affected: An undisclosed number of customers.
- What Was Compromised: Names, emails, delivery addresses, phone numbers, and partial payment card numbers for customers and drivers.
- Resolution: DoorDash has cut off access to third-party vendors and hired a cybersecurity expert to investigate and help strengthen systems.
- When It Happened: In July 2022, a hacker posted a database of Twitter data for sale on a forum for $30,000. The data was obtained through a known (and now fixed) vulnerability in the social media platform.
- Who It Affected: The hacker claims they have information for 5.4 million accounts (including celebrities and companies).
- What Was Compromised: Twitter handles, phone numbers, email addresses.
- Resolution: Twitter is investigating the threat and sale of records and the seller has since removed the advertisement.
Twitter Update: In late November 2022, the originally breached data was leaked on hacker forums for free. In addition, a second set of data containing 1.4 million suspended accounts was also shared, bringing the total number of users impacted to 7 million.
Independent Living Systems (ILS)
- When It Happened: Between June 3 and July 5, 2022.
- Who It Affected: 4.2 million people.
- What Was Compromised: Full names, Social Security Numbers, medical and health insurance details, and tax identification numbers.
- Resolution: ILS detected the intrusion on July 5, 2022 and reported the incident to the FBI and authorities. The company is undergoing five class-action lawsuits as a result of the breach.
- When It Happened: July 2022 (also suffered a data breach in 2013)
- Who It Affected: 69 million users.
- What Was Compromised: Gender, zip code, full name, address, nationality, IP address, date of birth, email address, password hashes.
- Resolution: The company urged users to change their passwords, launched an investigation, engaged with law enforcement, and is enhancing its system’s protections.
- When It Happened: June 2022
- Who It Affected: Potentially 1.5 million customers of the world’s largest NFT (non-fungible token) marketplace.
- What Was Compromised: Email addresses.
- Resolution: OpenSea is working with its email delivery company Customer.io to investigate and reported the incident to law enforcement. Impacted users were warned of potential phishing emails from third-party spoof domains and were cautioned not to download attachments or share any sensitive data with others.
Texas Department of Insurance (TDI)
- When It Happened: Announced in April 2022 that the breach occurred in early 2022 (TDI became aware of the issue on January 4, 2022).
- Who It Affected: Approximately 1,800,000 Texans.
- What Was Compromised: Names, addresses, social security numbers, and medical information.
- Resolution: TDI worked with a forensic company to investigate the nature and scope and reviewed and enhanced policies, procedures, and security efforts. Offered 12 months of credit monitoring and identity protection services for free.
Cash App (Block)
- When It Happened: Announced in April 2022 that a former employee accessed the records on December 10, 2021.
- Who It Affected: The app’s 8.2 million customers in the United States only.
- What Was Compromised: Customer names, brokerage account numbers, portfolio holdings, stock trading activity, and more. It didn’t include usernames, passwords, SSN, payment, or bank information.
- Resolution: Took steps to remediate the issue and launched an investigation.
- When It Happened: Announced in March 2022.
- Who It Affected: Approximately 820,000 current and former students in New York City Public School System.
- What Was Compromised: Names, birthdates, state student ID numbers, genders, ethnicities, languages spoken, and more.
- Resolution: The NYC Department of Education sent letters to impacted families explaining what information was accessed and what steps they can take to rectify the situation. It is also reviewing its security measures and undergoing a security assessment by an independent company. Additional measures were put in place to meet legally required security standards.
2021 Data Breaches
Robinhood Financial Service Company
- When It Happened: Announced in early November 2021.
- Who It Affected: Approximately 7 million Robinhood customers, with a smaller subset having additional personal information revealed.
- What Was Compromised: Either full names or email addresses.
- Resolution: Robinhood users are urged to change their passwords as a preventative measure. This information, if exposed, could lead to other vulnerabilities putting personal information at risk.
- When It Happened: Announced in early October 2021.
- Who It Affected: The leak appears to have focused on Twitch’s company tools and information, vs the personal data of its 140 million users.
- What Was Compromised: Source code, creator payouts, and other company information were leaked. It is possible that user information such as passwords was also part of the breach.
- Resolution: Twitch users are urged to change their passwords as a preventative measure. This information, if exposed, could lead to other vulnerabilities putting personal information at risk.
- When It Happened: Announced on 30 September 2021; the data breach is believed to have taken place in May 2020.
- Who It Affected: 4.6 million Neiman Marcus customers.
- What Was Compromised: Names and contact information, payment card numbers and expiration dates, and virtual gift card numbers. Cyber thieves may have also stolen usernames, passwords, and security questions and answers associated with Neiman Marcus online accounts.
- Resolution: We recommend changing your credentials for any online account that is similar to those used for your Neiman Marcus account, if you have one.
- When It Happened: Announced in late January 2021. Some of the data leaked was as old as 2014.
- Who It Affected: Up to 1.8 million Bonobos customers who shopped directly with them (versus third-party retailers like Walmart or Jet).
- What Was Compromised: Names, telephone numbers, last four digits of credit card numbers, and account info.
- Resolution: No evidence of fraud was identified. Bonobos notified all customers via email about the breach and forced password resets for compromised accounts.
2020 Data Breaches
- When It Happened: Announced December 9, 2020, the data exposure took place April 9-November 12, 2020. A few high-profile accounts fell victim to hijackings in December 2020, and there was another attack in late November.
- Who It Affected: 380 user records were open and vulnerable.
- What Was Compromised: Passwords and login IDs. Other information with the chance of exposure includes email address, display name, gender, and birth date.
- Resolution: Spotify initiated rolling password resets and urged users to update passwords for other accounts tied to the service.
Expedia, Hotels.com & Booking.com
- When It Happened: Announced November 2020, the leak exposed data as far back as 2013.
- Who It Affected: More than 10 million hotel guests worldwide who booked through Expedia, Hotels.com, Booking.com, Agoda, Amadeus, Hotelbeds, Omnibees, Sabre, and more.
- What Was Compromised: Full names, email addresses, national ID numbers, credit card numbers, CVV numbers, phone numbers, and hotel guests’ reservation info (dates of stay, rates, and more).
- Resolution: Since Prestige Software (the company responsible for the reservation system) became aware of the incident, they have worked with their technical teams to assess the situation, adopt corrective measures, and ensure there are no future risks.
- When It Happened: Announced September 13, 2020, Staples learned of the breach around September 2, 2020.
- Who It Affected: Undisclosed number of customers.
- What Was Compromised: Customer names, addresses, emails, phone numbers, last four numbers of credit cards, and more.
- Resolution: The company assures there is no security threat, but concerned customers can call Staples and select option 3 to speak to a representative during business hours.
- When It Happened: The company did not disclose when the hack took place, but they announced it in late August 2020.
- Who It Affected: 3.77 million users.
- What Was Compromised: Emails and hashed passwords.
- Resolution: Freepik notified law enforcement and impacted users with emails on what to do, depending on what was compromised.
Instagram, TikTok, & YouTube
- When It Happened: Reported in late August 2020, the data scrape was discovered on August 1, 2020 (how long or when the exposure took place is currently unknown).
- Who It Affected: 235 million user profiles.
- What Was Compromised: Names, ages, genders, profile photos, and user data associated with their account (likes, engagement).
- Resolution: Social networks have implemented legal and technology solutions to prevent web scraping, but it’s not foolproof.
- When It Happened: It was discovered on June 12, 2020, and was leaking information for up to nine days. They announced the breach on July 28, 2020.
- Who It Affected: Up to 19 million records of customers and potential employees.
- What Was Compromised: Names, phone numbers, dates of birth, emails, home addresses, and GPS coordinates. No credit card information was likely affected.
- Resolution: Avon is continuing to investigate the extent of the breach.
- When It Happened: Promo.com became aware of the incident on July 21, 2020.
- Who It Affected: 22 million user records.
- What Was Compromised: Names, email addresses, IP addresses, genders, and encrypted, hashed passwords. No financial data was exposed (including credit card or billing information).
- Resolution: Promo.com has removed any third-party vulnerabilities and hired a cybersecurity firm to decrease the possibility of future breaches.
- When It Happened: On May 5, 2020, the database was breached. It was investigated in mid-May 2020 and announced in early June 2020.
- Who It Affected: Approximately 5 million customers of Minted, a digital marketplace for sending cards, announcements, and invitations.
- What Was Compromised: Customer names, email addresses, hashed passwords, phone numbers, billing and shipping address. There is no indication that credit card information, user’s photos, or address books were accessed.
- Resolution: All Minted customers are encouraged to reset their passwords regardless of their account impact. The company also set up a hotline to answer questions about the breach.
Bank Of America
- When It Happened: Took place April 22, 2020, and was announced on May 27, 2020.
- Who It Affected: A “small number” of Bank Of America’s 305,000 Paycheck Protection Program (PPP) applicants (Coronavirus Aid, Relief, and Economic Security Act’s business loan program).
- What Was Compromised: Business names, addresses, tax ID numbers, business owner’s addresses, phone numbers, email addresses, and citizenship status. There is no indication that the information was misused or that the data is visible to the public or other applicants.
- Resolution: Bank Of America (BOA) and the Small Business Administration (SBA) removed the exposed data from their databases and launched an investigation to find how the breach occurred. BOA is offering affected clients two years free access to Experian’s identity theft protection program.
- When It Happened: Discovered and announced in late May 2020.
- Who It Affected: 8 million customers (this is not all of their customers).
- What Was Compromised: Names, email addresses, phone numbers, scrambled passwords, mailing addresses and last four digits of credit cards.
- Resolution: Home Chef notified affected customers.
- When It Happened: Announced early May 2020, but the breach started in October 2019.
- Who It Affected: 24,000 of the 19 million GoDaddy users.
- What Was Compromised: Usernames and passwords.
- Resolution: GoDaddy has reset passwords for impacted customers to prevent further access.
Clubillion Casino/Gambling App
- When It Happened: It was discovered on March 19, 2020, and made public around April 5, 2020.
- Who It Affected: Up to 200 million records and up to 50 GB of data per day (10,000+ user accounts, mostly in the U.S.).
- What Was Compromised: User’s Personally Identifiable Information (PII), including IP and email addresses, private messages, amount won, and more.
- Resolution: iOS and Android users who downloaded the app should reset their account passwords and use software to block malware downloads to their devices.
- When It Happened: In April 2020, several security vulnerabilities were discovered in the popular video conferencing software.
- Who It Affected: Data from over 500,000 Zoom user accounts was sold on the dark web. There were also reports of Zoom “bombers” (uninvited meeting guests) and leaks of exposed (unencrypted) video recordings.
- What Was Compromised: Email addresses, passwords, personal meeting URLs, and more.
- Resolution: Announced on April 8, 2020, Zoom added several features to enhance security for hosts. These include a “security” icon in the meeting controls, offering the ability to lock participants or restrict screen sharing. By default, the service now requires meeting passwords and a Waiting Room function, preventing unwanted users from entering a meeting. Further, Zoom no longer displays the meeting ID on the title toolbar to avoid hacking.
- When It Happened: The breach happened between mid-January and February 2020 and was announced on March 31, 2020.
- Who It Affected: 5 million worldwide customers.
- What Was Compromised: Names, birth date, mailing address, email address, phone numbers, loyalty number and more.
- Resolution: Marriott sent notifications to impacted guests and disabled credentials. The company is also investigating with authorities.
- When It Happened: T-Mobile released a statement on March 5, 2020, but they did not say when the breach actually occurred.
- Who It Affected: T-Mobile employees’ email accounts (and some of its customers).
- What Was Compromised: Names, addresses, social security numbers, financial information, government identification numbers, phone numbers, billing and account information, rate plans and features.
- Resolution: T-Mobile has notified impacted customers and is offering them free credit monitoring and identity theft detection services via TransUnion. They are also encouraging all customers to update their personal identification numbers (PINs) on their accounts by dialing 611 from their T-Mobile phone.
- When It Happened: The hack took place in April 2019 and was made public March 4, 2020.
- Who It Affected: Online shoppers of J.Crew, J.Crew Factory and Madewell.
- What Was Compromised: Last four digits of credit card numbers stored in accounts, credit card expiration dates, card types, billing addresses, order numbers, shipping confirmation numbers and shipping status.
- Resolution: A notice of the data breach was sent to affected customers. The company disabled impacted accounts and asked those users to contact J.Crew customer care to reset their passwords.
Carnival Cruise Lines
- When It Happened: Between April 11 and July 23, 2019. Suspicious activity was detected in late May 2019, and the announcement occurred on March 4, 2020.
- Who It Affected: Employees and guests of Carnival Cruise Lines. We don’t know yet how many people were impacted, but the company employs around 100,000 people shipboard and has an estimated 325,000 daily passengers.
- What Was Compromised: Depending on the guest, hackers accessed customer names, addresses, social security numbers, government identification numbers (passport number or driver’s license number), credit card/financial data, and health-related information.
- Resolution: Upon identifying the threat, Carnival Corporation engaged with cybersecurity forensic experts and initiated an investigation to determine what happened, who was impacted, and what data was affected.
- When It Happened: The error was first discovered in January 2020, and it was reported to the public in late February 2020.
- Who It Affected: Users of Walgreens mobile app’s messaging feature. The exact number is unclear, but they believe it was a small percentage of customers.
- What Was Compromised: Health-related data, including names, prescription numbers, shipping addresses, and store numbers. No financial data was exposed.
- Resolution: Upon discovery, Walgreens temporarily disabled message viewing to prevent further exposure. They also implemented a technical correction that resolved the issue.
- When It Happened: The breach took place in the summer of 2019 and was made public on February 19, 2020. In the Summer of 2020, reports indicated that it was actually much worse than originally expected.
- Who It Affected: More than 10.6 million users who stayed at MGM Resort hotels, including celebrities, tech CEOs, reporters, government officials and other notable guests. Then in 2020, at least 30 million customers’ information was found on a hacker forum.
- What Was Compromised: Full names, home addresses, phone numbers, emails and dates of birth. No financial/payment information or password data.
- Resolution: The hotel chain notified all impacted guests and hired two cybersecurity firms to investigate.
2019 Data Breaches
- When It Happened: September 2019 and announced in December 2019.
- Who It Affected: 172-218 million users of the popular gaming developer (Words With Friends, Farmville, etc.).
- What Was Compromised: Email addresses, usernames and passwords.
- Resolution: None yet. But if you have played one of Zynga’s games on your phone or via Facebook, we recommend that you reset your user data with a unique and strong password.
- When It Happened: Between March 4 and April 22, 2019. The breach was discovered December 10th and announced on December 19, 2019.
- Who It Affected: The breach impacted 30 million customers and occurred at all of its 850+ locations.
- What Was Compromised: Credit and debit card numbers, expiration dates and cardholder names.
- Resolution: If you may have shopped at a Wawa during the breach, monitor your credit or debit card for any unusual activity. Wawa is also offering one year of free credit monitoring to those affected.
- When It Happened: A large, unprotected file of Facebook user data was discovered on a hacker forum on December 12th. On December 14th, Facebook contacted the database’s host ISP (internet service provider). They eliminated it from the site on December 19th.
- Who It Affected: 267 million Facebook users.
- What Was Compromised: Names, phone numbers, and user IDs.
- Resolution: None has been announced yet.
Update Your Facebook Privacy Settings
We recommend that social media users cultivate more control over how their profile information is shown to others by fine-tuning their account privacy settings.
- Go to “Settings and Privacy.”
- Then go to “Privacy Shortcuts” and click “See more privacy settings.”
- Set most (if not all) fields to Only me or Friends
- And select No under “Do you want search engines outside of Facebook to link to your profile.”
- When It Happened: It was discovered in early November 2019 and reported at the end of the same month. The company did not disclose the length of exposure time.
- Who It Affected: 1 million pre-paid customer records (less than 1% of their 75 million users).
- What Was Compromised: User names, billing addresses, phone numbers, account numbers and plan information. No financial information, social security numbers or passwords were exposed.
- Resolution: Nothing has been shared yet about how the company will resolve the matter.
- When It Happened: Web.com, the parent company to Network Solutions and Register.com, says they became aware of the breach on October 16, 2019, but the break took place in late August 2019.
- Who It Affected: Roughly 2.2 million customer records.
- What Was Compromised: Names, email addresses, phone numbers and services used by the customer.
- Resolution: The incident was reported to law enforcement, and an outside security agency will contact impacted customers. All users are encouraged to change their passwords.
- When It Happened: CenturyLink first learned about the breach on September 15, 2019, but didn’t announce it until late October 2019. The breach happened over 10 months.
- Who It Affected: 2.8 million customer records.
- What Was Compromised: Names, email addresses, phone numbers, physical addresses, CenturyLink account numbers, notification logs and conversation logs.
- Resolution: The company says they are conducting a thorough investigation of the incident and are communicating with customers (our own team member who is also a customer received their email).
- When It Happened: Announced in late-September 2019.
- Who It Affected: 4.9 users and merchants who joined on or before April 5, 2018.
- What Was Compromised: Profile information including names, emails, delivery address, order history, phone number and hashed passwords. Some credit card info (last four digits only).
- Resolution: The company says they’ve added additional security layers around their data, improved security protocols and brought in outside expertise to help prevent future threats. They also encourage users to reset their passwords.
- When It Happened: August 2019.
- Who It Affected: Have not disclosed how many people were impacted.
- What Was Compromised: State Farm usernames and passwords (from another company’s data breach) were used to gain access to accounts.
- Resolution: The company has reset passwords for accounts whose login credentials were compromised.
- When It Happened: August 2019.
- Who It Affected: Did not disclose, but they have more than 50 million users.
- What Was Compromised: Names, usernames, genders, city data, email addresses, size preferences and scrambled passwords.
- Resolution: The company retained outside forensics to investigate and rolled out enhanced security measures.
- When It Happened: Between February and August 2019.
- Who It Affected: Over 23.2 million accounts were exposed.
- What Was Compromised: Email addresses, phone numbers and hashed passwords.
- Resolution: The company has sent out password resets and updated its password policy.
Capital One Financial Corporation
- When It Happened: Between March 22-23, 2019, and includes data from as far back as 2005. Announced July 29, 2019.
- Who It Affected: 100 million Capital One customers and credit card applicants.
- What Was Compromised: 140,000 Social Security numbers, 1 million Canadian Social Insurance numbers, 80,000 bank account numbers, people’s full names, addresses, phone numbers, birth dates, email, income, credit scores and more.
- Resolution: The company has fixed the vulnerability and is investigating the incident. Capital One will notify people affected by the breach and will offer free credit monitoring and identity protection.
- Additional Notes: Although the records were exposed, Capital One says it’s “unlikely that the information was used for fraud or disseminated by this individual.”
- When It Happened: Between August 1, 2018 and March 30, 2019.
- Who It Affected: 11.9 million patients.
- What Was Compromised: Certain medical and financial information and social security numbers.
- Resolution: Patients were notified and an investigation was opened to look into what happened.
- When It Happened: Between May 2018 and March 2019.
- Who It Affected: 100 locations of their restaurants including Buca di Beppo, Planet Hollywood, Earl of Sandwich, Chicken Guy!, Mixology, and Tequila Taqueria. Online orders were not impacted.
- What Was Compromised: It’s reported that more than 2 million credit cards were compromised and being sold on the dark web.
- Resolution: The company launched a website for customers to check if the location they visited was impacted (update: that website is no longer accessible).
- Earl Enterprises Brands:
- Asian Street Eats By Chef Hung Huynh
- Bertucci’s Italian Restaurant
- Bravo! Italian Kitchen
- The Breakfast Club
- Brio Italian Grille
- Buca Di Beppo Italian Restaurant
- Cafe Hollywood
- Chicken Guy!
- Earl Of Sandwich
- Planet Hollywood
- Rock & Reilly’s
- Seaside On The Pier
FEMA (Federal Emergency Management Agency)
- When It Happened: On March 22, 2019, the Federal Emergency Management Agency (FEMA) acknowledged that they improperly handled Personally Identifiable Information (PII) with an outside contractor who manages their Transitional Sheltering Assistance Program.
- Who It Affected: 2.5 million natural disaster survivors.
- What Was Compromised: 1.8 million victims’ banking information and personal addresses were revealed, and about 725,000 people had just their addresses shared.
- Resolution: The Inspector General report told FEMA it needed to take measures to ensure data won’t be shared again with contractors and that the shared data is promptly destroyed.
- When It Happened: Already exposed 50 million accounts in 2018. Then, in March 2019, Facebook admitted yet another security incident.
- Who It Affected: Estimated 200 to 600 million users.
- What Was Compromised: Passwords (that Facebook improperly stored on its servers).
- Resolution: Facebook notified affected users.
Pro Tip: We suggest all users learn how to create a secure password and add two-factor authentication.
2018 Data Breaches
- When It Happened: The company announcement came on December 4, 2018. Quora discovered the breach on November 30, 2018.
- Who It Affected: Approximately 100 million of its 300 million users.
- What Was Compromised: Names, email addresses, encrypted passwords and public content (questions, answers and comments). No sensitive data (credit card, SSN) is collected on the site.
- Resolution: Quora is alerting affected users to update their passwords, working rapidly to investigate the situation and taking appropriate steps to prevent future incidents.
Marriott / Starwood
- When It Happened: On or before September 10, 2018. Announcement did not happen until November 30, 2018.
- Who It Affected: As many as 500 million guests from Marriott International hotel properties (Sheraton, Westin, W Hotels, St. Regis, Four Points, Aloft, Meridien, Tribute, Design Hotels, Elements and the Luxury Collection). Breached data may go back to 2014.
- What Was Compromised: Names, addresses, dates of birth, passport numbers, email addresses, phone numbers, encrypted credit-cards.
- Resolution: Marriott has a dedicated website and call center to deal with questions and has notified legal and regulatory authorities. The company is also attempting to reach out to affected customers and offer them one year of free web watcher service that monitors sites where hackers swap and sell stolen personal information.
- When It Happened: Between October 4-14, 2018.
- Who It Affected: Fewer than 1% of the firms’ U.S. clients.
- What Was Compromised: Full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history.
- Resolution: HSBC sent notifications to those who were compromised and offered them one year of free credit monitoring and identity theft protection.
- When It Happened: September 28, 2018, Facebook announced it learned of an attack on its computer network.
- Who It Affected: Facebook first reported that 50 million of its users were impacted but later reduced the number to 30 million.
- What Was Compromised: Hackers took over users’ accounts, gaining access to their names, email addresses and phone numbers.
- Resolution: Facebook fixed the vulnerability and notified law enforcement officials. They also logged 90 million users out of their accounts, forcing them to log back in and reset their passwords.
Since Facebook owns Instagram and WhatsApp, we recommend you change your password for these services as well.
- When It Happened: In the Summer of 2018, Macy’s informed customers of a two-month data breach that happened between April 26th and June 12th.
- Who It Affected: Online customers of Macys.com and Bloomingdales.com (they didn’t specify how many but said it was a “small number of customers.”).
- What Was Compromised: Login details, including usernames and passwords which could mean full names, addresses, birthday, phone numbers, email address and credit card numbers and expiration (no security codes were stored).
- Resolution: Macy’s has contacted and is providing consumer protection services for customers who were potentially impacted.
- When It Happened: On June 28, 2018, Adidas says it became aware of a potential security breach that happened on June 26th.
- Who It Affected: A “few million” consumers.
- What Was Compromised: Names, usernames and encrypted password (no credit card or fitness information).
- Resolution: Began taking steps to alert relevant consumers and is working with data firms and law enforcement to investigate the issue.
- When It Happened: On May 11, 2018, Chili’s parent company Brinker learned about a data breach which happened between March and April 2018.
- Who It Affected: Customers who dined in certain restaurants (as of May they haven’t identified which of their 1,600 locations or how many people it affected).
- What Was Compromised: Credit card information and names from payment systems.
- Resolution: They are working with law enforcement officials to investigate the issue. The company also said they are working to provide credit monitoring services for customers who may have had their data stolen.
- When It Happened: On April 3, 2018, it was reported that customer information may have been compromised on Panera Bread’s website for 8 months.
- Who It Affected: 37 million customers who signed up to order food via PaneraBread.com.
- What Was Compromised: Names, email addresses, phone numbers, physical addresses, birthdays, ordering habits, food preferences, last four digits of payment card numbers.
- Resolution: The data has been removed from Panera’s website.
Saks And Lord & Taylor
- When It Happened: Saks Fifth Avenue became aware of a security issue on April 1, 2018.
- Who It Affected: More than 5 million Saks Fifth Avenue and Lord & Taylor customers in North America.
- What Was Compromised: Hackers staged an attack to steal debit and credit card information but it is not confirmed if such a breach took place.
- Resolution: The company has looked into and taken steps to contain the issue and believes there is no risk to shoppers.
MyFitnessPal App By Under Armour
- When It Happened: Under Armour was notified on March 25, 2018, that the breach took place during February of 2018.
- Who It Affected: Approximately 150 million user accounts.
- What Was Compromised: Usernames, email addresses, and passwords, with the hashing function called bcrypt used to secure the passwords.
- Resolution: Under Armour is requiring all MyFitnessPal users to change their password and update any accounts which use similar passwords to the app. They are also encouraging users to monitor suspicious activity and are working with law enforcement officials and a data security firm to investigate the breach.
2017 Data Breaches
- When It Happened: July 2017.
- Who It Affected: 6 million confirmed, but could be as many as 14 million Verizon subscribers.
- What Was Compromised: Log files that were generated when Verizon customers called customer support. Each file includes the customer’s name, email address, phone number and PIN associated with their account. With this information, some experts say that online accounts could be logged into, allowing access to phones and social media accounts.
- Resolution: Verizon customers were encouraged to change their passwords immediately and be aware of any phishing emails or scammy phone calls requesting personal information to verify identity (like zip code).
- When It Happened: Mid-May to July 2017, caught by Equifax on July 29, 2017, and announced to the public on September 7, 2017.
- Who It Affected: Around 147 million Americans and some Canadians. (March 1, 2018, they announced that an additional 2.4 million Americans were impacted).
- What Was Compromised: Social Security numbers, birth dates, addresses, email addresses and some driver’s license and credit card numbers.
- Resolution: They set up a website for users to check if they were impacted and are working with an independent cybersecurity firm to conduct an assessment and provide recommendations on preventing future hacks.
- When It Happened: Late 2016, announced fall 2017 (Uber executives knew about the breach for over a year and paid $100,000 in ransom to keep it secret from the public).
- Who It Affected: 57 million rider and driver accounts.
- What Was Compromised: The names and driver’s license numbers of around 600,000 drivers in the United States and other personal information including email addresses, names and mobile phone numbers of riders and drivers around the world. They do not believe that social security numbers, credit card or bank info or dates of birth were compromised.
- Resolution: According to Uber’s website, they do not feel that further action is needed since there has been no fraud or misuse tied to the incident. They are continuing to monitor the situation and encourage users to change passwords and report any unusual activity. But in 2018 it was reported that they will pay $148 million to settle claims.
2016 Data Breaches
Democratic National Committee (DNC)
In June 2016, the Democratic National Committee’s (DNC) entire database was hacked by the Russian government. The hackers gained access to the DNC’s computer network which gave them access to the research database for the Republican presidential candidate, Donald Trump. However, according to the DNC no financial, donor or personal information appears to have been stolen. The breach was purely for espionage and consumer data is at risk.
2015 Data Breaches
- When It Happened: Between Sept. 1, 2013 and Sept. 16, 2015 and again in 2018.
- Who It Affected: Potentially exposed personal information of 15 million customers and potential customers (the 2018 breach was approximately 2.3 million customers).
- What Was Compromised: Social Security numbers and birthdays of those who might have applied for T-Mobile cell service.
- Resolution: Two years of free credit monitoring and identity protection.
- When It Happened: July 2015
- Who It Affected: Users of Ashley Madison, a commercial website that enables extramarital affairs.
- What Was Compromised: Hackers obtained 60 gigabytes of personal information and threatened to publicly share the names of users unless Ashley Madison agreed to shut down its site.
- Resolution: Those users whose details were exposed are filing a $567 million class-action lawsuit against the parent company of Ashley Madison.
Office Of Personnel Management
- When It Happened: April – June 2015
- Who It Affected: 21.5 million federal employees.
- What Was Compromised: Social Security numbers, names, dates and places of birth, email addresses, mailing addresses as well as security clearance info.
- Resolution: Employees and dependent minor children who were under the age of 18 as of July 1, 2015 were offered credit and identity monitoring, identity theft insurance, and identity restoration services for the next three years through ID Experts.
Are you a federal employee? Get more info on OPM’s Cybersecurity.
Anthem Health Insurance
- When It Happened: February 2015.
- Who It Affected: Originally reported that it was as many as 37.5 million insurance customers but later raised the number to 78.8 million people.
- What Was Compromised: Records including Social Security numbers, birthdays, email addresses and physical addresses.
- Resolution: AllClear ID identity protection for two years at no cost to customers and in 2018 they reached an agreement with regulators to pay out $16 million to the Department of Health and Human Services.
2014 Data Breaches
- When It Happened: 2013 and again in late 2014 (both announced in 2016).
- Who It Affected: 3 billion in 2013 and 500 million user accounts in 2014.
- What Was Compromised: Names, email addresses, telephone numbers, dates of birth, user names, hashed passwords and encrypted or unencrypted security questions and answers.
- Resolution: Encouraged customers to update passwords and security questions and in 2018 it was reported they would pay $50 million in damages as part of the settlement. If you think your Yahoo account was part of the breach, you can visit their settlement site to file a claim.
- When It Happened: September 2014.
- Who It Affected: 83 million accounts, 76 million households, 7 million small businesses.
- What Was Compromised: Email and postal addresses, names and phone numbers of account holders.
- Resolution: JPMorgan says it spends $250 million a year on online security and intends to double that amount.
- When It Happened: April 2014 – September 2014.
- Who It Affected: 56 million customers.
- What Was Compromised: Credit card information and names.
- Resolution: Offered the affected customers a free year of identity theft protection from AllClear ID. In 2017 the retailer agreed to pay $25 million for damages they incurred as a result of the breach.
- When It Happened: Late 2013 and early 2014, announced in October 2015 and again in 2017.
- Who It Affected: 4.6 million customers (and another 20,000 customers in 2017).
- What Was Compromised: Names and street addresses (possibly Social Security numbers, email addresses and other sensitive data). The smaller breach in 2017 exposed credit profiles including SSN, names, addresses, phone numbers and more.
- Resolution: Offered customers identity theft protection services.
2013 Data Breaches
- When It Happened: November to December 2013.
- Who It Affected: About 40 million customers’ credit and debit card information and 70 million customers’ email and addresses.
- What Was Compromised: Credit/debit card information, names, addresses, phone numbers and email addresses.
- Resolution: Customers who shopped during that time were offered a free year of Protect My ID. In 2017 Target agreed to pay a bulk settlement of $18.5 million to be distributed among 47 state governments and Washington, D.C.
- When It Happened: Announced in October 2013.
- Who It Affected: At least 38 million Adobe users.
- What Was Compromised: Credit/debit card records stolen, users’ Adobe IDs and encrypted passwords.
- Resolution: Notified users to change passwords and offered a year’s worth of credit monitoring to customers whose encrypted credit card data was stolen in the breach.
- When It Happened: Between July 16 and October 30, 2013 but the investigation is ongoing.
- Who It Affected: Originally reported as the credit card info of 1.1 million Neiman-Marcus customers in 77 stores nationwide, but the number has since been reduced to roughly 370,000 credit cards.
- What Was Compromised: Credit/debit card information.
- Resolution: Customers affected received one free year of credit monitoring. In January 2019 it was announced that Neiman Marcus will pay $1.5 million to 43 states in a settlement over the breach.
Important Update For COVID-19
In April 2020, the Treasury Department announced automatic economic payments to taxpayers as part of the stimulus bill for Coronavirus (COVID-19) relief. The Internal Revenue Service (IRS) is urging Americans to stay on the lookout for phishing scams related to these distributions.
Phrases like “stimulus check” or “stimulus payment” are warning flags (the correct phrase is “economic impact payment”). Also, the IRS will not be calling to verify financial information. Visit the official economic impact payment page on IRS.gov to find out if you are eligible and how your funds will be sent to you (via direct deposit or check). And if you suspect potential fraud, report it to the Federal Trade Commission (FTC) on their fraud report website.
Since 2012, we’ve monitored security breach breaking news and tracked those having the biggest impact on Americans. Remember the big Target breach from 2013? That seems like ages ago, with 10,000+ violations in the U.S. since January 2018 alone, resulting in 10.7 billion exposed records [1]. That makes Target’s 40-70 million affected customers seem like peanuts in comparison.
Data breaches are expected to continue increasing in 2023.
Where Are Most Data Breaches Happening In The U.S.?
Ironically, California, home to Silicon Valley, suffers the worst magnitude and frequency of breaches (double the next hardest-hit states: New York, Texas, and Florida). On the flip side, the Dakotas, Wyoming, and West Virginia remain relatively in the clear with the fewest breaches (under 30 total) [1].
How Can I Find Out If I’ve Been Compromised?
Enter your email or phone number at www.haveibeenpwned.com to find out if they’ve been exposed in a leak. And learn what you can do to protect yourself from future breaches in our Don’t Be A Victim of Cybercrime: What You Need To Know article.
Sources: [1] Comparitech