The 10 biggest data hacks of the decade

Since 2010, data breaches have exposed over 38 billion records, according to the cybersecurity firm Risk Based Security.

That sounds like a lot — and it is. Consider this: There are roughly 327 million Americans, according to the latest Census estimate. That means the average person has had 116 of their accounts compromised over the past decade.

Overall, Risk Based Security tells CNBC Make It that there have been at least 40,650 data hacks since the beginning of 2010. And while many were smaller data breaches, there were a few mega hacks that will likely remain records for years to come.

The Identity Theft Resource Center provided CNBC Make It with a ranking of the biggest data breaches announced since 2010, based on the number of accounts compromised. ITRC ranked only breaches for which it could confirm the number of records affected.

Several companies, such as 7-Eleven, WhatsApp and Fortnite, reported security flaws in the past year that could have exposed millions of customers' data, but the extent of the accessed data was not reported.

Here's a look at the data hacks that will go down in history as the biggest of the past decade.

10. Under Armour (MyFitnessPal)

  • Number of records hacked: 143.6 million
  • Announced: March 2018

Fitness clothing company Under Armour announced in March 2018 that hackers had accessed the backend database for its popular diet and fitness app MyFitnessPal. Hackers were able to retrieve usernames, email addresses and hashed passwords. Hashed passwords are encrypted, so they must be cracked before they can be used.

9. Equifax

  • Number of records hacked: 147 million
  • Announced: September 2017

The Equifax data breach was one of the largest in history. The company announced the data breach in September 2017, eventually reporting that 147 million consumers were affected, about 56% of Americans. Hackers were able to get access to people's names, Social Security numbers, dates of birth, credit card numbers and even driver's license numbers.

During the investigation into the breach, Equifax admitted the company was informed in March that hackers could exploit a vulnerability in its system, but failed to install the necessary patches.

In July, Equifax agreed to pay $700 million to settle federal and state investigations into how it handled the massive data breach. A spokesperson from Equifax said at the time of the settlement that data from the 2017 breach had yet to be discovered for sale on the dark web.

8. Dubsmash

  • Number of records hacked: 161.5 million
  • Announced: February 2019

In February, video messaging app Dubsmash announced that hackers nabbed nearly 162 million users' account holder names, email addresses and hashed passwords.

The breach actually occurred in December 2018, but cyber thieves posted that the data was for sale on the dark web in February. It was part of a data dump that included over 600 million accounts from 16 hacked websites.

7. Republican National Committee (Deep Root Analytics)

  • Number of records hacked: 198 million
  • Announced: June 2017

Independent cyber experts found voter information for 198 million Americans on a publicly accessible server in June 2017. It turned out that the Republican National Committee had hired conservative marketing firm Deep Root Analytics, which failed to keep voter information secure.

Deep Root's cloud server was publicly accessible for about 12 days and contained personal information on voters, including home addresses, birthdays, phone numbers and opinions on political issues.

6. Zynga

  • Number of records hacked: 218 million
  • Announced: September 2019

Mobile game producer Zynga announced in October that a hacker had accessed account log-in information on Sept. 12 for customers who play the popular "Draw Something" and "Words with Friends" games.

In addition to the log-in credentials, the hacker accessed usernames, email addresses, log-in IDs, some Facebook IDs, some phone numbers and Zynga account IDs of about 218 million customers who installed iOS and Android versions of the games before Sept. 2, 2019.

5. Exactis

  • Number of records hacked: 340 million
  • Announced: June 2018

Most Americans had not heard of the marketing and data aggregation firm Exactis before June 2018, but the company had quietly built a database consisting of personal information on hundreds of millions of Americans and businesses.

But that database was built on an unsecured server, a flaw security researcher Vinny Troia discovered in early June 2018. Exactis exposed about two terabytes' worth of data that included email addresses, home addresses, phone numbers and other personal information such as hobbies and information on any children in the household.

4. Marriott (Starwood)

  • Number of records hacked: 383 million
  • Announced: November 2018

The names, addresses, contact information and passport numbers of over 300 million people who stayed at a Starwood hotel property were accessed in a major data hack, Marriott hotels reported in November 2018. Marriott acquired the Starwood hotel chain in 2016.

Marriott's data team confirmed that the Starwood guest reservation database — which contains up to 500 million accounts — had been compromised, and the hacking may have been ongoing since 2014.

3. Veeam

  • Number of records hacked: 445 million
  • Announced: September 2018

It's not good when a data management firm makes news for mishandling customer data. But that's exactly what happened to Switzerland-based Veeam. The company said in a statement that one of its "marketing databases was mistakenly left visible to unauthorized third parties."

Due to "human error," about 445 million records containing names, emails and IP addresses in the database were visible for about 10 days. But Veeam said many of those records were duplicates and only about 4.5 million unique email addresses ended up exposed.

2. River City Media

  • Number of records hacked: 1.37 billion
  • Announced: March 2017

An email marketing company, River City Media, made headlines in 2017 for leaking 1.4 billion records. The company improperly configured a backup that accidentally placed the entire database online, which contained details like IP addresses, names and even physical addresses.

Chris Vickery, a MacKeeper security researcher, said at the time of the data breach discovery that River City Media was able to gather the information through a spam operation that involved sending emails promising "credit checks, education opportunities and sweepstakes."

1. Yahoo!

  • Number of records hacked: up to 3 billion
  • Announced: September and December 2016

Currently, the title for the largest data breach in history goes to Yahoo. The company — which Verizon announced plans to acquire in July 2016 — disclosed it was the victim of multiple major hacks over the years that exposed the names, email addresses, telephone numbers and dates of birth of over a billion people who used Yahoo.

Yahoo told the public in September 2016 it had experienced a breach in 2014 that affected at least 500 million accounts. It followed that announcement up with another in December of that same year that detailed a 2013 attack on its network that exposed at least one billion user accounts.

After the sale of Yahoo closed in 2017, Verizon noted that the 2013 attack affected all three billion of Yahoo's users. Yahoo eventually agreed to pay $117.5 million to settle a class-action lawsuit in April 2019 over how it handled communications around the hacks.
