10 Biggest Data Breaches in the USA [2025]

Data breaches in the United States have increased in the past few years, becoming a critical concern for organizations, individuals, and governmental bodies alike. The number of reported incidents reached 3,158 in 2024 alone, impacting over 1.35 billion people. This is an alarming increase from 2021 considering only 1,862 breaches were recorded in that year. Industries such as financial services, healthcare, and professional services have been particularly hit hard, highlighting their vulnerability and attractiveness to cybercriminals. Healthcare breaches, in particular, have proven notably severe and persistent. In 2023, a staggering 725 healthcare-related data breaches exposed more than 133 million records, with the largest incident alone affecting 11.3 million individuals. By April 2024, just 54 healthcare breaches managed to impact over 15 million patients.

In this blog, we analyse the ten most significant data breaches in U.S. history, uncovering how they occurred, their impacts, and the lessons organizations must learn to safeguard against future threats.

Having the largest economy in the world, the USA is an attractive target for cyber criminals because of a few distinct criteria that are given:

The U.S. stands as the world’s largest economy and a global hub for sectors including technology, finance, healthcare, and retail, each generating and storing enormous amounts of sensitive data. Such vast data repositories represent lucrative targets for attackers seeking financial gain, valuable intellectual property, or personal information for identity theft and fraud.

As a global economic powerhouse, the U.S. hosts many Fortune 500 companies, multinational corporations, and critical government agencies that are responsible for infrastructure and national security. These organizations manage extensive databases containing sensitive customer, employee, and operational data. The critical nature of this information increase both the likelihood and severity of breaches, amplifying the potential damage inflicted by cyber incidents.

The fragmented regulatory landscape across U.S. states and industries creates inconsistent cybersecurity standards, resulting in potential gaps in data protection and enforcement. Compared to countries with uniform and stringent cybersecurity regulations, this patchwork approach lowers the barriers for cybercriminals, making it easier for them to identify and exploit vulnerabilities.

Collectively, these factors position the U.S. as an especially vulnerable and attractive environment for cyber threats, necessitating proactive cybersecurity measures.

In the following, you find a list of the largest data breaches in the USA. The data breaches are sorted by the number of impacted accounts in descending order.

In a series of cyberattacks between 2013 and 2016, Yahoo suffered what remains the largest data breach in US history, compromising around 3 billion user accounts. The stolen information included names, email addresses, phone numbers, dates of birth, hashed passwords (using MD5, considered insecure), and unencrypted security questions and answers. The breach was linked to state-sponsored actors, with suspicions pointing toward Russian operatives.

The impact was big: Yahoo’s reputation suffered severe damage, and its pending acquisition by Verizon in 2017 was discounted by $350 million as a direct consequence. Criticism centered around Yahoo’s delayed public disclosure and outdated security practices, particularly the use of weak password hashing algorithms and failure to encrypt critical security data properly.

Prevention methods:

• Use stronger encryption standards like bcrypt for passwords and sensitive information
• Establish rapid breach notification protocols
• Employ multi-factor authentication (i.e passkeys) to mitigate the impact of credential theft

In March 2024, National Public Data (NPD), a major data broker, experienced one of the largest breaches in US history, exposing sensitive information on approximately 1.3 billion individuals. A misconfigured database allowed unauthorized access to highly detailed personal records, including full names, physical addresses, dates of birth, social security numbers, phone numbers, and email addresses. The breach resulted in nearly 2.9 billion data records being compromised overall.

The exposed data posed severe risks of identity theft and fraud, leading to the collapse of NPD’s operations within months. Investigations revealed the company lacked fundamental security measures such as proper database access controls and regular vulnerability assessments. The event reignited public debate over the regulation and oversight of data brokers handling massive volumes of personal information without sufficient security obligations.

Prevention methods:

• Implement strict access controls and authentication mechanisms for sensitive databases
• Regularly audit and test systems for vulnerabilities and misconfigurations
• Encrypt personal information at rest and in transit to minimize exposure risk

In September 2023, the Real Estate Wealth Network (REWN), a property data aggregator, suffered a massive breach due to an unsecured database left exposed to the internet without authentication. Approximately 1.5 billion data records were accessed, including names, home addresses, ownership records, phone numbers, and sensitive property-related details, involving well-known public figures and celebrities.

The breach attracted significant media attention because of the exposure of high-profile individuals’ real estate holdings, raising concerns about personal safety and targeted attacks. Experts criticized REWN for failing to implement basic cybersecurity protocols, such as database authentication, encryption, and access logging.

Prevention methods:

• Require authentication for all databases, even those containing publicly sourced data
• Perform regular penetration testing and security audits
• Monitor exposed assets continuously to detect misconfigurations early

In 2019, cybercriminals exploited Facebook’s contact importer feature to scrape the personal information of approximately 533 million users across 106 countries. Although Facebook initially restricted mass data scraping later that year, the compiled dataset resurfaced publicly in April 2021 when it was posted on a hacking forum for free access.

Unlike a traditional breach where attackers directly access internal systems, this incident involved mass-automated data harvesting using available platform functionalities. The leaked dataset included names, phone numbers, email addresses, and location information, creating serious risks for phishing, SIM-swapping attacks, and other forms of identity exploitation. Facebook faced widespread criticism for underestimating the implications of scraped data and for its slow response to the disclosure.

Prevention methods:

• Limit data exposure through stricter API and feature access controls
• Monitor for unusual scraping behavior using automated detection tools
• Proactively notify users and regulators when large-scale data scraping occurs

In June 2021, LinkedIn experienced a major data scraping incident, exposing information from around 700 million users (roughly 92% of its user base at the time). Attackers exploited the LinkedIn API to systematically collect public profile information, including names, emails, phone numbers, geolocation data, and professional histories. The scraped dataset was later posted for sale on a dark web forum.

While LinkedIn asserted that no private data was breached and that the information was publicly viewable, cybersecurity experts emphasized that the volume and aggregation of data still had significant risks for targeted phishing, social engineering, and identity theft. The incident highlighted the blurred line between scraping “public” data and serious privacy violations when aggregated at scale.

Prevention methods:

• Implement rate limiting and CAPTCHA protections on APIs to deter automated scraping
• Enhance anomaly detection systems to identify large-scale data harvesting
• Educate users about limiting publicly visible information on their profiles

In June 2018, Exactis, a US-based data aggregation and marketing company, inadvertently exposed a database containing approximately 340 million individual and business records. The breach was discovered by a security researcher who found the database accessible online without any password protection. The exposed data included names, home addresses, phone numbers, email addresses, and highly detailed personal attributes such as interests, habits, and financial information.

Although there was no confirmation that malicious actors accessed the data before it was secured, the breadth and granularity of the leaked information posed high risks for identity theft, phishing, and other targeted attacks. The incident drew attention to the largely unregulated practices of data brokers and fueled calls for stronger data privacy legislation in the United States.

Prevention methods:

• Always require authentication for database access
• Limit the amount of sensitive personal information collected and stored
• Conduct regular audits and security reviews to ensure proper data protection measures are in place

In May 2019, First American Financial Corporation, one of the largest providers of title insurance and settlement services in the United States, exposed approximately 885 million sensitive records through a website vulnerability. Due to improper access control, anyone with a valid URL link to a document could view other unrelated documents simply by modifying digits in the URL, without authentication.

The leaked documents included critical financial and personal information, such as Social Security Numbers, bank account details, mortgage records, and tax documents, putting customers at significant risk of fraud and identity theft. The breach was particularly alarming given the highly sensitive nature of real estate transaction records, and it underscored major gaps in web application security practices across the financial sector.

Prevention methods:

• Implement robust access controls and authentication checks for document repositories
• Conduct thorough security testing (e.g., penetration tests) before deploying applications publicly
• Monitor and audit application access patterns to detect abnormal behavior early

In May 2024, Ticketmaster, one of the world’s largest ticketing companies, suffered a massive data breach affecting around 560 million customers globally, with a significant proportion based in the United States. Attackers reportedly gained unauthorized access via a compromised third-party cloud storage environment, exposing customer names, home and email addresses, phone numbers, and, in some instances, partial payment card details.

The breach reignited concerns about third-party vendor risks and cloud security, especially for large-scale consumer platforms handling financial transactions. It also raised questions about the company’s compliance with modern data protection standards such as PCI DSS and GDPR. Ticketmaster faced multiple class-action lawsuits and regulatory investigations following the incident.

Prevention methods:

• Strengthen vendor risk management and audit third-party providers regularly
• Encrypt all stored customer information, especially payment-related data
• Implement zero-trust access models for cloud environments to limit attack surface

In May 2016, a hacker known as “Peace” listed a large amount of MySpace user data for sale on the dark web, comprising approximately 427 million accounts. Although the data appeared to originate from a breach that took place in or before 2013, it wasn’t discovered until years later. The exposed records included usernames, email addresses, and passwords that were weakly protected with unsalted SHA-1 hashing, making them highly vulnerable to cracking.

Although MySpace had already declined in popularity by the time the breach surfaced, the incident still posed risks because many users recycled passwords across multiple platforms. As a result, credentials from the MySpace breach could be used for credential stuffing attacks on other services. The event underscored the critical need for strong password hashing practices and timely breach detection.

Prevention methods:

• Use modern, secure password hashing algorithms like bcrypt or Argon2
• Regularly rotate cryptographic practices and migrate away from outdated algorithms
• Monitor for credential leaks and alert users to reset passwords promptly after breaches

In 2014, JPMorgan Chase disclosed one of the most significant breaches ever to hit the US financial sector, affecting approximately 76 million households and 7 million small businesses. Attackers gained access through a compromised employee account, exploiting weaknesses in the bank’s network infrastructure. Although no financial information such as account numbers, passwords, or Social Security Numbers was stolen, the attackers did obtain names, addresses, email addresses, and phone numbers.

The breach drew major attention due to the bank’s critical role in the US economy and raised alarms across the financial services industry regarding cybersecurity readiness. It led to heightened regulatory scrutiny and prompted many financial institutions to reevaluate their cybersecurity frameworks, especially concerning employee account protections and network segmentation.

Prevention methods:

• Enforce multi-factor authentication (MFA) for all internal and external accounts
• Implement robust network segmentation to limit lateral movement in case of compromise
• Regularly test and update security protocols for employee access management

After looking at the biggest data breaches that happened in USA up to 2025, we notice a few observations that reoccur across these breaches:

A common thread across many of the largest data breaches is that they were not the result of highly sophisticated attacks but rather of basic misconfigurations and overlooked vulnerabilities. Open databases without password protection, weak access controls, and improperly secured APIs repeatedly allowed attackers easy entry. In cases like the National Public Data and Real Estate Wealth Network breaches, simply scanning the internet for unsecured systems was enough to gain access to billions of records. This highlights that investing in basic cybersecurity hygiene, such as access controls, proper encryption, and system hardening, would have prevented many of these incidents.

Another notable trend is the consistent targeting and exposure of sensitive personal information. Across virtually all breaches, data sets included names, addresses, dates of birth, email addresses, phone numbers, and, in the most damaging cases, Social Security Numbers. The breadth of exposed personal details dramatically increases the risk of identity theft, phishing attacks, and financial fraud. Organizations, even those outside of regulated industries like finance or healthcare, need to treat any collection of personal data with the highest security standards because its value to attackers remains consistently high.

Poor password management practices and outdated cryptographic protections further worsened the consequences of several breaches. In incidents such as Yahoo and MySpace, passwords were either stored using weak hashing algorithms like MD5 and SHA-1 or were not sufficiently salted, making them easily crackable once stolen. This significantly expanded the impact by enabling attackers to reuse passwords across other services through credential stuffing. E when passwords are stolen, robust encryption methods and modern cryptographic standards can greatly limit the downstream risk to users and companies.

An important evolution in breach tactics is the growing reliance on API exploitation and data scraping instead of traditional hacking techniques. Breaches like LinkedIn and Facebook demonstrated that attackers increasingly take advantage of poorly secured APIs or public-facing features to harvest large volumes of user data. While companies often downplay scraping by pointing to the public nature of the data, the aggregation and combination of scraped information can create powerful, dangerous databases. This trend emphasizes the need for organizations to apply strict rate limiting, monitoring, and authentication controls on all APIs and public interfaces, treating them with the same rigor as back-end systems.

The largest data breaches in US history reveal a clear and consistent pattern: most incidents were preventable. Rather than being the result of highly advanced cyberattacks, many breaches stemmed from basic errors: unsecured databases, outdated cryptographic standards, insufficient API protections, and underestimation of the value of personal information. These failures allowed attackers to access massive volumes of sensitive data with relative ease, exposing individuals to risks like identity theft, financial fraud, and targeted attacks.

For organizations of all sizes and industries, the lessons that cybersecurity fundamentals cannot be neglected are clear. Securing personal data requires not only strong technical measures but also a proactive approach to system configuration, cryptographic standards, vendor risk management, and breach detection. As the amount of data collected grows exponentially, so does the responsibility to protect it