27 Biggest Data Breaches, Hacks, and Exposures of 2022

As more businesses perform their operations online, there has been an upsurge in cybersecurity breaches. As a result, firms must guard against missteps that could lead to data theft.  We’ve compiled a list of the 27 biggest data breaches of 2022 to assist organizations in understanding the ramifications of not safeguarding data from security breaches. To begin, we discuss the top ten data breaches of all time, followed by the largest data breaches of 2022.

Top 10 Data Breaches of all time

1. Yahoo – 3 Billion records lost

In 2013, hackers broke into Yahoo’s infrastructure and stole information from over 3 billion accounts. Fortunately, the stolen material did not contain sensitive information like payment details, unhashed passwords, or bank account numbers.

2. River City Media – 1.37 Billion records lost.

In March 2017, a spam email operator accidentally leaked data of 1.37 billion records, making it one of the most substantial data breaches in history. This incident occurred when River City Media published an unprotected backup snapshot from January 2017.

3. Aadhaar – 1.1 Billion records lost

A leak at a state-owned utility organization in March 2018 compromised India’s biometric database, Aadhaar. This compromise affected every registered Indian citizen, exposing their identity numbers, bank details, and names. The compromised data was sold on WhatsApp for less than £6.

4. Spambot – 711 Million records lost.

Due to a misconfiguration, a spambot exposed passwords and emails in August 2017. As a result, nearly 700 million records were exposed, roughly equivalent to one email address for each man, woman, and child in Europe. However, this data leak includes numerous duplicate and bogus accounts.

5. Facebook – 533 Million records lost

Due to a vulnerability addressed in 2019, hackers scraped the social media behemoth Facebook in March 2021. On a hacking forum, 533 million user records from 106 countries were shared. Among them were full names, phone numbers, user locations, personal information, and email addresses.

6. Syniverse – 5 Million records lost

Syniverse, a vital component of the global telecommunications infrastructure, reported in a filing with the US Securities and Exchange Commission (SEC) on September 27, 2021, that hackers obtained access to 500 million records.

Syniverse is used by many telecommunications firms throughout the world, including AT&T, Verizon, T-Mobile, China Mobile, and Vodaphone. Personal information about its workers, trade secrets, intellectual property, sensitive information about its suppliers, customers, vendors, and other vital financial information were all disclosed.

The company also learned that hackers could access its system for years, which means that millions of mobile customers worldwide and more than 200 of its clients may have been affected by the data leak.

7. Yahoo – 5 Million records lost

A state-sponsored actor stole 500 million documents from Yahoo in September 2016, including names, dates of birth, and security details. This was the largest data leak in recorded history at the time.

8. MySpace – 4.27 Million records lost

Over 400 million records were stolen from MySpace in May 2016 by a hacker and a search engine for stolen data. According to both parties, the data came from an earlier, unreported data security breach. Emails, passwords, usernames, and backup passwords were among the information that was exposed. The hacker attempted to sell the data on the dark web for $2,800 or 6 Bitcoin.

9. Friend Finder Network – 4.12 Million records lost.

Cybercriminals targeted the adult dating and entertainment business Friend Finder Network in November 2016. Over 412 million accounts were exposed as a result. Additionally, the hackers were able to get their hands on 339 million AdultFriendFinder.com user accounts, including 15 million “deleted” accounts that were never erased from the website’s server.

10. Marriott International – 3.83 Million records lost.

In September 2018, hackers breached the reservation systems of all Starwood properties, including Westin, Le Meridien, and Sheraton, causing Marriott International to lose 383 million records. They grabbed personal data from 2014, including passport and credit card numbers.

Biggest Data Breaches in 2022

1. Neopets

• Date: July 2022

• Impact: 69 Million Users

Hackers gained access to Neopets’ database and took 460 MB of source code and the personal information of potentially 69 million users (both current and previous). From January 3, 2022, through July 19, 2022, the hackers had access to this database. Neopets discovered this breach because the perpetrators tried to sell the data for four bitcoins.

Users’ names, usernames, email addresses, IP addresses, gender, dates of birth, PINs for Neopets, hashed passwords, details about their pets and gaming, and other personally identifiable information were among the data hacked.

2. SuperVPN, GeckoVPN, and ChatVPN

• Date: May 2022

• Impact: 21 million Users

Attackers stole the private data of 21 million members of the networks SuperVPN, GeckoVPN, and ChatVPN in May 2022. Users’ full names, email addresses, nationalities, passwords, payment information, and account statuses were all included in the hacked resources. Additionally, it contained 10GB of private data. The stolen information was subsequently published on a Telegram group for public download.

3. Singtel Optus Pty Limited

• Date: September 2022

• Impact: 9.8 million customers

Australian telecom provider Optus is based there. It revealed a severe online breach in September 2022 that may have hacked the personal information of 9.8 million consumers. Optus swiftly stopped the attack after learning about it, and its CEO, Kelly Bayer Rosmarin, thinks fewer than 9.8 million consumers were impacted.

Customers’ names, phone numbers, dates of birth, and email addresses may have been revealed by hackers. Additionally, the addresses and document numbers of specific consumers, such as those on their driver’s licenses or passports, were made public. Payment information and account passwords, however, were not exposed.

4. Cash App Data Breach

• Date: April 2022

• Impact: 8.2 million customers

Mobile payment startup Cash App’s proprietors reported that a former employee had accessed their system in December 2021 and downloaded 8.2 million users’ personal information in April 2022. Customers’ entire identities, portfolio values, stock trading information, and brokerage account numbers were among the data the hacker took. However, customers’ usernames, passwords, social security numbers, or bank account information were not among the stolen data.

5. Twitter

• Date: July 2022

• Impact: 5.4 million

Due to a now-fixed system vulnerability, a hacker amassed data from 5.4 million Twitter users in July 2022. Email and phone details that the attacker took were used to access user accounts. Although Twitter insisted that no passwords had been obtained, it recommended that all users utilize two-factor authentication.

6. Medibank

• Date: October 2022

• Impact: 3.9 million

Australian private health insurance provider Medibank disclosed a data breach on October 12, 2022. The hacker got in touch with it and said he had stolen 200GB of data.

Medibank revealed the data breach affecting 3.9 million consumers on October 25. Personal information stolen includes names, addresses, dates of birth, Medicare card numbers, and clients’ genders. Claim codes submitted by customers made up the stolen health information.

7. FlexBooker

• Date: January 2022

• Impact: 3.7 million

FlexBooer, a booking software company, disclosed in January 2022 that it had found evidence that 3.7 million accounts had been compromised in December 2021. The storage system was accessed and downloaded during this period. Due to a security flaw in the cloud server, consumers could not access their accounts, and FlexBooker failed to administer the customers’ accounts.

The full names, email addresses, and phone numbers of clients were among the information exposed, according to FlexBooker. There was no theft of payment information.

8. Nelnet Servicing LLC

• Date: July 2022

• Impact: 2.5 million

The student loan servicer Nelnet faced a data breach in August 2022 when an unidentified hacker accessed the information of 2.5 million persons who had loans with EdFinancial or the Oklahoma Student Loan Authority. Full names, phone numbers, addresses, and Social Security numbers were exposed.

Nelnet is currently the target of class action lawsuits for failing to report the incident promptly and securing the loan borrowers’ data. Although the hack happened in July, Nelnet only notified the US Department of Education or the impacted borrowers in August.

9. Woolworths – MyDeal

• Date: October 2022

• Impact: 2.2 million customers

An Australian retail company reported a breach in its MyDeal online store in October 2022. Hackers gained access using stolen user credentials and exposed the private data of 2.2 million clients. Customers’ names, birth dates, phone numbers, email addresses, and delivery addresses were among the information that was disclosed.

10. Shields Health Care Group

• Date: March 2022

• Impact: 2 million people

On March 28, 2022, hackers broke into Shields Health Care Group, a Massachusetts-based provider of medical services. An examination found that the attack impacted 56 facilities and 2 million patients between March 7 and March 21, 2022.

Patients’ full names, social security numbers, dates of birth, home addresses,  patient diagnosis, provider information, billing information, insurance information, medical records, patient identification numbers, and other medical information were all accessible to hackers.

11. Texas Department of Insurance

• Date: May 2022

• Impact: 1.8 million people

According to a state audit revealed in May 2022, the personal information of 1.8 million persons who made insurance claims with the Texas Department of Insurance was compromised. According to the investigation, the hacked material remained publicly available for nearly three years – from March 2019 to January 2022. 

The leak was caused by a bug in the programming code, which gave access to sensitive information. During a routine audit in January 2022, an auditor discovered the leaked material and reported it. Addresses, phone numbers, dates of birth, social security numbers, and details regarding work accidents were among the personal information disclosed.

12. Flagstar Bank Data Breach

• Date: June 2022

• Impact: 1.5 million people

Over 1.5 million clients were affected by a data breach at Flagstar Bank. The breach is thought to have occurred in December 2021; however, it was noticed in June 2022. The hackers gained access to sensitive client data such as names, personal identification numbers, and social security numbers. Flagstar Bank emphasized that there is no proof that this information has been exploited.

13. Illuminate Education

• Date: January 2022

• Impact: 820,000 students

A data breach was the cause of an outage that the school administration platform Illuminate Education encountered in January 2022, according to an inquiry. The NYC education system uses the platform to facilitate teacher-parent communication and grade checking.

It was eventually revealed that 820,000 present and former students’ personal information was accessible, despite the original denial that any personal information had been released. Data such as student names, dates of birth, student ID numbers, genders, nationalities, and languages spoken were accessible to hackers.

14. Red Cross

• Date: January 2022

• Impact: 515,000 people

Hackers gained access to the International Committee of the Red Cross computers by exploiting a vulnerability in an authentication module, allowing them to masquerade as genuine users and administrators to obtain access to the data.

The initial attack is considered to have occurred in November 2021, although it was found on January 18, 2022, following an investigation. It is unknown who was behind the hack, but they acquired access to over 500,000 people’s personal information, including names, addresses, and phone numbers. Many of the casualties were missing people, detainees, and those receiving Red Cross and Red Crescent Movement assistance due to armed conflict, natural disasters, or migration.

15. Avamere Health Services, LLC

• Date: July 2022

• Impact: 380,000 people

Avamere is a network of senior post-acute care facilities. An investigation discovered that from January 19, 2022, to March 17, 2022, an unauthorized third party got access to and removed folders and files from Avamere’s network.

The breach impacted 380,000 patients across 96 organizations. Among the information, stolen were patient names, addresses, driver’s license numbers, state identity numbers, claim information, lab results, medical information, social security numbers, bank account numbers, and medical diagnosis numbers.

16. Toyota

• Date: October 2022

• Impact: 300,000 people

Toyota suffered a data breach in December 2017 when the source code for its “T-Connect” app was exposed on GitHub, a software development platform. Toyota reset the access code, but the leak exposed 300,000 consumers’ emails. However, the automaker assured that no other personal information had been compromised. On the other hand, Toyota didn’t learn the source code was public until September 15, 2022 – nearly five years later.

17. Keystone Health

• Date: July 2022

• Impact: 235,000 patients

An investigation revealed that an unauthorized person hacked into Keystone Health’s computer network on July 28, 2022, and remained there until August 19, 2022, when Keystone Health discovered its presence. Patients’ names, health information, and social security numbers for 235,000 patients were compromised.

18. Service Employees International Union, Local 32BJ

• Date: February 2022

• Impact: 230,487 people affected

This data security event was held by this US-based union, consisting mainly of property maintenance workers, window cleaners, and school and food service workers in various Eastern Seaboard states. A third party with unauthorized access gained access to multiple computers on the union’s network. As a result, they gained access to files, including the addresses, names, and Social Security numbers of up to 230,487 people.

19. Logan Health Medical Center

• Date: February 2022

• Impact: 213,543 people affected

On February 22, 2022, this medical hospital in Kalispell, Montana, experienced a data breach. An unknown entity acquired unauthorized access to one file server containing shared folders. As a result, it may have gained access to personal information about business associates, patients, and workers. Individuals’ access to information varies, but it typically includes names, dates of birth, and Social Security numbers.

20. North Face

• Date: September 2022

• Impact: 200,000 people

The North Face clothing store was the subject of a credential stuffing assault, in which usernames, email addresses, and passwords were stolen to breach other websites’ accounts. The attack theory is that users utilize the same login data for many accounts.

Hackers launched the attack at the end of July 2022, but it was identified and shut down in mid-August. The hackers gained access to over 200,000 user accounts and got information such as full names, purchase histories, billing addresses, shipping addresses, phone numbers, account creation dates, genders, and rewards records.

21. Omnicell, Inc.

• Date: May 2022

• Impact: 126,000 patients

Omnicell, a company that provides drug management services to hospitals, other medical facilities, and pharmacies, was recently targeted by ransomware. Hackers obtained sensitive patient information such as the patient’s name, credit card information, driver’s license numbers, financial account information, social security numbers, health insurance details, and other protected health information.

Omnicell first reported that the hack had affected over 62,000 patients. However, that number increased by 64,000 patients in October 2022, bringing the total number of patients affected by the data breach was more than 126,000.

22. South Shore Hospital Corporation

• Date: February 2022

• Impact: 115,670 people affected

The IT network of Chicago, Illinois’ South Shore Hospital, a nonprofit hospital that treats patients with Medicaid or Medicare services, revealed unusual behavior. It was found that certain workers’ and patients’ protected health information had been compromised. First and last names, dates of birth, medical data, financial data, health insurance policy numbers, diagnoses, and Medicare and Medicaid data are among the data that have been leaked.

23. GiveSendGo System

• Date: February 2022

• Impact: 93,000 donors

The Freedom Convoy, a group of Canadian truckers protesting the COVID laws, had a page on GiveSendGo, a Christian fundraising website. Hackers gained access to GiveSendGo and started a series of attacks on the Freedom Convoy donation website. Nearly 93,000 contributors’ personal information was leaked online. The disclosed information included the donors’ names, identification numbers, email addresses, and donated amounts. Due to threats, some donors were forced to close their firms, while others lost their employment.

24. Alameda Health System

• Date: June 2022

• Impact: 90,000 patients

The Alameda Health System discovered unusual behavior in its workers’ email accounts. Alameda investigated and found that an unauthorized entity had stolen the email accounts between May 2020 and March 2022. It is estimated that 90,000 patients were affected, with names, dates of birth, ids, claims information, health insurance information, social security numbers, clinical or treatment information, or driver’s license numbers potentially compromised.

25. Revolut

• Date: September 2022

• Impact: 50,000 customers

An unauthorized third party hacked into the Fintech Revolut database in September 2022, gaining access to data from over 50,000 clients. Customers’ names, email addresses, home addresses, and credit cards are examples of information taken (partial).

26. Deakin University

• Date: July 2022

• Impact: 47,000 students

An authorized third party obtained access to the Deakin University server by utilizing a staff member’s username and password and acquired access to private student information. If students engaged in the campaign, they were required to provide personal information, including credit card information.

27. Ethos Technologies, Inc.

• Date: January 2022

• Impact: 13,300 people affected

Ethos Technology, a San Francisco-based digital business that makes it easier for people to obtain life insurance plans, discovered that in a cyber attack, hackers attacked the online system it uses to create life insurance policies. After examining the incident, they found that between July 15, 2021, and January 12, 2022, an unauthorized third party may have gotten specific clients’ driver’s licence numbers. The hackers would also access the client’s address, state of issuance, name, and date of birth. Approximately 47,000 pupils were affected, with approximately 10,000 victims of an SMS phishing effort.