Data Breaches#

Reference catalog of consequential data breaches an operator should recognize. The list isn’t exhaustive, public trackers (haveibeenpwned.com, DataBreaches.net, Privacy Rights Clearinghouse) catalog thousands more, but each entry below shaped how the industry talks about breach response, regulation, or attacker tradecraft.

For lookup of a specific breach by company / date, use the references at the end. For a search of credentials in known breaches, haveibeenpwned.com is the standard interactive tool.

Largest by record count#

Breach

Year

Records (approx.)

Yahoo

2013-14

3 billion accounts (all users).

Aadhaar

2018

1.1 billion Indian biometric IDs.

First American Financial

2019

885 million records (real estate).

Facebook

2019/21

533 million users (scraped + leaked).

LinkedIn

2021

700 million scraped profiles.

Marriott / Starwood

2018

500 million guest records.

Adult FriendFinder

2016

412 million accounts.

MySpace

2013/16

360 million accounts.

Exactis

2018

340 million consumer records.

Twitter

2022

200 million email-to-handle pairs.

Friend Finder Networks

2016

412 million accounts.

NetEase

2015

234 million accounts.

LinkedIn (original)

2012

165 million accounts.

Dubsmash

2018

162 million.

Adobe

2013

153 million accounts.

MyHeritage

2018

92 million accounts.

T-Mobile USA

2021

77 million customer records.

Equifax

2017

147 million U.S. consumers.

Most consequential#

Breach

Year

Why it mattered

TJX Companies

2007

86M cards via WEP-broken WiFi; first mega-breach in public consciousness.

Heartland Payment Systems

2008

130M cards via SQLi; PCI DSS overhaul.

RSA SecurID

2011

APT seeded with stolen seeds; entered Lockheed Martin.

Sony PSN

2011

77M PSN accounts; PS network down 23 days.

Target

2013

40M cards via HVAC vendor compromise; vendor risk becomes board-level topic.

Sony Pictures

2014

Lazarus Group; full corp wipe + leak; The Interview fallout; Wiper malware mainstream.

JPMorgan Chase

2014

76M households / 7M small businesses.

OPM

2015

22M U.S. govt clearance records (SF-86 forms); attributed to China.

Anthem

2015

78.8M health records; HIPAA enforcement spike.

Ashley Madison

2015

Affair-site breach; suicides; lessons in encryption-at-rest and breach response.

Mossack Fonseca (Panama)

2016

11.5M docs; Panama Papers; ICIJ.

Yahoo

2016 disc.

3B accounts (all of Yahoo); Verizon $350M discount.

Equifax

2017

147M US consumers via unpatched Apache Struts; one of the first major CFPB / FTC breach settlements.

WannaCry

2017

200K systems / 150 countries via EternalBlue; NHS England impacted.

NotPetya

2017

Sandworm via M.E.Doc supply chain; Maersk, Merck, FedEx; ~$10B damages.

Uber

2016 / 2022

cover-up + ransom; CISO criminally convicted (US v. Sullivan).

Equifax (CFPB)

2017

set the regulatory tempo for breaches.

Marriott / Starwood

2018

500M guests; APT-attributed (China).

Capital One

2019

100M cards via SSRF + IAM misconfig in AWS; ex-AWS engineer convicted.

SolarWinds (SUNBURST)

2020

APT29 supply-chain compromise; ~18K customers downloaded backdoored Orion; US gov + Microsoft.

Microsoft Exchange ProxyL.

2021

HAFNIUM; ~250K servers; mass-exploitation event.

Colonial Pipeline

2021

DarkSide ransomware; East Coast fuel; $4.4M ransom (much later recovered).

Kaseya VSA

2021

REvil supply-chain ransomware; ~1,500 downstream MSPs.

Log4Shell

2021

CVE-2021-44228; “every Java app in the world”; multi-year tail of compromise.

Microsoft / Storm-0558

2023

Forged tokens; US gov mailboxes accessed; key exfiltrated from a crash dump.

MOVEit

2023

Cl0p mass-exploitation of CVE-2023-34362; thousands of orgs (BBC, Shell, BA, U.S. agencies).

LastPass

2022

Source code + customer vault data; long-tail crypto theft.

T-Mobile US

2021-2024

multiple incidents; SIM-swap risk surface.

Optus (Australia)

2022

9.8M Australians; API auth bug; nation-scale fallout.

Medibank (Australia)

2022

9.7M; ransom refused; full leak.

Microsoft signing key (CN)

2023

Storm-0558 token forgery scandal.

Change Healthcare

2024

ALPHV; ~$22M ransom; massive US prescription / claims outage; congressional scrutiny.

Snowflake customer set

2024

Stolen creds without MFA on 100+ tenants (AT&T, Ticketmaster, Santander, etc.). UNC5537.

Salt Typhoon (US telecoms)

2024

CN-attributed; Verizon, AT&T, Lumen; CALEA wiretap-system access.

Categories worth knowing#

Category

Notes

Credit-card / payment breaches

Heartland (2008), Target (2013), Home Depot (2014), TJX (2007). Drove PCI DSS revisions.

Healthcare / PHI

Anthem (2015), Premera (2015), Excellus (2015), LabCorp (2019), Change Healthcare (2024).

Government / clearance

OPM (2015), Equifax credit reports (2017), DoD contractor leaks (multi).

Identity / KBA

Equifax (2017), Aadhaar (2018), Experian, Onfido.

Source-code leaks

Microsoft (2022, Lapsus$), Nvidia (2022), Samsung (2022), Okta (2022), Rockstar GTA6 (2022).

Cred-stuffing source corpora

“Collection #1” (773M; 2019), “Collection #2-5” (2.2B; 2019), CL0UD9 / RockYou2024.

SaaS / vault breaches

LastPass (2022), Okta (2022 / 2023 / 2024), 1Password (2023, contained), CircleCI (2023).

Cloud control-plane

Capital One (SSRF -> IMDSv1, 2019), MOVEit (2023), Snowflake customer-credential breaches (2024).

Telecom / CALEA

T-Mobile (multi), Optus (2022), Salt Typhoon (2024).

ICS / OT

Stuxnet (2010), Ukraine grid (2015 / 2016), TRITON (2017), Colonial Pipeline (IT-side, 2021).

By Name (A-Z)#

Breach

Records

Target

Attacker

Ngrams for searching

1Password

n/a (no vault data exfil)

1Password (password manager)

Scattered Spider (Okta cross-incident)

“1password okta 2023”, “1password incident report”

Aadhaar

1.1B

UIDAI (Indian biometric ID authority)

Web-portal misconfiguration; broker resellers

“aadhaar leak 2018”, “UIDAI breach”

Adobe

153M

Adobe Systems

Unknown intruder; weak 3DES-ECB password store

“adobe 2013 breach”, “adobe password hints”

Adult FriendFinder

412M

FriendFinder Networks (adult dating)

Unknown; SHA-1 and plaintext stores

“adult friendfinder 2016”, “friendfinder networks breach”

Anthem

78.8M

Anthem Inc. (health insurer)

Deep Panda / Black Vine (China-attributed)

“anthem 2015 breach”, “deep panda anthem”

Ashley Madison

32M

Avid Life Media / Ashley Madison

“The Impact Team” (hacktivist)

“ashley madison leak 2015”, “impact team avid life”

Capital One

100M

Capital One Financial

Paige Thompson (ex-AWS engineer)

“capital one 2019 ssrf”, “paige thompson capital one”

Change Healthcare

~190M PHI

Change Healthcare (UnitedHealth subsidiary)

ALPHV/BlackCat ransomware

“change healthcare 2024 ransomware”, “ALPHV change healthcare”

CircleCI

secret material

CircleCI (CI/CD SaaS)

Infostealer on engineer laptop (actor not named)

“circleci 2023 incident”, “circleci infostealer”

Colonial Pipeline

operational (5,500 mi pipeline halt)

Colonial Pipeline Co.

DarkSide ransomware

“colonial pipeline 2021”, “darkside ransomware colonial”

Dubsmash

162M

Dubsmash (video-clip app)

Sold on Dream Market by “Gnosticplayers”

“dubsmash 2018 breach”, “gnosticplayers dubsmash”

Equifax

147M

Equifax (credit bureau)

Indictment names four PLA officers (China-attributed)

“equifax 2017 apache struts”, “equifax PLA indictment”

Exactis

340M

Exactis (data broker)

Exposed Elasticsearch (no actor)

“exactis 2018 elasticsearch leak”, “vinny troia exactis”

Excellus

10M

Excellus BlueCross BlueShield

APT (long dwell; not publicly attributed)

“excellus 2015 breach”, “excellus blueshield 10 million”

Experian

multi

Experian (credit bureau)

Various: T-Mobile reseller breach 2015; Brazil 2021 leak

“experian breach 2015 tmobile”, “experian brazil 2021”

Facebook

533M

Meta / Facebook

Scraped via contact-import enumeration (no actor named)

“facebook 533 million leak 2021”, “facebook contact import scrape”

First American Financial

885M

First American Financial Corp. (title insurer)

IDOR-discovered by independent researcher

“first american financial 2019 IDOR”, “EagleProMA leak”

Heartland Payment Systems

130M cards

Heartland Payment Systems

Albert Gonzalez crew (SQLi)

“heartland 2008 SQL injection”, “albert gonzalez heartland”

Home Depot

56M cards

The Home Depot

FIN6-aligned actors (BlackPOS malware)

“home depot 2014 POS”, “BlackPOS home depot”

JPMorgan Chase

76M households / 7M SMB

JPMorgan Chase & Co.

Aratov / Shalon / Orenstein crew (later indicted)

“jpmorgan 2014 breach”, “shalon orenstein jpmorgan”

Kaseya VSA

~1,500 downstream MSPs (see campaign table)

Kaseya (RMM vendor)

REvil / Sodinokibi

“kaseya VSA 2021 REvil”, “kaseya CVE-2021-30116”

LabCorp

7.7M

LabCorp (via AMCA collector)

AMCA web-portal compromise (actor unspecified)

“labcorp 2019 amca”, “AMCA breach quest labcorp”

LastPass

source + vault metadata + encrypted vaults

LastPass (password manager)

Single actor; DevOps engineer’s home plex exploit

“lastpass 2022 breach”, “lastpass plex CVE”

LinkedIn

165M (2012) / 700M (2021)

LinkedIn

2012: Yevgeniy Nikulin; 2021: scraped by “Tom Liner”

“linkedin 2012 nikulin”, “linkedin 700 million scrape 2021”

Log4Shell

global (mass exploitation; see campaign table)

Apache Log4j (CVE-2021-44228)

Mass: ransomware, cryptominers, nation-state

“log4shell CVE-2021-44228”, “log4j JNDI exploit”

Marriott / Starwood

500M

Marriott International (Starwood reservation DB)

APT10/APT41-adjacent (China-attributed)

“marriott starwood 2018”, “marriott APT China indictment”

Medibank

9.7M

Medibank (Australian insurer)

REvil-linked Aleksandr Ermakov (sanctioned)

“medibank 2022 leak”, “ermakov medibank sanctions”

Microsoft Exchange (ProxyLogon)

~250K servers (mass exploitation; see campaign table)

On-prem Microsoft Exchange

HAFNIUM (China-attributed) + mass copycats

“proxylogon HAFNIUM 2021”, “exchange CVE-2021-26855”

Microsoft / Storm-0558

government mailboxes

Microsoft 365 cloud (token signing key)

Storm-0558 (China-attributed)

“storm-0558 token forgery”, “microsoft signing key crash dump”

Mossack Fonseca (Panama Papers)

11.5M documents (2.6TB)

Mossack Fonseca (Panamanian law firm)

“John Doe” leaker; ICIJ publication

“panama papers 2016”, “mossack fonseca ICIJ leak”

MOVEit

thousands of downstream orgs (see campaign table)

Progress MOVEit Transfer (CVE-2023-34362)

Cl0p ransomware

“moveit CVE-2023-34362”, “cl0p moveit mass exploitation”

MyHeritage

92M

MyHeritage (genealogy)

Unknown; SHA-1 hashes on third-party server

“myheritage 2018 breach”, “myheritage 92 million emails”

MySpace

360M

MySpace

Sold by “Tessa88” / “Peace_of_mind”

“myspace 2016 breach”, “tessa88 myspace dump”

NetEase

234M

NetEase Mail (China)

Unknown

“netease 2015 mail breach”, “163.com leak”

NotPetya

global ($10B est.)

M.E.Doc patient zero; downstream multiple (see campaign table)

Sandworm / GRU Unit 74455 (Russia-attributed)

“notpetya 2017 sandworm”, “M.E.Doc notpetya supply chain”

Nvidia

source + signing certs

Nvidia

Lapsus$

“nvidia 2022 lapsus”, “nvidia signing certificate leak”

Okta

support / session tokens

Okta (identity provider)

2022: Lapsus$; 2023: HAR-file token theft

“okta 2022 lapsus sitel”, “okta 2023 har file”

Onfido

multi

Onfido (identity verification)

Various deepfake / KYC bypass actors

“onfido KYC bypass”, “onfido deepfake liveness”

OPM

22M

Office of Personnel Management (clearance records / SF-86)

APT (China-attributed)

“OPM 2015 breach”, “SF-86 clearance leak China”

Optus

9.8M

Optus (Australian telecom)

“OptusData” extortionist

“optus 2022 breach”, “optusdata extortion api”

Premera

11M

Premera Blue Cross

APT (China-attributed; tied to Anthem campaign)

“premera 2015 health records”, “premera blue cross APT”

Rockstar GTA6

source / pre-release video

Rockstar Games

Lapsus$ (Arion Kurtaj)

“rockstar gta6 leak 2022”, “arion kurtaj rockstar”

RSA SecurID

SecurID seed material

RSA Security (then EMC)

APT1 / Comment Crew (China-attributed)

“RSA securid 2011”, “comment crew RSA seeds”

Salt Typhoon

lawful-intercept access (see campaign table)

Multiple telecom carriers

Salt Typhoon (China-attributed)

“salt typhoon telecom 2024”, “salt typhoon CALEA wiretap”

Samsung

source code

Samsung Electronics

Lapsus$

“samsung 2022 lapsus source code”

Snowflake customer set

165 orgs (see campaign table)

Multiple Snowflake tenants

UNC5537 (Connor Moucka et al.)

“snowflake 2024 ticketmaster”, “UNC5537 snowflake breach”

SolarWinds (SUNBURST)

18K downloaded; ~100 exploited (see campaign table)

SolarWinds Orion + downstream tenants

APT29 / Cozy Bear (Russia-attributed)

“solarwinds sunburst 2020”, “APT29 orion compromise”

Sony PSN

77M

Sony PlayStation Network

Anonymous / LulzSec adjacent (claim disputed)

“sony psn 2011”, “playstation network outage 2011”

Sony Pictures

corp-wipe + leak

Sony Pictures Entertainment

Lazarus Group (DPRK-attributed)

“sony pictures 2014”, “lazarus the interview wiper”

Stuxnet

1,000+ centrifuges damaged

Natanz enrichment facility (Iran)

Equation Group / Unit 8200 (joint attribution)

“stuxnet 2010 natanz”, “stuxnet siemens S7-300”

Target

40M cards / 70M PII

Target Corp.

FIN7-aligned (Fazio HVAC vendor pivot)

“target 2013 fazio HVAC”, “BlackPOS target”

TJX Companies

94M cards

TJX (subsidiaries; see campaign table)

Albert Gonzalez crew (WEP-broken WiFi)

“TJX 2007 breach”, “albert gonzalez TJX”

T-Mobile

40-100M per incident

T-Mobile USA

John Binns (2021); other incidents unattributed

“tmobile 2021 john binns”, “tmobile breach 100 million”

TRITON

safety controllers (Schneider Triconex)

Petrochemical plant (Saudi Arabia)

XENOTIME / TEMP.Veles (Russia-attributed)

“TRITON triconex 2017”, “xenotime TRISIS malware”

Twitter

200M / 5.4M

Twitter (now X)

Single actor via API enumeration (Devil / Ryushi)

“twitter 2022 200 million”, “twitter API leak Devil”

Uber

57M (2016) / internal (2022)

Uber Technologies

2016: extortion + cover-up; 2022: Lapsus$

“uber 2016 sullivan cover up”, “uber 2022 lapsus teapotuberhacker”

Ukraine grid

230k customers / 1.5h outage

Ukrenergo / Prykarpattyaoblenergo (electric utilities)

Sandworm / GRU Unit 74455

“ukraine power grid 2015”, “sandworm crashoverride 2016”

WannaCry

200K systems / 150 countries (see campaign table)

Global (see campaign table)

Lazarus Group (DPRK-attributed)

“wannacry 2017 eternalblue”, “lazarus wannacry NHS”

Yahoo

3B (all accounts)

Yahoo

FSB-tasked Karim Baratov + Alexsey Belan (Russia-indicted)

“yahoo 2013 3 billion”, “FSB baratov belan yahoo”

Multi-Target Campaigns#

Kaseya VSA (2021)#

Target

Notes

~50 direct MSP victims

Initial REvil deployment via VSA on-prem.

~1,500 downstream organizations

Encrypted via the compromised MSPs.

Coop Sweden

Most-publicized downstream; ~800 stores closed.

Synnex (USA)

IT distributor; downstream pivot risk.

Various MSPs (Huntress / Datto telemetry)

Distributed across SMBs.

Log4Shell (2021)#

Target

Notes

Apache Log4j (CVE-2021-44228)

The vulnerability itself; “JNDI lookup” feature.

Minecraft (mass)

First in-the-wild proof; chat-string trigger.

VMware Horizon

Mass-exploited by Conti, AvosLocker, ransomware crews.

Cisco Webex

Vendor-confirmed exposure.

iCloud, Steam, Tesla, etc.

Confirmed-exposed surfaces (vendor disclosures).

Belgian Ministry of Defence

First public state-attributed compromise via Log4Shell.

Vietnamese / Iranian / Chinese clusters

Cited by Microsoft Threat Intelligence as active exploitation.

Microsoft Exchange — ProxyLogon (2021)#

Target

Notes

On-prem Exchange (mass)

~250K servers worldwide.

European Banking Authority

Publicly disclosed.

Norwegian Parliament

Publicly disclosed.

~30K organizations (Krebs estimate)

Compromised in the first wave.

HAFNIUM-cluster operations

Initial; followed by 9+ copycat groups.

MOVEit (2023)#

Target

Notes

Progress MOVEit Transfer

The vulnerable product (CVE-2023-34362).

BBC

25K UK employees (via Zellis payroll).

British Airways

Employee PII (via Zellis).

Aer Lingus

Employee PII (via Zellis).

Shell

Vendor data.

IHG (Holiday Inn)

Customer data.

Ernst & Young

Client data.

Maximus

11M U.S. Medicare/Medicaid records.

Oregon DMV

3.5M licenses.

Louisiana OMV

6M licenses.

2,700+ organizations

Per Emsisoft tracking by Q4 2024.

NotPetya (2017)#

Target

Notes

M.E.Doc (Linkos Group)

Ukrainian accounting software; supply-chain patient zero.

Maersk

Shipping; near-total IT loss; ~$300M.

Merck

Pharma; ~$1.4B; long insurance war (war-exclusion ruling).

FedEx (TNT Express)

Logistics; ~$300M.

Reckitt Benckiser

Consumer goods; ~$100M.

Mondelez

Snacks; insurance precedent.

Saint-Gobain

Construction; ~$380M.

WPP

Advertising; multi-day outage.

Rosneft / Bashneft

Russian oil firms (collateral on initial Ukraine vector).

Chernobyl monitoring

Lost telemetry briefly; manual readings.

Salt Typhoon (2024)#

Target

Notes

Verizon

Lawful-intercept-relevant access.

AT&T

Lawful-intercept-relevant access.

Lumen Technologies

Long-haul carrier; transit-pipe access.

T-Mobile

Wireless carrier; mitigation reported successful.

Charter Communications

Reportedly affected.

Consolidated Communications

Reportedly affected.

Windstream

Reportedly affected.

Snowflake customer set (2024)#

Target

Notes

AT&T

109M customer call/text metadata.

Ticketmaster (Live Nation)

560M customer records.

Santander

30M customers (Spain, Chile, Uruguay).

Advance Auto Parts

380M records.

Pure Storage

Telemetry; contained.

Anheuser-Busch

Confirmed.

Lending Tree

Confirmed.

Neiman Marcus

64M customers.

Los Angeles Unified School District

Stolen creds via infostealer pipeline.

165 total tenants (UNC5537 dataset)

All without MFA on the affected accounts.

SolarWinds — SUNBURST (2020)#

Target

Notes

SolarWinds Orion build pipeline

The supply-chain pivot itself.

Microsoft

Source-code repo access.

FireEye / Mandiant

Discovered the campaign via own compromise.

Treasury Department

Email tenant access.

Commerce Department / NTIA

Email tenant access.

DHS

Internal disclosure.

State Department

Confirmed access.

National Nuclear Security Admin (NNSA)

Reported access.

Intel, Cisco, Nvidia, VMware, Belkin

Confirmed downloaded backdoor; varying impact.

~100 high-value tenants

Out of 18K who downloaded, per CISA estimate.

TJX (2007)#

Target (subsidiary)

Notes

T.J. Maxx

Primary brand; original WEP-broken Minnesota store.

Marshalls

Same parent infrastructure.

HomeGoods

Same parent infrastructure.

A.J. Wright

Same parent infrastructure (then-owned).

Bob’s Stores

Same parent infrastructure (then-owned).

Winners (Canada)

TJX Canada brand.

HomeSense (Canada / UK)

TJX international brand.

T.K. Maxx (UK / Ireland)

European brand.

WannaCry (2017)#

Target

Notes

NHS (UK)

80 trusts disrupted; ~19K appointments cancelled.

Telefónica

Spain telecom; first major public report.

Renault

Auto plants stopped (France, Slovenia).

Nissan (Sunderland)

Production halted.

Deutsche Bahn

Information-board displays.

FedEx (TNT)

International parcel ops.

Hitachi

Mail and other internal systems.

Honda (Sayama)

Japan plant halted briefly.

PetroChina

Gas-station payment terminals offline.

Boeing

Limited production-area infection (2018, late spread).

Cuban Ministry of Information

Public sector hit.

Russian Interior Ministry

1,000 computers hit.

Search Queries#

OSINT entry points for hunting a specific breach, attribution, and downstream victim datasets.

Hosted lookup#

Service

Pattern

Have I Been Pwned

https://haveibeenpwned.com/ (per-email).

HIBP domain search

https://haveibeenpwned.com/DomainSearch (per-domain, verified).

DeHashed

https://dehashed.com/search?query=<term>

IntelX

https://intelx.io/?s=<term>

LeakCheck

https://leakcheck.io/search?query=<term>

MITRE ATT&CK Groups

https://attack.mitre.org/groups/ (attribution lookup).

SecurityScorecard / RiskRecon

vendor portals; enterprise.

Google / Bing dorks#

Goal

Dork

Primary reporting

"<breach>" intext:"breach" site:krebsonsecurity.com OR site:bleepingcomputer.com OR site:therecord.media

SEC 8-K disclosure

site:sec.gov "<company>" "cybersecurity"

Mandiant / FireEye writeup

"<breach>" site:mandiant.com OR site:fireeye.com

Vendor PIRs / IRs

"<breach>" intext:"incident response" filetype:pdf

State AG / regulator notices

"<company>" site:oag.ca.gov OR site:ago.vermont.gov "data breach"

HIBP-confirmed dumps

"<breach>" "haveibeenpwned.com"

CISA advisory

"<breach>" site:cisa.gov

Reuters / FT timeline

"<breach>" site:reuters.com OR site:ft.com timeline

Court / indictment lookup#

Goal

Query

DOJ press release

site:justice.gov "<actor or breach>"

PACER / CourtListener

"<actor>" site:courtlistener.com

Sanctions

site:treasury.gov OFAC "<actor>"

Indictment PDFs

"<actor>" indictment filetype:pdf

Actor / TTP pivot#

Goal

Query

Attribution

"<actor>" attribution OR APT site:mandiant.com OR site:crowdstrike.com

Indicators of compromise

"<breach>" IOC OR YARA OR Sigma

Sandbox runs

site:any.run OR site:tria.ge OR site:joesandbox.com "<hash>"

C2 / infrastructure

"<C2 domain>" passivetotal shodan censys

References#