The 20 Biggest Data Breaches of 2018
The digital information that we save and share online—our private, personal data—is sought after not only by hackers and cybercriminals, but even by foreign governments. Why? Because data is the new oil. Our information has value, and we need to collectively begin behaving as such. We need to stop reusing passwords, stop saving personal and payment information online as much as possible, and most importantly, we need to fight for our data. Big companies we trust are getting breached more often and on a larger scale than ever before.
In 2018, newsworthy data breaches occurred, seemingly, every other week. We not only had more mega-breaches last year—including several with over 100 million people affected—but also more breaches of mega-companies like Marriott, Facebook, Google, Twitter, and Under Armour.
Let’s count down 2018’s biggest data breaches, hacks, leaks, bugs, and abuses to see what we can learn about improving security practices in 2019.
Let’s count down 2018’s 20 biggest breaches:

20. British Airways: 380 thousand

How: A known hacking group injected malicious code into a poorly secured page on British Airways’ website in order to covertly capture personal and payment data.
What was included:
- Names
- Addresses
- Email addresses
- Sensitive payment card details

19. Orbitz: 880 thousand

How: An attacker accessed a legacy company system (not Orbitz.com), which compromised customer data.
What was included:
- Names
- Addresses
- Phone numbers
- Email addresses
- Other personal information
- Payment card information

18. T-Mobile: 2 million

How: An “international group” of hackers accessed company servers through an API that “didn’t contain any financial data or other very sensitive data.” The attack was caught the same day.
What was included:
- Names
- Email addresses
- Account numbers
- Billing information
- Encrypted passwords

17. Saks and Lord & Taylor: 5 million

How: The hacking group JokerStash infected the retailers’ point-of-sale systems with malware, likely delivered through phishing emails, and stole credit card numbers. The hackers announced that they planned to sell the card numbers on the dark web.
What was included:
- Payment card numbers

16. Cathay Pacific: 9.4 million

How: Cathay Pacific discovered “unauthorized access to some of its information system[s].” It provided no further explanation.
What was included:
- Names
- Nationalities
- Dates of birth
- Addresses
- Email addresses
- Phone numbers
- Frequent flier numbers
- Some passport numbers
- Some credit card numbers

15. Sacramento Bee: 19.5 million

How: A hacker seized a voter registration database that the Bee had obtained from the state for reporting purposes, along with a second database containing personal information of Bee subscribers.
What was included:
- Names
- Addresses
- Email addresses
- Phone numbers
- Party affiliations
- Dates of birth
- Places of birth

14. Timehop: 21 million

How: An attacker gained access to Timehop’s cloud computing environment because it wasn’t protected with two-factor authentication. Timehop has since added two-factor authentication to secure access.
What was included:
- Names
- Email addresses
- Dates of birth
- Phone numbers
- Other personal information

13. Ticketfly: 27 million

How: A hacker gained access to the Ticketfly platform through a “malicious cyber attack.” The company provided no further explanation.
What was included:
- Names
- Addresses
- Email addresses
- Phone numbers

12. Facebook: 29 million

How: Hackers exploited a flaw in Facebook’s “view as” feature that allowed them to “steal Facebook access tokens which they could then use to take over people’s accounts.”
What was included:
- Names
- Phone numbers
- Email addresses
- Some other personal information collected by Facebook

11. Panera Bread: 37 million

How: A database leak exposed customer records in plaintext. Panera was notified on August 2, 2017, but ignored repeated requests by security researchers to fix the leak. Eight months later, the company finally secured it.
What was included:
- Names
- Addresses
- Email addresses
- Dates of birth
- Last four digits of customer credit card numbers

10. Chegg: 40 million

How: An “unauthorized party” gained access to a database of user data. The company reset passwords for all 40 million customers. Interestingly, Chegg publicly disclosed the breach to the SEC, not to the affected customers.
What was included:
- Names
- Shipping addresses
- Email addresses
- Usernames
- Passwords

9. Google+: 52.5 million

How: An initial breach affecting 500 thousand Google+ users was first reported on October 8, 2018. Google disclosed that breach several months after discovering it, in part because of fears that disclosure would draw regulatory scrutiny and cause reputational damage, according to the Wall Street Journal. Then in December, Google revealed a second data breach that exposed the personal information of 52.5 million Google+ accounts to third-party Google+ apps for six days.
What was included:
- Names
- Email addresses
- Dates of birth
- Some other personal information collected by Google+

8. Facebook (via Cambridge Analytica): 87 million

How: Cambridge Analytica exploited a loophole in Facebook’s API that allowed third-party developers to collect data not only from users of their apps but from everyone in those users’ friend networks on Facebook. It’s important to note that this isn’t really a breach, but rather a misuse of user data.
What was included:
- Facebook user profile data
- Facebook user preferences and interests

7. MyHeritage: 92 million

How: A security researcher found a file containing email addresses and hashed passwords on a private server outside of MyHeritage. MyHeritage added two-factor authentication options for users to protect against account takeover.
What was included:
- Email addresses
- Encrypted passwords

6. Quora: 100 million

How: A “malicious third party” accessed Quora’s systems and compromised user data. The company provided no further explanation.
What was included:
- Names
- Email addresses
- Encrypted passwords
- Data imported from linked networks when authorized by users

5. Under Armour (MyFitnessPal): 150 million

How: An “unauthorized party” acquired data associated with MyFitnessPal user accounts. No further explanation was provided.
What was included:
- Usernames
- Email addresses
- Encrypted passwords

4. Twitter: 330 million

How: Twitter discovered a bug that stored passwords unmasked in an internal file. Though this isn’t really a breach, it’s inexcusable for any company—especially one as well-equipped as Twitter—to store user passwords in plaintext. Twitter asked all of its users to reset their passwords as a result.
What was included:
- Plaintext passwords

3. Exactis: 340 million

How: Security researcher Vinny Troia notified Exactis of a comprehensive collection of leaked data. Exactis secured the database after Troia notified them but never publicly addressed the leak. Morgan & Morgan, a national law firm headquartered in New York, filed a class action lawsuit against Exactis.
What was included:
- Names
- Addresses
- Email addresses
- Phone numbers
- Other personal information including habits and hobbies, and the number, ages, and genders of the person’s children

2. Marriott: 500 million

How: Marriott received an alert from an internal security tool about an attempt to access the Starwood guest reservation database. During the investigation, Marriott learned that there had been unauthorized access to the Starwood network since 2014, and that an unauthorized party had copied and encrypted information and had taken steps to remove it.
What was included:
- Names
- Addresses
- Phone numbers
- Email addresses
- Passport numbers
- Dates of birth
- Other personal information

1. Aadhaar: 1.1 billion

How: The Indian government, which manages the ID database “Aadhaar,” ignored repeated warnings from security researchers about a database leak caused by an unsecured API endpoint connected to a state-owned utility company. Only after the vulnerability was publicly disclosed did the government secure the database.
What was included:
- Names
- Unique 12-digit identity numbers
- Information about services they are connected to, such as bank details and other private information
Takeaways:
- Any company can be breached. Securing user data is highly complex and requires a tremendous investment. And even with sizable security investments, behemoths like Facebook and Google are still failing. Which leads us to takeaway number two…
- Assume that your user data is exposed. This isn’t to scare you or make you think that identity theft is imminent—this is just a reality check. There have been too many hacks, breaches, leaks, data abuses, and misuses across too many services to honestly believe that your data isn’t available somewhere it shouldn’t be. It’s why we’re so adamant about eliminating password reuse. Yet, despite the data in question being our own, we currently have very limited control over it, which leads us to our final takeaway…
- New and improved legislation around data privacy is critical. To truly own our personal data, we first must demand legislation that punishes those that store it unnecessarily, insecurely, or without our explicit consent. The E.U.’s recent GDPR legislation is a good blueprint. It requires companies that collect data on E.U. residents to explain what they plan to use it for, to get explicit consent from each consumer in order to use their data, and to delete any data associated with an individual if requested. If it’s the government’s imperative to protect its citizens, then keeping our private data out of the hands of hackers, criminals, and foreign governments is a good place to start.