• Discounts and special offers
  • Subscriber-only articles and interviews
  • Breaking news and trending topics

Already a subscriber?

By signing up, you accept Moneywise's Terms of Use, Subscription Agreement, and Privacy Policy.

Not interested ?

A report from cybersecurity experts at CSO reveals the most damaging data breaches seen so far in the 21st century.

We count them down to the worst hack of all, one that exposed the personal information of a staggering number of consumers.

The worst data breaches

10. JPMorgan Chase

People walking by Chase Bank, owned by JPMorgan Chase & Co.
Northfoto / Shutterstock
People walking by Chase Bank, owned by JPMorgan Chase & Co.

Accounts affected: 76 million households, 7 million small businesses

In the summer of 2014 — at a time when JPMorgan Chase was spending $250 million a year on digital security — a group of hackers managed to find their way past the banking giant's safeguards.

The interlopers were able to gain access to more than 90 of the bank's servers.

Though the bank claimed there was no evidence that any money was stolen, the personal information of over half the households in the U.S. was compromised, including names, addresses, phone numbers and more.

In the aftermath, JPMorgan Chase doubled its security spending to half a billion dollars a year.

9. Uber

Uber's ride share app is everywhere -- and they have your data
Alexey Boldin / Shutterstock
Uber's ride share app is everywhere -- and it has your data

Accounts affected: 57 million Uber users, 600,000 drivers

The only thing worse than Uber's 2016 data breach was the way the ride-hailing company handled the situation.

Uber discovered that two hackers had gained access to the names, emails and phone numbers of millions of its riders — as well as the driver license numbers of hundreds of thousands of its drivers.

The company waited a year to inform the public about what had happened. In the meantime, it paid the hackers $100,000 to delete the stolen data, though there was no way to prove they ever complied.

Uber later paid a $148 million settlement over the breach and its ensuing cover-up.

8. TJX Companies

A busy TJ Maxx store, owned by TJX
Roman Tiraspolsky / Shutterstock
A busy TJ Maxx store owned by TJX

Consumer accounts affected: 94 million

TJX Companies owns major retail chains including TJ Maxx, HomeGoods and Marshalls, and it runs its own rewards credit card program.

In 2006, millions of credit card numbers were stolen from TJX by hackers led by Albert Gonzalez — a young man who was working simultaneously as a paid informant on cybercrimes for the Secret Service.

An agent told The New York Times, "It seemed he was trying to do the right thing." But that assessment was obviously wrong.

The theft cost companies, banks and insurers almost $200 million, and Gonzalez was convicted and sentenced to 20 years in prison. Eleven other hackers were arrested.

7. Target

Target processes millions of credit cards every year
Ken Wolter / Shutterstock
Target processes millions of credit cards every year

Consumer accounts affected: 110 million

Target initially announced in 2013 that hackers had gained access to about 40 million customer credit and debit card numbers.

It took several months for the retailer to admit that nearly three times as many accounts had been compromised.

While most of the stolen information was payment-related, the hackers also swiped addresses and contact information.

In the fallout over the breach, Target’s chief information officer resigned, and the company made major changes to its security infrastructure.

6. Heartland Payment Systems

Heartland processes payments from major cards like Visa and Mastercard
Seksan 99 / Shutterstock
Heartland processes payments from major cards like Visa and Mastercard

Consumer accounts affected: 134 million

Heartland Payment Systems processes payments from major credit card networks such as Visa and Mastercard. The company was running 100 million payments a month when it got hacked in March 2008.

The firm fell prey to an attack that installed spyware throughout its data systems. The hack was the work of none other than Albert Gonzalez, who had been responsible for the earlier TJX hack.

Ten months passed before the Heartland breach was discovered, in January of 2009. The company eventually paid out $145 million in compensation.

It also was found in violation of industry security standards and was barred from processing credit card payments for several months.

5. Equifax

The Equifax breach affected over a hundred million customers
dennizn / Shutterstock
The Equifax breach affected over a hundred million customers

Consumer accounts affected: 147.9 million

Equifax, one of America's three major credit bureaus, announced in July 2017 that it uncovered a major data breach that had likely begun a few months earlier.

The hackers were able to work around a weak point in the company's systems to gain access to the Social Security numbers, birth dates, addresses and drivers license numbers of tens of millions consumers.

Some 290,000 of the victims also had their credit card information compromised. Consumers were urged to keep watch on their credit reports.

Equifax disclosed in a recent filing with federal securities regulators that it expects to face expensive penalties from the Federal Trade Commission and the Consumer Financial Protection Bureau.

4. eBay

eBay 's headquarters in Silicon Valley
JHVEPhoto / Shutterstock
eBay 's headquarters in Silicon Valley

Consumer accounts affected: 145 million

In 2014, hackers were able to use the credentials of three eBay employees to tap into the online marketplace's user database.

In the 229 days before the breach was discovered, the hackers gained access to the personal information of all eBay users. Names, addresses, birthdates and passwords were stolen.

The company assured consumers that credit card and other financial data was not compromised and urged users to change their account passwords.

3. FriendFinder

AdultFriendFinder website
Sharaf Maksumov / Shutterstock
AdultFriendFinder website

Consumer accounts affected: 412.2 million

In October 2016, a hacker in Thailand launched a revenge attack on Adult FriendFinder, part of the Friend Finder Networks' family of adult content and casual meet-up websites.

The hack compromised the personal data and identities of millions of users, leaking their IP addresses, emails, online handles, addresses and more.

The breach was particularly troubling for users who were married or who worked in public positions — and left them open to potential extortion schemes.

2. Marriott International

Marriott Hotel in San Diego, CA
Cassiohabib / Shutterstock
Marriott Hotel in San Diego

Consumer accounts affected: 500 million

In 2018, Marriott International announced it had discovered a data breach that ran all the way back to 2014.

The breach began when the compromised systems were still being operated by the Starwood hotel company and remained in effect after the it was acquired by Marriott in 2016.

Some customers had personal information exposed, including contact information, passport numbers and travel details. More than 100 million customers also had their credit card information stolen.

Investigators suspect the hack was orchestrated by a Chinese intelligence group.

1. Yahoo

Yahoo's updated notice of its data breach, 2017
dennizn / Shutterstock
Yahoo's updated notice of its data breach, 2017

Consumer accounts affected: 3 billion

Yahoo was one of the internet’s first giants — but the brand was seriously tarnished after the company fell prey to the worst data breach in history.

As Yahoo was in the midst of being acquired by Verizon in 2016, executives revealed that Yahoo had suffered a number of data breaches in 2013 and 2014 that affected billions of user accounts.

The hack revealed users’ real names, email addresses, birthdays, phone numbers, passwords and security questions.

Because of the breaches, Verizon trimmed its purchase price for Yahoo by $350 million, to $4.48 billion.

More: Use Efani to protect your cell phone service with military-grade verification, encryption, and up to $5 million in insurance coverage.

What to read next

Esther Trattner Freelance Contributor

Esther was formerly a freelance contributor to Moneywise.


The content provided on Moneywise is information to help users become financially literate. It is neither tax nor legal advice, is not intended to be relied upon as a forecast, research or investment advice, and is not a recommendation, offer or solicitation to buy or sell any securities or to adopt any investment strategy. Tax, investment and all other decisions should be made, as appropriate, only with guidance from a qualified professional. We make no representation or warranty of any kind, either express or implied, with respect to the data provided, the timeliness thereof, the results to be obtained by the use thereof or any other matter. Advertisers are not responsible for the content of this site, including any editorials or reviews that may appear on this site. For complete and current information on any advertiser product, please visit their website.