The biggest data breaches of 2019

As the famous idiom goes: “Nothing is certain but death and taxes.” Now, in our digital age, we can add one more certainty: data breaches.

This year we’ve already seen quite a long list of data breaches from all around the world. While most of the focus usually falls on financial data breaches, many hackers are now going after softer targets, such as healthcare and social services. In fact, 2019 has already seen multiple data breaches related to the healthcare field.

The number one danger of data breaches is identity theft. With just a few details, like your date of birth, social security number, etc., scammers can use your information to take out loans, get credit cards, or use it for more sophisticated phishing attempts.

Beyond that, they can also access the account that was hacked, collecting private messages, videos and images. In general, what hackers can do with your data is often limited to how creative they are. In order to keep yourself safe, you not only have to practice your own safety, but you need to be aware if your data is out there right now, in some hacker’s hands or being traded on hacker forums.

Our list below is ordered from the newest to the oldest data breaches for 2019.

Zynga
  • Affected users: 218 million
  • Industry or type: mobile game
  • Cause of breach: hack

A Pakistani hacker, alias Gnosticplayers, claimed that he was able to breach the popular word-puzzle game Words With Friends. Through that hack, he accessed the data of 218 million Android and iOS users who installed the game before September 2, 2019.

Zynga admitted in early September that players of Words With Friends and Draw Something had their information leaked, but didn’t give a number for how many.

The hacker claims that the breach included the following information:

  • names and email addresses
  • login IDs
  • passwords (salted and hashed)
  • phone numbers
  • Facebook IDs
  • Zynga account IDs
  • password reset tokens

September 26 – Food delivery service DoorDash gets hacked

  • Affected users: 4.9 million
  • Industry or type: restaurant
  • Cause of breach: hack

DoorDash learned in September that an unauthorized third party was able to access its user data on May 4, 2019. Many of the food delivery app’s users were affected, totaling almost 5 million. The hack affected only those people who joined before April 5, 2018.

The hacker was able to access the following information:

  • profile information
  • names
  • email addresses
  • delivery addresses
  • order history
  • phone numbers
  • passwords (hashed and salted)
  • last four digits of payment cards (for consumers)
  • last four digits of bank accounts (for Dashers and merchants)
  • driver’s license numbers (for roughly 100,000 Dashers)

September 18 – Indonesian airline Malindo Air suffers massive breach

  • Affected users: millions (exact number unknown)
  • Industry or type: airline
  • Cause of breach: hack

Malindo Air, which is a subsidiary of Indonesia’s low-cost airline Lion Air, reported that it had suffered a massive data breach. The breach affects millions of passengers, whose data was leaked on various forums in October.

The airline stated that important customer payment details were not stored on the hacked server. Included in the breach was the following customers’ information:

  • names
  • passport details
  • addresses
  • phone numbers

September 16 – Ecuador citizens have their data leaked

  • Affected users: 20.8 million (some duplicates)
  • Industry or type: unknown (contains government and private information)
  • Cause of breach: unsecured database

Security researchers discovered a misconfigured database that exposed most of Ecuador’s population – 20.8 million records in total, including 6.7 million records of children.

The number is larger than the population of the country, which means that there is some duplicate content there, as well as older entries. Nonetheless, it’s proven to be one of the biggest data breaches in the small South American country’s history.

The exposed data includes:

  • names
  • civil registration data
  • family members and family trees
  • financial information
  • employment information
  • car ownership data

September 6 – French site Option Way data leak

  • Affected users: unknown (100GB of user data)
  • Industry or type: online travel site
  • Cause of breach: unsecured database

Security researchers recently discovered a treasure trove of unsecured data from French travel site Option Way. The researchers were able to access 100GB worth of data on customers mainly located in France, Belgium, Switzerland, Algeria, and Australia.

While Option Way claims on its website that it processes data in an encrypted manner, according to data regulation body CNIL’s recommendations, the researchers found large amounts of unencrypted and unprotected data.

This data includes:

  • names and email addresses
  • date of birth
  • gender
  • phone numbers
  • addresses and postcodes
  • destinations and flight prices
  • flight departure and return dates

September 3 – Aliznet/Yves Rocher data breach

  • Affected users: 2.5 million
  • Industry or type: consulting services
  • Cause of breach: unsecured database

The Canadian consulting company Aliznet was recently caught exposing 2.5 million Yves Rocher customers’ data. Security researchers discovered that Aliznet, which provides consulting services for its client Yves Rocher, had exposed the data due to multiple vulnerabilities in its systems.

Yves Rocher is a popular brand that produces cosmetics and other beauty products. One major vulnerability in Aliznet’s system was an unprotected API interface for an app that Aliznet seems to have developed for Yves Rocher.

The security researchers were able to discover the following information:

  • names and email addresses
  • phone number
  • date of birth
  • zip code

August 21 – Hostinger web hosting data breach

  • Affected users: 14 million
  • Industry or type: web hosting services
  • Cause of breach: hack

Popular web hosting service Hostinger has been hit by a major data breach affecting roughly 14 million user records. According to their blog post, Hostinger discovered the breach after it received an alert about unauthorized access to one of its servers.

The hacker used an access token found on the server, which granted system access without requiring a username or password. After that, the hacker was able to get into the company’s systems, which included the API database. The database contained sensitive customer data, including passwords that had been hashed with the SHA-1 algorithm, which is no longer considered secure (practical collision attacks against it exist). Hostinger has since upgraded to the stronger SHA-2 algorithm.

The breached data includes:

  • usernames
  • email addresses
  • passwords (hashed with SHA-1)

The company emphasized that no customer payment information, website files or other website data had been involved in the leak.

August 20 – Luscious porn leak

  • Affected users: 1.2 million
  • Industry or type: online entertainment
  • Cause of breach: unsecured database

Privacy and security researchers discovered an unsecured database for Luscious, the Hentai (animated pornography) content-sharing platform. Luscious, where users upload and share their content, has roughly 20 million monthly visits.

The site has nearly 1.2 million registered users that upload, share, and comment about this content, supposedly anonymously. But in the data breach, researchers were able to discover the following information:

  • usernames and emails
  • gender and location
  • user activity logs
  • video uploads
  • blog posts, comments and favorites
  • and much more behavioral data

August 14 – Biostar 2 fingerprint and facial recognition breach

  • Affected users: 27.8 million
  • Industry or type: biometrics
  • Cause of breach: unsecured database

Security researchers were able to uncover a treasure trove of unsecured biometrics data held by security company Suprema’s biometrics lock system, known as Biostar 2. Biostar 2 is used by police organizations, defense contractors, banks, and many more organizations all around the globe.

The unsecured database included unhashed fingerprints. This is particularly dangerous because, once a fingerprint has been stolen, the user can’t change or alter it like they can with a password.

The database also contained, alarmingly, unhashed passwords and usernames. Put together, hackers could potentially edit the files, add their own fingerprints, usernames, and passwords, and enter these facilities with no problem.

All in all, the data includes:

  • unencrypted fingerprints
  • unhashed usernames, passwords and IDs
  • facial recognition (both information and images) for users
  • entry and exit records for secure areas
  • employee security levels, clearances, and start dates
  • personal details, such as emails and home addresses
  • access to dashboards, admin panels, permissions, and more

August 7 – CafePress’ undisclosed data breach

  • Affected users: 23 million
  • Industry or type: ecommerce
  • Cause of breach: unknown

CafePress, the major online T-shirt store, has had 23 million of their customers’ data stolen in a February hack. However, users were not made aware of the hack until Have I Been Pwned, the popular data breach tracker, sent out notifications to certain users.

CafePress, on the other hand, still has not admitted to having been hacked, with the company requiring users to change their passwords because of a password policy “update.”

The leaked data includes:

  • email addresses
  • names
  • phone numbers
  • physical addresses

August 5 – Massive US & South Korean credit card breach

  • Affected users: 1 million
  • Industry or type: banking and finance
  • Cause of breach: POS (point-of-sales) hack

Since May 29, 2019, a group of hackers has stolen the credit card details of more than 1 million people, mostly from the US and South Korea. Security researchers first discovered the credit card details for sale on the dark web in May, with 42,000 compromised South Korean cards. June saw 230,000 records, while July went up to 890,000 records for sale.

The researchers believe the group comes from a Russian-speaking country, since the credit card details were posted in a mostly Russian-speaking part of the dark web. While the hack affected mostly South Korean cards, US cardholders visiting South Korea were also affected.

The leaked data includes:

  • names
  • credit card numbers
  • expiration dates
  • banking information

August 3 – StockX data breach

  • Affected users: 6.8 million
  • Industry or type: ecommerce
  • Cause of breach: hack

The popular online sneaker and streetwear apparel marketplace StockX was recently hacked, affecting more than 6.8 million of its customers. According to the company, a hacker was able to get access to their customer data. The hack originally took place in May.

Instead of notifying their customers of the breach, StockX simply asked users to reset their passwords due to “system updates.” However, on August 3, the company came forward with the notification that customer data had been breached.

The leaked data includes:

  • names and email addresses
  • shipping addresses
  • usernames
  • shoe sizes
  • hashed passwords
  • purchase histories

July 30 – Capital One suffers largest banking data breach

  • Affected users: 100 million
  • Industry or type: banking and finance
  • Cause of breach: hack

Capital One, the major US banking institution, suffered possibly the largest banking data breach in history. Between March 12 and July 17, Paige A. Thompson, a former software engineer, was able to access a cloud-based Amazon server and steal the data of 100 million Capital One customers and applicants.

The largest group of information came from applicants who had applied for Capital One credit cards between 2005 and 2019. After the breach was discovered on July 19, the company immediately fixed the vulnerability that allowed Thompson to access the data.

The leaked data includes:

  • names and addresses
  • phone numbers
  • email addresses
  • dates of birth
  • self-reported income
  • Social Security numbers (140,000 affected)
  • bank account numbers (80,000 affected)

July 20 – Russia’s FSB spies get hacked

  • Affected users: unknown (7.5 TB of data)
  • Industry or type: government
  • Cause of breach: hack

Russia’s Federal Security Service (FSB), which functions as its main intelligence agency, was the target of a successful hack attempt. The hacking group under the name 0v1ru$ was able to breach a major FSB contractor, SyTech, and steal 7.5 terabytes of data.

The group then passed on this stolen data to the major hacking group Digital Revolution, which then shared the files with various media publications and on Twitter.

The leaked data shows that FSB was working on:

  • de-anonymizing Tor browsing
  • scraping social media
  • helping split off the state internet from the global internet

This hack has been called “the largest data leak in the history of Russian intelligence services.”

July 17 – Clinical Pathology Laboratories (from AMCA breach)

  • Affected users: 2.2 million
  • Industry or type: healthcare
  • Cause of breach: hack

As part of the earlier AMCA data breach that affected Quest Diagnostics (below), Clinical Pathology Laboratories (CPL) reported that 2.2 million of their US patients also had their personal data stolen. CPL reports that AMCA had failed to provide them with enough information to identify potentially affected patients.

The breached data includes:

  • names and addresses
  • phone numbers
  • dates of birth
  • dates of service
  • account balance information
  • treatment provider

Aside from that, another 34,500 patients had their credit card or banking information stolen. So far, besides CPL and Quest Diagnostics, LabCorp and BioReference Laboratories have also been affected by the AMCA data breach.

July 16 – The great Bulgarian data leak

  • Affected users: 5 million
  • Industry or type: government
  • Cause of breach: hack

A mysterious hacker stole millions of Bulgarians’ personal details, emailing those files to local news publications. The hack affected Bulgaria’s National Revenue Agency (NRA), which falls under the country’s Ministry of Finance.

While the hacker claimed to have stolen 5 million users’ data contained in 110 databases, they’ve only shared 57 databases. Some of the data also seems to come from the Department of Civil Registration and Administrative Services, which is similar to the Social Security system in the US.

The leaked data includes:

  • names
  • home address
  • personal ID numbers (PINs)
  • financial earnings

July 1 – Orvibo Smart Home’s wide-open database

  • Affected users: likely 1 million
  • Industry or type: IoT/smart devices
  • Cause of breach: unsecured database

Independent security researchers recently discovered an open database that was linked to the popular IoT maker, Orvibo Smart Home. The database was said to contain more than 2 billion logs, although Orvibo claims to only have around 1 million users.

These users include both private individuals with connected homes, as well as hotels or other businesses that incorporate these smart devices. The exposed data includes:

  • email addresses and passwords
  • usernames
  • account reset codes
  • geolocation and IP addresses
  • family name and ID
  • much more

Orvibo is a Chinese company based in Shenzhen. Weak security on IoT devices is a continuing problem, and more data breaches related to smart devices are predicted.

June 3 – Quest Diagnostics’ massive data breach

  • Affected users: almost 12 million
  • Industry or type: healthcare
  • Cause of breach: hack

Quest Diagnostics, a major US clinical laboratory, reported that the billing collections provider that works with them – American Medical Collection Agency (AMCA) – had suffered a major data breach. An unauthorized user had gained access to AMCA systems, allowing them ample opportunity to steal patient data. The hacker had access from August 1, 2018, to March 30, 2019.

The exposed data included:

  • Names and biographical data
  • Medical information
  • Social Security numbers
  • Financial data

Besides Quest Diagnostics, the breach also impacted LabCorp, Carecentrix, BioReference Laboratories, and Sunrise Laboratories.

May 31 – Flipboard’s major breach

  • Affected users: possibly 1 billion+
  • Industry or type: news aggregation app and site
  • Cause of breach: hack

The most popular news aggregation site and app, Flipboard, has just revealed a major data breach. It is currently unknown how many users have been affected, but seeing as Flipboard has more than 1 billion downloads from Google Play alone (and that it’s pre-installed on many phones), it is most likely major.

The data stolen in the data breach includes:

  • names
  • usernames
  • email addresses
  • protected passwords (salted and hashed with bcrypt)

Users (not logged in on their phones) have since had their passwords reset and will have to change them. Smartphone users will have to log out by themselves.

May 28 – UK’s Investment Week breach

  • Affected users: 330,000+
  • Industry or type: online publication
  • Cause of breach: unsecured server

One of the UK’s largest online business publications, Investment Week, has leaked the data of 330,000+ users. Independent security researchers first contacted them on April 29, but after only a muted response, posted a Reddit thread on May 28.

They then contacted VPNpro for an exclusive on what the leak contained, and why Investment Week’s parent company, Incisive Media, gave a subpar response.

The leaked data includes:

  • phone numbers
  • names and email addresses
  • subscription information
  • city and country
  • company information

May 24 – Canva data breach

  • Affected users: 139 million
  • Industry or type: online graphic design service
  • Cause of breach: hack

The popular graphic design online tool, Canva, reported that user data was compromised in a cyber attack. Canva, which now also owns popular image sharing sites Pexels and Pixabay, reports that the following information was accessed:

  • usernames
  • email addresses
  • demographic information
  • protected passwords (salted and hashed with bcrypt)
  • partial credit card and payment data

Users have been urged to change their passwords.

May 20 – Instagram data scraping

  • Affected users: 49 million+
  • Industry or type: social media
  • Cause of breach: unsecured database

Millions of Instagram influencers had their personal data scraped and stored on an unsecured database by a Mumbai-based marketing firm. Many high-profile influencers were included in the database, including celebrities, food bloggers, and other popular personalities.

The personal data includes the following:

  • bio
  • profile information
  • personal phone number
  • personal email addresses

Facebook, which owns Instagram, disputes that users’ personal contact information could have been scraped.

May 15 – WhatsApp hack affects 1.5 billion users

  • Affected users: 1.5 billion
  • Industry or type: messaging app
  • Cause of breach: hack

In a sophisticated breach, WhatsApp, the popular messaging app owned by Facebook, reported a huge vulnerability in its systems. This breach could allow hackers to completely access users’ phones by simply calling the victim on WhatsApp.

The victim wouldn’t even need to answer it: the malicious code would be implanted by simply making a call. A WhatsApp spokesperson hinted that the malicious code could be from a private Israeli cyber company called NSO Group.

However, they have denied the allegations. It is unclear how many users have been affected so far.

May 15 – Evite’s major data breach

  • Affected users: 101 million
  • Industry or type: online services
  • Cause of breach: hack

The popular online invitation platform, Evite, notified its users that it had suffered a major data breach. Starting on February 22, 2019, an “unauthorized third-party” was able to gain access to their servers.

However, the invitation service states that no financial information or social security numbers were exposed. They also claim that no user information more recent than 2013 was held in the exposed file.

The breached user data includes:

  • names and usernames
  • email addresses and passwords
  • phone numbers
  • mailing addresses
  • dates of birth

May 1 – Failed Citycomp blackmail turned data breach

  • Affected users: unknown (more than 516 GB of data)
  • Industry or type: IT services
  • Cause of breach: hack

After failing to blackmail the German IT company Citycomp, which provides crucial IT services to many enterprise companies, a hacking group published a large set of data of some of its customers, including very well known enterprises.

Citycomp has more than 70,000 services and storage systems for its customers, including cash register systems and printers. The cyberattack happened in early April, and Citycomp was able to fight off the attack with the help of the German police. However, some of their customers’ data was stolen nonetheless.

The financial and private information of some popular clients was stolen, including:

  • Ericsson
  • MAN
  • Toshiba
  • UniCredit
  • British Telecom
  • VAG
  • Leica
  • Hugo Boss
  • Porsche
  • many others

April 29 – Unknown Microsoft Cloud server breach

  • Affected users: 80 million
  • Industry or type: online service
  • Cause of breach: unsecured database

Security researchers discovered an unsecured database that is hosted on a Microsoft cloud server. At the moment, the owner of this data is not known.

Nonetheless, the database contains the data of more than 80 million US households. This information includes:

  • names
  • addresses
  • age
  • dates of birth
  • geographic location

Other demographic information was also included. Hackers can use this information (in combination with other data stolen in various breaches) to steal money, do social hacking, or engage in other malicious activities.

April 25 – Atlanta Hawks ecommerce hack

  • Affected users: unknown
  • Industry or type: online store
  • Cause of breach: malicious code

The Atlanta Hawks’ online shop was compromised by hackers, who implemented credit card skimming code on the football team’s ecommerce site. The hackers were able to steal data from any purchases made on or after April 20, 2019. The code was identified by security researchers a few days later.

The data that was stolen includes:

  • customer name
  • customer address
  • credit card details

April 22 – Bodybuilding.com data breach

  • Affected users: 30 million
  • Industry or type: online store and forum
  • Cause of breach: phishing scam

The internet’s biggest online forum and ecommerce shop for bodybuilders and fitness enthusiasts, Bodybuilding.com, fell victim to a phishing attack that possibly ended up with more than 30 million of its monthly users’ data exposed.

The company wasn’t sure whether any of its customers’ or users’ data was stolen, but decided to notify its users anyways. The hack came from a successful phishing email received in July 2018. The hackers first gained access in February 2019 and Bodybuilding.com finished its investigation on April 12.

The data that could have been stolen includes:

  • name and email address
  • billing and shipping addresses
  • phone number
  • order history
  • biographical data
  • Bodybuilding.com communications

April 15 – Microsoft Email Services breach

  • Affected users: unknown
  • Industry or type: online service
  • Cause of breach: hack

According to a Microsoft email, a “limited” number of people using Microsoft’s web email services – including those with @msn.com or @hotmail.com – had their accounts hacked. The breach, which occurred between January 1 and March 28, has since been solved. But in that time, hackers were able to view users’:

  • email address
  • folder names
  • email subject lines
  • email contacts

The hackers were luckily unable to read any of the users’ email addresses, however. Nonetheless, the company is recommending that affected users should change their passwords.

April 4 – Facebook’s massive breach (again)

  • Affected users: 540 million
  • Industry or type: social media
  • Cause of breach: unsecured server (via third-party developers)

Deja vu in the modern era: Facebook (yes, them again) revealed that the records of 540 million of its users had been publicly exposed on Amazon’s cloud computing service. The breach was discovered by the UpGuard Cyber Risk team, who reported that multiple third-party Facebook apps had posted the records in plain sight.

The leaked data includes:

  • user IDs
  • friends data
  • photos
  • location data
  • check ins, etc.

April 4 – Georgia Tech data breach

  • Affected users: 1.3 million
  • Industry or type: university
  • Cause of breach: vulnerable web application

The world-renowned Georgia Institute of Technology (commonly referred to as “Georgia Tech”) revealed in early April that 1.3 million students and employees had their information exposed in a data breach.

The fault has been placed on a vulnerability in a web application. A hacker was able to access the database connected to the web app. The stolen information includes:

  • first and last names
  • Social Security numbers
  • addresses
  • dates of birth

April 3 – Toyota’s multiple breaches

  • Affected users: 3.1 million
  • Industry or type: automotive
  • Cause of breach: hack

Within the span of 5 weeks, the popular Japanese car company Toyota suffered two major data breaches. Toyota reports that hackers were able to breach its IT systems and thereby access information that belongs to some of its sales subsidiaries. The previous hack affected 1.3 million Toyota car buyers.

It isn’t clear what kind of information was stolen, although Toyota promises that no financial information was exposed.

March 31 – Earl Enterprise credit card leak

  • Affected users: 2.15 million
  • Industry or type: restaurant
  • Cause of breach: malware on POS systems

Earl Enterprise, the parent company for popular restaurants including Planet Hollywood, Mixology and Buca di Beppo, revealed that more than 2 million of their customers’ credit card numbers had been stolen. Security researchers at KrebsOnSecurity discovered that those numbers were being sold online. It is believed that malware was installed on the restaurants’ point-of-sale systems.

The stolen data includes:

  • credit card numbers
  • debit card numbers
  • expiration dates
  • some cardholder names

March 21 – Facebook password leak

  • Affected users: 100 million+
  • Industry or type: social media
  • Cause of breach: unencrypted passwords

On March 21, Facebook admitted that the passwords of hundreds of millions of its users had been stored in plain text on the company’s internal servers. While they claimed that their systems were supposed to encrypt passwords, more than 2,000 Facebook engineers and developers had easy access to hundreds of millions of users’ passwords.

The company said that it hadn’t found any evidence that this was abused by its employees. However, given the struggling social media giant’s years-long problems with transparency and truth, it’s best to assume that if yours is one of those exposed passwords, you should probably change it just to be safe.

March 14 – Gearbest (Chinese shopping giant)

  • Affected users: 1.5 million+
  • Industry or type: online shopping
  • Cause of breach: unsecured server

The Chinese online shopping giant, Gearbest, has apparently been storing user data on an unsecured server. Cybersecurity researcher Noam Rotem found an Elasticsearch server (the same as ones from above) that was leaking millions of users’ data each week.

Some of the leaked information includes:

  • purchased products
  • shipping address
  • customer information (name, email, phone number)
  • payment information
  • order numbers
  • account passwords
  • national IDs and passport information

Since being contacted about the unsecured server, however, Gearbest hasn’t responded or secured their server yet. This means that the true number of affected users is likely much more than 1.5 million.

March 7 – Verifications.io’s email marketing leak

  • Affected users: 809 million
  • Industry or type: financial
  • Cause of breach: unsecured server

Security researchers Bob Diachenko and Vinny Troia found an unprotected database that contained 809 million users’ personal information. The 150 gigabytes’ worth of data comes from an email marketing company called Verifications.io, which helps companies verify the email addresses they need for their email marketing campaigns. The data is a mix of individual customer and business intelligence information.

Leaked data ranges from standard user information (like usernames, email addresses, names, genders, etc.) to company names, revenue figures, and so on.

March 1 – Dow Jones Watchlist possible leak

  • Affected users: 2.4 million
  • Industry or type: financial
  • Cause of breach: unsecured server

The Dow Jones Watchlist that lists PEPs – “politically exposed persons,” or prominent individuals that have a higher financial risk for embezzlement, bribery or money laundering – was recently discovered to be hosted on an unsecured server. Security researcher Bob Diachenko found the sensitive information on a database that was available to anyone able to use an IoT search engine.

2.4 million records were contained in the database. Data included their connections, linked companies, national and government sanctions lists, related or connected crimes, and citations from federal institutions or law enforcement agencies.

February 22 – UConn Health

  • Affected users: 326,000
  • Industry or type: healthcare
  • Cause of breach: phishing

The University of Connecticut’s UConn Health fell victim to a data breach, when it was discovered that 326,000 users’ information was leaked. The breach was discovered on Christmas Eve. The leaked data includes names, birthdates, addresses, and some medical information as well as billing and appointment information.

1,500 users’ social security numbers were also leaked. UConn Health is also offering free identity theft protection for affected patients.

February 20 – UW Medicine

  • Affected users: 1 million
  • Industry or type: healthcare
  • Cause of breach: unknown (generic hack)

More health patients had their data stolen in 2019 – this time in a breach at University of Washington Medicine. In total, nearly 1 million (974,000) patients had their medical record numbers and other information leaked. Luckily, this healthcare-related breach wasn’t as severe as the others on this list: no medical records, financial information or social security numbers were included in the leak.

February 20 – Coinmama

Coinmama

  • Affected users: 450,000
  • Industry or type: cryptocurrency
  • Cause of breach: unknown (generic hack)

The Israel-based crypto exchange platform Coinmama informed its users in February of a larger hack that began in August 2017. (Yes, this is also part of the larger, 30-company hack.) 450,000 users’ names, emails and hashed (protected) passwords were stolen as part of the breach.

The hack, however, impacts only those users that signed up before August 5, 2017. No credit card details were included in the hack, since Coinmama doesn’t store those financial details.

February 20 – Advent Health Medical Group

 Advent Health Medical Group
  • Affected users: 42,000
  • Industry or type: healthcare
  • Cause of breach: unknown (hack)

Yet another data breach affecting a medical group. This time, the Advent Health Medical Group had 42,000 users’ sensitive personal medical data exposed in a 16-month breach that started in August 2017. Personal data that was leaked includes social security numbers, medical data, names, phone numbers and email addresses.

To help alleviate the possibility of identity theft, AdventHealth gave a year of free identity monitoring services.

February 15 – 500px

 500px
  • Affected users: 14.8 million
  • Industry or type: photo-sharing website
  • Cause of breach: hack

500px, a popular photo-sharing site, reported in February that someone had hacked their servers in July 2018. Nearly every account on the 500px service was affected, totaling 14.8 million accounts. The breach included the users’ first and last names, usernames, email addresses, and the following optional information: birth date, location, and gender.

Fortunately, no payment information or photos were included in the hack, since they aren’t stored on 500px servers. This hack is part of the larger hack affecting users from 30 companies.

February 14 – Coffee Meets Bagel

Coffee Meets Bagel

  • Affected users: 6 million
  • Industry or type: dating app
  • Cause of breach: unknown/hack

The popular dating app Coffee Meets Bagel had 6 million of its users impacted by a data breach. Apparently, the breach was part of a larger one that affected 841 million users of 30 websites or apps (many of which are on this list).

Luckily, while the breach is large in terms of how many users were affected, only names and email addresses were leaked. Coffee Meets Bagel reports that they don’t store financial information or passwords.

January 23 – Alaska DHSS

Alaska DHSS

  • Affected users: 100,000
  • Industry or type: healthcare
  • Cause of breach: malware

Alaska’s Department of Health and Social Services (DHSS) revealed in January that more than 100,000 Alaskans had their personal data stolen in an April 2018 cyberattack. This is one of the many instances in which users’ data was stolen due to weak medical/healthcare security.

The stolen information includes health information, benefit information, income, dates of birth, social security numbers, names and much more.

January 17 – Collection #1

Collection #1
  • Affected users: 773 million
  • Industry or type: multiple sources
  • Cause of breach: unknown

Considered one of the largest data breaches of all time, the Collection #1 data breach affected nearly 773 million users. Have I Been Pwned’s Troy Hunt first informed the world about the mega data breach. Worst of all, some of the more than 22 million unique passwords had been “dehashed,” meaning their hashes had been cracked and converted back to regular, plain text.

January 11 – Managed Health Services of Indiana

 Managed Health Services of Indiana
  • Affected users: 865
  • Industry or type: healthcare
  • Cause of breach: phishing

More than 30,000 Indiana patients had their protected health data compromised after an employee of a third-party contractor fell victim to a phishing attack. The employee worked at LCP Transportation, which is a partner of Managed Health Services (MHS) of Indiana.

Having gained access to LCP email accounts, the hackers were able to see MHS patient data, which included email addresses, names, insurance ID numbers, addresses, medical condition information, and dates of birth.

January 3 – German government breach

German government breach
  • Affected users: 865
  • Industry or type: government officials
  • Cause of breach: weak passwords

One of the highest-reaching data breaches affected Germany in the first few days of 2019. Victims of the hack include German Chancellor Angela Merkel herself, whose fax number and email addresses had been leaked. The leak also impacted more than 860 politicians, most of whom are from Merkel’s party.

The hacker, who was later arrested, said that the passwords made his job much easier. Passwords included “ILoveYou,” “1,2,3,” etc.

January 3 – Town of Salem

Town of Salem
  • Affected users: 7.6 million
  • Industry or type: browser-based gaming
  • Cause of breach: unsecured server/weak admin password

The browser-based game Town of Salem by BlankMediaGames (BMG) revealed that 7.6 million users’ personal details had been stolen. According to a Reddit post, one of the hackers stated that it was pretty easy to get into the server by exploiting a weakness in a server, as well as one of the admins reusing an already exposed username and password.

The stolen information includes usernames, email addresses, passwords, IP addresses, game activity, and premium features (without payment information).

January 2 – Blur

Blur
  • Affected users: 2.4 million
  • Industry or type: cybersecurity
  • Cause of breach: unsecured file or server

Blur, the password manager that’s supposed to help keep your data safe and secure, had 2.4 million users’ information leaked. Users affected were those who registered with Blur before January 6, 2018. The exposed information includes email addresses, names, password hints, IP addresses, and encrypted passwords.

Users have been urged to change their passwords and enable two-factor authentication.

January 1 – Australian government gets phished

Australian government gets phished
  • Affected users: 30,000
  • Industry or type: government
  • Cause of breach: phishing

Less than one day after the New Year began, it was reported that approximately 30,000 Australian government officials had their information stolen. A government employee in the Australian state of Victoria was the victim of a phishing attack, leading to a directory being downloaded by a hacker.

The data that was stolen includes work emails, phone numbers, and job titles. Luckily, the directory didn’t have any financial information. Therefore, the severity level is low.

6 comments


  1. Stu Frederick
    Stu Frederick October 12, 2019 at 5PM

    Can I request information about how my bank account got hacked? Currently under fraud investigation. My account is frozen and will remain so until it is resolved. This is not the first time either. Now I have to go in and open a new account. I use long random passwords, VPN, and next gen Secure Router with redundant endpoint.



  2. Alin Carter
    Alin Carter August 16, 2019 at 11AM

    VPNs are the ultimate security tool for your web security needs. FastestVPN was rightfully voted as the best VPN for Windows by numerous individuals. However, their main area of success comes from being the best Kodi VPN due to their unique ability to access geo-restricted add-ons, for no additional costs.



  3. TomofEC
    TomofEC June 10, 2019 at 3PM

    Changing your password because of the verifications.io breach doesn’t make sense.



  4. oblongsquare
    oblongsquare April 26, 2019 at 10AM

    One word: SCARY! I don’t think I’d ever use the same email and login details for Facebook again.



  5. 1267has78
    1267has78 April 2, 2019 at 5AM

    Facebook’s data leakage is one of the most shameful in history and it emphasizes the use of VPN.



  6. hownatureworks
    hownatureworks March 28, 2019 at 3AM

    Man, I played Town of Salem! I know some people who were affected by that breach. It’s so stupid that we have to worry about this garbage. People who do this breach stuff really need to get a life and mind their own business. They’re just greedy and bored.

