So much private data was siphoned off by hackers or leaked due to negligence in 2018 that we’ll dub it “The Year of the Data Breach.” It’s a terrible name, too: not only is it as catchy as a Doctoral thesis statement, but it’s also stupid – who here doubts that next year will also be the year of the data breach?

Anyway, in the hope that we can hammer some sense into the heads of large database administrators through endless repetition, we are sharing our rundown on the top 10 biggest data leaks and breaches of 2018.
Top 10 - Facebook

The “View As” vulnerability

  • Number of users affected: 30 million
  • When it happened: started 2017; discovered 2018

This year has been one of the worst for Facebook: share prices between last year and now fell by almost 25%. And with good reason! It’s been scandal after scandal and the end probably isn’t even close. Just a few days ago there was news about Android apps sharing data with Facebook for no valid reason.

But this is the big one – approximately 30 million people’s private information was stolen as a result of a complex and coordinated attack. The type of data exposed varied from account to account and in some cases included the person’s username, contact details, gender, language, relationship status, religion, hometown, current city, birthdate, devices used to access Facebook, education, work, the last 10 places they checked into, website, pages followed, and 15 recent searches.
Top 9 - Panera bread

The website leaks

  • Number of users affected: 37 million
  • When it happened: started 2017; disclosed 2018

Not the most devastating leak in number terms, but particularly notable due to the level of negligence. Halfway through 2017 Panera Bread was contacted by security researched Dylan Houlihan, who informed the company that their website leaks user data in plain text, including names, email addresses, street addresses, dates of birth, and parts of the card number used to make a purchase. Anyone who had created an account to order food through Panera’s website was exposed.

That’s bad enough, but what’s even worse is that instead of taking action or at least investigating the issue Panera wrote it off as some sort of scam. The result – private data of 37 million people exposed.

Top 8 - Chegg

Database hacked

  • Number of users affected: 40 million
  • When it happened: April – September 2018

Chegg is an education technology company and generally seen as “one of the good guys,” which, on all accounts, they are. However, in this cut-throat world, not even the good guys are safe from cybercriminals. And so it came to pass that a database containing Chegg (and related product) data was hacked.

The hack affected the data of approximately 40 million users and included usernames, passwords (, names, email addresses, and street addresses. According to Chegg, the passwords were not stored in plaintext, but it isn’t clear what cipher was used for encryption, so it’s also unclear whether they are safe or not. The hack was noticed in September of this year.
Top 7 - google+

API bugs shuffle off the social network’s mortal coil

  • Number of users affected: 52.5 million
  • When it happened: started as early as 2015; discovered 2018

The troubled social media network, Google Plus, will close in April 2019. Some might say it was born in a coma and they would be right as rain. Either way, the demise of Google Plus comes in the wake of a couple of huge data breaches due to API bugs. Collectively, the vulnerabilities have exposed the data of approximately 52.5 million users. The data includes contact details and lots of profile information.
Top 6 - MyHeritage

The service sings the song of its people (to hackers)

  • Number of users affected: 92 million
  • When it happened: 2017; disclosed May 2018

The actual breach occurred on 26 October 2017 but was only noticed when a security expert sent the Israel-based company a file containing the usernames and hashed passwords of 92,283,889 people. Fortunately, other kinds of personal information you might expect to leak from MyHeritage were on a different database. It is uncertain how the breach happened.
Top 5 - Quora

Interesting personal answers on Quora

  • Number of users affected: 100 million
  • When it happened: discovered November 2018

According to Quora, the 100 million users affected do not constitute the Q&A giant’s entire user base, but experts say it must be awfully close. Quora data breach, which was noticed on November 30. This is one of the worse breaches for user privacy due to how much user data was exposed – names, usernames, emails, IP addresses, encrypted passwords, account settings, personalization data, public actions and content, data imported from linked networks, etc.
Top 4  - myfitnesspal

Under the armour of Under Armour

  • Number of users affected: 150 million
  • When it happened: February 2018

One of the top data breaches in 2018, but it could have been a lot worse. Under Armour, the company behind the nutrition app MyFitnessPal noticed that an “unauthorized party” had managed to access user data on 25 March, but the breach seems to have happened in February. That doesn’t give the hackers too much time to work the data of those 150 million affected users. Also, it was only usernames, email addresses, and hashed passwords, rather than the more sensitive data types. The most unfortunate detail is that some of the passwords had been hashed using the SHA-1 function, which isn’t very difficult to break.
Top 3 - Exactis

Identity theft for dummies with Exactis

  • Number of users affected: 340 million
  • When it happened: noticed June 2018

The Exactis leak is quite the wake-up call. We have serious doubts that the overwhelming majority of people has ever even heard the name “Exactis,” and yet they have data on almost every person in the United States. This isn’t a breach, but Exactis had “left” data on hundreds of millions of people and millions of businesses on a publicly accessible server. The data included email addresses, street addresses, contact details, interests, various personal details, etc. While it’s unclear whether anyone malicious actually got their hands on the data, it’s still terrifying that they could have.
Top 2 - Marriot Starwood

Your Marriott Starwood reservation has been confirmed… and stolen

  • Number of users affected: 500 million
  • When it happened: perhaps as early as 2014; discovered September 2018

One of the worst breaches of 2018, although part of the reason it’s so bad is that it began as far back as 2014. Hackers gained access to a database containing the Marriott Starwood hotel reservations of around 500 million customers – that’s a lot of rich people. That’s not even the worst part, either. Get this: the information included names, addresses, dates of birth, gender information email addresses, passport numbers, encrypted credit card numbers and perhaps even the key to decrypt them.
Top 1 - Aadhaar

Unlocking the mysteries of India

  • Number of users affected: 1.1 billion
  • When it happened: unclear; discovered in March 2018

Cybersecurity writers love Aadhaar because it has been the source of many an embarrassing story over the years. Most recently, data on the national ID service’s 1.1 billion (yes, BILLION) users became available to anyone through a data leak on Indane, a state-owned utility company. The data in question includes names, unique 12-digit ID numbers, and other sensitive personal details. Needless to say, someone is having a lot of fun with all that juicy data as we speak!

Final thoughts

In the end, there are a few things left to ponder. Firstly, we could‘ve gone to #20 and stayed in the millions. Secondly, the situation is going to get worse as the internet envelops ever more of our daily lives. Most importantly, this is only the visible part of these data breach/leak situations – it’s important to realize that people are not engaging in cybercrime for no reason. All this user data is being used in various schemes, making real money for real people. The sooner this image is alive in our public imagination, the sooner we can take cyber security seriously.