Largest Data Breaches in 2019

Chad Hammond

2019 was the worst year for cybersecurity, with 5,183 reported data breaches and 7.9 billion records exposed worldwide. An average data breach could cost up to $3.92 million, including fines, damage control, and lawsuits. Let’s have a look at the largest data breaches of 2019.


2019 was yet another difficult year for Facebook with several data breaches and more than 800 million records exposed. While it’s still the most popular social network in the world, Facebook is losing its credibility.

The biggest data breach contained 540 million records that were stored on Amazon cloud computing service for everyone to see. The data included account names, IDs, reactions, and comments. However, it’s still not clear how many users were affected.

Facebook-owned Instagram also had a fair share of cyber incidents. In April, Facebook admitted storing millions of passwords of Instagram users on its servers in a readable format. The company informed users about the flaw and assured that passwords were not accessed or misused by any wrongdoers.

First American Financial Corporation

The real estate title insurance company First American Financial Corporation leaked nearly 900 million records, including bank account numbers, statements, tax records, social security numbers, and driving license images. All the data, which dates back to 2003, was available on the First American website, and anyone could access it without any authentication.

According to the company's spokesperson, the leak happened because of design error in an application. Users were advised to freeze their credit at major credit bureaus so that no unauthorized parties could take loans in their names.


139 million users of the Sydney-based graphic design platform Canva had their passwords, usernames, real names, emails, cities, and country data stolen.

Right after the attack, a hacker group known as GnosticPlayers contacted ZDNet, a business technology news website, to claim responsibility for the hack. They’d already done that in the past: the group is known to attack major companies and put their data for sale on the dark web. Cybersecurity experts believe that media coverage helps the hackers promote the stolen databases.


Truecaller is a smartphone application for calls and messaging with more than 200 million users. The data stolen from the company, mostly of Indian citizens as they constitute two-thirds of the global user base, was found in various hacking forums on the dark web. The hackers were selling the Indian users' data for around $2,000, while the price for the data from other countries came to a much higher $27,000.

Truecaller admitted the security incident. However, it denied that any personal or financial information of their users had been extracted from the company’s databases.


In 2019, MongoDB faced two large data breaches, with almost 500 million user data exposed.

Bob Diachenko, a cybersecurity expert, found an 854-gigabyte MongoDB database on the public web. It contained 202 million records of job candidates from China, including their names, work experience, addresses, marital status, and other personal details.

Several months later, Diachenko discovered another unsecured database with sensitive information of 275 million Indians. The records included current employers, salaries, phone numbers, and employment history. However, there were no clues on who owned the database, even though it was accessible for two weeks.


Orvibo operates a smart home device management platform and supports millions of IoT devices. Security researchers discovered an open database with more than 2 billion records of its users from around the world. The information contained everything from password reset codes to camera-recorded conversations.

As Orvibo creates smart home systems for private users and businesses, the consequences of this breach could be far-reaching. As for now, there is no evidence of any criminal organization taking advantage of the leak.

Capital One

Capital One data breach affected more than 100 million people in the US and Canada. And unlike the cyber incidents mentioned above, this one was internal.

Paige Thompson, a former employee of Amazon Web Services (AWS) whose cloud hosting Capital One was using, managed to break into one of its servers. She gained access to customers’ social security numbers, names, addresses, balances, and other valuable information. She then tried to share this data online, but bank officials claim that it’s unlikely this information was used for any fraud.

How to secure your information

You are never sure when your personal data gets leaked and ends up in some unprotected database. Data breaches happen every day, and we can’t do much about it. However, we can change our password habits to cut our losses in case of any cyber incidents.

Never use the same password across different platforms as that puts all of your accounts at risk. We recommend using a password manager, like NordPass, which generates strong passwords, stores them, and autofills online forms.

If your hashed login details appear online one day, NordPass will let you be sure that wrongdoers won’t be able to crack them. And even if they did, the rest of your passwords would remain secure — as NordPass makes it so easy to make them unique for each account.

Subscribe to NordPass news

Get the latest news and tips from NordPass straight to your inbox.