
The 7 Biggest Data Breaches of All Time, and What to Do If You’re Exposed


Shane Murphy·Mar 26, 2026·13 min read

If you invest online, you already know the obvious risks. Stocks fall. Crypto melts down. A hot trade at market open turns into a lesson in humility by lunch.

The less obvious risk is that your financial life now lives across a ridiculous number of platforms. Your bank has part of it. Your employer has part of it. Your health insurer has part of it. Your hotel loyalty account has part of it. That investing app you downloaded during a bull market and forgot about has part of it too. So does your old email account, which is still quietly serving as the reset key for everything else.

And this is not some niche cybersecurity problem for people who say “infrastructure” with a straight face. In 2024, consumers reported losing more than $12.5 billion to fraud, and investment scams alone accounted for $5.7 billion, the biggest category. Public companies now generally have to disclose material cyber incidents quickly, and SEC Chair Gary Gensler said, “Whether a company loses a factory in a fire or millions of files in a cybersecurity incident, it may be material to investors.”

That is why the old breach headlines still matter. Each one gave up a different piece of normal life people assume is boring and therefore safe: an old inbox, a credit file, a hotel profile, a health-insurance record, a linked bank account, a brokerage customer list, a crypto account file. Read them back to back and the pattern gets pretty uncomfortable. These are not just giant corporate mistakes. They are case studies in how regular people end up spending their weekends freezing credit, changing passwords, and explaining to customer support that no, they did not authorize that. The SEC has specifically warned that details such as Social Security numbers, phone numbers, email addresses, account numbers, and usernames and passwords can all be used to compromise financial accounts.


1. Yahoo: The dead inbox that still has access to your adult life

Yahoo’s 2013 breach remains one of the most absurd numbers in tech history. In 2017, the company said all 3 billion accounts had been affected. Reuters reported that the stolen data included backup email addresses and security questions, and Verizon later cut $350 million from the price it paid for Yahoo’s core business after the fallout. Bank data was not exposed, but that is not really the point. Yahoo was sitting on the kind of account-recovery information that becomes useful the second somebody else gets hold of it.

This is why Yahoo still matters to ordinary people. Email is not just email. It is the reset button for half your adult life. A dusty old inbox you have not checked in years can still be the recovery address for your bank, your tax software, your streaming subscriptions, your phone account, or the email account that protects everything else. So when people hear “Yahoo breach” and think “ancient history,” what they should really hear is “there may still be a back door into something important.” That is a much less relaxing sentence. This is an inference from the kinds of recovery details Yahoo lost and the SEC’s warning that email addresses and usernames tied to sensitive accounts are valuable targets.


2. Equifax: The company that lost your identity and kept the branding somehow

Equifax is still the cleanest example of why a data breach is not just a bad headline with a settlement attached. In 2017, the company disclosed that attackers had compromised the personal information of 147 million people, including Social Security numbers. Reuters later reported that Equifax agreed to pay up to $700 million to settle the fallout.

The important part is not just the scale. It is the type of information. A name, date of birth, address, and Social Security number are not passive facts. They are permissions. They can help someone impersonate you, answer verification questions, open accounts, or sound legitimate enough to get past a support script. That is why Equifax still hangs over breach coverage years later. Once enough identity data is out there, the next problem may not look like a dramatic “hack” at all. It may look like fraud paperwork, a fake loan application, a new account you never opened, or somebody else being treated like you by systems that really should know better.


3. Marriott: Turns out your hotel profile was not harmless

Marriott’s Starwood breach looked like a hotel story right up until people noticed what was actually stolen. Reuters reported that the breach ultimately exposed fewer than 383 million customer records, and that compromised data for 327 million guests could include passport details, phone numbers, and email addresses. Reuters also reported that 25.55 million passport numbers were involved, including 5.25 million stored in plain text.

Why does this matter to everyday people? Because travel data is incredibly useful. It can reveal how you travel, where you stay, how to reach you, and in some cases hand over passport information too. That makes targeted scams much more believable. A generic fraud attempt is annoying. One that knows your travel habits, your email, and your phone number is much harder to brush off. Marriott mattered because it showed that some of the most valuable fraud material lives in places people do not think of as financially dangerous. Your hotel profile may look boring. To a scammer, it is research.


4. Anthem: Proof that “not financial data” is one of corporate America’s favorite half-truths

Anthem’s 2015 breach compromised personal information tied to about 79 million people. Reuters reported that the exposed data included names, birthdays, Social Security numbers, addresses, email addresses, and employment and income information. Anthem later agreed to a record $115 million class-action settlement.

This is where companies love to say something soothing like “no credit card data was exposed,” as if that settles it. It does not. If someone has your Social Security number, date of birth, address, email, and employment details, they do not need your debit card to start causing trouble. They already have the raw material. Anthem mattered because it showed how fast so-called non-financial data becomes a financial problem. Identity theft does not care whether the source was a health insurer, a bank, or an app you downloaded because the sign-up flow looked clean. If the information helps somebody impersonate you, it matters.


5. Capital One: The one that got uncomfortably close to the money

Capital One’s 2019 breach still lands harder than most because the data stack feels so familiar. Reuters reported that the incident affected more than 100 million people in the U.S. and Canada, including about 140,000 Social Security numbers, 80,000 linked bank account numbers, and about 1 million Canadian Social Insurance numbers. Reuters also reported that the OCC later fined the bank $80 million, saying it had failed to adequately manage risk as it moved some operations to the cloud.

This is the breach that feels closest to the way modern life actually works. You open an account. You upload documents. You link your bank. You connect outside services. You let apps talk to each other because everything is designed to feel frictionless right up until friction would have been extremely useful. Capital One showed how convenience can turn into exposure very quickly. Application data, identity details, linked-bank information, and cloud infrastructure all sitting together is great when everything works. It is less charming when it does not.


6. Robinhood: One support employee, five million email addresses

If the first five breaches feel a little historical, Robinhood is where the story starts to feel very current. Reuters reported that in 2021, a third party obtained the email addresses of about 5 million customers and the full names of about 2 million more after socially engineering a customer-support employee. Robinhood said it believed no Social Security numbers, bank account numbers, or debit card numbers were exposed.

That is still plenty bad for regular people. You do not need a full password dump for your life to get more complicated. Names and email addresses tied to a financial account are useful because they make future phishing attempts more credible. They tell an attacker which inbox to target and how to sound official when they show up pretending to be “security.” Robinhood mattered because it showed how one human weak point can create a very modern headache for millions of people who now have to wonder whether the next alert in their inbox is real or just somebody trying their luck.


7. Coinbase: The breach that made the follow-up scam the real event

Coinbase pushed the story forward in 2025. Reuters reported that the company warned of a potential $180 million to $400 million hit from a cyberattack in which criminals stole some customer data, including names, addresses, and emails, after bribing contractors and employees in support roles outside the U.S. Reuters also reported that Coinbase said login credentials and passwords were not accessed, but that it would reimburse customers who were tricked into sending funds to attackers.

That last detail is the whole story. Sometimes the breach is not the full loss event. Sometimes the breach just gives criminals enough information to run a much better scam afterward. That is what makes the Coinbase case so useful for ordinary readers. It makes the modern fraud chain visible. First comes the data leak. Then comes the targeted outreach. Then comes the attempt to get the victim to do something irreversible. It is less “mastermind cracks vault” and more “stranger knows just enough about you to sound official on the phone,” which is somehow both less dramatic and more insulting.


Welcome to the unpaid risk manager era

This is the part companies always undersell. A breach does not just threaten your identity. It gives you chores.

The Identity Theft Resource Center said the U.S. recorded a record 3,322 data compromises in 2025, up 79 percent over five years, and that financial services was the most-breached industry, with 739 compromises. It also found that 80 percent of surveyed consumers had received at least one breach notice in the previous 12 months, and 88 percent of those who received a notice reported at least one negative consequence, including more phishing attempts, more spam, or attempted account takeover. James E. Lee, the ITRC’s president, put it neatly: “Consumers must move from reacting to acting.” He is right. It is also hard to miss the subtext, which is that millions of normal people are now expected to become the part-time security department for data they never asked to manage in the first place.

The time cost is real too. Javelin said the average amount of time consumers spent resolving identity-fraud issues in 2023 jumped to nearly 10 hours. That may not sound dramatic until you remember what those hours actually are: password resets, fraud alerts, support calls, statement reviews, and proving you are yourself to systems that should probably have figured that out already. It is not cinematic. It is just deeply annoying, which is almost worse.

That is the hidden bill. Not just the money. The admin. The lost time. The fact that your Saturday disappears because a company you barely remember using sent you a carefully sanitized email about “suspicious activity involving your information.”


What to do if you get the email

At some point, a lot of people are going to get it.

A company recently became aware of suspicious activity involving your information.

The tone will be calm. The wording will be sterile. The timing will be terrible.

When that email lands, do not treat it like one more corporate apology to skim and ignore. The FTC says that if your personal information was exposed in a data breach, you should go to IdentityTheft.gov for steps to protect your identity, and it says credit freezes and fraud alerts can help protect you by making it harder for scammers to open new credit accounts in your name.

Start with the basics. Change the password for the affected account, and if you reused that password anywhere else, change those too. Then consider freezing your credit if high-value identity data was exposed. That is not overreacting. It is maintenance. The FTC explicitly says credit freezes and fraud alerts can help stop people from opening new accounts in your name. The ITRC also says freezing your credit is one of the “foundational requirements for digital safety.”

Treat your email like a financial account. If your main inbox is also the recovery email for your bank, phone carrier, tax software, and everything else, you have concentrated too much risk in one place. Tighten the inbox security. Review recovery settings. Be suspicious of any “urgent” security message that wants you to click first and think later. This is a practical inference from how account recovery works and from the SEC’s warning that email addresses, phone numbers, usernames, passwords, and financial account details all matter in breach scenarios.

Move away from text-message verification where you can. The FTC warns that text verification may not stop a SIM-swap attack and says people concerned about SIM swapping should use an authentication app or a security key for sensitive accounts. In 2026, relying on text messages alone to protect important accounts is starting to feel a little optimistic.

Watch for account changes, not just missing money. The SEC tells people to monitor their accounts for suspicious activity and to look for changes they do not recognize, including a new address, phone number, email address, account number, or external banking information. That matters because the damage often starts before money disappears. First the contact info changes. Then the reset requests start. Then the real mess begins.

And if somebody asks for your verification code, the FTC’s guidance is refreshingly blunt: “Anyone who asks you for your account verification code is a scammer.” That is one of the few modern slogans that deserves universal adoption. Hang up. Block the number. Do not negotiate with the chaos.


The bottom line

The seven breaches above are not memorable just because the numbers were huge. They matter because each one exposed a different weak point in ordinary life. Yahoo exposed the old inbox that still controls your resets. Equifax exposed the identity details that let people pretend to be you. Marriott and Anthem showed that “non-financial” companies can still hold exactly the information a fraudster wants. Capital One got disturbingly close to the banking layer. Robinhood and Coinbase showed how easily modern scams can be personalized once customer data is loose.

You can recover from a bad trade. Recovering from compromised access is usually slower, more invasive, and much more annoying. It also tends to begin with the driest email imaginable. A company recently became aware of suspicious activity involving your information. By the time you read it, the inconvenience has already started.

