Security Scorecard

A Look Back at the Top Data Breaches of 2021

Posted on December 23rd, 2021

This past year was a banner year for cybercriminals. By the end of September, the Identity Theft Resource Center (ITRC) reported that the number of breaches that had taken place over the first three quarters of 2021 had exceeded the total number of breaches in 2020.

Among those breaches were some big ones, most notably the Colonial Pipeline ransomware attack which took place in May, causing gas shortages throughout parts of the U.S., a LinkedIn breach that impacted 700 million users, and a state-sponsored attack on Microsoft in early spring.

What were the top breaches in 2021? Let’s look back at the top 20 cyber attacks that made headlines in the last year (that we know about so far) and the records that were impacted. The below 20 breaches are by no means a comprehensive list. Reports of breaches for the last quarter of the year are still being compiled, and some attacks may not have been identified yet. The list also doesn’t take into account incidents like the SolarWinds attack of 2020, the impact of which is still being felt.

1. Socialarks

Number of records impacted: 214 million

In January, Chinese social media management company Socialarks suffered a huge data leak, leading to the exposure of over 400GB of personal data from social media platforms including Facebook, Instagram, and LinkedIn. The breach included the information of several celebrities and social media influencers.

2. Accellion

Organizations affected: More than 100

Accellion released four fixes in January to address weaknesses that had been used by malicious attackers to attack clients via their File Transfer Appliance service. This happened a month after Accellion identified a zero-day weakness in the same service and published a patch to remedy it. It turned out to be too little, too late. Criminals — including ransomware group Clop and financial crime group FIN11 — leveraged the vulnerabilities both before the patch was released and afterward, when some organizations didn’t apply the patches right away. It’s difficult to know exactly how many organizations have been impacted to date because although 17 clients came forward early to announce they’d been breached, others — like managed service provider Guidehouse, Inc. — are also vendors. Their clients were breached as well. Organizations were coming forward as late as July to say that they too had been breached. Among the affected organizations are Shell, Kroger, Morgan Stanley, and other companies and government agencies.

3. ShinyHunters: Wave 3

Records leaked: 129.4 million

In late January, a cybercriminal group going by ShinyHunters started posting stolen databases from at least 10 companies in hacker forums. The January breaches included Pixlr, a free web-based photo-editing application, dating site MeetMindful, tee shirt site TeeSpring, and at least seven other organizations. While ShinyHunters has made headlines for selling information on the Dark Web, the stolen databases were leaked for free. The stolen information contained user data, such as names, email addresses, hashed passwords, dates of birth, and financial information.

4. The Astoria Company

Number of records impacted: 30 Million

It’s uncertain whether this breach is related to ShinyHunters or simply coincided with the ShinyHunters Hack, but in January, 10 million customers of lead generation firm The Astoria Company had their Social Security numbers, bank accounts, and driver’s license numbers exposed. In addition, more than 10 million Astoria customers had information from other fields exposed in the breach such as credit history, medical data, home, and vehicle information. Likely perpetrated by a malicious insider, the leaked Astoria data also contained email transaction logs showing sensitive user information being transferred, unencrypted, via email.

5. Microsoft

Servers affected: 250,000

On March 2, Microsoft announced that it had been the target of a state-sponsored cyber-attack by the Chinese hacker organization Hafnium. The attack, which started in January, targeted Microsoft Exchange. Attackers spent about three months with access to the email inboxes of millions of people. The attack affected more than 30,000 organizations in the United States, including government agencies, 7,000 servers in the United Kingdom, as well as the European Banking Authority, the Norwegian Parliament, and Chile's Commission for the Financial Market (CMF).

6. Twitch

Number of records leaked: 5 Billion

Another long-running attack affected Amazon’s streaming service Twitch. The attack started when criminals saw an opportunity in a human error made by personnel configuring a server. Between January and June, 5 billion private business records were leaked.

7. ParkMobile

Number of records impacted: 21 Million

Mobile parking app ParkMobile announced in March that, due to a vulnerability in third-party software that the company uses, they’d experienced a breach. The records of 21 million users, including license plate numbers, email addresses, phone numbers, and vehicle nicknames, were accessed and shared on a Russian-language crime forum.

8. IDC Games

Number of records impacted: 4 million

In March, a database of IDC Games was shared on a dark web forum. The leak included 4 million records, including usernames, email addresses, and hashed passwords.


9. ClearVoice

Number of records impacted: 15 million

Market research survey company ClearVoice learned in April that an unauthorized user had posted a database online containing profile information of survey participants from August and September 2015 and was offering information to the public for purchase. The stolen data included 15 million unique email addresses across more than 17 million rows of data that also included names, physical and IP addresses, genders, dates of birth, and plain text passwords.

10. Reverb

Number of individuals affected: 5.6 million

In April, a database from Reverb, an online marketplace for musical instruments, was discovered on the dark web. The database included user data such as names, email accounts, geographical addresses, contact information, order count, PayPal account emails, and IP addresses.

11. Colonial Pipeline

States reporting fuel shortages: 5

In May, Colonial Pipeline, one of America’s largest oil and gas companies, was breached in a ransomware attack that temporarily halted the pipeline’s operations, causing an energy crisis in five U.S. states, with people waiting in line at gas stations and stockpiling fuel throughout the Southeast U.S. The airline industry was also affected, thanks to a related shortage of jet fuel. The attack, which was initiated by criminals affiliated with Darkside, was declared a public security threat.

12. Android

Number of records impacted: 100 million

In May, the personal information of more than 100 million Android users was exposed, thanks to configuration errors of the company’s cloud services.

13. JBS

Impact: Worldwide beef shortage

In May, JBS, a Brazilian meat processor and America’s largest source for beef and pork, discovered that ransomware group REvil had compromised its networks. The attack forced a shutdown of all the company’s plants and drove up meat prices worldwide. JBS reportedly paid the $11 million ransom.

14. Volkswagen & Audi

Number of records impacted: 3.3 million

In June, it was announced that the personally identifiable information of 3.3 million customers of Volkswagen and Audi had been exposed. This information included addresses, email accounts, mobile numbers, and information regarding automobiles purchased, leased, or inquired about, as well as vehicle reference numbers, makes, types, years, colors, and trim packages. Additional information, including driver’s license numbers, dates of birth, social security information, and financial information, was exposed for 90,000 people in the United States.

15. LinkedIn

Number of records impacted: 700 million

In June, data associated with 700 million LinkedIn users was posted on a dark web forum by a criminal calling themselves “God User.” The breach impacted more than 90% of LinkedIn’s users, although God User claimed to be selling the full 700 million LinkedIn customer database. LinkedIn claimed no sensitive data had been impacted, but samples showed that email addresses, phone numbers, geolocation records, genders, and other social media details were included in the breach. The breach prompted a government investigation.

16. T-Mobile

Number of records impacted: 40 million

In August, millions of T-Mobile customer records were put up for sale on the dark web. The leaked records included names, dates of birth, Social Security numbers, and driver’s license/ID information of current, former, or prospective T-Mobile customers.

17. IndiaMART

Number of records impacted: 38 million

In August, 38 million records from Indian e-commerce company IndiaMART were discovered on a popular hacking forum. The data included over 20 million unique email addresses, names, phone numbers, and physical addresses.

18. Neiman Marcus Group

Number of records impacted: 4.35 million

In September, Neiman Marcus Group learned that cybercriminals had obtained the personal information of 4.35 million customers after an attack. According to the department store, approximately 3.1 million payment and virtual gift cards were affected, more than 85 percent of which are expired or invalid.

19. CoinMarketCap

Number of records impacted: 3.1 million

In October it was discovered that 3.1 million email addresses with accounts on the cryptocurrency market capitalization website CoinMarketCap were being traded on hacking forums. It's unclear how the information was obtained, and CoinMarketCap is currently conducting an investigation.

20. CyberServe

Number of records impacted: 1.1 million

Israeli hosting provider CyberServe was breached and ransomed in October before their customer data was publicly released by a group known as "Black Shadow". Because multiple different sites were involved in the breach, including LGBTQ dating site Atraf and the Machon Mor Medical Institute, the impact of this breach was widespread.

How can SecurityScorecard help?

One thing many of the above breaches have in common is that they were discovered by third parties. These people blew the whistle on breaches after seeing hacker chatter and leaked credentials on the dark web. In some cases, those reports were lucky accidents – right place, right time. Fortunately, you don’t need luck to detect leaked information.

SecurityScorecard’s ratings platform collects publicly available data from across the internet and aligns that information to ten groups of factors, including IP reputation, DNS health, web application security, endpoint security, network security, patching cadence, leaked credentials, social engineering, and hacker chatter. SecurityScorecard’s continuous monitoring capabilities provide meaningful alerts that enable you to mitigate threats and strengthen your cybersecurity posture.

Incorporate security ratings into your 2022 plans to stay ahead of risk. Claim your free Scorecard and see your organization's security posture.
