Data has become one of the most treasured resources in the world. Businesses that rely on digital technology driven by data are perhaps the most influential companies in the world, triggering continuing discussions about antitrust regulation, digital privacy and more.

In a data breach, personal information is compromised, exposed and/or stolen without permission. Big companies such as Marriott and Yahoo have become the subject of controversial discussion over cyber risk exposure. At the end of the day, data breaches can affect businesses of all sizes in a wide array of ways.

Despite the tremendous value controlled by these big corporations, even companies such as Facebook are susceptible to the effects of cybercrime. Given the value of data and the predictability of cyber risk, the best thing companies can do to mitigate the consequences of a data breach is to execute a comprehensive risk management process for recognizing, controlling and acknowledging a data breach. Here is a list of ten of the worst data breaches in 2019:

Top 10 Biggest 2019 Data Breaches

  • Facebook

Facebook's is considered one of the biggest data breaches of 2019, with more than 500 million records exposed after user names, IDs and passwords were found on unprotected servers. Facebook also acknowledged storing millions of Instagram users' passwords in an insecure plain-text format. This data breach was due to two third-party developed Facebook app databases, one of them exposed through an Amazon S3 bucket.

  • WhatsApp

It is still unclear how many users were actual victims of this attack. Cyber attackers installed surveillance technology on the phones of WhatsApp users who answered their phone calls through the app. The company released a new update to fix this issue and protect its 1.5 billion worldwide users from future attacks.

  • Capital One

The Capital One attack involved over 100 million users who had applied for credit cards. Personal information was stolen from American and Canadian citizens. The company says the applications the hacker gained access to contained the personal information of consumers, including names, addresses, mail addresses, phone numbers and dates of birth. Social Security numbers were compromised for roughly 140,000 U.S. credit card users who had linked their bank account numbers.

  • Dubsmash

Dubsmash, a video messaging app, revealed that hackers stole the data of approximately 160 million users, including email addresses and hashed passwords. Because the passwords are hashed, they must be cracked before they can be used. This breach included over 600 million accounts from 16 hacked websites.

  • Canva

The graphic design app Canva's data breach affected 137 million users. The unprotected data included email addresses, names, usernames and passwords. Canva responded by recommending that users change their login credentials. The attack impacted up to 139 million users globally. Its teams are continuing to investigate the attack and are engaging forensic experts.

  • Fortnite

At the beginning of this year, nearly 200 million players of the online game Fortnite worldwide were impacted by numerous vulnerabilities in the online platform. Hackers retrieved information through a cross-site scripting (XSS) attack, which allowed them to access information when users clicked on a link. The accounts contained personal information, including the payment methods gamers used to purchase tokens for the game.

  • Quora

A breach at the popular Q&A site Quora impacted the personal information of more than 100 million users. The data breach comprised personal information such as names, email addresses, encrypted passwords, user accounts linked to Quora, plus public questions and answers posted by users. There was no sign that anonymously posted questions and answers were affected by the breach.

  • State Farm

State Farm, the insurance provider in the US, was hit by a credential cyber-attack that used a list of user IDs and passwords obtained from a dark web source. The investigation revealed that the hacker had access to State Farm online accounts. It was also found that no fraud was detected, and it is still unknown if the attacker even logged into the accounts.

  • Biometric Records

A breach of biometric records exposed more than a million fingerprints among nearly 27.8 million records that featured facial images, encrypted usernames, passwords, employee records and other sensitive information. The data belonged to a security company called Suprema, which was contacted days after the vulnerability was found.

  • DoorDash

DoorDash suffered a gigantic data breach involving the personal information of more than 4 million customers. DoorDash says it became aware of unusual activity involving a third-party service provider. The company quickly blocked further access by the unauthorized third party to improve security across its platform. The data accessed included names, email addresses, phone numbers and hashed passwords. Some credit card information was compromised as well, but CVVs were not accessed. As a security measure, DoorDash added protective layers around customer data to increase its ability to identify and mitigate threats.

Protect Your Data From a Breach With ThreatModeler

As the digital world keeps advancing, organizations are responsible for making sure data is entirely secured. Threat modeling allows organizations to:

  • Map out their threats and vulnerabilities
  • Identify, prioritize and prevent threats while improving their overall risk management activities
  • Visualize applications for a holistic view of the entire attack surface

ThreatModeler has created an automated platform for developers and security teams to better understand their attack surface. Equipped with the Threat Intelligence Framework, ThreatModeler content comes from threat intelligence authorities such as CIS, OWASP and CAPEC. Moreover, ThreatModeler provides components mapped out for AWS and Azure cloud infrastructures with security requirements based on their respective guidelines.

To learn more about how ThreatModeler™ can help your organization build a scalable threat modeling process, book a demo to speak to a ThreatModeler expert today.