The Biggest U.S. Data Breaches of 2023–2025
What happened & what can we learn?
Introduction
If it feels like data breaches have been making headlines almost every week, it’s because they have. Over the past three years, the United States has seen some of the largest and most damaging cyber incidents in its history, breaches that have exposed hundreds of millions of personal records, crippled supply chains, and forced companies to pay multimillion-dollar ransoms.
From massive healthcare ransomware attacks to telecom giants leaking customer data, these breaches are more than just numbers on a spreadsheet: they represent stolen identities, financial loss, reputational damage, and, in some cases, the downfall of entire companies.
The scope of these incidents is staggering. Between early 2023 and mid-2025, billions of records have been compromised. Some attacks targeted single organizations; others struck third-party providers in a way that rippled across dozens, or even hundreds, of clients. The causes range from unpatched vulnerabilities and misconfigured cloud storage to sophisticated ransomware campaigns and credential-stealing malware.
In this article, we’ll break down the most significant U.S. data breaches of the last three years, explore what caused them, review how the affected organizations responded, and highlight the lessons every business, and every consumer, should take away.
The State of Data Breaches in the U.S. (2023–2025)
Over the past three years, data breaches in the United States have not only grown in number but have also evolved in complexity, scale, and impact. The era of isolated, one-off hacks is over. Today’s breaches often involve multi-layered attacks, exploitation of trusted vendors, and the theft of vast quantities of sensitive information in a matter of hours.
1. Ransomware Still Dominates, but Tactics Have Shifted
Ransomware groups like LockBit, Clop, and ALPHV have continued to lead high-profile attacks, but their playbooks have changed. Instead of simply encrypting files, attackers increasingly focus on data exfiltration, stealing sensitive records and threatening public release if payment isn’t made. This “double extortion” model gives them leverage even when victims have reliable backups.
2. Third-Party and Supply Chain Risks Are the Weak Link
Some of the largest breaches in recent years, including the MOVEit Transfer mass exploitation, the Snowflake credential thefts, and the Change Healthcare ransomware incident, originated through third-party vendors. These supply chain breaches can cascade across multiple organizations, amplifying damage and making incident response more complex.
3. Credential Theft Is Fueling Mega-Leaks
While ransomware dominates headlines, credential theft, often via infostealer malware, has quietly become a leading cause of breaches. Massive compilation leaks, such as the 2024 “RockYou2024” dataset of nearly 10 billion unique passwords and the early-2024 “Mother of All Breaches (MOAB)/Naz.API” compilation of roughly 26 billion records from past breaches, illustrate how aggregated data creates a global pool of credentials that cybercriminals can exploit for years.
4. Highly Regulated Sectors Remain Prime Targets
Healthcare, finance, and telecom continue to suffer some of the costliest and most disruptive breaches. These sectors store vast amounts of sensitive personal information, making them lucrative targets, and because of regulatory requirements (HIPAA, GLBA, FCC rules), breaches here carry heavy compliance and legal consequences.
5. Public and Regulatory Pressure Is Increasing
The SEC’s cybersecurity disclosure rules, combined with state-level privacy laws like the California Consumer Privacy Act (CCPA), are pushing organizations to report breaches more quickly and transparently. This is driving earlier public awareness but also putting companies under intense scrutiny, sometimes before they’ve had time to fully understand the scope of an incident.
Case Studies of Major Breaches (2023–2025)
In this section, we’ll examine some of the most impactful U.S. data breaches over the last three years. For each, we’ll cover the scope, cause, data compromised, and how the organization responded.
MOVEit Transfer Supply Chain Breach — 2023
Impact: More than 62 million individuals affected across hundreds of organizations, including U.S. federal agencies, healthcare providers, and financial institutions.
Cause: Clop ransomware group exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer tool.
Data Compromised: Personally identifiable information (PII) such as names, Social Security numbers, dates of birth, and in some cases, medical and financial data.
Response: Progress Software issued patches quickly, but the attack had already cascaded through supply chains. Many victim organizations were forced to notify customers and regulators. The incident is now considered one of the largest and most damaging supply chain breaches in U.S. history.
T-Mobile API Breach — January 2023
Impact: 37 million customer accounts exposed.
Cause: An attacker exploited an API endpoint to obtain customer data without authentication.
Data Compromised: Names, billing addresses, phone numbers, account numbers, and plan details (no passwords or payment data).
Response: T-Mobile blocked the malicious activity within 24 hours of discovery, notified impacted customers, and committed to a $150 million multi-year cybersecurity plan (initiated after prior breaches). This was the company’s second major breach in less than two years.
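As an added illustration of the class of defect described in this case (an API endpoint that hands back customer records without authenticating the caller), and not code from T-Mobile or from this article: the unprotected handler beside a hardened one that requires a bearer token and then checks that the token's owner is allowed to read the requested account. The customer table, token scheme, key and function names are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample customer table keyed by account number (not real data).
CUSTOMERS: Dict[str, Dict[str, str]] = {
    "1001": {"name": "Alice Example", "phone": "+1-555-0100", "plan": "Unlimited"},
    "1002": {"name": "Bob Example", "phone": "+1-555-0101", "plan": "Prepaid"},
}

class Unauthorized(Exception):
    """Map to HTTP 401: no usable credential was presented."""

class Forbidden(Exception):
    """Map to HTTP 403: the credential is valid but not for this object."""

# --- Defective shape: the account number in the request is the only "credential".
def get_customer_unprotected(account_no: str) -> Optional[Dict[str, str]]:
    # There is no caller identity to check, so any client that can reach the
    # endpoint can walk the account-number space and harvest every record.
    return CUSTOMERS.get(account_no)

# --- Hardened shape: authenticate the caller, then authorize per object.
# Hypothetical server-side key; a real service would load it from a secret store
# or use opaque session ids that are looked up server-side instead.
_TOKEN_KEY = secrets.token_bytes(32)

def issue_token(subject_account: str) -> str:
    """Mint a bearer token that binds the caller to one account number."""
    tag = hmac.new(_TOKEN_KEY, subject_account.encode("utf-8"), hashlib.sha256).hexdigest()
    return f"{subject_account}.{tag}"

def verify_token(token: str) -> Optional[str]:
    """Return the account number the token was issued for, or None if forged or malformed."""
    subject, sep, tag = token.rpartition(".")
    if not sep or not subject:
        return None
    expected = hmac.new(_TOKEN_KEY, subject.encode("utf-8"), hashlib.sha256).hexdigest()
    return subject if hmac.compare_digest(tag, expected) else None

def get_customer_protected(headers: Dict[str, str], account_no: str) -> Dict[str, str]:
    """Authenticate (who is calling?) and authorize (may they read *this* account?)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        raise Unauthorized("missing bearer token")
    subject = verify_token(auth[len("Bearer "):])
    if subject is None:
        raise Unauthorized("invalid bearer token")
    # Object-level check: a valid token for account A must never read account B.
    # A 403 (rather than 404) also avoids confirming which account numbers exist.
    if subject != account_no or account_no not in CUSTOMERS:
        raise Forbidden("token not authorized for this account")
    return CUSTOMERS[account_no]

if __name__ == "__main__":
    token = issue_token("1001")
    print(get_customer_protected({"Authorization": f"Bearer {token}"}, "1001"))
```

The two checks are deliberately separate: authentication alone would still let a legitimate customer read every other customer's record by changing the account number, which is why the ownership check against the token's subject is the part that actually stops bulk harvesting.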
HCA Healthcare Data Breach — July 2023
Impact: 11.27 million patients affected.
Cause: Data was stolen from an external storage location used to automate email communications.
Data Compromised: Patient names, addresses, phone numbers, dates of birth, and service locations; no clinical or payment data.
Response: HCA worked with law enforcement and offered identity theft protection to affected individuals. However, the scale of the breach highlighted ongoing vendor security risks in healthcare.
Key Takeaways & Lessons Learned
Looking at the major breaches of 2023–2025, clear patterns emerge about where organizations are most vulnerable, how attackers are adapting, and what’s required to reduce the risk.
1. Third-Party and Supply Chain Risk Is the Achilles’ Heel
Breaches like MOVEit, Snowflake, and Change Healthcare underscore how dependent organizations are on vendors. A single vulnerability or compromised credential at a third party can quickly cascade to dozens, or even hundreds, of client organizations. Vendor security assessments and ongoing monitoring can no longer be a compliance checkbox; they’re a critical part of operational resilience.
2. Credential Theft Is Fueling Larger-Scale Attacks
The credential compilation mega-leaks show how infostealer malware and credential reuse can create long-term, global risk. Stolen usernames and passwords often resurface years later in credential-stuffing attacks, as happened at 23andMe. Multi-factor authentication (MFA) and the move toward passkeys can significantly reduce this risk.
3. Ransomware Groups Have Shifted to Data Extortion First
Attackers like LockBit and BlackCat/ALPHV increasingly focus on stealing sensitive data before encrypting systems. This “double extortion” approach means even organizations with robust backups can still be blackmailed. Quick breach detection and containment are critical.
4. High-Value Data = High-Value Target
Healthcare, telecom, and financial organizations remain prime targets because they store vast amounts of sensitive personal and financial data. Attacks on these sectors carry heavier compliance, legal, and reputational costs, yet often rely on outdated or fragmented security controls.
5. Incident Response Speed Matters More Than Ever
The faster an organization detects and responds to a breach, the smaller the fallout. Rapid patching, public disclosure, and customer notification can limit reputational harm and regulatory penalties. Delays, whether due to lack of visibility, slow decision-making, or legal debate, can make the damage worse.
6. Regulatory Pressure Is Forcing Transparency
The SEC’s cybersecurity disclosure rules and evolving state-level privacy laws are making it harder for organizations to hide breaches or delay notifications. Transparency is becoming the norm, and companies that get ahead of the story often fare better in public perception and legal standing.
Recommendations for Organizations
Every breach in the last three years reinforces the same truth: cybersecurity is not just an IT function; it is a business-critical capability. Based on the patterns we’ve seen, here are the key steps organizations should take now.
1. Strengthen Vendor and Supply Chain Security
• Perform rigorous due diligence before onboarding vendors, especially those with access to sensitive data or systems.
• Require vendors to adhere to your security standards, including MFA, encryption, and regular security testing.
• Continuously monitor vendor security posture, not just at the start of the relationship.
2. Move Beyond Passwords
• Deploy multi-factor authentication (MFA) everywhere possible, especially for privileged accounts and remote access.
• Start migrating to passkeys or other passwordless authentication methods to reduce reliance on static credentials.
• Implement credential monitoring to detect when employee or customer passwords appear in known breaches.
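One way to implement the credential monitoring in the last bullet is the k-anonymity range lookup used by public breached-password services: hash the password, send only the first five hex characters of the hash, and match the remainder locally, so the provider never sees the full hash. The following is an added example written for this article, not code from any breach-data provider; the corpus, the occurrence counts and the local `fetch_range` stand-in for the remote endpoint are constructed, and the response format ("SUFFIX:COUNT" lines) is the one such range endpoints commonly return.

```python
import hashlib
from typing import Callable, Dict, Iterable, List

def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the digest form used by range-style breach lookups."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breach-data provider's corpus: three passwords that
# appear in public compilations, with made-up occurrence counts. Hashes are
# computed here rather than hand-typed so the sample cannot be mistyped.
_CONSTRUCTED_CORPUS = {"password": 9_500_000, "123456": 37_000_000, "qwerty": 4_000_000}
_RANGE_INDEX: Dict[str, Dict[str, int]] = {}
for _pw, _count in _CONSTRUCTED_CORPUS.items():
    _digest = sha1_hex(_pw)
    _RANGE_INDEX.setdefault(_digest[:5], {})[_digest[5:]] = _count

def fetch_range(prefix: str) -> str:
    """Hypothetical local stand-in for the HTTP range endpoint.

    A real deployment would GET <provider>/range/<prefix>; the body is one
    "SUFFIX:COUNT" line per hash sharing the 5-character prefix. Only the prefix
    leaves the organization, so the provider cannot recover the password or
    even the full hash from the request.
    """
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be exactly 5 uppercase hex characters")
    return "\r\n".join(f"{s}:{c}" for s, c in sorted(_RANGE_INDEX.get(prefix, {}).items()))

def parse_range(body: str) -> Dict[str, int]:
    """Parse a range response body into {suffix: count}, ignoring blank lines."""
    out: Dict[str, int] = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        out[suffix.strip().upper()] = int(count)
    return out

def breach_count(password: str, range_lookup: Callable[[str], str] = fetch_range) -> int:
    """How many times `password` appears in the corpus (0 if never seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(range_lookup(prefix)).get(suffix, 0)

def screen_passwords(candidates: Iterable[str], threshold: int = 1) -> List[str]:
    """Return the candidates seen in the corpus at least `threshold` times.

    Run this at password-set time and at login, the only moments the plaintext
    is available; a hit should block the new password or force rotation.
    """
    return [pw for pw in candidates if breach_count(pw) >= threshold]

if __name__ == "__main__":
    for pw in ["password", "correct-horse-battery-staple-2025"]:
        print(f"{pw!r}: seen {breach_count(pw)} times")
```

Because a stored password hash cannot be turned back into the SHA-1 the service expects, the check has to run where the plaintext is transiently present (account creation, password change, successful login), which is also the point at which a rotation can be enforced.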
3. Invest in Real-Time Threat Detection
• Use endpoint detection and response (EDR) or managed detection and response (MDR) services to spot malicious activity quickly.
• Enable logging and monitoring across critical systems, and ensure alerts go to trained staff or a 24/7 SOC.
• Regularly test your detection and response playbooks through tabletop exercises and simulated attacks.
Recommendations for Consumers
While large-scale breaches often target organizations, the fallout almost always affects individuals. Whether it’s stolen login credentials, financial data, or health records, consumers can take proactive steps to reduce their personal risk.
1. Use Strong, Unique Passwords for Every Account
• Avoid reusing the same password across multiple sites; reuse is the primary way credential stuffing attacks succeed.
• Use a reputable password manager to create and store complex passwords.
2. Enable Multi-Factor Authentication (MFA)
• Turn on MFA wherever it’s available, especially for email, banking, and social media accounts.
• Prefer app-based or hardware token MFA over SMS codes, which are more vulnerable to interception.
3. Consider Moving to Passkeys
• Passkeys are more resistant to phishing and data breaches because they don’t rely on a password stored on a server.
• Many major services (Google, Apple, Microsoft) now support them, and they can be synced securely across devices.
4. Monitor Your Credit and Accounts
• Check your credit reports regularly via AnnualCreditReport.com.
• Consider placing a credit freeze if you’re not applying for new credit—it’s free and prevents new accounts from being opened in your name.
• Watch bank and credit card statements for unusual activity.
The Road Ahead
If the last three years have shown us anything, it’s that data breaches are becoming larger, faster, and more interconnected. The next wave of cybersecurity threats will likely push these trends even further, and both organizations and individuals will need to adapt.
1. AI Will Make Attacks Smarter and Faster
Artificial intelligence isn’t just a tool for defenders; attackers are already using AI to automate phishing campaigns, generate convincing social engineering scripts, and even identify vulnerabilities at scale. Expect attacks to become more targeted and more believable.
2. Supply Chain Compromise Will Remain the Top Risk
From MOVEit to Snowflake, supply chain breaches have demonstrated their ability to impact hundreds of organizations in a single incident. As companies increasingly outsource services and store data in shared environments, attackers will continue to look for that one weak link that opens many doors.
3. Credential Theft Will Keep Feeding Mega-Leaks
Aggregated datasets like RockYou2024 and MOAB show that password-based authentication remains a major risk. Expect continued emphasis on phishing-resistant authentication.
4. Regulations Will Get Stricter
State privacy laws and federal rules like the SEC’s cybersecurity disclosure requirements will likely expand, pushing companies toward faster breach reporting, higher security standards, and harsher penalties for noncompliance.
5. The Push Toward Passwordless Authentication Will Accelerate
With each mega-leak, consumer trust in passwords erodes. Expect broader adoption of passkeys, biometric authentication, and hardware-based security keys, driven by both user demand and corporate risk reduction.
Conclusion
The last three years have proven that no organization is too large, too small, or too well-known to be immune from a data breach. From massive supply chain compromises like MOVEit to unprecedented credential compilations exposing billions of logins, the scale and frequency of these incidents are only increasing.
For organizations, this is a clear call to strengthen defenses, not just within your own network, but across your entire vendor and partner ecosystem. For individuals, it’s a reminder to take control of your personal security habits, from using unique passwords and MFA to staying alert for phishing scams in the wake of high-profile breaches.
Cybersecurity isn’t a one-time project; it’s a continuous process of monitoring, adapting, and improving. The attackers will keep innovating. So must we.
If you found this breakdown helpful, consider sharing it with your network. And if your organization needs guidance in strengthening its cybersecurity posture or preparing for the next inevitable incident, we can help. Let’s connect and start building your resilience today.
More notable breaches
National Public Data Breach — 2024
Impact: Reports cited approximately 2.9 billion records exposed, affecting data on a very large number of individuals.
Cause: Cybercriminal activity in late 2023 with data later posted online in 2024.
Data Compromised: Personal identifiers such as names, addresses, dates of birth, and Social Security numbers were reportedly included; estimates of unique SSNs varied across analyses.
Response: National Public Data faced multiple lawsuits and later filed for bankruptcy, citing the breach’s fallout. It is considered among the largest U.S. data exposures.
AT&T Customer Data & Call Metadata Breaches — 2024
Impact: In the customer data breach, 73 million customer records were exposed. In the separate call detail records incident, which came through a third-party vendor, “nearly all” customers were affected, with very large volumes of call metadata reportedly exposed.
Cause: Source details varied; some data traced back to 2019. Call records were stolen via a third-party vendor breach.
Data Compromised: Names, addresses, account passcodes, and detailed call records.
Response: AT&T reset account passcodes, notified affected individuals, and offered credit monitoring. Investigations continue into the full scope and origins of both incidents.
Change Healthcare Ransomware Attack — February 2024
Impact: Widely described as the largest healthcare breach in U.S. history, impacting a substantial portion of Americans.
Cause: BlackCat/ALPHV ransomware gang accessed systems between February 17–20, exfiltrating massive amounts of data before encrypting files.
Data Compromised: Health insurance information, PII, and possibly medical records tied to UnitedHealth Group’s Change Healthcare systems.
Response: UnitedHealth reportedly paid a ransom (widely cited at approximately $22 million) to secure a decryption key and prevent data release. The incident disrupted pharmacy transactions nationwide and triggered congressional hearings on healthcare cybersecurity.
Credential Compilation Mega-Leaks — 2024–2025
Impact: Massive compilations rather than a single-company breach, notably:
• “RockYou2024”: nearly 10 billion unique passwords compiled from historical breaches.
• “Mother of All Breaches (MOAB)/Naz.API”: roughly 26 billion records aggregated from past breaches.
Cause: Aggregation of past breaches and infostealer malware logs into centralized datasets.
Data Compromised: Usernames, passwords, session tokens, and associated metadata across hundreds of services.
Response: No single company could mitigate the impact; security experts urged widespread password resets, MFA adoption, and migration to passkeys.
Ticketmaster / Snowflake Breach — 2024
Impact: Hacking group ShinyHunters claimed to have stolen data for up to 560 million Ticketmaster customers; dataset allegedly 1.3 TB in size.
Cause: Compromise of Snowflake-hosted data via stolen credentials from an infostealer malware infection on a third-party contractor’s system. MFA was not enabled on the account.
Data Compromised: Names, addresses, email addresses, phone numbers, ticket purchase details, and partial payment card data.
Response: Live Nation confirmed “unauthorized activity” in a third-party cloud environment, notified regulators, and coordinated with law enforcement. Data was reportedly offered for sale online for $500,000.
Evolve Bank & Trust — 2024
Impact: 7.6 million individuals affected.
Cause: LockBit ransomware gang compromised systems and exfiltrated sensitive data.
Data Compromised: Names, account numbers, routing numbers, Social Security numbers, and contact details.
Response: Evolve notified victims, offered 24 months of TransUnion credit monitoring, and worked with federal law enforcement. LockBit leaked portions of the stolen data on its dark web site.
Dell Partner Portal API Breach — 2024
Impact: 49 million customer records stolen.
Cause: Unauthorized access to Dell’s partner portal API, which exposed order details.
Data Compromised: Customer names, physical addresses, and hardware order information.
Response: Dell began contacting affected customers, engaged law enforcement, and worked to tighten API security. No payment or financial data was exposed.
23andMe Credential-Stuffing Attack — 2023
Impact: 6.9 million users affected.
Cause: Attackers used credentials from other breaches (credential stuffing) to gain access to 23andMe accounts, particularly targeting DNA Relatives profiles.
Data Compromised: Names, profile information, genetic ancestry data, and in some cases health-related details.
Response: 23andMe reset passwords, implemented MFA requirements, and faced multiple lawsuits over the breach and its handling.
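The 23andMe case above, and the “Credential Theft Is Fueling Larger-Scale Attacks” takeaway and the real-time detection recommendation earlier in the article, all turn on the same observable: credential stuffing shows up in authentication logs as one source trying many different usernames with a high failure rate in a short window, with the occasional success marking the accounts that need locking and resetting. The following detection routine is an added example written for this article, not 23andMe's tooling or code from the original text; the log format and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, NamedTuple

# Constructed sample of authentication log lines in a hypothetical format.
# 198.51.100.5 is a normal user who mistypes once; 203.0.113.7 works through a
# list of usernames with credentials lifted from other sites' breaches.
SAMPLE_LOG = [
    "2023-10-01T12:00:01Z ip=198.51.100.5 user=alice result=FAIL",
    "2023-10-01T12:00:09Z ip=198.51.100.5 user=alice result=OK",
    "2023-10-01T12:01:00Z ip=203.0.113.7 user=bob result=FAIL",
    "2023-10-01T12:01:02Z ip=203.0.113.7 user=carol result=FAIL",
    "2023-10-01T12:01:04Z ip=203.0.113.7 user=dave result=FAIL",
    "2023-10-01T12:01:06Z ip=203.0.113.7 user=erin result=OK",
    "2023-10-01T12:01:08Z ip=203.0.113.7 user=frank result=FAIL",
    "2023-10-01T12:01:10Z ip=203.0.113.7 user=grace result=FAIL",
    "2023-10-01T12:01:12Z ip=203.0.113.7 user=heidi result=OK",
    "2023-10-01T12:01:14Z ip=203.0.113.7 user=ivan result=FAIL",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

class Attempt(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool

def parse_line(line: str) -> Attempt:
    """Parse one log line; reject anything that does not match the expected shape."""
    m = LINE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"unparseable auth line: {line!r}")
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return Attempt(ts, m["ip"], m["user"], m["result"] == "OK")

def detect_stuffing(lines: Iterable[str], window: timedelta = timedelta(minutes=10),
                    min_users: int = 5, min_fail_ratio: float = 0.5) -> List[Dict]:
    """Flag source IPs that try at least `min_users` distinct usernames with a failure
    rate of at least `min_fail_ratio` inside one sliding window. A legitimate user
    retrying a single account never reaches `min_users`; a stuffing run does, and
    the usernames it succeeded on are the accounts to lock and force-reset."""
    by_ip: Dict[str, List[Attempt]] = defaultdict(list)
    for a in sorted((parse_line(l) for l in lines), key=lambda a: a.ts):
        by_ip[a.ip].append(a)
    alerts: Dict[str, Dict] = {}
    for ip, seq in by_ip.items():
        start = 0
        for end in range(len(seq)):
            while seq[end].ts - seq[start].ts > window:
                start += 1
            win = seq[start:end + 1]
            users = {a.user for a in win}
            failures = sum(1 for a in win if not a.ok)
            if len(users) >= min_users and failures / len(win) >= min_fail_ratio:
                # Overwrite so the alert reflects the latest qualifying window,
                # i.e. the whole run rather than just its first few attempts.
                alerts[ip] = {
                    "ip": ip,
                    "first_seen": win[0].ts.isoformat(),
                    "last_seen": win[-1].ts.isoformat(),
                    "attempts": len(win),
                    "failures": failures,
                    "distinct_users": len(users),
                    "succeeded": sorted({a.user for a in win if a.ok}),
                }
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately conservative defaults to tune against your own baseline; the distinct-username count is the discriminating signal, since brute force against one account and ordinary typos both fail that test while a stuffing run passes it on the first handful of attempts. The `succeeded` list is the immediate containment action, and the source IP is the input to rate limiting or blocking.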
Patelco Credit Union Ransomware Attack — 2024
Impact: 726,000 members affected.
Cause: Ransomware attack disrupted core banking operations, ATMs, and online services.
Data Compromised: Names, contact details, account information, and potentially sensitive financial data.
Response: Patelco worked with the FBI, engaged cybersecurity forensics, restored services over several weeks, and offered free credit monitoring to members.