Marriott data breach exposes over 5M people: Latest major security hack


The Marriott Hotel group suffered its second major data breach in two years.

Getty Images

Data breaches can still happen even in the middle of a pandemic. Hackers can take advantage of any vulnerability, like a health crisis, loopholes in institutions’ servers, or flawed security protections to steal your most personal and sensitive information: credit and debit card numbers, Social Security data, your birth date and maybe even where you live.

Though you can’t foresee an attack, you can certainly take steps to protect yourself from further harm, by avoiding fraudulent scams and being vigilant about monitoring your credit and credit card charges.

Read more: 2019 Data Breach Hall of Shame: These were the biggest data breaches of the year

Here are some, though not all, of the biggest breaches the US has experienced in recent history.



Rafael Henrique/Getty Images

When: Disclosed by Marriott International on March 31.

Number of people affected: Approximately 5.2 million guests.

What happened: Marriott international said that at the end of February, it spotted that an “unexpected amount” of guest information may’ve been accessed with the login credentials of two employees at a franchise property. The exposed information may include names, addresses, emails, phone numbers and birthdays. Loyalty account details and information like room preferences may also have been breached. This is the second major incident to impact the hotel in the last two year years. 

MGM Resorts


Rebecca Ang/ Getty Images

When: Disclosed to public early Feb. 2020

Number of people affected: More than 10.7 million guests

What happened: CNET’s sister site, ZDNet, reported that the personal information of over 10 million former MGM resort guests on a hacking forum. The information that was shared reportedly came from a security incident last year, MGM security team members told ZDNet. The leaked info included details like customers full names, home addresses, phone numbers, email addresses and birth dates. 

MGM told ZDNet that it was confident no financial, payment card or password data was involved. The hotel chain reportedly notified all affected guests and has since improved its network security. 

MGM’s hotels include the Bellagio, Aria, MGM Grand, Mandalay Bay, Park MGM, Mirage, New York New York, Luxor and Excalibur in Las Vegas.

Read more: How to protect yourself in a data breach if your bank gets hacked

Words With Friends 

Words with Friends


When: Sept. 2-29, 2019

Number of people affected: More than 200 million players

What happened: A hacker accessed more than 218 million Words With Friends player accounts before Sept. 2. The database that the hacker, Gnosticplayers, accessed included data from Android and iOS players who’d installed the game prior to Sept. 2. Gnosticplayers accessed information like players’ names, email addresses, login IDs and more. On Sept. 12, the game’s publisher, Zynga, confirmed a data breach for Draw Something and Words with Friends players had occurred. In an announcement, the publisher said the investigation is ongoing and it has taken steps to protect accounts.


In this photo illustration the DoorDash logo is seen

SOPA Images/Getty Images

When: Sept. 26, 2019

Number of people affected: 4.9 million customers, drivers and merchants

What happened: DoorDash, the popular food delivery service, confirmed that it suffered a data breach that affected almost 5 million users. The company specified that users who signed up after April 5, 2018, weren’t affected. 

An investigation into the breach determined that information like names, email addresses, delivery addresses, order history, phone numbers and passwords was accessed. The company said that the last four digits of some consumers’ credit cards and bank account numbers were also accessed. 

The food delivery company said it became aware of suspicious activity with a third-party service provider earlier this month. The investigation discovered that an unauthorized third party accessed some user data in early May.



MoviePass left customers’ credit card numbers and credit card details exposed


When: Aug. 20, 2019

Number of people affected: Tens of thousands of users and more than 160 million records

What happened: A report from cybersecurity company SpiderSilk, obtained by TechCrunch, found that 160 million MoviePass records were left unencrypted. Because the company’s database wasn’t password-protected, it left customers’ credit card numbers and credit card details exposed. The database remained online until Tuesday. MoviePass didn’t immediately respond to a request for comment.

This isn’t the first time MoviePass has landed in hot water. Earlier, the service faced criticism for changing passwords to keep users from ordering tickets. The company has also been accused of spiking prices at peak times. Last year, the company was said to be reactivating accounts and asking former customers to opt out of being subscribed again. 

Capital One 

Capital One Financial's offices in San Francisco

Capital One Financial’s offices in San Francisco

Stephen Shankland/CNET

When: July 30, 2019

Number of people affected: 100 million people

What happened: Financial corporation Capital One suffered a data breach that affected 100 million credit card applications, 140,000 Social Security numbers and 80,000 bank account numbers. If you applied for a card in the US between 2005 and 2019, you’re likely part of the breach, according to the bank. 

Capital One said that no credit card account numbers or login credentials were exposed. The breach still affected names, addresses, ZIP codes, phone numbers, email addresses and birth dates. The FBI arrested Paige A. Thompson, a tech worker who goes by the nickname “erratic.” Thompson was charged with computer fraud and abuse for the hack. 

Capital One has reached out to affected customers, but in the meantime, you can take steps to monitor your accounts for fraud. 


You can still check to see if you were affected by this hack.

SOPA Images/Getty Images

When: Approximately mid-May 2017

Number of people affected: About 143 million people

What happened: Hackers stole customer names, Social Security numbers, birthdates and addresses in a hack that stretched for three months. In addition, hackers nabbed 209,000 credit card numbers and 182,000 documents containing personal information. It’s unclear what the hackers did with the data during that time. The company estimates that half of the US population was affected, but that doesn’t include victims outside the country. It was the biggest known leak of 2017. 

You can still check to see if you were affected, worthwhile since you might get reimbursed for it. The credit reporting company agreed to pay between $575 million and up to $700 million on July 22 as part of a settlement with the Federal Trade Commission.  



The Starwood Hotels group, bought by Marriott in 2014, was hit by a hacking campaign. 

Roberto Machado Noa/Getty Images

When: 2014-2018

Number of people affected: 383 million

What happened: Malware infected the security systems of Starwood Hotels — which includes Sheraton, W Hotels, Westin, Le Meridien, Four Points by Sheraton, Aloft and St. Regis — in 2014, and the Marriott hotel group then acquired Starwood in 2016. In November 2018, Marriott discovered and revealed a four-year hacking campaign that attacked Starwood’s reservation database. Lawmakers demanded data privacy and security protections going forward.

The 500 million guests originally thought to be affected was lowered to 383 million in January. In addition to names, addresses, phone numbers, credit card information and email addresses, hackers also swiped millions of unencrypted passport numbers. 


Facebook was the victim of one of the most infamous hacks ever.

Angela Lang/CNET

When: 2016-2018

Number of people affected: 87 million

What happened: Facebook’s Cambridge Analytica scandal isn’t the most recent or the biggest, but it’s arguably the most infamous. In a nutshell, the popular social media site was tricked by researchers who gained access to Facebook user data. The researchers then misused the data for political ads during the 2016 US presidential election. 

The number of people whose data was compromised quickly rose to 87 million by April 2018.

The data firm was also linked to then-presidential candidate Donald Trump. Trump’s campaign hired Cambridge Analytica to run data operations during the 2016 election. Steve Bannon, who would become Trump’s chief strategist, was also reportedly vice president of Cambridge Analytica’s board. The company helped the campaign identify voters to target with ads, and gave advice on how best to focus its approach, such as where to make campaign stops. It also helped with strategic communication, like what to say in speeches.


Anthem Health Insurance

Anthem had to pay $115 million to settle a data breach class action lawsuit. 

Aaron P. Bernstein/Getty Images

When: 2015

Number of people affected: 80 million

What happened: The hackers that infiltrated Anthem Insurance swiped the names, dates of birth, member IDs, Social Security numbers, addresses and more of almost 80 million current (at the time) and former employees. Shortly after the hack was revealed, attorneys general accused Anthem of failing to communicate the gravity of the situation to customers. In June 2017, Anthem agreed to pay $115 million to settle the data breach class action lawsuit from the 2015 hack.  

Yahoo getty

None of Yahoo’s 3 billion accounts had gone unscathed in the original breach.

SOPA Images/Getty Images

When: 2013- 2014

Number of people affected: 3 billion

What happened: Yahoo users were urged to change their passwords after hackers stole personal information associated with about half a billion email accounts. At the time, the numbers made it the biggest data breach in history. Initially, the casualties were reported at 500 million, still making the hack the biggest in history. Yahoo slowly raised the number but reported in 2017 that none of its 3 billion accounts had gone unscathed in the original breach. That’s 3 billion names, email addresses, telephone numbers, dates of birth, encrypted passwords and unencrypted security questions. 

The culprit? A 23-year-old Russian hacker-for-hire named Karim Baratov. Baratov was sentenced to five years in prison, paid the victims restitution and $2.25 million in fines. Yahoo didn’t go without punishment either. The company had to pay $50 million in damages and provide credit monitoring for at least two years for about 200 million people who’d been hacked.

Read More: The best identity theft protection and monitoring services

Correction, Sept. 27: An earlier version of this story incorrectly stated the extent of the DoorDash security issue. The company became aware of suspicious activity this month, leading to the discovery of a single breach in May.

This story is periodically updated as new developments are announced. 

Now playing:
Watch this:

Capital One data breach: Here’s what to do