Data breach year in review: The people, places and info exposed in 2018

Image: A young woman takes a break from the office to work in a coffee shop and checks if she was exposed in a data breach last year.

In a Nutshell

According to a new Credit Karma analysis, tens of millions of consumers were victims of at least one public data breach in 2018. Regardless of whether you were impacted by another company’s public data breach last year, there are always steps you can take to reduce your risk online.


Public data breaches impacted tens of millions last year.

With so much personal information at risk, we offer our members a free ID monitoring tool so they can check if their information has been exposed in another company’s public data breach. In our analysis of this data, we found that about 48 million members — a large portion of the U.S. population — had their information exposed in another company’s public data breach in 2018. What’s more, the overall number of public data breaches affecting Credit Karma members in 2018 grew by 37% from 2017, to a total of 320 reported breaches during the year.

The information that was hit the hardest belonged to members living in Alaska, Louisiana and Connecticut. And hackers who were able to access data had an array of info to choose from. More than half of public data breaches we analyzed contained physical addresses, and usernames and passwords were also common. (Learn more about our methodology.)

With public data breaches on the rise, we have some tips and tools to help people reduce their risk online. But first, let’s review who and what was exposed in 2018.

Key findings

Credit Karma members were affected by 320 different public data breaches in 2018, a 37% increase in public data breaches from 2017.
Some types of data were more vulnerable than others, with more than half of the data breaches in 2010–2018 containing physical addresses (58.24%), and around a quarter containing usernames (26.47%) or passwords (24.77%).
We also found that hackers sometimes have access to data you might not expect, including job titles, physical attributes and eating habits.
Of the Credit Karma members who experienced a public data breach between 2010 and 2018, each member has had their information exposed in an average of about 3.4 breaches.
In 2018, some U.S. states had a higher percentage of their Credit Karma members exposed in other companies’ public data breaches. The states where the most members experienced public data breaches were Alaska (55.33%), Louisiana (53.09%) and Connecticut (52.44%).

How many Americans were impacted by public data breaches?

Our analysis shows that 48 million Credit Karma members were impacted by another company’s public data breach in 2018.

There were 320 public data breaches that impacted members in 2018, a 37% increase from 2017.

What info is most at risk?

When it comes to data that hackers can uncover on the Internet, some personal details are more prevalent than others. Here’s a look at 10 of the top types of information exposed in other companies’ public data breaches that affected Credit Karma members specifically from 2010 to 2018.

| Rank | Type of information | Found in % of breaches |
|---|---|---|
| 1 | Physical address | 58.24% |
| 2 | Name | 54.58% |
| 3 | Phone number | 44.26% |
| 4 | IP address | 40.36% |
| 5 | Date of birth | 32.38% |
| 6 | Username | 26.47% |
| 7 | Gender | 25.06% |
| 8 | Password | 24.77% |
| 9 | Full name | 17.95% |
| 10 | Credit status information | 17.35% |


We also found that public data breaches exposed things like eating habits, physical attributes, personal descriptions, browsing histories, SMS messages, address book contacts, email messages, job titles and geographic locations — though the exposure level on these items was fairly low.

Who was hit hardest by public data breaches?

Last year, certain U.S. states had a larger percentage of their Credit Karma member population exposed in another company’s public data breach. Below are the top 10 states where the most Credit Karma members had their information exposed in 2018.

Image: A list of the top 10 states that had the highest percentage of Credit Karma members with data exposed in a breach last year

How can you reduce your risk online?

Credit Karma data show that 48 million members were impacted by another company’s public data breach in 2018 — a significant segment of the U.S. population. What’s more, with 37% more public data breaches reported in 2018 than in 2017, there’s never been a more important time to keep your online data secure.

Here are some tips and tricks to reduce your risk online.

Change your passwords regularly

Even if you weren’t among the many Americans affected by a data breach in 2018, it’s always a good idea to change your passwords on a regular basis. When changing your passwords, make sure they’re strong and hard to guess. Generally, using a mix of letters, numbers, cases and symbols works best.

Avoid using the same password across multiple sites. If you’re worried you’ll have trouble remembering your various passwords, you could try using a password manager to keep track of them.

Enable multifactor authentication

Even if you have a strong password, some websites may not store their data securely. For an added layer of protection, think about enabling two-factor authentication on any site or account that offers it.

Typically, this will involve entering a code sent to you via a separate channel (like your phone number). This extra step means that you or anyone else trying to log in to your accounts would need to have more than just a username and password to gain access.

Monitor your credit reports, and consider freezing your credit

If you’re worried that your information may have been compromised in a data breach, you can ask the three major consumer credit bureaus — Experian, Equifax and TransUnion — to freeze or place a fraud alert on your credit reports.

Freezing your credit is free and makes it tougher for anyone with access to your data to open new financial accounts in your name. A credit freeze restricts access to your credit report.

Alternatively, you might want to consider placing a fraud alert on your credit reports, which gives potential lenders and creditors a heads-up that you may be the victim of identity theft and they should contact you before opening an account in your name.

If you’re a Credit Karma member, you can also sign up for our free credit monitoring service. We’ll notify you if we notice important changes on your Equifax and TransUnion credit reports so you can check for suspicious activity.


To conduct this study, Credit Karma analyzed Credit Karma members who had information exposed in other companies’ public data breaches from 2010 to 2018. For the purposes of this analysis, the date of each breach is the estimated date the breach occurred; if it was unclear or unknown when the breach occurred, it is the date the provider or company was made aware of the breach. To determine the percentage of Credit Karma members impacted by state, we looked at the total number of members we have in each state and compared it to the number of members in each state whose data had been exposed in another company’s public data breach in 2018.

About the author: Paris Ward is a content strategist at Credit Karma, providing readers with the latest news that will aid their financial progress. She has more than a decade of experience as a writer an…