Data Reveals 304.7M Online Accounts Breached in 2022

Data Reveals 304.7M Online Accounts Breached in 2022

With an estimated 5.3 billion people using the Internet at the beginning of 2023, digital security is becoming critical for private users, businesses, and governments. Yet, many people still use a single email and even worse, a single password for multiple accounts, making them extremely vulnerable to cyber attacks. The month of October was Cybersecurity Month all over Europe and the US, where cybersecurity firms organized various events to raise awareness of the issue. November 30 marked International Cybersecurity Day, which is recognized worldwide.

To bring awareness of the risks associated with Internet usage, the team at BonusInsider decided to look at the latest statistics about data breaches from Surfshark and discovered that in 2022, there were over 304.68 million data breaches around the world. While this figure seems massive, the number of breaches actually fell dramatically from 2021 and from 2020 when stats show three and four times as many attacks. Since 2004, the cybersecurity company has identified an astounding 15.5 billion data breaches.

Passwords Are the Most Commonly Leaked Piece of Information

It’s difficult to imagine a service or a product that is not available online and websites, apps, and social media platforms are now a massive part of our lives. This means that people have their emails, passwords, names, and addresses on the Internet, not to mention banking and credit card information, social security or national security numbers, etc. All this sensitive data is shared with private companies, and financial and government institutions. And most of it is protected by a password, or so we believe.

It turns out that of all pieces of information about a user – such as username, password, IP, last name, etc., the passwords are the most commonly breached data points. Since 2004, more than 15.5 billion accounts have been breached and 51.8 billion data points have been exposed. Of those, 15.5 billion have been email addresses and on average, each email address is leaked with 2.3 additional data points. It is estimated that for every 100 breached accounts, 88 passwords have been exposed.

Russia and the US Have the Most Data Breaches Per Capita

Looking at the number of exposed online accounts and individual data points, they seem astronomical. To put them into perspective, let’s compare them to the number of people living in a particular country. Globally, 198 accounts and 69 unique accounts are breached per 100 people on average. Of the 15.5 billion breached accounts since 2004, 5.4 billion have had unique email addresses. So, statistically, every single email address has been exposed 3 times.

Russian accounts, however, are much more likely to be exposed – the country has the highest number of breached accounts per 100 inhabitants, 1,544, which is 7.8 times more than the global average. Moreover, every Russian email has been breached roughly 15 times. The United States comes second with 743 breaches per 100 residents, followed by France (651 per 100 people), South Sudan (601 per 100 people), and the Czech Republic (558 per 100 people).

Record-High Breaches per Capita in the Cocos Islands and the Vatican

The ranking shown above includes only countries with a population of 1 million or more. One curious fact about the data set is if we consider all 250 countries and territories included in it, those with the most exposed accounts are tiny nations and remote islands. For instance, the Cocos Islands, which had a population of 593 people in 2020, also have 2.7 million breached accounts per 100 residents.

The French Southern Territories, Niue, Tuvalu, and Tokelau are in the same absurd situation, which could be explained by the specific methodology used to record the data breaches. Along with user data such as email domain, IP, country, city, and exact coordinates, many of the recorded cases include the breached website domain. Tiny nations, provinces, and dependencies often lack adequate regulation, making them the perfect destination for registering domains for hosting phishing sites.

Such sites resemble the original sites of banks, web stores, and even government institutions, and links to them are usually included in phishing emails. Once online users click on the link, they get to the fake login page, which looks identical to the page of their bank, for instance, but rather than having a .com, .uk, .eu, etc., domain, these fake websites end in .cc (Cocos Islands), .tv (Tuvalu), or .tk (Tokelau). This is probably how these small countries ended up with the most data breaches per capita.

The country code top-level domain (TLD) of the Vatican City, on the other hand, is .va and it is administered by the Internet Office of the Holy See, so you cannot register a site with this extension so easily. Due to the many restrictions, it is interesting how the Vatican has ended up with more than 78,000 breaches. Since officially, it has a population of only 801, these cases are 9,746 data breaches for every 100 residents.

Countries Affected by the Most Data Breaches in 2022

In 2022, 304,684,279 accounts have been breached around the world and roughly 114 million of these breaches occurred in the third quarter of the year. In comparison, there were approximately 82 million breaches within the first three months of 2022 and another 65 million in the second quarter. Only 43 million cases were identified between October and December, down 62% from Q3.
The countries affected the most in 2022 were Russia (103.5 million breaches), China (33.9 million), the United States (22.4 million), France (19.8 million), and Indonesia (14.7 million).

There are not many surprises in the list above since these are among the most populous countries in the world. There was a sharp decline in the number of data breaches in the last three months of the year but not for all countries. Interestingly, the cases jumped dramatically in Turkey – from a little over 133,700 in Q3 to more than 2 million breaches in Q4, which was an increase of 1,427%. North Korean accounts were also much more heavily attacked in the fourth quarter than in the rest of the year. The number of breaches rose 603% to 4,450 compared to only 633 cases in Q3.

Over a Third of All Exposed Accounts Are in the US, Russia, and China

The largest and most populous countries in the world have been targeted the most by cybercrime, at least in terms of pure numbers. The United States is the country with the most data breaches – 2.46 billion since 2004, followed by Russia with 2.24 billion exposed accounts, and China with 1.02 billion breaches. These make up 37 percent of all cases in the world.

The other nations with a huge amount of exposed accounts are Germany (450 million), France (425 million), India (264 million), the United Kingdom (257 million), Brazil (263 million), Italy (248 million), and Canada (187 million). In fact, the breaches in these 10 most affected countries account for just over half of all cases (50.5%), while the incidents in the rest of the world make up 49.5 percent.


The statistics about data breaches are published every month by Surfshark and they track the reported breaches around the world since 2004. They are based on thousands of leaked databases available online and include all cases where a hacker or intruder copied and leaked user data such as names, surnames, email addresses, passwords, etc. To compare the number of breached online accounts to a country’s population, BonusInsider used population figures by Wordometers. They are based on the latest United Nations Population Division estimates for 2020.