Millions of Americans fell victim to data breaches in 2024. 689 million records were leaked as the number of global data breaches was eight times higher than in 2023.
One of the best VPNs, Surfshark, has released research highlighting the steep rise in the occurrence of data breaches and which countries were impacted the most.
Surfshark defined a "breached or leaked email address used for online services as a separate user account, counting each instance as an individual breach."
Having your personal data breached is a horrible situation to experience and we will share what types of data were leaked and how to protect yourself going forward.
The numbers in detail
Global data breaches topped 5.5 billion in 2024, eight times higher than the 730 million recorded in 2023 – this equates to nearly 180 accounts being breached every second.
The US recorded 689 million breaches alone, up from the 496 million experienced in 2023. However, unlike in 2023, the US was only third highest on the list of affected countries, having been first in 2023.
Russia ranked second, with 921 million, and China topped the list with 939.5 million. The three countries combined accounted for nearly half of the world's data breaches (46%).
Although a trio of countries dropped places in the global rankings – the US, UK, and India – the total number of accounts breached in these countries rose. The US recorded a rise of 39%, while India saw five times as many accounts breached.
The UK saw a 14-fold surge in breaches, recording 57 million in 2024. Despite this, the country dropped to 9th in the global rankings, and this raises worrying questions over the state of global data security.
China saw the most dramatic increase, with 340 times more breaches, and this propelled it from 12th in 2023 to 1st in 2024. 939.5 million breaches were recorded, working out at nearly 1,800 breached accounts per minute.
This was not the only case of countries breaking into the top 10 for the first time, as Germany's almost 135 million breaches saw it rise from 16th in 2023 to 5th in 2024. With 49 million breaches, Poland was a new entry at number 10, having ranked 17th in 2023.
European density
The density of data breaches is a strong indicator that a country's population may be more at risk of data breaches than others – even if its total number of breaches is smaller.
Europeans are clearly at the greatest risk, as 70% of the top 15 breached countries by density were located in the continent.
Russians are most at risk, with 6,365 data breaches occurring per 1,000 people. France came second with a recorded 2,260 breaches per 1,000 people, and the US third, with 2,031 per 1,000 people.
This is not the first time Russian data has been at high risk. Back in December 2024, the government disrupted the internet connection across several regions in an apparent test of its rumoured "sovereign internet."
3 billion email addresses leaked
The largest data breach in 2024 involved a collection of over 3 billion unique email addresses. This leak included the addresses of 790 million Russians and 310 million Americans, accounting for a majority of the two countries' total data breaches.
The scale of this leak resulted in a huge pool of potential targets for cybercriminals. But, according to Surfhark, the hacker behind the leak claimed all the emails were obtained by already publicly available information.
Commenting on the rise in data breaches, Emilija Kucinskaite, Senior Researcher at Surfshark, said: "As we reflect on 2024, the data breach landscape has dramatically shifted, with the number of compromised accounts increasing nearly eightfold compared to the previous year."
"This surge underscores the critical importance of effective cybersecurity practices. In an era where cyber threats are constantly evolving, taking proactive steps to protect your personal information is crucial. Individuals should use complex passwords, enable two-factor authentication, and stay informed about potential threats.
How to protect yourself
VPNs
Protecting yourself from data breaches shouldn't feel like a daunting task and there are numerous, and fairly simple, ways of doing it.
Using a VPN is an ideal first step. VPNs protect you online by routing your internet traffic through an encrypted tunnel, concealing it from third-parties and hackers. They mask your IP address, hiding the true origin of your browsing, and all the VPNs featured on our best VPN list don't store any of your personal information – following what is known as a no-logs policy.
Many VPNs include additional features such as ad-blockers, malware protection, and antivirus, meaning your defence is bolstered against the threats of hackers, cybercriminals, and phishing attempts.
VPNs aren't a silver bullet, and using one won't protect you from absolutely everything, but they do go a long way in protecting you and your data online.
Consent
Outside of VPNs, adopting good practices and behaviours can go a long way in protecting yourself online. Almost every website you visit will ask you if you want to "accept cookies," but what does this actually mean?
Cookies are how your information is tracked online, and this data is sold to advertisers who can then target you with personalised ads. You should always reject cookies where possible and try to read the policies you're consenting to.
More often than not, people are handing over their data without realising, and VPNs can't do a lot to protect you once you've consented. So read privacy policies and agreements, and understand what you're consenting to. If it seems excessive or you're not 100% comfortable, then don't consent and search for alternative sites or companies that adopt different data practices.
Phishing scams
Phishing scams are one of the most common threats posed by hackers and cybercriminals. Fake messages or emails, pretending to be from relatives, friends, or businesses, can trick us into clicking on malicious links and inadvertently handing over our data.
Fake online shops utilise similar URLs and websites to convince shoppers they're accessing the real site. Subtle changes can make the scams harder to spot but look out for typos, poor site quality, and too-good-to-be-true offers.
If you receive a link asking you to click on it, claim a prize, or submit your financial information, treat it with a high level of caution. Only click on links you're 100% sure are safe and always contact the organisation who appear to have sent the link to double check.
Strong passwords
123456 is the world's most popular password, and many of these popular passwords can be cracked in under a second. Strong passwords are the first line of defence against hackers and should be unique, and contain a mixture of letters, numbers, and symbols.
You should have a different, completely novel password for every account you have and although this may seem to adopt, the best password managers are here to help. They can generate and store complex and unique passwords, meaning all the hard work is done for you.
What if my data is breached?
If you are the unfortunate victim of a data breach then don't panic. Once you've secured your cards and any other sensitive information, there are mitigating steps that can be taken.
ExpressVPN and NordVPN both offer a form of identity theft protection which can assist you in recovering stolen information. ExpressVPN's Identity Defender is included in its plans at no extra cost and includes ID Alerts, ID Theft Insurance, and data removal.
Its ID Alerts monitor the internet for your data, identifying and alerting you to any risks. If you are impacted, then its ID Theft Insurance provides up to $1 million in coverage for any expenses incurred during the breach.
Data removal services, like that included with Identity Defender or Incogni, search the web for data brokers who hold records of your data. They then submit removal requests to identified brokers on your behalf and request deletion of your data. This process is constantly repeated, ensuring your data is always protected.
NordVPN's NordProtect also offers identity theft protection, although it is only available with its top-tier Nord VPN Ultimate plan. Up to $1 million in cyber insurance is also offered, along with a dedicated case manager. There's cyber extortion protection of up to $100,000 and a 24/7 dark web monitoring service.
Alternative ID and Alternative Number
One way of not suffering a data breach is not putting your data out there at all, and this is where Surfshark's Alternative ID and Alternative Number come in.
Alternative ID is included with all Surfshark VPN plans and it generates you a completely new identity. You can create a fake name, age, email address, home address and more, allowing you to access and sign up for sites or newsletters without risking your real information.
You can delete your Alternative ID as many times and as often as you like, meaning you'll always be protected.
Alternative Number is a paid add-on and this generates you a dummy phone number, meaning you no longer have to give out your real phone number online.
It doesn't give you all the freedoms of a real number but you can receive texts and calls and, in some cases, reply to text messages. It works all over the world and is linked to your existing Alternative ID. For added security, you can delete and regenerate a new number, for free, every 30 days.
Disclaimer
We test and review VPN services in the context of legal recreational uses. For example: 1. Accessing a service from another country (subject to the terms and conditions of that service). 2. Protecting your online security and strengthening your online privacy when abroad. We do not support or condone the illegal or malicious use of VPN services. Consuming pirated content that is paid-for is neither endorsed nor approved by Future Publishing.
