The 10 biggest data breaches impacting Ukrainians: Kyivstar, state registers, Facebook, LinkedIn, PrivatBank and more.
Top 10 Data Breaches Affecting Ukrainian Users (2024-2026)
Ukraine has become one of the most cyber-targeted nations on Earth. According to CERT-UA, the country faced 4,315 cyber incidents in 2024 alone — a staggering 70% increase compared to 2023. Microsoft's Digital Defense Report ranks Ukraine 5th globally for cyberattack volume. For ordinary Ukrainian citizens, this means their personal data — names, passport numbers, phone numbers, banking details — has been exposed, sold, and weaponized on a scale few other populations have experienced.
This article examines the ten most significant data breaches and leaks that have affected Ukrainian users from 2013 through 2026, combining both global mega-breaches and Ukraine-specific incidents tied to the ongoing cyberwar.
Why Ukraine Is a Prime Target
Before diving into specific breaches, it is important to understand the context. Ukraine sits at the intersection of several threat vectors:
- Active cyberwar: Since Russia's full-scale invasion in February 2022, Russian state-sponsored groups (Sandworm, Gamaredon, UAC-0006, XakNet) have systematically targeted Ukrainian infrastructure.
- Critical digital adoption: Over 21 million Ukrainians use the Diia e-government app, creating a massive digital attack surface.
- Global platform exposure: Millions of Ukrainians use Facebook, LinkedIn, and other platforms whose breaches have global reach.
- Financial targeting: PrivatBank (the country's largest bank) and monobank are constant targets for phishing and data theft operations.
CERT-UA reports that government agencies were targeted in 58% of all cyberattacks in 2024, up from 20-25% in previous years. The most common attack types remain malware distribution, phishing, malicious connections, and account compromises.
The Top 10 Breaches
1. Kyivstar Attack (December 2023)
Date: December 12, 2023
Affected: 24.3 million mobile subscribers + 1.1 million home internet users
Data exposed: Internal systems wiped; potential access to subscriber data
Attribution: Sandworm (Russian GRU)
The Kyivstar attack was the most destructive cyberattack on Ukrainian civilian infrastructure since the full-scale invasion. Russian military intelligence hackers infiltrated Ukraine's largest mobile operator as early as May 2023, achieving full network access by November. On December 12, they detonated their payload — wiping over 10,000 computers, 4,000+ servers, and all cloud storage and backup systems.
Approximately 40% of Kyivstar's infrastructure was destroyed. Services went dark for millions of users, and critically, air raid alert systems were disrupted during an active war. While Kyivstar officially denied personal data exfiltration, the Solntsepek hacking group (a Sandworm front) published screenshots suggesting access to client information dating back to November 2023. Full service was restored by December 20 with SBU assistance.
2. Ukrainian State Registers Attack (December 2024)
Date: December 19-20, 2024
Affected: Potentially all Ukrainian citizens with records in government databases
Data exposed: Property records, biometric data, business registrations
Attribution: Russian state-sponsored hackers (XakNet claimed responsibility)
Described as the "largest cyberattack on Ukraine's state registers" by Ukrainska Pravda, this assault targeted Ministry of Justice systems housing critical databases: property records, business registrations, and biometric data. The hackers claimed to have downloaded databases containing over one billion rows of data and then destroyed all data they accessed, including backup copies stored on servers in Poland.
The Diia app temporarily shut down dozens of services including business registration, child benefits, marriage applications, and disability assistance. While Prime Minister Denys Shmyhal stated that Diia itself was disconnected before compromise, the full extent of data exfiltration remains under investigation.
3. Facebook / Meta Data Leak (2021)
Date: Data scraped in 2019; leaked publicly in April 2021
Affected globally: 533 million users across 106 countries
Ukrainian impact: Estimated hundreds of thousands of Ukrainian accounts
Data exposed: Full names, phone numbers, email addresses, locations, birth dates, biographical information
In April 2021, a dataset containing personal information of 533 million Facebook users appeared freely on a hacking forum. The data had been scraped by exploiting a vulnerability in Facebook's Contact Importer feature, which allowed attackers to match phone numbers to profiles at scale. Countries with the highest exposure included Italy (35M), the US (32M), France (19.8M), and the UK (11M).
For Ukrainian users, this breach was particularly dangerous because phone numbers linked to real identities enable targeted phishing, SIM-swapping attacks, and social engineering — all tactics actively used by Russian threat actors against Ukrainian targets. Facebook stated it would not notify affected users.
4. LinkedIn Data Scrape (2021)
Date: April-June 2021
Affected globally: 700 million users (~92% of all LinkedIn users)
Ukrainian impact: Significant — LinkedIn is widely used by Ukrainian IT professionals and cybersecurity specialists
Data exposed: Full names, email addresses, phone numbers, workplace information, professional profiles
Hackers scraped data from approximately 700 million LinkedIn accounts — nearly the entire user base. The leaked dataset included names, email addresses, phone numbers, geolocation records, and workplace details. For Ukrainian cybersecurity professionals, IT workers, and defense sector employees, this data is a goldmine for spear-phishing campaigns. Russian APT groups have repeatedly used LinkedIn data to craft targeted attacks against Ukrainian defense and government personnel.
5. Collection #1-5 Mega Compilations (2019)
Date: January 2019
Total records: 2.7 billion email/password pairs (773 million unique emails in Collection #1 alone)
Ukrainian impact: Millions of Ukrainian email accounts included
Data exposed: Email addresses and passwords from 2,000+ previous breaches
The Collection #1-5 compilations represent the largest aggregation of stolen credentials ever assembled. Collection #1 alone contained 773 million unique email addresses and 21 million unique passwords, compiled from over 2,000 separate data breaches. The full set (Collections #1 through #5) contained billions of records.
These compilations are particularly dangerous for Ukrainian users because they enable credential stuffing attacks — automated attempts to log into accounts using previously leaked password combinations. Given that many Ukrainians reuse passwords across services, these collections provide direct pathways into email accounts, banking platforms, social media, and even government services.
6. Telegram Bot Data Leaks (2020-2022)
Date: Ongoing from 2020
Affected: Up to 26 million Ukrainian records claimed; MP Fedienko cited 20 million
Data exposed: Passport numbers, tax IDs, driver's licenses, bank details, social media passwords
Source: Aggregated from multiple Ukrainian government and commercial database leaks
Starting in 2020, Telegram bots like @UA_baza began selling personal data of Ukrainian citizens for nominal fees. These bots aggregated data from multiple sources, claiming to hold 900 GB of records including passport numbers, personal identification codes (IPN), driver's licenses, and banking details. A Ukrainian MP stated that approximately 20 million citizens' data was available through these channels.
In 2021, files labeled as originating from Diia's storage appeared online, containing applicant information with names, dates of birth, passport numbers, photos, and COVID vaccination data. The Ministry of Digital Transformation denied Diia was the source, noting that the bots claimed 26 million driver's license records while only 9.5 million licenses exist in Ukraine. The SBU launched an investigation, but these bots demonstrated how fragmented Ukrainian government data leaks can be weaponized when compiled together.
7. PrivatBank Customer Database (2020-2024)
Date: Database appeared on hacking forums; phishing campaigns ongoing through 2024
Affected: Up to 40 million customer records claimed
Data exposed: Full names, birth dates, passport details, contact information, banking data
Attribution: Unknown initial actors; UAC-0006 linked to ongoing phishing campaigns
An unknown threat actor offered what they claimed to be PrivatBank's full customer database on a hacking forum: 40 million entries containing passport details, banking information, and personal data. PrivatBank denied the breach, stating the data "was created by fraudsters." The bank had approximately 20 million customers when nationalized in 2016, which raises questions about the authenticity of a dataset claiming 40 million entries.
Regardless of the original database's provenance, PrivatBank customers have faced relentless phishing campaigns linked to the UAC-0006 threat group. Active since at least November 2024, these campaigns use deceptive emails with password-protected archives deploying SmokeLoader malware for data theft and unauthorized account access. Researchers have noted overlaps with Russian APT group FIN7's tactics.
8. Adobe Data Breach (2013)
Date: October 2013
Affected globally: 153 million accounts
Data exposed: Internal IDs, usernames, emails, encrypted passwords, password hints in plain text
Ukrainian impact: Ukrainian creative professionals, IT workers, and students using Adobe products
While this breach predates the current conflict, its effects persist. Attackers compromised an Adobe web server and moved laterally through the network, extracting 153 million account records. The password encryption was poorly implemented, and plain-text password hints made many passwords trivially recoverable. Adobe paid a $1 million settlement to 15 US states.
For Ukrainian users, the concern is longevity: passwords and email addresses from the 2013 breach continue to appear in credential stuffing attacks and compilation databases (like Collection #1-5) over a decade later. Users who never changed their Adobe passwords remain at risk.
9. Monobank DDoS and Financial Sector Attacks (2024)
Date: Multiple incidents throughout 2024
Affected: Monobank's 8+ million users; broader financial sector
Attack type: DDoS (7.5 billion requests), phishing, malware distribution
Attribution: Suspected Russian state-sponsored actors
Monobank, Ukraine's popular mobile-only bank with over 8 million users, faced a "massive" DDoS attack that lasted an entire weekend, peaking at 7.5 billion requests. The attack specifically targeted Monobank's service for processing donations to the Ukrainian military.
While DDoS attacks do not directly leak data, they are frequently used as a smokescreen for data exfiltration attempts or to disrupt banking services during coordinated phishing campaigns. Combined with the SmokeLoader campaigns targeting PrivatBank and broader credential theft operations, Ukraine's financial sector faces persistent, multi-vector attacks aimed at both disruption and data theft.
10. WRECKSTEEL Campaign Against Ukrainian Government (March 2025)
Date: March 2025
Affected: Ukrainian government agencies and critical infrastructure organizations
Data exposed: Documents, screenshots, system information from compromised government workstations
Attribution: Russian-linked threat actors (tracked by CERT-UA)
In one of the most recent campaigns, CERT-UA documented attacks using the WRECKSTEEL malware targeting Ukrainian state systems. The attackers distributed phishing emails with links to legitimate services (such as DropMeFiles) that delivered a Visual Basic Script loader, which then deployed a PowerShell-based stealer. The malware was designed to exfiltrate documents and capture screenshots from compromised systems.
This campaign represents the evolving sophistication of attacks against Ukrainian government infrastructure, combining social engineering with multi-stage malware delivery to steal sensitive government data.
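A defender-side check for the delivery chain described above (a script loader that launches PowerShell), as an added example that is not from CERT-UA or the original article. The event field names, host names and sample events are constructed assumptions, not a real log schema.

```python
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".wsf")
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\")
STEALTH_FLAGS = ("-windowstyle hidden", "-w hidden", "-enc")
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed process-creation events (hypothetical field names).
EVENTS = [
    {"host": "ws-014", "parent_image": r"C:\Windows\System32\wscript.exe",
     "parent_cmdline": r'wscript.exe "C:\Users\user1\Downloads\document.vbs"',
     "image": PS,
     "cmdline": r"powershell.exe -NoProfile -WindowStyle Hidden -File C:\Users\user1\AppData\Local\Temp\t.ps1"},
    {"host": "ws-022", "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": r"C:\Windows\explorer.exe",
     "image": PS, "cmdline": "powershell.exe"},
    {"host": "srv-003", "parent_image": r"C:\Windows\System32\cscript.exe",
     "parent_cmdline": r'cscript.exe "C:\Program Files\Inventory\collect.vbs"',
     "image": PS,
     "cmdline": r'powershell.exe -NoProfile -File "C:\Program Files\Inventory\collect.ps1"'},
]

def image_name(path):
    """Lower-cased executable name from a Windows path (works on any OS)."""
    return PureWindowsPath(path).name.lower()

def score_event(ev):
    """Return the reasons an event matches the script-host -> PowerShell pattern."""
    if (image_name(ev["parent_image"]) not in SCRIPT_HOSTS
            or image_name(ev["image"]) not in POWERSHELL):
        return []
    reasons = ["script host spawned PowerShell"]
    parent_cmd, child_cmd = ev["parent_cmdline"].lower(), ev["cmdline"].lower()
    if any(e in parent_cmd for e in SCRIPT_EXTS) and any(d in parent_cmd for d in USER_WRITABLE):
        reasons.append("script launched from a user-writable directory")
    if any(f in child_cmd for f in STEALTH_FLAGS):
        reasons.append("hidden or encoded PowerShell invocation")
    return reasons

def detect(events):
    """Map host -> reasons for every event that matched."""
    flagged = {}
    for ev in events:
        reasons = score_event(ev)
        if reasons:
            flagged[ev["host"]] = reasons
    return flagged

if __name__ == "__main__":
    for host, reasons in detect(EVENTS).items():
        print(host, "->", "; ".join(reasons))
```

The single-reason hit on the constructed inventory server shows why the extra signals matter: legitimate administration scripts also launch PowerShell, so the lineage alone is a triage lead rather than a verdict.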
The Full Picture: Ukraine's Breach Landscape in Numbers
| Breach / Incident | Year | Records Affected | Data Type |
|---|---|---|---|
| Kyivstar Attack | 2023 | 24.3M subscribers | Infrastructure / subscriber data |
| State Registers Attack | 2024 | 1B+ rows claimed | Government records, biometrics |
| Facebook Leak | 2021 | 533M globally | Names, phones, emails |
| LinkedIn Scrape | 2021 | 700M globally | Professional profiles, contacts |
| Collection #1-5 | 2019 | 2.7B email/password pairs | Credentials |
| Telegram Bot Leaks | 2020-2022 | ~20M Ukrainian records | Passports, IDs, banking |
| PrivatBank Database | 2020-2024 | 40M claimed | Banking, passport data |
| Adobe Breach | 2013 | 153M globally | Emails, passwords |
| Monobank DDoS | 2024 | 8M+ users disrupted | Service disruption |
| WRECKSTEEL Campaign | 2025 | Government agencies | Documents, screenshots |
What You Should Do Right Now
If you are a Ukrainian citizen or anyone who has used Ukrainian digital services, the probability that your data has been compromised in at least one of these breaches is extremely high. Here are immediate steps:
- Check your exposure. Use breach-checking tools to see if your email, phone number, or credentials appear in known leak databases.
- Change reused passwords immediately. If you use the same password on multiple services, change it on each of them now. Use a password manager.
- Enable two-factor authentication (2FA) on every account that supports it — especially email, banking, and government services.
- Monitor your bank accounts for unauthorized transactions. Enable SMS/push notifications for every operation.
- Be hyper-vigilant about phishing. Do not open unexpected attachments, especially password-protected archives claiming to be from banks or government agencies.
- Review your Diia and government service access for any unauthorized activity.
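The exposure and reuse checks from the steps above, as an added example that is not part of the original article or of any tool it mentions. It audits a constructed password-vault export and uses a k-anonymity lookup in the style of the Have I Been Pwned Pwned Passwords range format (`SUFFIX:COUNT` lines for a 5-character SHA-1 prefix); the lookup here is a local stand-in, and the corpus, counts and site names are constructed.

```python
import hashlib
from collections import defaultdict

def sha1_hex(password):
    # SHA-1 is only the lookup key format here, never a way to store passwords.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed breach corpus with made-up occurrence counts.
CORPUS = {"qwerty123": 1200, "kyiv2020": 35}
SENT_PREFIXES = []  # everything that would leave the machine

def local_range_lookup(prefix):
    """Stand-in for a remote range endpoint: 'SUFFIX:COUNT' lines for one prefix."""
    SENT_PREFIXES.append(prefix)
    hits = ((sha1_hex(p), n) for p, n in CORPUS.items())
    return "\r\n".join(f"{d[5:]}:{n}" for d, n in hits if d.startswith(prefix))

def breach_count(password, fetch_range=local_range_lookup):
    """Send only the first 5 hex chars of the SHA-1; compare the suffix locally."""
    digest = sha1_hex(password)
    for line in fetch_range(digest[:5]).splitlines():
        suffix, _, count = line.partition(":")
        if suffix.strip().upper() == digest[5:]:
            return int(count)
    return 0

def audit_vault(vault, fetch_range=local_range_lookup):
    """Return {site: [findings]} for reused or breached passwords."""
    sites_by_pw = defaultdict(list)
    for site, pw in vault.items():
        sites_by_pw[pw].append(site)
    findings = {}
    for pw, sites in sites_by_pw.items():
        seen = breach_count(pw, fetch_range)
        for site in sites:
            notes = []
            if len(sites) > 1:
                notes.append("reused on " + ", ".join(s for s in sites if s != site))
            if seen:
                notes.append(f"seen {seen} times in breach corpus")
            if notes:
                findings[site] = notes
    return findings

# Constructed vault export (site -> password).
VAULT = {"mail.example": "qwerty123", "bank.example": "qwerty123",
         "forum.example": "kyiv2020", "gov.example": "T7#vr-Lq02!mZ"}

if __name__ == "__main__":
    for site, notes in audit_vault(VAULT).items():
        print(site, "->", "; ".join(notes))
```

Only the 5-character prefixes recorded in `SENT_PREFIXES` would be transmitted to a real lookup service; the full hash and the password stay local.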
Check If Your Data Was in These Breaches — Free
CyberPeople provides a free breach-check tool that scans known leak databases for your email addresses and phone numbers. Find out if your personal data has been exposed in any of these major incidents.
Sources: CERT-UA, Microsoft Digital Defense Report 2024-2025, Ukrainska Pravda, BleepingComputer, Cybernews, The Record, Have I Been Pwned, CSIS Significant Cyber Incidents database.