The meme about 2016’s ‘bad attitude’ is pretty well established. In Britain and the U.S. there were rancorous political contests over Brexit and the U.S. presidency that left folks on both sides of the political divide with a bad taste in their mouth. And though death is a constant no matter the year, 2016 seemed particularly heartless in claiming beloved figures at the end of their journey (John Glenn, David Bowie, Abe Vigoda, Fidel Castro) and those seemingly in the middle of it (Anton Yelchin, Prince, George Michael).

As bad as it was for entertainers, however, on the matter of data security, the news may be even worse, new data suggests: with more than 4,000 data breaches and 4 billion (with a “B”) records exposed in the year ending December 31. Even worse: almost all of the leaked records were the result of hacking, data suggests.

The accounting comes from the firm Risk Based Security, which aggregates reports of data breaches from public sources and Freedom of Information Act (FOIA) requests. The company released its Year End Data Breach report on Wednesday.

The list of horribles from the report is long. Risk Based Security noted 4,129 breaches reported during the last year. The 4.2 billion records reported stolen tops the previous high, in 2013, by 3.2 billion records. The last year saw four of the top five largest data breaches of all time, including Yahoo’s leak of one billion user accounts and the theft of 412 million records from FriendFinder Networks. Eight of the top 20 largest data breaches of all time happened last year.

There were more, bigger breaches. Large breaches involving more than 10 million records jumped 125% in 2016. Further: 123 companies reported multiple breaches. Top among them was Yahoo, which disclosed a 500 million account leak just prior to its 1 billion account leak. That left-right punch to the gut has given the company’s would be suitor, Verizon, reason to put a hold on their nuptials.

Just over half (53%) of the reported breaches were the result of hacking. But hacks accounted for almost all the stolen data (91.9%), suggesting that the dimensions of the data breach and data theft problem are due mostly to online crime, rather than physical theft. That’s especially true as more and more data moves online. In fact, stolen laptops – which used to be a top source of data theft – accounted for just 67 of the more than 4,000 incidents reported in 2016.

Hacking, on the other hand, accounted for 2213 of those incidents, with SQL injection the most common method for gaining access to sensitive data. SQL injection flaws are widespread, despite frequent warnings from the security community about the risk they pose. And we know from talking to “Kapustkiy,” the (self-described) 17 year-old hacker who has been exposing the insecurity of diplomatic missions and government agencies around the globe, that these types of flaws are a quick and easy path to sensitive data. Still… they persist.

And, while the United States accounted for the lion’s share of reported incidents (1,971 or 68%), the problem is widespread. More than 100 countries reported at least one data breach in 2016 and 10 countries accounted for 64% of all breaches.

The scariest news? This list is not at all comprehensive. Risk Based Security’s accounting relies on reporting of breach incidents in public or publicly accessible sources. There are almost certainly many, many incidents that go unreported by companies and (of course) consumers both within the U.S., where data breach disclosure is mostly a state-run affair, and outside the U.S. where data breach disclosure is by no means uniform. Those incidents, of course, are invisible even if their after effects – identity theft, fraud, intellectual property theft – are not.