
2026 breaches If 2026 has proved anything so far, it is that cyberattacks are no longer just IT problems. They are disrupting schools, hospitals, government systems, industrial infrastructure, and consumer services, with some incidents now blurring the line between espionage, extortion, sabotage, and hybrid warfare. As the year moves into its second half, here is a look at some of the most consequential hacks and breaches reported so far, and why they matter.
2026 breaches
Questions remain over the DOGE-linked Social Security data incident
One of the most alarming stories of the year centers on the Social Security Administration, where concerns continue to mount over what happened after operatives from the Elon Musk-led Department of Government Efficiency, or DOGE, entered the agency. According to whistleblower claims, a live copy of the Social Security database was uploaded to an unsecured third-party server, creating uncertainty around what was stored and who could access it.
The database allegedly contained Social Security numbers and associated personal information for most living Americans. In court filings, the Social Security Administration said it does not know for sure what was on the server. It also said DOGE signed an agreement with an outside political advocacy group under the guise of finding evidence of voter fraud. Two top House Democrats investigating DOGE’s activities at the agency said the exposure of the government’s Social Security database “could very well be the largest data breach in our nation’s history.”
Critical infrastructure became a repeated target
Across Europe, attacks on civilian water and energy systems have underscored how vulnerable critical infrastructure can be when cybersecurity is weak or inconsistent. The report cites a pattern of incidents attributed to, or at least partly blamed on, Russia, including attacks on Poland’s energy grid, a Swedish thermal plant, and a Norwegian dam that spilled large amounts of water.
Poland was targeted again earlier this year, this time at water treatment plants. The broader concern is that these incidents are not just digital disruptions but potential physical threats to communities. The article also notes warnings that Iranian hackers may be targeting critical infrastructure in the United States, including privately owned water utilities that often lack basic cybersecurity protections.
Iranian hackers shifted toward destructive attacks
In March, U.S. medical technology company Stryker was hit by a destructive cyberattack that remotely wiped tens of thousands of employee devices. The breach caused major operational disruption for several days and marked a shift in Iranian cyber tactics, moving beyond espionage and hack-and-leak operations toward more destructive activity in apparent retaliation for war in the Middle East.
The U.S. government attributed the group behind the attack to an arm of Iranian intelligence. Stryker later said the incident had a material effect on its first-quarter earnings after it regained control of its systems.
Klue’s breach rippled across nearly 200 companies
Market research provider Klue was hit by one of the broadest data breaches of the year, affecting close to 200 companies, including cybersecurity firms Jamf, HackerOne, and LastPass. Klue said the extortion group known as Icarus used a credential issued in 2022 for a limited pilot, suggesting the access was never properly decommissioned before being stolen and used to break in.
That access exposed keys to customers’ cloud services, allowing the attackers to move into those environments and steal more data. Klue told customers it had reached an agreement with the hackers not to publish the stolen information, strongly suggesting a ransom payment. The hackers also said another group had some of the stolen data and urged affected victims not to pay that second crew.
ShinyHunters kept up a damaging campaign
The ShinyHunters group remained one of the year’s most disruptive actors, relying heavily on voice phishing to trick employees into giving up access. One of the most damaging cases involved education technology company Instructure, whose Canvas learning platform was breached to steal private data belonging to more than 30 million students and staff.
When Instructure did not pay the ransom, the hackers returned and defaced Canvas login screens during school finals, disrupting exams for students across the United States. Instructure eventually paid the ransom despite FBI efforts to discourage payment. The gang has also been linked to the theft of around 40 million records from internet provider Charter and at least 6 million customer records from Carnival, along with victims in education, finance, and government.
Open source supply chains stayed under pressure
A series of overlapping attacks on open source developers has created downstream risk for much larger companies. Security projects and tools including Aqua Security’s Trivy, Bitwarden, and Checkmarx were compromised, giving attackers the ability to steal passwords, credentials, and tokens from anyone who installed a backdoored version of the software or received a malicious auto-update.
Those stolen credentials were then used to spread further, creating exposure for companies that depend on the affected projects. The report says that includes OpenAI and Vercel. With a new hack appearing almost every week, open source remains a particularly fragile part of the technology ecosystem.
The FBI suffered a surveillance-system breach
In April, the FBI was forced to declare a “major cyber incident” after one of its surveillance systems was compromised, triggering a required disclosure to Congress. Reports said the breach may have exposed phone numbers associated with federal surveillance targets.
Chinese spies were accused of compromising the unclassified network, which contained sensitive information related to wiretaps and other communication intercepts, including pen register returns. The notification to lawmakers suggests the incident may have met the threshold of causing “demonstrable harm” to U.S. national security.
Meta’s AI chatbot enabled account hijackings
Not all major security failures required sophisticated malware. In early 2026, thousands of Instagram accounts were hijacked after people abused Meta’s AI chatbot to reset passwords. The scheme, first reported by 404 Media, unfolded over months before it was noticed.
Attackers opened chats with the bot, pretended to be locked out of their accounts, and asked it to send password reset codes to email addresses they controlled. The incident affected tens of thousands of accounts before Meta stopped the improper access. It was an embarrassing lapse for one of the world’s largest tech companies.
Hasbro’s recovery dragged on for weeks
Toymaker Hasbro showed how badly a company can be hurt when an incident lingers. Weeks after discovering hackers in its systems in late March, the 103-year-old company remained largely offline, with its website unavailable and customer operations disrupted.
Hasbro, which owns Transformers, Peppa Pig, and Dungeons & Dragons, has said little about the attack itself, including whether data was taken or whether it paid a ransom. It said as of mid-May that the hackers were out of its systems and recovery was underway, but the financial impact is expected to be substantial.
Identity documents were exposed at scale
Another recurring theme in 2026 has been the exposure of passports and driver’s licenses. Over the past few months, more than two million people’s personal documents were exposed through services ranging from a hotel check-in system and a money transfer app to a prison payphone provider and a U.K. visa service.
The common thread, according to the report, is that many of these exposures resulted from basic security failures that should have been avoidable. The issue is especially serious as more companies and governments rely on identity checks and age-verification systems that depend on collecting sensitive documents. The more such data is collected, the greater the consequences when it leaks.
Source: Original report
Was this helpful?
Last Modified: July 8, 2026 at 7:48 am
1 views

