The worst hacks and breaches of 2026 (so far)

💥 Check out this must-read post from TechCrunch 📖

📂 **Category**: Security,cyberattack,cybersecurity,data breach,hacks

Looking at 2026 so far, it might be easy to see cybersecurity falling by the wayside, as much of the world’s attention remains focused on raging wars and a worsening climate, and as we seem to be just one elusive sneeze away from the next global pandemic.

But cybersecurity remains a powerful barometer of what is happening on the global stage, where botnets power digital efforts to undermine the West, and governments use citizen data and civilian infrastructure as a weapon against entire groups of people. Meanwhile, financially motivated hackers seek huge ransom payments, causing disruption and accidental destruction across governments and private industries.

While we’re in the middle of this already horrific year of digital attacks and hybrid warfare, we look at some of the worst hacks and breaches to date, and how they could affect us in the future.

Questions remain about DOGE’s massive hit on Social Security data

A year after agents of Elon Musk’s government destroyer group known as the Department of Government Efficiency (or DOGE) overran federal agencies and dismantled them from the inside out, we’re still learning about the data lapses that occurred under their watch.

After DOGE entered the Social Security Administration, it remains unclear what happened to some of the country’s most sensitive data, as lawsuits are still ongoing in federal court. The most disturbing allegation is that DOGE uploaded a live copy of the agency’s Social Security database to an unsecured third-party server, leading to a scramble to understand what was stored there. This database allegedly contains the Social Security numbers and associated personal information of most living Americans.

In court filings, the Social Security Administration said it doesn’t know for sure what was on the server, but said DOGE signed an agreement with an outside political advocacy group under the guise of finding evidence of voter fraud, something President Trump continues to claim without any evidence. The concern is that the database could be misused to target Americans for false reasons.

Two senior House Democrats investigating some DOGE activities at the Social Security Administration said the disclosure of the government’s Social Security database “could be the largest data breach in our nation’s history.”

Protesters gather outside the Office of Personnel Management in Washington, D.C., on February 7, 2025 to protest federal layoffs and demand the termination of Elon Musk from the Department of Government Efficiency (DOGE). (Photo by Brian Dozier/Middle East Images/Middle East Images via AFP)

Hackers are increasingly targeting water systems and power grids

A series of cyberattacks across Europe targeting civilian energy and water supplies, such as power plants and water dams, has created a worrying trend recently. Many of the hacks, which were attributed to (or at least partly blamed on) Russia, risked causing real harm to communities and populations.

Poland’s power grid was targeted with computer-destroying malware at the end of last year, as were a Swedish thermal plant and a Norwegian dam, which leaked the equivalent of swimming pools’ worth of water. Hackers targeted Poland again earlier this year, this time its water treatment plants, showing that Russia’s hybrid warfare still extends beyond the digital realm.

Now, thanks to the recent U.S. and Israeli war against Iran, there are warnings that Iranian hackers are targeting critical infrastructure in the United States. This includes privately owned water utilities, which remain easy targets for hackers and often lack basic cybersecurity protections.

Iranian government hackers hit Stryker with a devastating device-wiping hack

Speaking of Iran, a cyberattack on US medical technology company Stryker in March saw Iranian hackers break in and remotely wipe tens of thousands of employee devices in one fell swoop, causing widespread disruption of the company’s operations for several days.

The hack marked a notable shift in Iranian hacking tactics at a time of ongoing war in the Middle East, with Iran moving from its typical focus on espionage, hacks and leaks to aid the country’s political gains, towards actively causing devastating hacks in apparent retaliation for the war. The US government linked the hacking group behind the hack to an arm of Iranian intelligence. The hack ended up having a material impact on Stryker’s first-quarter earnings after the company regained control of its systems.

Teach as part of ShinyHunters’ disruptive hacking campaigns

ShinyHunters continued their hacking campaigns, targeting dozens of companies using simple but highly effective voice phishing techniques. The English-speaking hackers are skilled at tricking companies into handing over access to their internal systems by pretending to be IT support, or conversely, an employee who has forgotten their password.

Few know better the toll a ShinyHunters hack can take than edtech giant Instructure. Hackers breached the company’s leading learning management system, Canvas, to steal private data and personal information belonging to more than 30 million students and employees. When the company did not pay the hackers’ ransom, the hackers broke in again and defaced schools’ login screens for Canvas, which students use to access their exam and course materials. This second hack occurred during school final exams, disrupting student exams across the United States. Instructure eventually paid the ransom, despite efforts by the FBI to dissuade the company from paying.

Instructure isn’t the only company targeted by ShinyHunters hackers so far. The gang was behind some of the largest breaches in terms of number of records stolen, including about 40 million records from internet service provider Charter and at least 6 million customer records from cruise line Carnival, among other victims in higher education, finance and government.

Redacted screenshot of the message left by ShinyHunters on the compromised login pages of Instructure's Canvas platform.

The supply chain is under attack, targeting open source projects and major technology companies

A series of persistent, simultaneous, and sometimes overlapping attacks on open source developers has led to massive hacks targeting major technology companies and their customers.

Some of the biggest names in security, including Aqua Security’s Trivy tool, Bitwarden and Checkmarx, along with other major open source projects, were compromised this year, allowing hackers to steal passwords, credentials and other sensitive codes from the computers of anyone who installed a backdoored version of the software, or whose already-installed software automatically updated and downloaded the malware.

These attacks used stolen credentials to spread further, opening the door to eventual compromises of major companies that relied on the targeted software, including artificial intelligence giant OpenAI and web hosting company Vercel. With a new hack occurring almost every week, the open source world remains a vulnerable target in the broader technology ecosystem.

The FBI’s surveillance system was hacked, resulting in a “major cyber incident.”

The US Federal Bureau of Investigation was forced to declare a “major cyber incident” in April, which required it to notify Congress under the law, after determining that one of its surveillance systems had been hacked. According to reports, the hack likely exposed the phone numbers of targets being monitored by federal agents.

Chinese spies have been accused of infiltrating the unclassified network, which contains sensitive information about the surveillance targets of wiretaps and other communications interceptions, such as pen registers. Given that lawmakers were notified, the breach likely met the requirement of causing “demonstrable harm” to U.S. national security.

Hasbro hack led to weeks of downtime

Toy giant Hasbro is the latest example of what happens when a large company suffers a security incident and is unprepared for it. Weeks after hackers were discovered in its systems in late March, the 103-year-old company remained largely offline, its website unavailable and unable to serve its customers.

The company, which owns big brands like Transformers, Peppa Pig, and Dungeons & Dragons, has said little about the incident itself, what data was taken (if any), and whether it paid the hackers. But the disruption alone is likely to impact the company’s financials, which it was forced to delay, as the company scrambled to deal with the incident.

Hasbro said as of mid-May that the hackers were no longer present in its systems and that its recovery process was underway. But the financial costs of the hack and the damaging impact on its business are likely to materialize in the coming months and are expected to be significant.

Millions of passports and driver’s licenses have been exposed

Over the past few months alone, there has been an uptick in major disclosures of data relating to people’s sensitive government-issued identity documents, including scans of passports and driver’s licenses left exposed on the internet. From a hotel check-in system and money transfer app to a prison payphone provider and a UK visa service, these services have exposed the personal documents of more than two million people that could easily be misused. Many of them were caused by simple security vulnerabilities that could have been easily avoided through basic cybersecurity practices.

These massive data spills come at a time when closed society apps and websites increasingly rely on “know your customer” checks to force users to verify their identity before letting them in, and governments are pushing age verification laws that require adults to undergo similar identity checks to access a wide swath of the internet.

The logic goes that the more spills there are, the less effective identity verification systems become, as they can easily be misused with a stolen or leaked passport or driving licence. The further rollout of these identity collection systems will inevitably lead to more data breaches and security lapses.


🕒 **Posted on**: 1780564642
