The first half of 2026 has been brutal for cybersecurity. Nation-state hackers, ransomware gangs, and even AI chatbot exploits have caused damage on a scale that makes previous years look tame. Here are the worst breaches and hacks that have hit so far this year.
1. DOGE and the Social Security Database
The biggest question mark of 2026 surrounds what happened when operatives from the Department of Government Efficiency (DOGE) entered the Social Security Administration. Whistleblower claims allege that DOGE uploaded a live copy of the Social Security database, containing the Social Security numbers and personal information of most living Americans, to an unsecured third-party server.
Two top House Democrats investigating the incident called the exposure “potentially the largest data breach in our nation’s history.” Court filings show the SSA doesn’t know exactly what data was on the server. DOGE reportedly signed an agreement with an outside political advocacy group “under the guise of finding evidence of voter fraud.”

2. Water Systems and Energy Grids Under Attack
A wave of cyberattacks across Europe has targeted civilian energy and water supplies. Russia-attributed hackers hit Poland’s energy grid with computer-destroying malware, a Swedish thermal plant, and a Norwegian dam that spilled swimming pools’ worth of water. Poland’s water treatment plants were also breached earlier this year.
Following the U.S. and Israel’s war against Iran, Iranian hackers are now targeting U.S. critical infrastructure, including privately owned water utilities that often lack basic cybersecurity protections.
3. Iranian Hackers Wipe 10,000+ Devices at Stryker
In March, Iranian hackers broke into medical tech company Stryker and remotely wiped tens of thousands of employee devices in one operation. The U.S. government attributed the breach to an arm of Iranian intelligence. The attack had a material impact on Stryker’s first-quarter earnings, marking a shift from Iran’s typical espionage focus toward destructive retaliation.
4. Klue Breach Hits 200 Companies Including Security Giants
Market research provider Klue suffered one of the broadest breaches of the year, affecting close to 200 companies including Jamf, HackerOne, and LastPass. The extortion gang Icarus used a credential from a 2022 pilot that Klue had four years to decommission. The hackers exposed customer cloud service keys, enabling downstream data theft from victim companies. Klue reportedly paid the hackers to prevent publication of stolen data.
5. ShinyHunters Devastate Instructure During Finals
The ShinyHunters hacking group breached Instructure’s Canvas learning management system, stealing data on over 30 million students and staff. When Instructure refused to pay, the hackers broke in again and defaced school login screens during finals week, disrupting exams across the United States. Instructure eventually paid the ransom, despite FBI efforts to dissuade them.
The same group also hit Charter (40 million records) and cruise liner Carnival (6 million records) this year.
6. FBI Surveillance System Breach
The FBI declared a “major cyber incident” in April after discovering that one of its surveillance systems was compromised by Chinese hackers. The breach potentially exposed phone numbers of surveillance targets, including pen register returns. The incident required a legally mandated disclosure to Congress, suggesting it caused “demonstrable harm” to national security.
7. Instagram AI Chatbot Exploit
Thousands of Instagram accounts were hijacked through a simple exploit of Meta’s AI chatbot. Attackers opened chats with the chatbot, pretended to be locked out of accounts, and asked it to send password reset codes to attacker-controlled email addresses. The technique affected tens of thousands of accounts before Meta noticed and shut it down.
8. Open Source Supply Chain Attacks
Major security tools including Aqua Security’s Trivy, Bitwarden, and Checkmarx were compromised through supply chain attacks targeting open source developers. The attackers used stolen credentials to spread to downstream targets, including OpenAI and Vercel. With a new hack nearly every week, the open source ecosystem remains a persistent vulnerability.
9. Hasbro Goes Down for Weeks
Toymaker Hasbro (Transformers, Dungeons & Dragons, Peppa Pig) was hit by a cyberattack in late March and remained largely offline for weeks. The 103-year-old company delayed its financial filings as it scrambled to recover. Hasbro has said little about what data was taken or whether it paid hackers.
10. Two Million Passports and IDs Exposed
A cluster of security lapses exposed over two million passport and driver’s license scans from services including a hotel check-in system, a Canadian money transfer app, a prison payphone provider, and a U.K. visa service. Most were caused by basic security oversights that could have been prevented with standard cybersecurity practices. These exposures come as governments push for more identity verification checks online.
Frequently Asked Questions
What was the biggest data breach of 2026?
The DOGE Social Security database exposure is potentially the largest, affecting the Social Security numbers and personal information of most living Americans. Two Democratic lawmakers called it “potentially the largest data breach in our nation’s history.”
How did hackers exploit Meta’s AI chatbot on Instagram?
Attackers simply asked Meta’s AI chatbot to send password reset codes to email addresses they controlled, by pretending to be locked out of high-profile accounts. Tens of thousands of accounts were hijacked before the exploit was discovered.
Which companies were affected by the Klue data breach?
Nearly 200 companies were affected, including major cybersecurity firms like Jamf, HackerOne, and LastPass. The hackers gained access using a credential from a 2022 pilot that was never decommissioned.
Are water treatment plants really being targeted by hackers?
Yes. Polish water treatment plants were breached in early 2026, and following the U.S.-Israel war against Iran, warnings have been issued about Iranian hackers targeting privately owned U.S. water utilities that often lack basic cybersecurity protections.
How did the ShinyHunters disrupt student exams?
After Instructure refused to pay their ransom, the ShinyHunters broke into Canvas again and defaced login pages during finals week, preventing students from accessing exams and coursework across the United States. Instructure eventually paid the ransom.
