Worst Data Breaches of 2026 So Far: Klue, Telecoms, and Government Agencies Hit Hard
2026 has been a brutal year for cybersecurity. From a market research firm leaking data on nearly 200 companies to Iranian hackers wiping tens of thousands of corporate devices, the scale and ambition of attacks keeps climbing. If you thought 2025 was bad, 2026 has already set new records in several categories.
Here is a breakdown of the most damaging breaches and hacks that have happened so far this year, along with what regular users should do to protect themselves.
The Klue Breach: 200 Companies Affected
Market research provider Klue became the center of one of the broadest data breaches of the year. Attackers compromised Klue’s production environment, which stored competitive intelligence data for close to 200 companies. Among the affected customers were cybersecurity firms like Jamf, HackerOne, and LastPass.
What makes this breach notable is the knock-on effect. Klue’s platform aggregates sales and marketing intelligence about its customers’ competitors. When hackers breached that data, they did not just get Klue’s information. They got a treasure trove of competitive data from nearly 200 companies at once.
LastPass confirmed that hackers stole customer support case data during the Klue breach. For a password manager company still recovering from its own massive 2022 breach, this is another blow to user trust. Jamf and HackerOne both published security advisories warning that stolen data could be used for phishing attacks targeting their employees and customers.
The breach came less than a year after Klue laid off half its staff and pivoted toward AI-powered competitive intelligence. Critics have questioned whether the cuts affected the company’s security posture.

DOGE and the Social Security Database
One of the most alarming incidents of the year involves the Department of Government Efficiency (DOGE) and the Social Security Administration. Whistleblowers allege that DOGE operatives uploaded a live copy of the Social Security database to an unsecured third-party server. This database allegedly contained Social Security numbers and personal information for most living Americans.
Two top House Democrats investigating the incident called it a potential candidate for the largest data breach in US history. The Social Security Administration has acknowledged it does not know exactly what data was stored on the server. Court filings reveal that DOGE signed an agreement with an outside political advocacy group under the stated purpose of finding voter fraud evidence.
Lawsuits are ongoing in federal court. The full scope of exposure remains unclear, but security researchers have flagged the potential for this data to be misused for identity theft at an unprecedented scale.
Iranian Hackers Target US Infrastructure
The ongoing conflict between the US/Israel and Iran has spilled into cyberspace in destructive ways. A pro-Iranian hacking group called Handala breached Stryker, a major US medical technology company, in March 2026. The attackers remotely wiped tens of thousands of employee devices in a single operation, causing widespread disruption for days.
This marked a shift in Iranian hacking strategy. Previously, Iranian state-sponsored groups focused on espionage and leak operations to advance political goals. The Stryker attack represented a move toward actively destructive operations, wiping hardware rather than just stealing data.
The US government attributed Handala to an arm of Iranian intelligence. The breach had a material impact on Stryker’s first-quarter earnings after the company spent weeks regaining control of its systems.
Beyond corporate targets, Iranian hackers have also been probing US water utilities and critical infrastructure. Private water utilities remain especially vulnerable because many lack basic cybersecurity protections.
European Water and Energy Grid Attacks
A series of cyberattacks across Europe targeted civilian energy and water supplies throughout early 2026. Several were attributed to Russian-linked groups:
- Poland’s energy grid was hit with computer-destroying wiper malware at the end of 2025, with follow-up attacks on water treatment plants in early 2026.
- A Swedish thermal power plant was targeted by a pro-Russian group in April 2026.
- A Norwegian dam had its control systems hijacked, causing it to spill large volumes of water. Norwegian intelligence blamed Russian hackers.
These attacks target critical civilian infrastructure, raising the stakes beyond corporate data loss. When hackers can manipulate water dams and power grids, the consequences can be measured in human lives rather than just financial losses.
What Users Should Do Now
With breaches hitting everything from password managers to government databases, regular users need to take basic protective steps:
- Use unique passwords everywhere. A breach at one company should not compromise your accounts at others. A password manager makes this practical.
- Enable two-factor authentication. Even if your password leaks, 2FA adds a second barrier. Hardware keys are the strongest option; authenticator apps are the next best.
- Monitor your accounts. Set up alerts for financial accounts and check Have I Been Pwned regularly to see if your email has appeared in known breaches.
- Freeze your credit. With the potential Social Security database exposure, a credit freeze prevents new accounts from being opened in your name.
- Update your devices. Many of the infrastructure attacks exploit known vulnerabilities. Keeping your phone, laptop, and router firmware updated closes the most common entry points.

Frequently Asked Questions
What was the biggest data breach of 2026?
The Klue breach affected close to 200 companies and exposed competitive intelligence data. However, the DOGE Social Security database incident could potentially affect more individuals if the allegations of mass data exposure are confirmed.
Was LastPass hacked again in 2026?
LastPass was not directly hacked. However, customer support case data was stolen through the Klue breach, since LastPass was one of Klue’s customers. LastPass advised affected users to watch for phishing attempts.
How can I check if my data was in the Klue breach?
If you work at a company that used Klue for competitive intelligence, your employer should have been notified directly. You can also check Have I Been Pwned to see if your email address has appeared in any recently disclosed breach databases.
Are water systems in the US safe from hackers?
Many privately owned water utilities in the US still lack basic cybersecurity protections. The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about Iranian hackers targeting water infrastructure. Users should stay informed about their local utility’s security measures.
What is a credit freeze and how do I set one up?
A credit freeze prevents new credit accounts from being opened in your name. You can set one up for free through Equifax, Experian, and TransUnion. It does not affect your existing accounts or credit score, but you need to temporarily lift it if you apply for new credit.
