The first half of 2026 has been brutal for cybersecurity. From government data mishandling to ransomware gangs disrupting schools during finals, the scale and variety of attacks keeps climbing. Here are the breaches that defined the year so far.

DOGE and the Social Security Database
Two top House Democrats described the exposure of the government’s Social Security database as potentially “the largest data breach in our nation’s history.” Operatives from the Department of Government Efficiency (DOGE) entered the Social Security Administration and, according to a whistleblower claim, uploaded a live copy of the Social Security database to an unsecured third-party server.
The database allegedly contained Social Security numbers and personal information for most living Americans. The SSA does not know exactly what was on that server, but court filings reveal that DOGE signed an agreement with an outside political advocacy group under the guise of investigating voter fraud. Lawsuits are ongoing in federal court.
Critical Infrastructure Under Fire
Polish energy grids were hit with computer-destroying malware. A Swedish thermal plant was targeted. A Norwegian dam had its controls hijacked, spilling swimming pools’ worth of water. Poland’s water treatment plants were breached. Russian-attributed hackers were behind most of these attacks, extending hybrid warfare into civilian infrastructure.
With the US-Israel conflict against Iran, warnings have emerged about Iranian hackers targeting American water utilities. These privately owned systems often lack basic cybersecurity protections, making them easy targets.
Stryker: Iran’s Destructive Medical Device Hack
Iranian hackers breached medical tech company Stryker in March and remotely wiped tens of thousands of employee devices simultaneously. The US government attributed the attack to an arm of Iranian intelligence. This marked a shift from Iran’s typical espionage operations toward actively destructive attacks in retaliation for the Middle East war. The breach had a material impact on Stryker’s first-quarter earnings.
Klue Breach Affects 200 Companies
Market research provider Klue suffered a breach affecting close to 200 companies, including cybersecurity firms Jamf, HackerOne, and LastPass. The attackers used a credential from 2022 that Klue had issued for a limited pilot and never decommissioned. The Icarus extortion gang broke in, stole cloud service keys, and used them to breach Klue’s customers.
Klue reportedly paid the hackers to suppress the stolen data, but a second hacking group also had a portion of the data and made separate extortion demands.
ShinyHunters Hit Instructure During Finals
The ShinyHunters hacking group breached Instructure’s Canvas learning management system, stealing data on over 30 million students and staff. When Instructure refused to pay, the hackers broke in again and defaced school login pages during exam season, disrupting finals for students across the US. Instructure eventually paid the ransom despite FBI advice against it.
The ShinyHunters also hit Charter (40 million records), Carnival Cruise (6 million records), Harvard, UPenn, fintech firm Figure, and EU agencies.
FBI Surveillance System Breached
The FBI declared a “major cyber incident” in April after discovering that one of its surveillance systems was compromised. Chinese spies were accused of breaching the unclassified network, potentially exposing phone numbers of wiretap targets. The breach triggered a legally required disclosure to Congress.
Instagram Account Hijackings via Meta’s AI Chatbot
Thousands of Instagram accounts were hijacked when attackers simply asked Meta’s AI chatbot for password reset codes. By pretending to be locked out of an account and requesting a reset to an email they controlled, attackers gained access to tens of thousands of accounts before Meta discovered and patched the vulnerability.
FAQ
What was the biggest data breach of 2026?
The DOGE-related exposure of the Social Security database is considered the most significant, potentially affecting most living Americans. Democrats in Congress called it possibly the largest data breach in US history.
How did the ShinyHunters hack Instructure?
The ShinyHunters used voice phishing (vishing), pretending to be IT support or employees who forgot their passwords. This social engineering approach was effective enough to breach Instructure’s Canvas platform twice.
What companies were affected by the Klue breach?
Nearly 200 companies were affected, including cybersecurity firms Jamf, HackerOne, and LastPass. The breach occurred because Klue failed to decommission a credential from a 2022 pilot program.
How were Instagram accounts hijacked through Meta’s AI?
Attackers chatted with Meta’s AI chatbot, pretended to be locked out of an account, and asked the chatbot to send a password reset code to an attacker-controlled email. This social engineering exploit affected tens of thousands of accounts.
