The Worst Cyberattacks and Data Breaches of 2026 So Far
2026 has been a brutal year for cybersecurity. Wars are being fought on digital fronts as well as physical ones. Ransomware gangs are holding critical institutions hostage. Nation-state hackers are targeting power grids, water systems, data breaches, and government networks. And the attacks are getting bolder, more destructive, and harder to contain.
We are only six months in. Here are the incidents that have defined the year so far — and what they tell us about where the threat landscape is heading.
The DOGE Data Breach: Government Data Exposed at Scale
One of the year’s most politically charged incidents involved the Department of Government Efficiency — DOGE. Security researchers flagged that DOGE’s rapid, poorly secured access to multiple federal systems created significant exposure of sensitive government data. The breach was a marked shift in how data leaks happen: not through external attackers breaking in, but through insecure internal access granted too quickly and without sufficient oversight.
The incident sparked congressional investigations and highlighted a risk that is easy to overlook — sometimes the biggest threat to government data isn’t a sophisticated hacker. It’s poor access controls on the inside.
Iranian Hackers Hit Energy Infrastructure
As the US-Israel conflict with Iran escalated in early 2026, Iranian threat actors shifted tactics dramatically. Rather than their typical espionage and hack-and-leak operations, Iranian hackers moved toward actively destructive attacks targeting civilian infrastructure. Energy systems, water treatment facilities, and financial networks were all targeted. Several Amazon data centre facilities in the UAE and Bahrain were hit by drone strikes coordinated alongside digital intrusions, disrupting cloud services across the Middle East.
This represents a dangerous evolution. Cyberattacks are no longer just about stealing data or extorting money — they are increasingly a direct extension of kinetic warfare.
Canvas Ransomware: 275 Million Students and Staff Affected
In May, Instructure — the company behind Canvas, the most widely used learning management system in the world — suffered a devastating ransomware attack. The breach affected an estimated 275 million students and staff globally. Instructure paid the ransom and received a decryption key — but the attackers had already copied the data. Names, email addresses, enrolment records, and crucially, private messages were all exposed.
The “contained by May 6, defaced on May 7” sequence was a stark reminder: an organisation’s belief that an incident is over is not evidence that it is. The Canvas breach is the clearest example yet that paying ransomware gangs provides no guarantee of data security.
Supply Chain Attacks: Two US Banks Hit Through a Shared Vendor
April 2026 was dominated by supply chain compromises. Two major US banks were breached through a single shared third-party vendor — neither bank’s own network was directly penetrated. The Everest ransomware group posted both banks on its dark web leak site simultaneously, making clear that the entry point was the shared vendor rather than either institution.
This is the pattern that keeps security teams awake at night. Your own defences can be solid. But if a supplier, contractor, or software vendor you depend on is compromised, attackers can walk straight through. Attackers are no longer breaking down the front door — they are walking in through trusted third parties.
OnlyFans: 340 Million Records Leaked
In June, hackers claimed to have leaked 340 million user records from OnlyFans — one of the largest alleged data dumps of the year. The leaked data reportedly included email addresses, usernames, and other account details. The claim is still being verified, but samples published by the threat actors have been confirmed as authentic by multiple researchers.
The scale is significant. 340 million records is larger than the population of the United States. And given the nature of OnlyFans — a platform where users often share highly personal content — the privacy implications for affected users go well beyond a typical account credential leak.
The Pattern Behind All of It
Looking across these incidents, several common threads emerge.
AI is accelerating both attack and defence. Ransomware groups are using AI to write more convincing phishing emails, find vulnerabilities faster, and automate lateral movement inside compromised networks. Defenders are using the same tools to detect intrusions and patch faster. The arms race is intensifying on both sides. Read more on how to protect yourself from the growing wave of AI-powered cyber threats.
Third-party risk is the biggest unsolved problem. The Canvas breach, the dual bank compromise, and the ServiceNow API incident this week all share the same root cause: attackers found a trusted intermediary and exploited it. Organisations that focus only on their own perimeter are missing where most attacks now originate.
Paying ransoms doesn’t work. Instructure paid. The data was still leaked. The FBI and CISA have said for years that paying ransoms funds further attacks and provides no guarantee of data recovery. 2026 is proving them right in the most painful way possible.
What the Rest of 2026 Looks Like
With Microsoft’s record Patch Tuesday yesterday, a fresh unpatched Windows Defender exploit already in the wild, and the ServiceNow breach still under investigation, the second half of 2026 is not starting quietly. The threat landscape is more complex, more automated, and more geopolitically charged than at any point in the history of the internet.
The organisations that will fare best are the ones that treat cybersecurity as a continuous process — not a compliance checkbox. Patch fast. Audit your supply chain. Assume your defences will eventually be tested. And have a plan for when they are.
Read more tech related articles here.
