
Hacked, leaked, and held for ransom: 2026’s worst breach so far

If anything, 2026 has made it clear that cybersecurity is no longer a background concern – it’s front and center, woven into almost every big story of the year. Yes, wars are still raging, the weather is getting worse, and we seem to be one sneeze away from another global pandemic.

But working underneath it all is a digital machine that affects everything: wars fought across digital and physical borders, governments weaponizing citizens’ data against them, botnets quietly undermining democratic institutions, cybercriminals targeting public infrastructure from power grids to water systems, and ransomware gangs holding companies and institutions hostage for huge ransoms. Attacks are becoming bolder, more devastating, and harder to contain.

As we’re in the middle of this already terrifying year of digital attacks and hybrid warfare, we take a look at some of the worst hacks and breaches to date, and how they could affect us going forward.

Questions remain over DOGE’s massive swiping of Social Security data

A year after Elon Musk-led operatives and a group of saboteurs known as the Department of Government Operations (or DOGE) swept through and dismantled government agencies from the inside out, we’re still learning about the data breaches that happened under their watch.

After DOGE moved into the Social Security Administration, it’s unclear what happened to the country’s sensitive data, as cases continue in federal court. The investigator’s startling claim is that DOGE uploaded a live copy of the Social Security database to an unsecured third-party server, leading to confusion over what was stored on it. This database is said to contain the Social Security numbers and associated personal information of most living Americans.

In court filings, the Social Security Administration said it doesn’t know for sure what was on the server, but it said DOGE signed an agreement with an outside political lobby group under the pretense of finding evidence of voter fraud, something President Trump continues to demand without proof. The fear is that the database could be misused to target Americans for the wrong reasons.

Two of the top House Democrats investigating some of DOGE’s activities at the Social Security Administration said the disclosure of the government’s Social Security database “could be the largest data breach in our country’s history.”


Cybercriminals are increasingly targeting water systems and power grids

Cyberattacks across Europe targeting public energy and water supplies, such as power plants and water dams, have set a worrying recent trend. Several hacks attributed to (or at least partially blamed on) Russia have risked real-world harm to communities and individuals.

Late last year, Poland’s power grid was targeted by malware that destroyed computers; a Swedish thermal plant and a Norwegian dam, which spilled water to a number of swimming pools, were also targeted. Hackers again targeted Poland earlier this year, this time its water treatment plants, showing that Russia’s hybrid war continues to extend beyond the digital realm.

Now, because of the recent war pitting the US and Israel against Iran, there are warnings that Iranian hackers are targeting important infrastructure in the United States. This includes privately owned water utilities, which are often a soft target for hackers because they often lack basic cybersecurity protections.

Iranian government hackers hit Stryker with a devastating hack

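Speaking of Iran, a cyberattack on American medical technology company Stryker in March saw Iranian hackers break in and remotely wipe tens of thousands of employees’ devices at once, causing severe disruption to the company’s operations for several days.

This breach marked a significant change in Iranian hacking tactics during the ongoing war in the Middle East, with Iran moving away from its usual focus on espionage and hack-and-leak activities that serve the country’s political gains, and towards destructive hacks in apparent revenge for the war. The US government says the hacking group behind the breach belongs to Iran’s intelligence arm. The breach ended up having a significant impact on Stryker’s first quarter earnings after it regained control of its systems.

Education in the midst of ShinyHunters’ disturbing hacking campaigns

ShinyHunters continued their hacking campaigns, targeting dozens of companies with simple but highly effective phishing tactics. The English-speaking hackers trick companies into granting access to their internal systems by pretending to be IT support or, conversely, an employee who has forgotten their password.

Few know the toll of a ShinyHunters hack better than education tech giant Instructure. Hackers breached the company’s leading learning management system Canvas to steal the private and personal information of more than 30 million students and staff. When the company didn’t pay the hackers, the hackers broke in – again – and defaced schools’ Canvas login screens, which students use to access their exams and study materials. The second hack happened during the school holidays, disrupting exams for students across the United States. Instructure eventually paid the ransom, despite the FBI’s efforts to dissuade the company from paying.

Education companies weren’t the only ones targeted by the ShinyHunters hackers so far. The gang was responsible for major breaches by number of stolen records, including 40 million records from Internet provider Charter and at least 6 million customer records from the cruise line Carnival, among other victims in higher education, finance and government.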

A tutorial in the midst of ShinyHunters’ disturbing hacking campaigns

ShinyHunters continued their hacking campaigns, targeting dozens of companies with simple but highly effective phishing tactics. English-speaking hackers have the ability to trick companies into changing access to their internal systems by pretending to be IT support, or vice versa, an employee who has forgotten their password.

Few know better than the toll a hack from ShinyHunters would have on Education tech giant Instructure. Hackers breached the company’s leading learning management system Canvas to steal the private information and personal information of more than 30 million students and staff. When the company didn’t pay the hackers, the hackers broke in – again – and defaced the school’s Canvas login screens, which students use to access their exams and study materials. The second hack happened during the school holidays, disrupting exams for students across the United States. Instructure eventually paid the ransom, despite the FBI’s efforts to dissuade the company from paying.

Teaching wasn’t the only company targeted by the ShinyHunters hackers so far. The gang was responsible for a major breach in the number of stolen records, including 40 million records from Internet provider Charter and at least 6 million customer records from the cruiseliner Carnival, among other victims of higher education, finance and government.

A modified screenshot of the message ShinyHunters left on the hacked Canvas login pages of the Instructure platform.
Photo credits: TechCrunch

The supply chain is under attack, targeting open source projects and large technology companies

A series of ongoing, simultaneous, and sometimes overlapping attacks on open source developers has resulted in massive hacks targeting major technology companies and their customers.

Some of the biggest names in security, including Aqua Security’s Trivy tool, Bitwarden, and Checkmarx, as well as other major open source projects, have been compromised this year, allowing hackers to steal passwords, credentials, and other sensitive tokens from the computers of anyone who installed a compromised copy of the software, or whose already-installed software automatically downloaded the malware.

The attacks used stolen data to spread further, and opened the door to breaches at major companies that rely on the targeted software, including AI giant OpenAI and web hosting company Vercel. With a new incident almost every week, the open source world remains a vulnerable target in the wider technology ecosystem.

The FBI’s surveillance system was breached, sparking a “massive cyber incident”

The US Federal Bureau of Investigation was forced to declare a “major cyber incident” in April, triggering a legally required disclosure to Congress, after identifying that one of its surveillance systems was vulnerable. According to reports, the breach may have exposed the phone numbers of targets under surveillance by government employees.

Chinese spies were accused of breaching an undisclosed network, which contained sensitive information about surveillance purposes for wiretaps and other communications, such as the retrieval of a written record. According to lawmakers, the breach may have met the threshold of causing “apparent harm” to US national security.

Hasbro’s hack led to weeks of downtime

Toy-making giant Hasbro is the latest example of what happens when a large company is hit by a security incident and is unprepared. Weeks after finding hackers in its systems in late March, the 103-year-old company remained offline, with its website unavailable and the company unable to serve its customers.

The company, which owns big names like Transformers, Peppa Pig, and Dungeons & Dragons, has not said anything about the incident itself, what data was taken (if any), or whether it paid the hackers. But this disruption alone could affect the company’s finances, which forced it to be delayed, as the company insisted on handling the incident.

Hasbro said in mid-May that the hackers were no longer in its systems and that its recovery was ongoing. But the financial costs of the breach and the resulting disruption to its business are likely to materialize in the coming months, and are expected to be substantial.

Millions of passports and driver’s licenses have been exposed in bulk

In the past few months alone, there has been a dramatic increase in large data exposures involving sensitive government-issued identity documents, including passport scans and driver’s licenses left exposed on the web. From a hotel check-in system and a money transfer app to a prison payphone provider and a UK visa service, these services have exposed more than two million people’s documents that could easily be misused. Many were caused by security flaws that could have been easily avoided with basic internet security practices.

This massive data spill comes at a time when closed public apps and websites are increasingly relying on “know your customer” checks to force users to verify their identity before being allowed in, and governments are pushing age-verification laws that require similar identity checks for adults to access large areas of the internet.

The concern is that when spills are this large, these identity verification systems become ineffective, as they can easily be defeated with a stolen or leaked passport or driver’s license. The further rollout of these identity collection systems will lead to more data breaches and security incidents.
