Hacked, Wiretapped, and Held to Ransom: The Worst Cyber Incidents of 2026 So Far

If the first half of 2026 has taught us anything, it is that the digital threat landscape has stopped being a background concern and become the main event. Ransomware gangs are more brazen than ever. Nation-state hackers are bolder, more destructive, and operating with something approaching impunity. And the systems we rely on most — school platforms, healthcare networks, toy companies, the FBI itself — have all cracked under pressure in the past six months.

The attacks are no longer just embarrassing disclosures in press releases. They shut down exams. They wiped tens of thousands of devices overnight. They handed foreign intelligence services a map of who the United States government is watching. And, in at least one case, they may represent the largest exposure of government data in American history.

Here is a look at the incidents that defined the first half of the year, and what they tell us about where we are headed.


The DOGE Data Question Has Still Not Been Answered

Perhaps the most consequential data exposure of the year — possibly in modern U.S. history — was not a hack at all, at least not in the conventional sense. Operatives connected to the Department of Government Efficiency, the Elon Musk-led effort to gut federal agencies, swept through the Social Security Administration earlier this year and allegedly uploaded a live copy of the Social Security database to an unsecured third-party server. If true, that database would contain the Social Security numbers and associated personal information of most living Americans.

Lawsuits are still grinding through federal court. The Social Security Administration itself admitted in court filings that it is not entirely sure what was stored on the server. What is known is that DOGE signed an agreement with an outside political advocacy group under the banner of hunting voter fraud — a claim the president continues to make without any supporting evidence. Two of the most senior House Democrats investigating the matter described the potential exposure as one that "could very well be the largest data breach in our nation's history."

The lack of a definitive answer, months later, is itself a kind of answer.


China Breached the FBI's Wiretap System

In February, analysts at the FBI detected unusual activity on an internal unclassified network. What they found was alarming: suspected Chinese hackers had gained access to the FBI's Digital Collection System Network — known internally as DCS-3000, or Red Hook — the system that stores the results of court-authorised wiretaps and communication intercepts. It contains phone numbers, call metadata, and the identities of individuals under active federal surveillance.

The FBI notified Congress in early March and formally classified the incident as a "major cyber incident" under the Federal Information Security Modernization Act (FISMA) — a designation reserved for breaches that present demonstrable harm to U.S. national security. The attackers are believed to have entered by compromising a commercial internet service provider's vendor infrastructure, a tactic consistent with Salt Typhoon, the Chinese state-sponsored group previously credited with breaching all three major U.S. cellular carriers between 2019 and 2024.

The implications go beyond the technical. Phone numbers alone do not reveal identities — but they can be used to map networks of associates, identify informants, and expose the contours of ongoing counterintelligence investigations. If China now knows who the U.S. is surveilling, the operational damage may be incalculable and will not be visible for years.


ShinyHunters Disrupted Exam Season for Millions of Students

The English-speaking extortion group ShinyHunters has been the most consistently damaging criminal hacking gang of 2026, responsible for a sprawling wave of breaches that has claimed victims across education, entertainment, gaming, and travel.

Their most disruptive campaign targeted Instructure, the company behind Canvas, the learning management platform used by thousands of universities and schools worldwide. ShinyHunters breached Canvas in late April, stealing data including names, email addresses, and student ID numbers belonging to tens of millions of students and staff. When Instructure declined to negotiate, the group struck again — defacing Canvas login screens with a ransom note during the height of final exam season. For students across the United States and beyond, the outage meant scrambling to access coursework and exam materials at the worst possible moment. Instructure ultimately paid the ransom, despite the FBI's advice to the contrary.

But Canvas was far from the only target. Through a compromise of Anodot, a third-party analytics provider, ShinyHunters achieved a supply chain cascade that produced confirmed breaches at Rockstar Games (78.6 million records), Vimeo (119,000 users), and Zara's parent company Inditex (around 197,000 customers). The gang also claimed responsibility for breaching Charter Communications, taking some 40 million records, and was linked to the Carnival Corporation breach exposing passport and identification data of around 6 million cruise passengers.

The group's method is deceptively simple: voice phishing, fake IT support calls, stolen OAuth tokens, and exploited third-party integrations. The complexity is not in the intrusion — it is in the scale and speed of what follows.


Iran Wiped 200,000 Devices at a U.S. Medical Company — Overnight

In March, Iranian hackers broke into Stryker, one of the largest medical technology companies in the United States, and remotely wiped tens of thousands of employee devices in a single operation. The attack caused widespread disruption to the company's operations for several days and materially affected its first-quarter earnings.

The breach represented a significant shift in Iranian tactics. Where Iranian state-sponsored groups have traditionally focused on espionage and hack-and-leak operations in service of political objectives, this was openly destructive — a reprisal operation in the context of the ongoing conflict in the Middle East. The U.S. government attributed the attack to a group linked to Iranian intelligence.

It was not an isolated move. Iranian hackers separately targeted the personal email of FBI Director Kash Patel, with the Handala Hack Team reportedly publishing some of the contents online. U.S. officials confirmed the authenticity of the leaked material. Separately, warnings have been issued about Iranian hackers targeting water utilities and other critical infrastructure inside the United States — often the softest and least-protected targets available.


The Open Source Supply Chain Remained Under Sustained Attack

Running beneath many of the year's biggest breaches is a quieter, more insidious campaign against the open source software ecosystem. Major security tools including Aqua Security's Trivy, Bitwarden, and Checkmarx were compromised in attacks that inserted backdoors or malicious updates into widely used software. Anyone who installed an affected version — or whose software auto-updated — potentially handed attackers their credentials and access tokens.

Those stolen credentials then became the keys to downstream targets. OpenAI confirmed that two employee devices were compromised as part of a broader supply chain attack in which malicious npm package updates were used to harvest credentials from developer machines. Vercel, the widely used AI development and deployment platform, disclosed in April that attackers had gained access to its internal systems by compromising Context.ai, a third-party AI productivity tool used by an employee. From that single integration, attackers moved laterally through the employee's Google Workspace account and into Vercel's systems, making off with API keys, NPM tokens, and source code. A threat actor claiming affiliation with ShinyHunters put the stolen data up for sale at $2 million.

The Vercel incident in particular illustrated the new reality of enterprise risk: every OAuth grant to an AI productivity tool, every forgotten third-party integration, every vendor connection that security teams never formally reviewed is a potential entry point. Modern engineering organisations have quietly accumulated supply chains that their own security teams cannot fully see.
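The practical counterpart to this point is an inventory of who has granted what to which third-party app. The following Python script is an added example, not code from the original article or from any company named in it: it reads a small constructed export of OAuth grants (the record shape is modelled loosely on a Google Workspace token listing, with clientId, displayText, userKey and scopes fields, but the data, the allowlist of reviewed apps and the list of high-impact scopes are all assumptions made for this example) and ranks unreviewed grants so that an integration holding broad mail or file access, like the productivity tool in the Vercel case, surfaces first.

```python
"""Flag risky OAuth grants in a (constructed) export of third-party app tokens.

The record shape loosely follows a Google Workspace token listing
(clientId, displayText, scopes, userKey), but the data below is constructed
for this example, and the allowlist and scope list are hypothetical.
"""
import json
from dataclasses import dataclass

# Scopes that grant broad read/write access to mail, files or the directory.
# Any grant carrying one of these is treated as high impact.
# Assumption: an illustrative list, not an exhaustive ranking of scopes.
HIGH_IMPACT_SCOPES = {
    "https://mail.google.com/",
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/admin.directory.user",
    "https://www.googleapis.com/auth/gmail.readonly",
}

# Hypothetical allowlist of client IDs that security has formally reviewed.
REVIEWED_CLIENT_IDS = {"reviewed-sso-provider.example"}

# Constructed sample export: three grants belonging to one user.
SAMPLE_EXPORT = json.dumps({
    "items": [
        {"clientId": "reviewed-sso-provider.example",
         "displayText": "Corporate SSO",
         "userKey": "dev@example.com",
         "scopes": ["openid", "email"]},
        {"clientId": "ai-notes-helper.example",
         "displayText": "AI Notes Helper",
         "userKey": "dev@example.com",
         "scopes": ["https://mail.google.com/",
                    "https://www.googleapis.com/auth/drive"]},
        {"clientId": "calendar-widget.example",
         "displayText": "Calendar Widget",
         "userKey": "dev@example.com",
         "scopes": ["https://www.googleapis.com/auth/calendar.readonly"]},
    ]
})


@dataclass(frozen=True)
class Finding:
    user: str
    app: str
    client_id: str
    high_impact_scopes: tuple
    severity: str  # "high": unreviewed and broad scope; "medium": unreviewed only


def audit_grants(export_json: str) -> list:
    """Return one Finding per grant whose client is not on the reviewed allowlist."""
    findings = []
    for item in json.loads(export_json).get("items", []):
        if item["clientId"] in REVIEWED_CLIENT_IDS:
            continue  # formally reviewed integration: not a finding
        broad = tuple(sorted(s for s in item.get("scopes", [])
                             if s in HIGH_IMPACT_SCOPES))
        findings.append(Finding(
            user=item["userKey"],
            app=item.get("displayText", "<unnamed>"),
            client_id=item["clientId"],
            high_impact_scopes=broad,
            severity="high" if broad else "medium",
        ))
    # Highest-impact grants first, so they are reviewed (or revoked) first.
    findings.sort(key=lambda f: (f.severity != "high", f.app))
    return findings


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_EXPORT):
        print(f"[{f.severity.upper()}] {f.user}: {f.app} ({f.client_id}) "
              f"broad scopes: {', '.join(f.high_impact_scopes) or 'none'}")
```

Run against a real export, the allowlist is the artefact that matters: an app absent from it is, by definition, a grant nobody on the security team signed off on, which is exactly the "forgotten integration" the paragraph above describes.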


Hasbro Went Dark for Weeks

The 103-year-old toymaker Hasbro — owner of Transformers, Peppa Pig, Dungeons and Dragons, and Magic: The Gathering — identified unauthorised access to its network in late March 2026. The company took systems offline, activated business continuity plans, and began working with third-party cybersecurity experts. For weeks, its website was unavailable and its financial results were delayed because the systems needed to compile them were offline.

Hasbro has said little publicly about the nature of the intrusion, what data was taken, or whether any ransom was paid. What it has confirmed — in SEC filings — is that the breach did not affect first-quarter financial results, that its Magic: The Gathering release schedule continued as planned, and that remediation and legal costs began mounting in the second quarter. The full financial toll has not yet been quantified, but the company has said it will seek reimbursement through its cybersecurity insurers.

It is a case study in how a large corporation with no obvious strategic value to a nation-state actor — no defence contracts, no surveillance data, no critical infrastructure — can still be brought to its knees for weeks simply by being large and insufficiently prepared.


Millions More Passports and ID Documents Were Spilled

Carnival's exposure of passport and driver's licence numbers belonging to around 6 million customers was the most prominent of a broader surge in identity document breaches in the first half of 2026. Across the same period, passport scans and government ID documents were left exposed through a hotel check-in system, a money transfer application, a prison payphone provider, and a UK visa processing service — collectively affecting more than two million people.

The trend coincides directly with the rapid expansion of identity verification requirements across online platforms. Age-verification laws and "know your customer" checks are increasingly requiring users to submit government-issued documents before accessing services. The more of these systems exist, the larger the pool of stored documents — and the greater the potential damage when those systems are breached or misconfigured. Many of the exposures this year were the result of basic security lapses that could have been prevented with standard practices.

A stolen passport number, unlike a stolen credit card, cannot be cancelled. It remains attached to a physical document valid for years, and combined with a date of birth and a name — data that is routinely collected alongside identity checks — it is more than enough to commit fraud, open accounts, or build a synthetic identity.


What Comes Next

Global cyberattacks are running at an all-time high in 2026, with around 2,090 attacks logged per week — a 17 percent increase year on year. The average cost of a data breach now stands at $4.88 million, with the worst cases exceeding $18 million. AI-assisted phishing, supply chain compromise, and ransomware extortion are the dominant vectors, and each is growing more sophisticated faster than most organisations can adapt their defences.

The regulatory picture remains fragmented. The Cyber Incident Reporting for Critical Infrastructure Act, which was supposed to impose mandatory federal reporting standards by mid-2026, has slipped past its deadline. CISA continues to publish guidance and performance goals, but its authority remains advisory for most private-sector organisations. State-level breach notification laws fill some of the gap, but unevenly and inconsistently.

The attacks keep getting bolder. The systems keep cracking. And the regulatory frameworks designed to contain the damage are still running behind the threat.


Sources: FBI Congressional notification (March 2026); Hasbro SEC filings (March–May 2026); PKWARE 2026 Data Breach Report; Cyber Management Alliance monthly breach reports; Push Security ShinyHunters analysis; UpGuard/Strobes Vercel breach reporting; Militarnyi/Politico FBI surveillance breach coverage; SentinelOne Data Breach Statistics 2026.