Top 10 Biggest Data Breaches of 2026: Shocking Exposures
Table of Contents
title: “Top 10 Biggest Data Breaches of 2026: Shocking Exposures”
slug: “biggest-data-breaches-2026”
domain: “newsgalaxy.net”
primary_keyword: “biggest data breaches 2026”
meta_description: “The biggest data breaches of 2026 exposed hundreds of millions of records. See the full list, breach timeline, victim counts, and how to protect yourself now.”
date: 2026-07-13
word_count: 2780
status: draft
author: “Michael Torres”
schema:
– Article
– FAQPage
– Author
Disclosure: This article contains affiliate links. If you sign up for a service through our links, we may earn a commission at no extra cost to you.
Top 10 Biggest Data Breaches of 2026: Shocking Exposures
The biggest data breaches of 2026 have already broken records, with hundreds of millions of records stolen across education, healthcare, finance, and government sectors. This is the definitive list of the ten worst incidents, ranked by scope, impact, and what they mean for your personal security.
By Michael Torres | Updated July 13, 2026 | Latest tech news
2026 Data Breach Statistics at a Glance
Data breaches in 2026 set records across every major sector, with cybercrime losses reaching $20.9 billion in the US alone according to the FBI IC3 2025 Annual Report.

According to the FBI’s 2025 Internet Crime Report (IC3), cybercrime losses in the US reached $20.9 billion in 2025, a 26% increase from $16.6 billion the year prior. IC3 received over one million complaints in 2025 for the first time in its 25-year history.
The Verizon 2025 Data Breach Investigations Report (DBIR) analyzed over 22,000 security incidents and 12,000 confirmed breaches. Key findings:
- Ransomware rose 37% and appeared in 44% of all breaches
- Third-party involvement doubled to 30% of confirmed breaches
- Credential theft remains the leading attack vector at 22% of incidents
- Espionage-related breaches surged 163%, now accounting for 17% of incidents
The IBM Cost of a Data Breach Report 2025 found the US average breach cost hit $10.22 million, by far the highest of any country. The global average dropped to $4.44 million as AI-powered defenses allowed faster containment, with organizations using AI extensively cutting their breach lifecycle by 80 days.
In 2026, those trends accelerated. Healthcare, education, and financial services bore the brunt. The ten breaches below represent the worst of what happened.
2026 Data Breach Timeline Table
| # | Company / Organization | Date | Records Exposed | Data Type | Status |
|---|---|---|---|---|---|
| 1 | Instructure (Canvas LMS) | May 2026 | ~275 million | Student names, emails, IDs, messages | Ransom paid |
| 2 | 24B Credential Database (public) | June 2026 | 24 billion credentials | Usernames, passwords, emails | Exposed / unattributed |
| 3 | KDDI / Six Japanese ISPs | June 2026 | 14.2 million | Email addresses, passwords | Under investigation |
| 4 | Klue Supply Chain Attack | June 2026 | ~200 companies’ data | CRM records, customer support data | Ongoing |
| 5 | Illinois/Minnesota Dept. of Human Services | Jan 2026 | ~1 million | Names, SSN (partial), Medicaid IDs | Notified |
| 6 | Drift Protocol (DPRK crypto) | April 2026 | $285M stolen | Crypto assets | Confirmed |
| 7 | KelpDAO Bridge (DPRK crypto) | April 2026 | $292M stolen | Crypto assets | Confirmed |
| 8 | Stryker (Iran-linked) | March 2026 | Tens of thousands of devices wiped | Employee devices, operations data | Contained |
| 9 | FBI Surveillance System (China) | April 2026 | Classified scope | Federal surveillance infrastructure | Major incident declared |
| 10 | Match Group (Tinder / Hinge) | Jan 2026 | Millions of user profiles | User profiles, match data | Under investigation |
The 10 Biggest Data Breaches of 2026
id=”1-instructure-canvas-lms-275-million-students-and-educators-exposed”>1. Instructure Canvas LMS — 275 Million Students and Educators Exposed
The largest educational data breach in history hit Canvas in May 2026. ShinyHunters, the cybercriminal extortion collective, exploited a stored cross-site scripting (XSS) vulnerability in Canvas’s free teacher accounts, escalating to administrative access and exfiltrating 3.65 terabytes of data from approximately 275 million users across 8,809 institutions worldwide.
Schools, universities, and government education ministries in dozens of countries were affected. Exposed data included names, email addresses, student ID numbers, and private messages between Canvas users. Instructure confirmed the breach on May 1, 2026. ShinyHunters struck a second time on May 7, replacing the Canvas login page with a ransomware demand.
Instructure paid the ransom, reportedly around $10 million, one day before the May 12 deadline to prevent data publication.
Sources: Bitdefender Technical Advisory | Inside Higher Ed
Why it matters: A stored XSS vulnerability in a low-privilege feature cascaded into a platform-wide administrative takeover. If your institution uses Canvas, verify credentials were rotated and monitor your student email for phishing attempts.
2. The 24 Billion Credential Database — A Credential Stuffing Weapon
In June 2026, security researchers discovered a publicly accessible Elasticsearch database containing 24 billion stolen credential records totaling more than 8.3 terabytes. The dataset included usernames, email addresses, plaintext passwords, and login URLs, compiled from years of prior breaches for use in automated credential stuffing attacks.
No single organization claimed ownership of the database. It represents the largest publicly exposed credential collection ever found. Attackers with access can test billions of login combinations against live services without any hacking skill required.
Why it matters: This is not a single-company breach. It is a tool built from prior breaches. If you reuse passwords across accounts, this database likely already contains working credentials for your accounts.
3. KDDI and Six Japanese ISPs — 14.2 Million Email Accounts Leaked
Japan’s KDDI Corporation disclosed on June 17, 2026, that a vulnerability in third-party email system software exposed up to 14.22 million email addresses and passwords across six internet service providers: STNet, KDDI Web Communications, JCOM, Chubu Telecommunications, Nifty, and BIGLOBE.
A shared infrastructure flaw meant that a single point of compromise cascaded across the entire ISP ecosystem. Affected users faced immediate risks of account takeover and downstream phishing campaigns using their own email addresses as the attack vector.
Sources: BleepingComputer | The Japan Times
Why it matters: ISP-level breaches are particularly damaging because the email itself, the account used for password resets everywhere else, is the compromised credential.
4. Klue Supply Chain Attack — 200 Companies Hit Through One Forgotten Credential
On June 12, 2026, the hacking and extortion group Icarus breached market research platform Klue using a legacy API credential issued in 2022 and never decommissioned. That single forgotten key gave attackers access to OAuth tokens connecting Klue to hundreds of customers’ Salesforce environments.
Close to 200 companies had data stolen, including major cybersecurity firms: LastPass, HackerOne, Jamf, Gong, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium. LastPass confirmed that customer names, phone numbers, email addresses, physical addresses, and customer support case data were taken.
Sources: TechCrunch | BleepingComputer
Why it matters: Security companies were among the victims. This underscores that even security-first organizations are only as safe as their least-secured vendor. The Verizon DBIR 2025 noted that third-party involvement in breaches doubled to 30% last year, and the Klue incident is exactly why.
5. Illinois and Minnesota Departments of Human Services — 1 Million Medicaid Recipients
A misconfigured government system exposed approximately 1 million individuals’ records at the Illinois and Minnesota Departments of Human Services in January 2026. Stolen data included names, addresses, email addresses, dates of birth, phone numbers, the first four digits of Social Security numbers, and Medicaid IDs.
Government benefit recipients are a high-value target. They typically have less access to identity protection services and are less likely to check their credit reports regularly.
Why it matters: Partial SSN exposure combined with Medicaid IDs is enough to commit medical identity fraud. This type of fraud can take years to detect and results in incorrect medical records that follow victims permanently.
6 and 7. DPRK Crypto Heists — $577 Million Stolen in Two Strikes
North Korea’s Lazarus Group executed two precision attacks in April 2026 that together accounted for 76% of all cryptocurrency stolen globally through that point in the year.
The first attack drained $285 million from Drift Protocol (a Solana-based derivatives exchange) on April 1, traced to a six-month social engineering operation targeting a developer with privileged access. Seventeen days later, the same group extracted $292 million from the KelpDAO bridge.
Sources: TRM Labs | TechCrunch | The Hacker News
Why it matters: These are state-sponsored operations with operational security that exceeds most enterprise defenses. Decentralized finance protocols remain structurally vulnerable to insider social engineering. Two attacks dwarfed the combined output of every other crypto theft that year.
8. Stryker — Iran-Linked Hackers Wipe Tens of Thousands of Devices
In March 2026, Handala, a hacking group with documented ties to Iranian intelligence, attacked Stryker, one of the world’s largest medical device companies. The attackers claimed the attack as retaliation for a strike on a school in southern Iran. Hackers penetrated Stryker’s global networks and remotely wiped tens of thousands of employee devices, disrupting order processing, manufacturing, and shipments.
The US government attributed the attack to an arm of Iranian intelligence. The FBI subsequently seized domains linked to the attackers.
Sources: Al Jazeera | CNN Politics | Axios
Why it matters: Geopolitical conflict now directly targets civilian corporate infrastructure as a retaliatory vector. Medical supply chains are soft targets with high disruption value.
9. FBI Surveillance System — Chinese Espionage Compromises Federal Infrastructure
In April 2026, the FBI declared a “major cyber incident” after Chinese intelligence operatives compromised one of its surveillance systems. The FBI has not disclosed the full scope of data accessed. The breach targeted national security infrastructure and follows the Salt Typhoon campaign that compromised major US telecoms throughout 2024 and 2025.
Why it matters: When the agency responsible for investigating cybercrime suffers a confirmed major breach by a foreign state actor, it marks an escalation beyond corporate targets. Stolen data could expose ongoing federal investigations and confidential sources.
10. Match Group (Tinder, Hinge, OkCupid) — Dating App User Data Exposed
ShinyHunters claimed responsibility for breaching Match Group in January 2026, targeting the company behind Tinder, Hinge, and OkCupid. Match Group did not issue a formal public disclosure with an exact record count, but security researchers estimated tens of millions of user profiles were exfiltrated across platforms.
Dating app data ranks among the most sensitive personal information categories, often including location history, private messages, and sensitive preferences.
Why it matters: If you use any Match Group platform, rotate your password and the password of the email linked to your account. Review your account’s location and privacy settings.
2026 Data Breach Statistics Summary
| Metric | Figure | Source |
|---|---|---|
| US cybercrime losses (2025) | $20.9 billion | FBI IC3 2025 |
| Global average breach cost | $4.44 million | IBM Cost of Data Breach 2025 |
| US average breach cost | $10.22 million | IBM Cost of Data Breach 2025 |
| Ransomware increase (2025 DBIR) | +37% year-over-year | Verizon DBIR 2025 |
| Breaches with human element | 60% | Verizon DBIR 2025 |
| Third-party breach involvement | 30% | Verizon DBIR 2025 |
| Healthcare sector breach cost | $7.42 million average | IBM Cost of Data Breach 2025 |
| Canvas breach scale | 275 million records | Bitdefender / Rescana 2026 |
| DPRK crypto theft (2026 YTD) | $577 million | TRM Labs 2026 |
How to Protect Yourself After a Data Breach
If your data appeared in any 2026 breach, the window to act is short. Here is the priority order.

Step 1: Find out if you were affected. Check HaveIBeenPwned against every email you use for online accounts. The 24-billion credential database makes this check more urgent than it has ever been.
Step 2: Reset passwords for affected accounts. Use a password manager to generate unique, random passwords for every service. Any account sharing a compromised password is effectively also compromised.
Step 3: Enable two-factor authentication (2FA). Credential theft is the leading attack vector per Verizon DBIR. 2FA blocks most credential-stuffing attacks even when your password is known. Use an authenticator app rather than SMS where possible.
Step 4: Monitor your credit and identity. Breaches involving SSN fragments, Medicaid IDs, or financial account data create windows for identity theft that often surface months later as fraudulent credit accounts or incorrect medical records.
NerdWallet’s free credit monitoring lets you track your credit score and receive alerts when new accounts are opened in your name. It is directly relevant if your data appeared in the Illinois/Minnesota HHS breach, the Match Group exposure, or any breach involving personal identifiers. The dashboard shows your credit factors in plain language and flags activity that warrants follow-up. No credit card required to start.
For more coverage of identity protection options, Bankrate (Bankrate) compares paid services like LifeLock and Aura that include dark web scanning and identity theft insurance, which becomes important when partial SSN data is in play.
Step 5: Place a credit freeze if your SSN was exposed. A credit freeze is free at all three major bureaus (Equifax, Experian, TransUnion) and prevents new credit from being opened in your name. It is the strongest protection available and takes approximately five minutes to activate online at each bureau’s website.
Step 6: Stay current on breach developments. The Canvas, KDDI, and Klue breaches are all still under active investigation. New victim confirmations and data sale events are expected through Q3 2026. Track coverage through NewsGalaxy’s cybersecurity news and bookmark our breaking tech news section for real-time updates as investigations progress.
The 7 best apps to stay informed in 2026 covers tools that push real-time security and tech news directly to your device, useful for staying ahead of breach developments as they break.
Frequently Asked Questions About 2026 Data Breaches
Q: What is the biggest data breach of 2026 so far?
The Instructure Canvas breach is the largest confirmed breach of 2026. It exposed approximately 275 million records across 8,809 educational institutions worldwide. ShinyHunters exploited a stored XSS vulnerability in May 2026, and Instructure paid a reported $10 million ransom to prevent data publication.
Q: How many records were stolen in data breaches in 2026?
Across the ten largest incidents alone, well over 300 million individual records were compromised through July 2026. Healthcare breaches reported to the US Department of Health and Human Services affected more than 19 million individuals in the first half of the year alone.
Q: What data types are most commonly stolen in 2026 breaches?
Credentials remain the top target, appearing in the majority of confirmed breaches according to the Verizon DBIR 2025. Personal identifiers (names, emails, phone numbers), government IDs, and financial data follow. In 2026, academic records and CRM data emerged as newly high-value targets through the Canvas and Klue attacks.
Q: Who is behind the biggest cyberattacks in 2026?
The most active threat actors in 2026 include ShinyHunters (Canvas, Match Group, Crunchbase), the Icarus group (Klue supply chain), North Korea’s Lazarus Group (Drift Protocol and KelpDAO, totaling $577 million stolen), Handala linked to Iranian intelligence (Stryker), and Chinese state-sponsored operatives (FBI surveillance system).
Q: What should I do if my data was in the Canvas or Klue breach?
For Canvas: reset your Canvas password, rotate the password on linked email accounts, and enable two-factor authentication. For Klue: confirm with your employer’s IT team that Salesforce credentials and OAuth tokens were rotated. In both cases, monitor your credit for at least 12 months using a free service like NerdWallet’s credit monitoring, and place a credit freeze at all three bureaus if any SSN data may have been exposed.
Bottom Line
The biggest data breaches of 2026 share identifiable patterns: unrevoked legacy credentials, supply chain trust exploitation, and long-burn social engineering against privileged insiders. The attackers span financial criminal gangs to nation-state actors running operations months in advance.
The personal cost is real and delayed. Compromised credentials, partial SSN exposure, and financial identifiers take months to surface as fraud. The most effective response is to act before the damage appears.
Monitor your credit at NerdWallet, freeze credit if SSN data was exposed, and follow NewsGalaxy for ongoing 2026 breach coverage as investigations develop through the rest of the year.
Sources cited in this article:
– FBI IC3 2025 Annual Report
– Verizon 2025 Data Breach Investigations Report
– IBM Cost of a Data Breach Report 2025
– Bitdefender: Canvas LMS Technical Advisory
– Inside Higher Ed: Instructure Ransom Payment
– TRM Labs: North Korea Crypto Theft 2026
– The Hacker News: Drift Protocol Hack
– TechCrunch: Klue Breach
– BleepingComputer: KDDI Breach
– Al Jazeera: Stryker / Iran Attack
Personal finance writer helping readers save money and build wealth through actionable strategies. Covers budgeting, investing, frugal living, and financial independence topics.
Get the newsgalaxy digest
Honest reviews and no-hype guides — straight to your inbox. No spam, unsubscribe anytime.
Some links in our articles are affiliate links. See our full Affiliate Disclosure for details.
