
Shane Brown

Hackers Gone Wild: The Biggest Cyber Incidents of 2026 (So Far)


We are barely three months into 2026 and hackers are already making this one of the most dangerous years in cybersecurity history. From Iran-linked wiper attacks erasing 200,000 devices overnight to a ransomware gang shutting down a hospital for nine days, the digital battlefield is hotter than ever. Here is a breakdown of the biggest hacking incidents to rock the world this year.


The Numbers Tell the Story

Before getting into the incidents, here is some context. GuidePoint Security’s annual ransomware report shows 2025 saw a 58% year-over-year increase in ransomware victims, with 124 distinct ransomware groups active, the highest number ever recorded. Those groups did not slow down when the calendar flipped.

In just January and February 2026, 53 separate ransomware groups claimed victims in the United States. The top crews, including Qilin, Akira, Clop, INC Ransom, Play, DragonForce, and Sinobi, have been hammering organizations ranging from small businesses to Fortune 500 companies. This is the world we live in now.


1. The 149-Million Credential Dump (January 2026)

January 2026 opened with a nightmare for everyday internet users. Security researcher Jeremiah Fowler found a publicly accessible, completely unprotected database containing 149,404,754 unique usernames and passwords. That is 96 GB of raw credential data, sitting wide open for anyone to grab. The leaked credentials spanned nearly every major platform, including an estimated 48 million Gmail accounts, 17 million Facebook accounts, 6.5 million Instagram accounts, Netflix, Roblox, and several financial and crypto platforms.

Researchers confirmed this was not a fresh hack of Google or Facebook. This was a massive compilation of infostealer logs: data quietly harvested from infected personal computers by malware running silently in the background. The scariest part? While Fowler spent nearly a month trying to get the database taken down, the record count kept climbing. An automated feed was continuously uploading fresh stolen credentials. Your passwords are possibly on the dark web right now. You might never know.
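The defensive counterpart to a dump like this is checking whether a password is in a leaked set without handing the plaintext (or even its full hash) to whoever holds the set. The example below, added here and not code from the original post or from the researcher involved, implements the k-anonymity range lookup popularised by Pwned Passwords: the client sends only the first five hex characters of the SHA-1 and does the final comparison locally. The "dump" it indexes is a handful of constructed strings, not the real database.

```python
"""k-anonymity exposure check for a leaked-credential set.

Added example. The credential list below is constructed for illustration;
the index/query split mirrors how a breach-lookup service can answer
"is this password leaked?" without learning the password.
"""
import hashlib

# Constructed stand-in for a leaked plaintext dump (NOT real leaked data).
CONSTRUCTED_DUMP = ["password123", "letmein", "Summer2026!", "hunter2", "hunter2"]


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1, the hash form range-lookup services index by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(plaintexts):
    """Server side: map a 5-hex-char prefix to {35-char suffix: occurrence count}.

    Only hashes are stored; the plaintexts are discarded after indexing.
    """
    index = {}
    for pw in plaintexts:
        digest = sha1_hex(pw)
        prefix, suffix = digest[:5], digest[5:]
        bucket = index.setdefault(prefix, {})
        bucket[suffix] = bucket.get(suffix, 0) + 1
    return index


def range_query(index, prefix: str):
    """Server side: return every suffix sharing `prefix`.

    The server learns a 20-bit prefix and nothing about which entry (if any)
    the client actually cares about.
    """
    return dict(index.get(prefix.upper(), {}))


def exposure_count(password: str, index) -> int:
    """Client side: send only the hash prefix, compare the suffix locally.

    Returns how many times the password occurs in the set (0 = not seen).
    """
    digest = sha1_hex(password)
    candidates = range_query(index, digest[:5])
    return candidates.get(digest[5:], 0)


def screen_passwords(passwords, index):
    """Return the subset of `passwords` that appear in the leaked set."""
    return [pw for pw in passwords if exposure_count(pw, index) > 0]


if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_DUMP)
    for candidate in ["hunter2", "correct horse battery staple"]:
        print(candidate, "->", exposure_count(candidate, idx), "occurrence(s)")
```

The same pattern works for an organisation that wants to block leaked passwords at reset time: the password policy service holds the range index, and the client-facing component never transmits more than the prefix.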


2. Target’s Source Code Stolen (January 2026)

On January 12, 2026, retail giant Target landed in hackers’ crosshairs. Not because of customer payment data, but because of something more dangerous: its source code. A threat actor using the alias “Sc0rpion” claimed to have breached Target’s internal GitHub Enterprise and Jira servers, stealing approximately 860 GB of source code and developer documentation. Sample repositories were posted publicly on Gitea as proof, with the full archive going up for sale on dark web forums.

Current and former Target employees confirmed the leaked code matched real internal systems. References included wallet and payment services, identity management, store networking tools, and gift card infrastructure. Cybersecurity experts warned stolen source code gives attackers a detailed blueprint of a company’s defenses, enabling far more sophisticated follow-on attacks. Researchers traced the likely root cause to a compromised employee workstation infected with infostealers back in September 2025. Target scrambled to lock down Git access via VPN restrictions. The damage was already done.


3. BreachForums Gets Breached (January 2026)

This one is genuinely ironic. BreachForums, one of the internet’s most notorious dark web cybercrime marketplaces where hackers buy and sell stolen data, got hacked. On January 9, 2026, a database containing 323,986 BreachForums user records was leaked publicly. Exposed data included usernames, email addresses, Argon2-hashed passwords, IP addresses, and PGP keys. The exposure happened due to a misconfiguration during a forum restoration process.

The leak was published on a site linked to the ShinyHunters hacking gang, along with a 4,400-word manifesto from someone calling themselves “James,” who claimed to have spent decades infiltrating powerful systems. The exposure of nearly 324,000 cybercriminals’ account data, including IP addresses linking real identities to dark web activity, is a rare win for law enforcement. Even hackers are not safe from getting hacked.


4. ShinyHunters’ Nonstop Crime Spree (January – February 2026)

If there is one hacking group defining 2026 so far, it is ShinyHunters. Their approach combines voice phishing, calling employees while impersonating IT support to trick them into surrendering single sign-on codes, with exploiting Okta, Microsoft, and Google SSO systems. The results have been devastating.

Major victims include:

  • SoundCloud: roughly 30 million user records exposed, including email addresses, usernames, and profile data. When SoundCloud refused to pay ransom, ShinyHunters dumped the data publicly.
  • Crunchbase: over 2 million records containing PII, contracts, and internal business documents exfiltrated.
  • Betterment: more than 20 million records from the financial advisory firm allegedly compromised.
  • Match Group (Tinder, Hinge, OkCupid): 10 million-plus user records including transaction data and IP addresses stolen.
  • CarGurus: 12.4 million user records, including names, phone numbers, physical addresses, financial pre-qualification data, and dealer account details, dumped after a failed ransom attempt.

By mid-February, ShinyHunters and their associated group “Scattered Lapsus$ Hunters” claimed at least 15 breaches since the start of the year. Their approach is devastatingly simple. They do not need zero-day exploits or sophisticated malware. They call an employee on the phone and ask nicely, with enough social engineering to sound convincing. Technical defenses mean nothing if humans can be manipulated. MFA and security awareness training are not optional anymore.


5. Conduent: The Breach That Kept Growing (Disclosed 2026)

This one had been quietly lurking since late 2024, but the full scope came into focus in early 2026. Conduent, a government technology contractor processing Medicaid claims, child support payments, unemployment insurance, and food assistance for 46 states, was hit by the SafePay ransomware group. The attackers spent nearly three months inside Conduent’s systems, from October 21, 2024, to January 13, 2025, exfiltrating an estimated 8-plus terabytes of data before anyone detected them.

As states began notifying residents in early 2026, the numbers exploded. Texas revised its affected count from 4 million to 15.4 million people, roughly half the state’s population. Oregon reported 10.5 million affected residents. The running total surpassed 25 million Americans. Stolen data includes names, Social Security numbers, dates of birth, medical histories, and health insurance information. Texas Attorney General Ken Paxton called it “potentially the largest U.S. healthcare breach ever.” Conduent estimates $25 million in response costs so far, with massive class action litigation ongoing.


6. UMMC Ransomware Attack: Nine Days of Chaos (February – March 2026)

On February 19, 2026, the University of Mississippi Medical Center (UMMC), the state’s only Level 1 trauma center, was struck by a ransomware attack attributed to the Russia-linked Medusa gang. For nine days, UMMC shut down all 35 clinics statewide, canceled approximately 650 surgeries, and diverted patients to other hospitals. Staff lost access to phone lines, email, and electronic patient records. They were writing on paper charts.

The financial toll was serious. UMMC reported February revenue fell approximately 20% below budget, a $34.2 million shortfall from the expected $194.1 million. Medusa added UMMC to its dark web leak site on March 12, claiming to have exfiltrated over 1 TB of data and more than 1 million files, including protected patient health information along with employee and student personal records. The group demanded an $800,000 ransom, double its average healthcare demand. UMMC reportedly countered with $550,000. Negotiations failed.

The attack also reflected a growing trend. Medusa instructed its affiliates not to fully encrypt UMMC’s systems, focusing instead on data theft to maximize extortion leverage.


7. Handala Wipes Stryker Off the Map (March 2026)

March 11, 2026, started like any other workday for Stryker Corporation employees worldwide. Then their computers went dark. In minutes, the Iran-linked hacktivist group Handala remotely wiped data from over 200,000 systems, servers, and mobile devices across 79 countries. In some departments, up to 95% of devices were erased before anyone could react. Employees watched in real time as their computers and phones reset, replaced by Handala’s logo and propaganda messages.

The attack required no custom malware. Investigators believe Handala gained administrative access to Microsoft Intune, the cloud-based endpoint management platform Stryker used to manage its global device fleet, and then issued a legitimate “remote wipe” command to every enrolled device simultaneously. Handala also claimed to have stolen 50 terabytes of data before the wipe. The group stated the attack was retaliation for a U.S. missile strike killing over 175 people, including children, at an Iranian school. Stryker, which reported $25 billion in global sales, is a Fortune 500 medical technology company with zero military connections. They were targeted purely for the scale of disruption. The U.S. Department of Justice seized related domains on March 19.
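Because the wipe used a legitimate management command, signature-based tooling had nothing to match on; what stands out is the rate. The example below, added here and not code from the original post, from Stryker or from Microsoft, shows the kind of burst detection a SOC can run over endpoint-management audit events: a sliding window per administrator account that alerts when destructive device actions pile up faster than any human operator would issue them. The event records and their field names are constructed for this example; real Intune or Entra audit logs use a different schema, so the field mapping is the part to adapt.

```python
"""Sliding-window detection of mass remote-wipe commands from one account.

Added example. Log schema and sample events are constructed (hypothetical
fields: actor, action, device, ts); map them onto your MDM's audit export.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Device actions treated as destructive (assumption for this example).
DESTRUCTIVE_ACTIONS = {"wipe", "retire"}


def _constructed_events():
    """Build a small audit log: normal admin activity plus one wipe burst."""
    base = datetime(2026, 3, 11, 9, 0, 0)
    events = []
    # Normal: an admin wipes two devices an hour apart.
    for i, offset in enumerate((timedelta(0), timedelta(hours=1))):
        events.append({"actor": "it-ops@corp.example", "action": "wipe",
                       "device": f"LAPTOP-{i:04d}", "ts": (base + offset).isoformat()})
    # Suspicious: one account wipes eight devices within about two minutes.
    for i in range(8):
        events.append({"actor": "svc-mdm@corp.example", "action": "wipe",
                       "device": f"PHONE-{i:04d}",
                       "ts": (base + timedelta(seconds=20 * i)).isoformat()})
    # Noise: a non-destructive action that must be ignored.
    events.append({"actor": "svc-mdm@corp.example", "action": "sync",
                   "device": "PHONE-0099", "ts": (base + timedelta(minutes=1)).isoformat()})
    return events


SAMPLE_EVENTS = _constructed_events()


def detect_mass_wipe(events, threshold=5, window=timedelta(minutes=10)):
    """Return one alert per actor whose destructive actions within any
    `window` reach `threshold`. Events may arrive unsorted; the alert keeps
    growing as further actions land inside the window.
    """
    recent = defaultdict(deque)   # actor -> timestamps inside the window
    alerts = {}                   # actor -> alert dict (first hit wins)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["action"] not in DESTRUCTIVE_ACTIONS:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent[ev["actor"]]
        q.append(ts)
        while q and ts - q[0] > window:   # drop actions older than the window
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(ev["actor"], {
                "actor": ev["actor"], "first": q[0].isoformat(), "count": 0})
            alert["count"] = max(alert["count"], len(q))
            alert["last"] = ts.isoformat()
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_mass_wipe(SAMPLE_EVENTS):
        print(f"ALERT {alert['actor']}: {alert['count']} destructive actions "
              f"between {alert['first']} and {alert['last']}")
```

Tuning note: the threshold should sit above the organisation's real offboarding rate (bulk retirements during a site closure are legitimate), and the alert should reach someone who can suspend the issuing account, since every minute of delay is more devices lost.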


What This All Means

The 2026 hacking wave is not a coincidence. Years of accelerating criminal infrastructure built this problem. Ransomware-as-a-Service platforms made cybercrime accessible to anyone with cryptocurrency and bad intentions. State-sponsored hackers like Handala operate with geopolitical motives, making them unpredictable and difficult to stop. Social engineering attacks, like ShinyHunters’ vishing campaigns, prove the most advanced technical defenses fall apart with a single phone call to the wrong employee.

The sectors hit hardest tell their own story. Healthcare, consumer tech, and retail are all in the crosshairs. Hackers go where data is valuable and where organizations are least prepared. With 53 active ransomware groups operating in the U.S. in just the first two months of 2026, the question is no longer whether your organization gets targeted. The answer is when.

Here is what you need to do. Enable two-factor authentication everywhere. Use unique passwords. Keep your software patched. And if someone calls claiming to be from IT support asking for your login codes, hang up.


Stay tuned for ongoing coverage of 2026’s cybersecurity incidents. The year is far from over.
