Biggest Data Breaches of 2026: The Complete List Updated May 2026
One phone call. One convincing impersonation of an IT helpdesk agent. That is all ShinyHunters needed to begin dismantling the security of some of the largest organizations on earth in 2026. The biggest data breaches of 2026 share a single, uncomfortable origin story: not a zero-day exploit, not nation-state malware, but a human being who answered a phone call and handed over the keys to an entire enterprise.
From Canvas LMS to Charter Communications, from Oracle Health to the identity protection company Aura, the 2026 breach landscape is a masterclass in what happens when modern enterprises consolidate authentication onto a single sign-on platform without building defenses around the human layer that protects it. This article covers every major confirmed breach, the real numbers behind each incident, the statistics that define the year, and the specific actions security leaders and executives need to take right now.
The ShinyHunters Factor: One Group, Hundreds of Breaches
To understand the biggest data breaches of 2026, you need to understand one group. ShinyHunters, a cybercriminal extortion operation active since 2020, briefly pulled back in late 2024 following a high-profile arrest. Their 2026 return has been something the security industry has not seen before: a single threat actor operating at industrial scale, with a repeatable playbook, across hundreds of organizations simultaneously.
Their method is disturbingly simple. A vishing call, which is a voice phishing attack, targets an employee who has access to a company’s single sign-on (SSO) platform, such as Okta, Microsoft Entra, or Google Workspace. The attacker impersonates IT support, an identity vendor, or internal helpdesk. The employee hands over their credentials or approves an MFA push request in real time. The attacker now has the keys to every application integrated with that identity provider, and in most modern enterprises, that means everything.
By March 2026, ShinyHunters claimed to have breached between 300 and 400 organizations through their Salesforce Experience Cloud campaign alone, with approximately 100 described as high-profile. Mandiant (Google Threat Intelligence Unit) tracked and documented the campaign. The group then weaponized AuraInspector, a legitimate open-source Salesforce auditing tool Mandiant released in January 2026, to automate scanning for misconfigured guest user permissions at scale. Defensive research converted into an offensive weapon within weeks of publication.
“The Charter breach is a reminder that the most sophisticated security stack in the world can be undone by a convincing phone call.”
Andrew Chipman, GRC Manager, ProCircular | eSecurity Planet, May 2026
This is not a technology failure story. Every organization that ShinyHunters successfully breached in 2026 had technology. Most had MFA. Several had dedicated security teams. The consistent failure point was a human being on a phone call, authenticated in real time, tricked into providing access. The security industry’s reflex toward tool-buying as the primary response misses the actual gap entirely.
The 10 Biggest Data Breaches of 2026 (So Far)
1. Instructure / Canvas LMS — The Largest Educational Breach in History
Canvas, the learning management platform used by 41% of U.S. higher education institutions, became the epicenter of the most significant educational data breach ever recorded. ShinyHunters exploited Instructure’s Free-For-Teacher (FFT) account program, a low-friction onboarding feature that created weak trust boundaries between FFT accounts and the institutional tenants sharing the same infrastructure.
The timeline moved fast. Instructure detected the intrusion on April 29, publicly confirmed unauthorized activity on May 1, and ShinyHunters formally launched a public extortion campaign with a May 7 deadline. When the deadline arrived, the group defaced Canvas login portals at approximately 330 institutions and began extorting individual schools directly. Instructure took Canvas offline on May 8, restored service the same day, and permanently shut down the Free-For-Teacher program.
On May 11, Instructure confirmed they paid a ransom, stating they received “digital confirmation” of data destruction. The Bitdefender Technical Advisory (May 9, 2026) provides the most detailed forensic breakdown of the attack vector available publicly. ShinyHunters’ claimed scale: 3.65 TB of data, approximately 275 million records, across 8,809 educational institutions worldwide. Independently confirmed exposed data included names, email addresses, student ID numbers, and private messages between Canvas users.
2. Charter Communications (Spectrum) — 42 Million Customer Records
Charter Communications, which operates the Spectrum brand and serves tens of millions of U.S. cable and internet customers, confirmed a cybersecurity incident on May 23, 2026. The attack began on April 1, when ShinyHunters executed a vishing attack that compromised an employee’s Microsoft Entra SSO account. From there, the attacker moved into Charter’s Salesforce instance and began exfiltrating customer records.
ShinyHunters’ ransom deadline expired May 27 without payment. The group published the data on their dark web portal the same day. Their claimed dataset: 42 million records including names, email addresses, physical addresses, phone numbers, plan information, support ticket data, and some Customer Proprietary Network Information (CPNI). Charter’s official position contested that sensitive personal information or CPNI was exfiltrated. BleepingComputer’s reporting covers the conflicting claims in detail.
The attack vector is textbook ShinyHunters 2026: one vishing call, one SSO credential, one Salesforce instance, tens of millions of records.
3. Oracle Health (Formerly Cerner) — Up to 80 U.S. Hospitals
This breach started quietly and escalated slowly. On or after January 22, 2025, a threat actor used compromised customer credentials to access legacy Cerner data migration servers on Oracle Cloud Classic infrastructure. Oracle Health became aware of the breach on February 20, 2025. The full scope did not emerge until 2026, as individual hospital notifications rolled out and class action lawsuits accumulated.
Per statements Oracle Health’s attorneys made in class action proceedings, up to 80 U.S. hospitals were potentially affected. Confirmed victims include Munson Healthcare (100,000+ patients notified), Lake Regional Health System, OSF Saint Clare Medical Center, Aultman Health System, and NKC Health. The data compromised is a complete EHR profile: names, dates of birth, Social Security numbers, medical record numbers, diagnoses, medications, test results, and medical images.
Oracle’s response generated significant controversy. The company told affected hospitals it would not notify patients directly, placing the HIPAA notification obligation on individual hospital systems. Security researcher Kevin Beaumont publicly challenged Oracle’s language describing the breached servers as “obsolete,” noting they were Oracle-managed Gen1 cloud services still actively holding patient data. This is not a trivial distinction. HIPAA Journal’s ongoing coverage tracks each hospital notification as it is filed.
4. Match Group (Tinder, Hinge, OkCupid) — 10 Million Dating Records
Match Group, the parent company of Tinder, Hinge, OkCupid, and Match.com, confirmed a security incident on January 28, 2026, after ShinyHunters posted claims of “over 10 million lines” of data. The attack vector was a vishing campaign targeting Okta SSO credentials, with data extracted from an AppsFlyer marketing analytics instance and cloud storage.
Match Group confirmed that login credentials, financial information, and private communications were not accessed. What was accessed: user IDs, IP addresses, transaction records for Hinge subscriptions, and internal corporate documents (1.7 GB compressed). The company disputed that Google Drive and Dropbox files were exfiltrated. The breach occurred as two other major platforms faced simultaneous incidents: Bumble confirmed a contractor’s account was compromised via phishing, and Panera Bread confirmed a breach of 14 million claimed records through a Microsoft Entra SSO compromise.
5. McGraw-Hill — 13.5 Million Accounts
ShinyHunters claimed access to McGraw-Hill’s Salesforce environment as part of their broader Salesforce Experience Cloud campaign. Breach trackers confirm 13.5 million accounts affected. The publisher joins Canvas LMS in a pattern of ShinyHunters specifically targeting the education and educational technology sector, where student and instructor data sits in large, multi-tenant SaaS platforms often managed by lean IT teams.
6. 7-Eleven — 185,000 Franchisee Applicants, SSNs and Driver’s Licenses Exposed
On April 8, 2026, an unauthorized third party accessed 7-Eleven systems storing franchisee application documents. ShinyHunters posted the claim on April 17 with a stated count of 600,000+ Salesforce records. When 7-Eleven declined to pay by the April 21 deadline, the group published a 9.4 GB archive. Have I Been Pwned’s verified count: 185,300 individuals, with names, dates of birth, email addresses, phone numbers, and physical addresses. Some records also included Social Security numbers and driver’s license numbers.
7-Eleven CISO Jim Kastle confirmed the breach was limited to “certain 7-Eleven systems used to store franchisee documents.” This is an important distinction: the victims here are franchise applicants, not general store customers. Their exposed data, including government identity documents, makes them targets for synthetic identity fraud and targeted phishing for years after this headline fades.
7. ADT — 5.5 Million Records, SEC Filing Triggered
ADT, the home security company, filed an SEC 8-K disclosure following a breach confirmed on April 20, 2026. The attack vector was social engineering. With 5.5 million records affected, ADT’s incident is one of the few 2026 breaches that triggered the SEC’s four-business-day material cybersecurity incident disclosure requirement, and the filing is a practical example of how that regulatory obligation now functions.
8. Aura — 900,000 Records from an Identity Protection Company
The irony here is undeniable. Aura, a Burlington, Massachusetts company that sells identity theft protection and credit monitoring to consumers, was itself breached by ShinyHunters via a single targeted vishing attack that compromised one employee’s account. The attacker had access for approximately one hour before Aura’s security team removed them.
Have I Been Pwned confirmed approximately 900,000 records: names, home addresses, telephone numbers, email addresses, and additional marketing database fields. Aura’s breach drew immediate and widespread attention less for its scale than for its symbolism. If a company whose entire product is protecting people from this exact threat can be undone by one phone call in under an hour, no organization should feel comfortable with its current posture.
9. CarGurus — 12 Million Records, Class Actions Filed
CarGurus confirmed a breach affecting 12 million records attributed to social engineering. Class action lawsuits have been filed. The auto marketplace joins a growing list of consumer-facing platforms where the breach impact extends well beyond the company into long-tail identity fraud risk for affected users.
10. Harvard University Alumni Affairs — 115,000 Records
Harvard University’s Alumni Affairs office was targeted on February 4, 2026, with approximately 115,000 records attributed to ShinyHunters via vishing and SSO compromise. The breach continues the group’s pattern of targeting institutional data stores with large alumni and donor datasets, which carry high social engineering value for future targeting of high-net-worth individuals.
Additional 2026 Breaches at a Glance
Beyond the ten incidents above, a second tier of confirmed and reported breaches rounds out the 2026 picture. The volume is the story: this is not a bad year with a few high-profile incidents. It is a sustained, industrialized campaign.
| Target | Date | Records Claimed | Status | Attack Vector |
|---|---|---|---|---|
| Crunchbase | Jan 2026 | 2+ million | ShinyHunters claimed | Hacking |
| Match Group (Bumble) | Jan 2026 | Undisclosed | Confirmed | Contractor phishing |
| Panera Bread | Jan 2026 | 5.1M published | Confirmed | Microsoft Entra SSO |
| Telus (Canada) | March 2026 | 700 TB claimed | Unverified | Unauthorized access |
| Vercel | April 2026 | API keys, tokens | Confirmed | OAuth supply-chain / Lumma Stealer |
| Medtronic | April 2026 | Up to 9 million (claimed) | Attributed | ShinyHunters claimed |
| Mansura University | May 29, 2026 | 1 million students | Disclosed | Cloud misconfiguration |
Data Breach Statistics 2026: What the Numbers Actually Mean
U.S. Breach Costs Hit an All-Time Record
The IBM Cost of a Data Breach Report 2025 put the global average cost of a data breach at $4.44 million, down 9% from $4.88 million in 2024. That headline decline is accurate. It is also misleading. The decline reflects AI-powered detection improvements at large, security-mature organizations, while U.S. breach costs actually rose 9% to a record $10.22 million per incident. That is 2.3 times the global average, driven by state-level regulations, HIPAA penalties, litigation costs, and mandatory notification requirements. Healthcare led all sectors for the 14th consecutive year at $7.42 million per breach.
Third-Party Involvement in Breaches Doubled
The Verizon 2025 Data Breach Investigations Report analyzed a record 22,052 incidents and 12,195 confirmed breaches across 139 countries. The most significant structural finding: third-party involvement in breaches rose from approximately 15% to 30%, doubling year-over-year. This is the exact attack pattern ShinyHunters has operationalized at scale in 2026. Supply chain breaches now cost an average of $4.91 million and take 267 days to resolve, above the global average on both metrics.
Ransomware Is Now in 44% of All Breaches
The Verizon DBIR also found ransomware or extortion present in 44% of all breaches, up 37% year-over-year, and in 88% of breaches affecting small and medium businesses. ShinyHunters’ extortion-as-a-service model is not an edge case. It is the dominant breach pattern of the era, and it is not confined to large enterprises.
“Organizations accumulate sensitive data faster than they track it. It spreads across CRM platforms, document stores, and franchisee systems, often without clear ownership, often without anyone knowing exactly what’s there. By the time a breach surfaces, the data has already been living somewhere it probably shouldn’t have been for months or years.”
Gidi Cohen, CEO & Co-founder, Bonfy.AI | CPO Magazine, May 2026
Most Security Tools Cannot See the Attack Layer Being Exploited
The 2026 CISO Report found that 84.8% of CISOs considered their security tools insufficient to detect OAuth token or API key abuse. This is the attack layer ShinyHunters is operating at in 2026. Most organizations are running blind against the precise vector that is actively being used against them.
“84.8% of CISOs considered their security tools to be lacking in their ability to detect OAuth token or API key abuse, meaning most organizations have limited ability to detect or contain a compromise at this layer.”
Amir Khayat, CEO & Co-founder, Vorlon | Security Boulevard, April 2026
Mean Breach Detection Time Is 241 Days (Still Far Too Long)
IBM found the mean time to identify and contain a breach at 241 days, the lowest in nine years. It still costs organizations enormously. Breaches detected under 200 days cost $3.87 million on average. Those exceeding 200 days cost $5.01 million, a $1.14 million premium for slow detection. Oracle Health ran from January 22, 2025, through at least early 2026. The Vercel breach had a two-month dwell time before discovery. Speed of detection is not an abstract metric. It is a direct financial variable.
What CISOs and Executives Must Do Right Now
For Security Leaders: Five Immediate Actions
- Audit all Salesforce Experience Cloud sites for guest user permissions on the /s/sfsites/aura API endpoint. This is the specific endpoint ShinyHunters scanned at scale using AuraInspector. If guest user queries are not restricted, this is an open door.
- Commission a full OAuth grant inventory. Map every application your employees have authorized across Google Workspace, Microsoft 365, and Salesforce. Most enterprises have no complete picture of this. This is now a first-tier gap, not a backlog item.
- Run voice phishing simulations targeting SSO helpdesk scenarios. ShinyHunters scripts impersonate IT support and identity vendors convincingly. Generic phishing simulations using email will not close this training gap.
- Disable device code flow and legacy authentication protocols in Microsoft Entra if this has not already been done. Both are exploited routinely in 2026-era SSO attacks.
- Upgrade MFA to FIDO2 hardware keys or passkeys where possible. Time-based OTP MFA is defeated routinely by ShinyHunters through real-time phishing proxies. FIDO2 or passkeys are the minimum effective control against this specific attack pattern.
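The OAuth grant inventory recommended above can be started from an export of delegated permission grants. The following is an added example, not code from any vendor or report cited in this article: it collapses grant records into one row per application and ranks them for review. It covers Microsoft 365 only; the field names follow the Microsoft Graph oauth2PermissionGrant resource, while the sample apps, IDs, approved list and the choice of high-risk scopes are assumptions made for illustration.

```python
from collections import defaultdict

# Delegated Microsoft Graph scopes that expose mail, files or directory data,
# plus offline_access, which lets an app keep refresh tokens.
# This selection is an assumption for the example; tune it to your own policy.
HIGH_RISK_SCOPES = {
    "Mail.Read", "Mail.ReadWrite", "Mail.Send",
    "Files.Read.All", "Files.ReadWrite.All", "Sites.Read.All",
    "Directory.ReadWrite.All", "User.Read.All", "offline_access",
}

# Constructed sample data: IDs and application names are invented.
SAMPLE_APPS = {
    "sp-001": "Contoso CRM Sync",
    "sp-002": "PDF Merge Free",
    "sp-003": "Team Calendar",
}
SAMPLE_GRANTS = [
    {"clientId": "sp-001", "consentType": "AllPrincipals", "principalId": None,
     "scope": "User.Read Files.Read.All offline_access"},
    {"clientId": "sp-002", "consentType": "Principal", "principalId": "user-17",
     "scope": "Mail.Read offline_access"},
    {"clientId": "sp-002", "consentType": "Principal", "principalId": "user-42",
     "scope": "Mail.Read Mail.Send"},
    {"clientId": "sp-003", "consentType": "Principal", "principalId": "user-17",
     "scope": "User.Read Calendars.Read"},
]


def build_inventory(grants, app_names, approved=frozenset()):
    """Collapse raw grants into one record per application, riskiest first."""
    apps = defaultdict(lambda: {"scopes": set(), "users": set(), "tenant_wide": False})
    for grant in grants:
        rec = apps[grant["clientId"]]
        # scope is a space-separated string and may be empty or missing
        rec["scopes"].update((grant.get("scope") or "").split())
        if grant.get("consentType") == "AllPrincipals":
            rec["tenant_wide"] = True          # admin consented for every user
        elif grant.get("principalId"):
            rec["users"].add(grant["principalId"])

    inventory = []
    for client_id, rec in apps.items():
        risky = sorted(rec["scopes"] & HIGH_RISK_SCOPES)
        findings = []
        if risky:
            findings.append("high_risk_scopes")
        if rec["tenant_wide"]:
            findings.append("tenant_wide_consent")
        if client_id not in approved:
            findings.append("unapproved_app")
        inventory.append({
            "client_id": client_id,
            "name": app_names.get(client_id, "<unknown>"),
            "scopes": sorted(rec["scopes"]),
            "high_risk_scopes": risky,
            "tenant_wide": rec["tenant_wide"],
            "user_count": len(rec["users"]),
            "findings": findings,
        })
    # Most findings first, then most high-risk scopes, then name for stability
    inventory.sort(key=lambda r: (-len(r["findings"]),
                                  -len(r["high_risk_scopes"]), r["name"]))
    return inventory


if __name__ == "__main__":
    for row in build_inventory(SAMPLE_GRANTS, SAMPLE_APPS, approved={"sp-001"}):
        reach = "tenant-wide" if row["tenant_wide"] else f"{row['user_count']} user(s)"
        print(f"{row['name']:<18} {reach:<12} "
              f"risky={','.join(row['high_risk_scopes']) or '-'} "
              f"findings={','.join(row['findings']) or '-'}")
```

Rows with both `high_risk_scopes` and `unapproved_app` are the ones to review first; a tenant-wide grant is worth checking even when the application is approved, since one consent covers every user.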
For Executives and Boards: Three Risk Realities
Paying ransoms creates legal and reputational risk with no guarantee of outcome. Instructure’s decision to pay ShinyHunters is already a case study in crisis management tradeoffs. The FBI issued specific guidance in May 2026 warning against paying ransoms to this group. “Digital confirmation” of data destruction is not cryptographically verifiable. It is the attacker’s word.
The Oracle Health incident also reveals a critical contract risk: SaaS vendor agreements must explicitly address breach notification obligations. Oracle Health’s decision to push patient notification responsibility to individual hospitals created legal ambiguity and eroded hospital trust. Any organization that relies on SaaS vendors to handle sensitive regulated data needs to audit those contracts now.
The Critical Perspective: What the Mainstream Narrative Gets Wrong
Most coverage of the 2026 breach wave tells a simple story: ShinyHunters is exploiting human weakness, and organizations need better security awareness training. That framing is accurate at the surface, but it obscures several harder truths worth taking seriously.
The “Skills Gap” Narrative Sells Certifications, Not Security
The frequent claim that 2026’s breaches reflect a cybersecurity skills gap is used heavily by training vendors. The Canvas breach was not caused by an untrained security team. It was caused by an architectural flaw: weak trust boundaries between a freemium account tier (Free-For-Teacher) and institutional tenants sharing the same infrastructure. No security certification closes a multi-tenant isolation bug. When products are architected with trust boundary failures, no amount of employee training compensates.
The IBM 9% Cost Decline Headline Obscures the Real Trend
The 9% global cost decline in IBM’s 2025 report is real, but it is driven by AI-powered improvements at large, security-mature organizations. U.S. costs rose 9% simultaneously. Total breach volume continued rising even as per-breach costs declined in some regions. Supply chain breaches, the dominant 2026 vector, cost above the global average on both cost and dwell time. Reading the headline without the underlying data produces false comfort.
“No Passwords or Financial Data Accessed” Is Not Reassurance
Match Group, Instructure, and Charter all issued statements emphasizing that passwords and financial data were not accessed. Security professionals should read these statements carefully, not as reassurance. Names, email addresses, student IDs, IP addresses, phone numbers, and physical addresses are precisely the inputs needed for highly targeted spear phishing, SIM swapping, and synthetic identity fraud. The downstream risk from a 2026 breach typically materializes 6 to 18 months after the headline, not in the week of disclosure.
Kevin Beaumont’s Oracle Challenge Remains Unanswered
Security researcher Kevin Beaumont publicly challenged Oracle’s breach notification language as “engaging in wordplay,” noting the company described actively used, Oracle-managed cloud servers as “obsolete” to minimize the perceived severity of the breach. If cloud providers can selectively describe infrastructure to manage breach perception, HIPAA’s notification framework becomes substantially harder to enforce. This accountability gap has not been adequately addressed in mainstream coverage of the Oracle Health incident.
Our read: the 2026 breach environment is not primarily a story about one skilled threat actor. It is a story about the structural fragility of modern enterprise authentication, built on SSO consolidation that was designed for usability and was never hardened against a group willing to spend weeks profiling individual employees before a single phone call.
FAQ: Data Breaches 2026
The largest data breach of 2026 is the Canvas LMS breach affecting Instructure’s platform. ShinyHunters claimed exfiltration of 3.65 TB of data across approximately 275 million records at 8,809 educational institutions globally. Instructure confirmed the breach in May 2026, shut down its Free-For-Teacher program, and paid a ransom with a May 11 announcement. Independently confirmed exposed data included names, emails, student IDs, and private messages.
Yes. Multiple major breaches have been confirmed in 2026, including Canvas LMS (275 million records claimed), Charter Communications (42 million records claimed), Match Group (10 million confirmed), Oracle Health (up to 80 hospitals), 7-Eleven (185,300 confirmed), Aura (900,000 confirmed), McGraw-Hill (13.5 million), CarGurus (12 million), ADT (5.5 million), and Harvard University Alumni Affairs (115,000), among hundreds of others.
The global average cost of a data breach is $4.44 million, per IBM’s Cost of a Data Breach Report 2025, down 9% from 2024’s $4.88 million. U.S. organizations face a record average of $10.22 million per breach, more than double the global figure and up 9% year over year. Healthcare remains the highest-cost sector at $7.42 million per breach for the 14th consecutive year.
ShinyHunters is a cybercriminal extortion group active since 2020 that has become the dominant breach actor of 2026. The group specializes in vishing attacks targeting SSO credentials, then exfiltrating data from SaaS platforms, particularly Salesforce, before demanding ransoms. By March 2026, they claimed to have breached 300 to 400 organizations in a single Salesforce Experience Cloud campaign, with approximately 100 described as high-profile.
In late April 2026, ShinyHunters exploited Instructure’s Free-For-Teacher account program to access Canvas LMS, the platform used by 41% of U.S. higher education institutions. The group claimed 275 million records across 8,809 institutions. Instructure detected the intrusion April 29, confirmed it publicly May 1, and shut down the Free-For-Teacher program permanently after paying a ransom on May 11, 2026.
Healthcare leads with an average breach cost of $7.42 million, a title it has held for 14 consecutive years, followed by financial services at $5.56 million. By incident frequency, Public Administration led with 543 breaches in the past 12 months, representing 21% of all confirmed incidents. Education was heavily targeted in 2026 following the Canvas LMS and McGraw-Hill breaches.
Use Have I Been Pwned to check whether your email address appears in known breach databases. The service has already indexed the 7-Eleven, Aura, Canvas, and Match Group incidents from 2026. Enabling breach alerts ensures you are notified automatically if your email appears in future disclosures.
What You Now Know That Most People Don’t
The biggest data breaches of 2026 are not a technology story. The organizations that were breached had firewalls, had MFA, had dedicated security teams. What they did not have was a hardened human layer around the single most valuable asset in their entire security architecture: the SSO credential. ShinyHunters understood that before most defenders did.
In the 6 to 18 months ahead, watch for three things. First, the downstream fraud wave from this year’s breaches. The names, emails, phone numbers, and partial identity data exposed in 2026 will fuel SIM swapping, spear phishing, and synthetic identity fraud campaigns well into 2027. Second, regulatory response: the Oracle Health notification controversy and the FBI’s anti-ransom payment guidance both point toward stricter vendor accountability requirements taking shape. Third, AI-enabled voice phishing escalation. The use of deepfake voice technology to enhance vishing credibility has been attributed to ShinyHunters. As voice synthesis improves and access costs fall, the attack that defined 2026 will get harder to defend against with existing controls.
The three things to act on before this week ends: audit your Salesforce Experience Cloud guest user permissions, commission an OAuth grant inventory, and schedule a voice phishing simulation specifically targeting your SSO helpdesk scenario. The group that caused most of the damage on this list is still active. The phone is still ringing.