10 Major Cyberattacks And Data Breaches In 2026 (So Far)
The first half of 2026 saw a renewed surge of widely felt cyberattacks and data breaches—with many indicators pointing to increased usage of AI-powered capabilities.
Widespread Attacks
Major incidents included zero-day attacks against Cisco SD-WAN systems and vulnerability exploits targeting Ivanti and Fortinet management tools, while an Iran-linked data-wiping attack struck the Microsoft environment of medical technology giant Stryker Corporation.
Meanwhile, data-extortion group ShinyHunters compromised a series of large organizations and was ultimately tied to more than half of confirmed “mega-breaches” through the end of May, according to a report from Hackmageddon.
The attacks came as cybersecurity leaders have already been grappling with the massive impacts of AI, with patching response times expected to be among the key practices that will need to change, experts have told CRN. “The time to respond [shrinking] from days to hours to minutes to now seconds—from vulnerability detection to exploits—that’s just crazy,” said Dan Lohrmann, field CISO for public sector at Presidio, No. 26 on CRN’s Solution Provider 500 for 2026. “Machine-speed, AI-speed attacks [are here]. We’ve got to be able to move so much quicker.”
And without a doubt, “the number of vulnerabilities that we’re dealing with are just going to be a huge challenge,” Lohrmann said. That issue already began to materialize during the first half of the year, with Microsoft disclosing a record-breaking “Patch Tuesday” release of software bug fixes in June with 208 vulnerabilities.
What follows are more details on 10 major cyberattacks and data breaches in 2026 so far.
Cisco SD-WAN Attacks
In February, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive in response to exploitation of vulnerabilities in Cisco Catalyst SD-WAN systems. The flaws included a critical-severity authentication bypass flaw that could allow an unauthenticated remote attacker to gain administrative privileges. The directive followed Cisco’s disclosure that attackers had exploited the flaw in zero-day attacks against SD-WAN controllers. In a post, Cisco's Talos threat intelligence team said that the campaign had dated back to at least 2023.
Stryker Wiper Attack
In March, medical technology giant Stryker Corporation was struck by a data-wiping attack, which impacted the company’s Microsoft environment. The Iran-linked Handala group claimed responsibility for the attack, alleging it had stolen data and wiped large numbers of devices, initially through a compromise of a Windows domain administrator account. The attack prompted CISA to warn organizations to harden their endpoint management systems against similar malicious activity. Stryker said it was fully operational as of early April, about three weeks after the incident.
LexisNexis Breach
In March, LexisNexis disclosed that it had experienced a data breach involving some of its legacy servers, with hackers accessing customer names, business contact information and other information. LexisNexis said it considers the matter contained after an investigation and testing. The breach hit a limited number of servers with legacy, deprecated data from before 2020, according to the company. The data also included user identities, products used, customer surveys with respondent internet protocol (IP) addresses and support tickets. A threat actor called FulcrumSec has posted 2 gigabytes of files in underground forums, claiming to have accessed LexisNexis’ AWS infrastructure by exploiting the React2Shell vulnerability in an unpatched React frontend application, according to BleepingComputer.
Ivanti EPMM Attacks
In April, CISA ordered federal agencies to prioritize patching for a critical-severity Ivanti mobile management vulnerability. CISA gave affected agencies a short window of four days to remediate the exploited vulnerability (tracked as CVE-2026-1340), which impacts Ivanti’s Endpoint Manager Mobile (EPMM) tool. Ivanti EPMM “contains a code injection vulnerability that could allow attackers to achieve unauthenticated remote code execution,” CISA said in an update to its catalog of vulnerabilities known to have seen exploitation. In late January, Ivanti had disclosed that the flaw was one of a pair of mobile management vulnerabilities that had been exploited in cyberattacks. The attacks impacted a “very limited” number of customers as of that point, Ivanti said in the Jan. 29 advisory.
Fortinet FortiClient EMS Attacks
In April, Fortinet disclosed that it had observed exploitation of a vulnerability in its FortiClient EMS (Enterprise Management Server) platform, prompting the release of an emergency patch. The software update was released on a weekend, with Fortinet urging speedy deployment of the fixes addressing the privilege escalation vulnerability, which is tracked as CVE-2026-35616. “Fortinet has observed this to be exploited in the wild and urges vulnerable customers to install the hotfix for FortiClient EMS 7.4.5 and 7.4.6,” the cybersecurity vendor said in its security advisory. The flaw “may allow an unauthenticated attacker to execute unauthorized code or commands via crafted requests,” Fortinet said in the advisory. The vulnerability was awarded a “critical” rating with a severity score of 9.1 out of 10.0.
ShinyHunters: Canvas Breach
In May, educational technology platform Instructure confirmed a security incident involving its Canvas learning management system, after the ShinyHunters extortion group claimed it had stolen data tied to 275 million users across thousands of schools and universities. The incident stemmed from a compromise of Canvas’ Free-For-Teacher account program, according to BleepingComputer. In addition to names and email addresses, other exposed data included student ID numbers and certain private messages, according to the disclosure from Instructure. The company said it had “no evidence” that other sensitive information such as passwords, financial information, birth dates or government IDs was compromised. The attack reportedly disrupted access for some colleges during finals season.
ShinyHunters: Broader Attacks
A number of other security incidents have been linked to ShinyHunters during the first half of 2026. The group claimed responsibility for Salesforce Aura and Experience Cloud data-theft attacks, and Salesforce warned customers about attackers exploiting misconfigured Experience Cloud sites that gave guest users excessive access to data. ShinyHunters was tied to 14 of 37 confirmed “mega-breaches” between January and May, according to a report from Hackmageddon, making the group the “top threat actor” of the year so far. Other major incidents linked to the group included Charter Communications, Carnival Corporation, Telus Digital and the Council of Europe.
Dashlane Attack
In early June, password management company Dashlane confirmed it had suffered a brute-force attack that targeted six-digit 2FA codes. Beginning May 31, an attack was launched seeking to “brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts,” the company disclosed. Attackers were also able to download copies of encrypted vaults of fewer than 20 personal customer accounts. Dashlane said it worked with those customers to remediate the issue, and that the attack did not involve a compromise of its own systems.
OpenAI, Anthropic Attacks
During the first half of 2026, high-profile security incidents impacted fast-growing LLM platforms OpenAI and Anthropic. In April, Anthropic said it was investigating a report that unauthorized users had gained access to its unreleased vulnerability discovery tool, Claude Mythos Preview. The alleged access occurred through a third-party vendor environment rather than a direct compromise of Anthropic’s own systems, according to a report from Bloomberg. In May, OpenAI confirmed that two employee devices were breached as part of the broader TanStack “Mini Shai-Hulud” software supply-chain campaign. The company said that customer data, production systems, intellectual property and deployed software were not impacted.
AI-Driven Vulnerability Acceleration
In June, Microsoft disclosed a record-breaking “Patch Tuesday” release of software bug fixes with 208 vulnerabilities, according to TrendAI’s Zero Day Initiative. Researchers suggested that the increase may have reflected the growing role of AI in vulnerability discovery, though only one of the bugs had been exploited in the wild as of the release on June 9. “It is extraordinary that Microsoft can produce so many patches in a single month, but it does raise concerns,” wrote Dustin Childs, head of threat awareness at TrendAI, in a post. “How many of these cases were found using AI tools? How many patches were generated using AI to assist in coding or testing?”