The Worst Hacks and Breaches of 2026 (So Far)
Halfway through what’s shaping up to be a brutal year for cybersecurity, a comprehensive roundup catalogs the most damaging digital incidents of 2026 so far. They include DOGE’s alleged upload of a live Social Security database to an unsecured server; Iranian state-backed hackers remotely wiping tens of thousands of Stryker employee devices in a destructive pivot away from espionage; the ShinyHunters gang breaching the education platform Instructure Canvas and disrupting finals for millions of students; the FBI declaring a “major cyber incident” after Chinese spies compromised a surveillance system and exposed wiretap targets’ phone numbers; and a wave of supply chain attacks on security tools, including Bitwarden and Checkmarx, that cascaded into breaches at OpenAI and Vercel.
Recent Palo Alto Networks Vulnerability Exploited for Weeks
Threat actors began actively exploiting CVE-2026-0257, a high-severity authentication bypass in PAN-OS GlobalProtect, just four days after public disclosure; Rapid7 observed exploitation campaigns starting May 17 from two successive hosting providers. The flaw lets attackers forge session cookies and bypass VPN authentication on vulnerable firewalls, and in eight of ten observed cases the forged cookies were accepted by the target systems. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by June 1; Palo Alto Networks has released fixes for PAN-OS versions 10.2 through 12.1.
2026 Data Breach Investigations Report
This year’s DBIR marks a historic shift in the threat landscape: for the first time in the report’s 19-year history, software vulnerability exploitation has surpassed stolen credentials as the leading initial access vector, now accounting for 31% of breaches. Ransomware is present in nearly half of all incidents, though ransom payouts are declining as more organizations refuse to pay. Generative AI is now boosting 15 different attack techniques and compressing exploitation timelines dramatically, while mobile devices have become a preferred target, with phishing click rates 40% higher on phones than for traditional email.
New HTTP/2 Bomb Vulnerability Allows Remote DoS on NGINX, Apache, IIS, Envoy & Cloudflare
Researchers have disclosed a remote denial-of-service technique dubbed HTTP/2 Bomb that chains HTTP/2’s HPACK header compression with a zero-byte flow-control window to pin server memory indefinitely: a single client on a 100Mbps home connection can exhaust 32GB of Apache or Envoy server memory in roughly 20 seconds. The issue was discovered by OpenAI Codex and affects the default configurations of NGINX, Apache HTTPD, Microsoft IIS, Envoy, and Cloudflare Pingora. NGINX has patched it in version 1.29.8 and Apache has a fix in mod_http2 v2.0.41, but Microsoft IIS, Envoy, and Cloudflare Pingora had no patches available at the time of writing.
Hackers Used Meta’s AI Support Bot to Seize Instagram Accounts
Pro-Iran hackers briefly defaced high-profile Instagram accounts, including the Obama White House account, by exploiting a flaw in Meta’s AI customer support chatbot that allowed attackers to add a new email address to any account during the password reset flow, effectively bypassing standard authentication. A video circulated on Telegram showed that the attack required only a VPN connection near the target’s location and a brief conversation with the AI bot, after which the bot would send a one-time code to the attacker’s newly linked address. Meta has since patched the issue and stated that no back-end database was breached, though multiple users’ accounts were compromised before the emergency fix was deployed.