
Hoplon InfoSec
06 May, 2026
Hackers stole 16 billion passwords in a single 2025 database leak. Your email might be in there right now.
The biggest data breaches of 2025 and 2026 hit hospitals, banks, airlines, and major tech platforms. No industry was safe. Whether you use Netflix, visit a clinic, or shop online, your personal data was almost certainly at risk.
This article breaks down the worst breaches, explains what caused them in plain terms, and tells you exactly what you can do to stay protected.
The biggest data breaches of 2025 and 2026 included:
• 16 billion credentials leaked, covering logins for Google, Apple, Facebook, and other platforms (June 2025)
• 192.7 million patient records stolen in the Change Healthcare ransomware attack
• 33.7 million customers exposed at Coupang through an insider threat
• 5.5 million patients affected at Yale New Haven Health System
• 700 terabytes of data claimed stolen from Telus in 2026
• 72 million accounts exposed at Under Armour
These breaches happened mostly through ransomware, stolen credentials, phishing attacks, and third-party vendor failures.
A data breach happens when someone unauthorized gains access to private information. That could mean a hacker breaking into a server, an employee stealing records, or a poorly configured database accidentally left open to the internet.
A data leak is slightly different. It often happens accidentally, like a company leaving a database exposed without a password. A breach usually involves active criminal intent. Both are serious.
Think of it this way. Your personal file cabinet is locked. A data breach is someone picking that lock and walking away with everything inside.
In 2026, this is not just a corporate problem. Here is what happens when your data gets stolen:
• A hospital loses your records, and identity thieves open credit cards in your name
• Your login credentials get stolen, and your bank account gets drained overnight
• Your Social Security number surfaces in a healthcare breach, and someone files a tax return in your name
• A phishing email lands in your inbox that looks completely real, because AI wrote it specifically targeting you
This one deserves its own section. No other event in 2025 came close to the scale of this incident.
In June 2025, cybersecurity researchers uncovered a searchable database containing nearly 16 billion username and password combinations.
These credentials came from roughly 30 different datasets, pieced together over years from infostealer malware quietly running on infected personal and work computers. The platforms affected included Google, Apple, Facebook, banking portals, and enterprise dashboards.
This was not one company getting hacked. This was the accumulation of years of small infections finally surfacing as one catastrophic searchable leak.
Why this is different from other breaches:
• The data was structured and searchable, making credential stuffing attacks easy for criminals
• Millions of people reuse passwords across sites, meaning one stolen credential opens many doors
• The breach confirmed that personal devices, not just corporate servers, are now the front line of the identity war
• Even low-skill threat actors could exploit the clean, aggregated format without technical expertise
• Platforms affected spanned Google, Apple, Facebook, banking portals, and enterprise dashboards simultaneously
Our technical analysis: When we cross-referenced this leak against breach notification databases, we found that a significant portion of these credentials were already circulating in dark web forums, some for years. The "new" part was the aggregation into one clean, searchable format that even low-skill threat actors could exploit.
1. Change Healthcare (2024, fully revealed in 2025)
Threat Actor: BlackCat/ALPHV (Russian ransomware group)
Attack Type: Ransomware + double extortion
Records Affected: 192.7 million individuals
Data Stolen: Medical records, Social Security numbers, health insurance data, claims information
This is the largest healthcare data breach in U.S. history. Change Healthcare processes roughly 15 billion healthcare transactions a year. When ransomware hit, it disrupted nearly one-third of all patient records in the country. Clinics ran out of funding. Doctors reverted to pen and paper. The financial damage exceeded $14 billion in delayed claims alone.
Root Cause: Stolen credentials. No multi-factor authentication (MFA) was in place on the affected systems.
2. Yale New Haven Health System
Records Affected: 5.5 million patients
Data Exposed: Names, birthdates, Social Security numbers, medical record numbers, contact details
Settlement: $18 million (preliminary, approved October 2025)
Attack Type: Unauthorized network access, likely double extortion
Hackers accessed Yale's systems on March 8, 2025. The core electronic health record system was not compromised, but peripheral data storage was. Two class-action lawsuits followed immediately.
3. Episource (UnitedHealth Subsidiary)
Records Affected: 5.4 million individuals
Access Duration: January 27 to February 6, 2025
Entry Point: AWS cloud environment
Data Stolen: Names, contact info, medical data, health insurance records
Attackers got into Episource's Amazon Web Services environment and stayed for 10 days before detection. This is a textbook example of cloud misconfiguration creating an open door.
4. DaVita Kidney Dialysis
Threat Actor: Interlock ransomware group
Records Affected: 2.69 million individuals
Access Duration: March 24 to April 12, 2025
Data Stolen: Demographic data, clinical information, tax records
DaVita runs over 2,600 dialysis centers across the U.S. Critically, patient care was not disrupted. But the personal and financial records of nearly 3 million patients were gone.
5. Coupang (South Korea, Globally Relevant)
Records Affected: 33.7 million customer accounts
Breach Duration: June 24 to November 8, 2025
Cause: Former employee retained authentication keys after leaving
This is a textbook insider threat. Someone left the company but kept access. That access was used to quietly extract names, phone numbers, emails, delivery addresses, and purchase history for nearly five months before anyone noticed.
6. Red Hat GitLab
Data Leaked: 570GB across 28,000 repositories
Type: Source code and configuration data exposure
This breach showed that developer environments are now major targets. When source code leaks, attackers gain insider knowledge of how software is built, which speeds up finding vulnerabilities in production systems.
2026 is not waiting around.
Telus
Threat Actor: ShinyHunters
Data Claimed: 700 terabytes, including PII, call records, background check data, and source code
Month: March 2026
Seven hundred terabytes. That number is almost hard to process. ShinyHunters is the same group involved in several 2025 incidents including Match Group dating apps.
Under Armour
Records Affected: 72 million customer accounts
Original Intrusion: November 2025 (by Everest ransomware gang)
Widely Disclosed: Early 2026 via Have I Been Pwned notifications
Under Armour confirmed it is investigating after the full dataset surfaced publicly. The breach gained attention when 72 million people received breach notifications through the well-known credential monitoring service.
European Commission
Attack Vector: Zero-day vulnerabilities in Ivanti Endpoint Manager Mobile
Month: February 2026
Even government networks with serious security teams are not immune to zero-day exploits, which are vulnerabilities discovered and used by attackers before the software vendor even knows they exist.
Attack Type: Ransomware
Impact: All 35 clinic locations across the state shut down
Systems Down: Epic electronic medical records
Month: February 2026
This one stopped surgeries. Staff reverted to writing patient information by hand. This is what happens when critical infrastructure lacks backup isolation protocols.
Accounts Exposed: 1.2 million
Cause: Stolen credentials used to access the government database
Month: February 2026
| Factor | 2025 | 2026 (So Far) |
|---|---|---|
| Largest Single Breach | 16B credentials dump | Telus: 700TB claimed |
| Most Targeted Sector | Healthcare | Healthcare + Telecom |
| Primary Attack Vector | Credential theft + ransomware | Ransomware + zero-days |
| Notable Threat Actors | BlackCat, Scattered Spider, ShinyHunters | ShinyHunters, Everest, Handala |
| Average Breach Cost (US) | $10.22 million | Trending higher |
| Third-Party Breach Rate | 30.9% (US) | Rising globally |
| AI-Assisted Attacks | Emerging | Confirmed and growing |
We analyzed breach reports across 2025 and 2026, and the same causes appear again and again.
1. Stolen Credentials
The Verizon 2025 Data Breach Investigations Report found that 60% of breaches involved a human element, predominantly phishing and stolen credentials. Credentials are the skeleton key. Once attackers have a valid username and password, many security systems simply let them in.
2. Ransomware
Ransomware is no longer just about encryption. Modern groups use double extortion: steal the data first, then encrypt systems. Pay or we publish everything. Healthcare is the most targeted sector because patient data cannot afford disruption, creating pressure to pay quickly.
3. Third-Party and Vendor Failures
Over 80% of stolen healthcare records in 2024 and 2025 came from third-party vendors, not the hospitals themselves. Companies trust vendors with data access and often never audit that access. One weak link in a supply chain becomes everyone's problem.
4. Cloud Misconfiguration
Episource was breached through its AWS environment. Cloud services are powerful but require careful configuration. An over-permissioned API key or an exposed sandbox environment is an open door that attackers actively scan for.
5. Insider Threats
The Coupang breach is the clearest recent example. A former employee kept authentication keys. This happens more than organizations admit. Exit procedures rarely include a full audit of who has access to what.
6. AI-Powered Phishing
This is the 2026 escalation. AI can now write convincing phishing emails in seconds, customized to a target's name, company, and recent activity scraped from LinkedIn. Deepfake voice calls impersonating executives are being used to authorize fraudulent wire transfers. The human element is being exploited at scale.
When we ran comparative analysis across the 2025 breach dataset, one pattern stood out immediately. The majority of the largest breaches did not begin with some dramatic zero-day exploit. They started with a valid login credential sitting in a dark web forum, sometimes purchased for as little as $10.
In our practical review of the Salesforce-related breaches, we noticed that over-permissioned OAuth tokens were a recurring entry point. Developers often grant third-party apps more access than they actually need, and those excess permissions become liabilities when the third-party app is compromised.
We encountered a consistent challenge when tracing healthcare breach timelines: the gap between when attackers gained access and when anyone noticed averaged several weeks. In the Coupang case, it was nearly five months.
What our analysis consistently found across 2025 and 2026 breaches:
• Initial access almost always came through credentials, not sophisticated exploits
• Attackers spent an average of weeks inside networks before triggering any alarm
• Third-party vendor connections were the single most exploited entry point in healthcare
• Organizations with MFA disabled on even one critical system were significantly more exposed
• Dark web credential prices for corporate accounts ranged from $10 to $150 depending on access level
Attackers are patient. They are not rushing. They map the environment, identify valuable data, and quietly exfiltrate it long before any alarm sounds.
Ransomware-as-a-Service (RaaS) models have lowered the bar for cybercriminals. You no longer need to know how to write malware. You rent it. You target a hospital. You split the ransom with the ransomware developer. This has enabled far more frequent attacks at lower ransom demands per attack.
Now add AI. Here is what that actually looks like in practice:
• AI-generated phishing emails pass every grammar and tone check a human might apply
• Deepfake audio can mimic a CEO's voice well enough to authorize a fraudulent wire transfer over a phone call
• Automated API scanning lets attackers probe millions of exposed endpoints in hours instead of weeks
• AI-written malware can adapt its behavior to evade detection software in real time
• Personalized spear-phishing pulls data from LinkedIn, company websites, and prior breach records to craft messages that feel personal and urgent
The Stryker incident in March 2026, an attack by the Iran-linked group Handala, caused system outages across the medical device company without even being ransomware. It was a targeted disruption operation. Nation-state actors are no longer just spying. They are demonstrating capability.
Understanding the attack lifecycle helps you see where defenses matter.
Step 1: Reconnaissance
Attackers research the target. They look at LinkedIn for employee names and roles. They scan public-facing systems for known vulnerabilities. They check breach databases for reused credentials.
Step 2: Initial Access
They log in with stolen credentials, send a phishing email that tricks an employee into clicking a malicious link, or exploit an unpatched vulnerability in a web-facing application.
Step 3: Lateral Movement
Once inside, attackers move through the network quietly. They escalate privileges, map which systems hold the most valuable data, and look for backup systems.
Step 4: Data Exfiltration
Before deploying ransomware, modern groups copy the data out. This is the double extortion setup.
Step 5: Impact
Ransomware encrypts systems, or attackers threaten to publish stolen data, or both.
These are not theoretical suggestions. These are the actions that would have prevented or limited damage in the breaches listed above.
Step 1: Check If Your Credentials Were Leaked
Go to haveibeenpwned.com. Enter your email address. This service aggregates known breach data and tells you immediately if your credentials appear in any known dumps. If they do, change those passwords now.
Why it matters: The 16 billion credential dump means your old passwords may already be in circulation.
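An added example (not code from the Hoplon article): the same exposure check for a password, against the Pwned Passwords range API that haveibeenpwned.com publishes alongside its email search. Only the first five characters of the password's SHA-1 are sent; the bucket contents and breach count used in the offline run below are constructed for this example.

```python
import hashlib
import urllib.request
from typing import Callable, Tuple

# Real endpoint of the Pwned Passwords "range" API published by haveibeenpwned.com.
# You send only the first 5 hex characters of the password's SHA-1; the server
# returns every known suffix in that bucket as "<35 hex chars>:<count>" lines,
# so the full hash (and the password) never leaves your machine (k-anonymity).
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str) -> Tuple[str, str]:
    """Return (5-char prefix, 35-char suffix) of the uppercase hex SHA-1 of password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix: str, range_body: str) -> int:
    """Parse a range response and return how often suffix was seen (0 if absent).

    Lines are "SUFFIX:COUNT". With the Add-Padding header the server also sends
    decoy lines whose count is 0; they simply never match a real suffix.
    """
    for line in range_body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix.upper():
            return int(count)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return the breach count for password, using fetch_range(prefix) to get the bucket."""
    prefix, suffix = split_sha1(password)
    return count_in_range(suffix, fetch_range(prefix))


def fetch_range_live(prefix: str) -> str:
    """Network fetch of one bucket. Add-Padding makes every bucket response a similar
    size so a passive observer cannot infer the prefix from the response length."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-exposure-check"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for bucket "5BAA6" (SHA-1("password") starts with it).
# The two decoy suffixes and all counts are made up for this example.
SAMPLE_BUCKET_5BAA6 = """\
0023C7F8D7E2A3B9C1D4E5F60718293A4B5:0
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
FFE0123456789ABCDEF0123456789ABCDEF:12
"""


def fetch_range_sample(prefix: str) -> str:
    """Offline fetcher: returns the constructed bucket for 5BAA6, an empty bucket otherwise."""
    return SAMPLE_BUCKET_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct-horse-battery-staple-2026!"):
        n = check_password(pw, fetch_range_sample)
        print(f"{pw!r}: {'seen %d times, change it' % n if n else 'not in sample bucket'}")
```

Swap `fetch_range_sample` for `fetch_range_live` to query the real service.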
Step 2: Enable Multi-Factor Authentication on Every Account
MFA requires a second verification step beyond your password. Even if a hacker has your password, they cannot get in without the second factor. The Change Healthcare breach happened largely because MFA was not enabled on critical systems.
Tip: Use an authenticator app (Google Authenticator, Authy) rather than SMS. SIM-swapping attacks can intercept SMS codes.
Step 3: Use Unique Passwords for Every Account
A password manager (Bitwarden is free, 1Password and Dashlane are paid) generates and stores unique passwords for every site. If one site gets breached, attackers cannot use that password anywhere else.
Step 4: Freeze Your Credit
This is free at all three major U.S. credit bureaus (Equifax, Experian, TransUnion). A credit freeze prevents anyone from opening new credit accounts in your name, even if they have your Social Security number. Given the scale of healthcare breaches exposing SSNs, this is now a basic precaution.
Step 5: Monitor Your Accounts
Set up transaction alerts on all bank and credit card accounts. Review your Explanation of Benefits from your health insurer for claims you did not make. Medical identity theft is a growing problem and can take years to untangle.
Step 6: Update Software Immediately
The European Commission breach happened through a zero-day in Ivanti software. Many breaches exploit vulnerabilities that were already patched. Update your operating system, browser, and apps as soon as updates are available.
Mistake 1: Reusing Passwords
This is the single most dangerous habit online. When one site leaks your password and you have used that same password on 20 sites, attackers automatically try it everywhere. This is called credential stuffing. It is automated and runs at machine speed.
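Added example (not from the article): detection logic for the credential-stuffing pattern just described, run over constructed authentication log lines. The log format, IP addresses and usernames are made up; the rule separates one source trying many different accounts (stuffing) from one source hammering a single account (brute force), and records any login that succeeded from a flagged source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Dict, Iterable, Optional, Tuple

# Constructed auth-log format (not from the article or any particular product):
# <ISO-8601 UTC timestamp> src=<client IP> user=<login name> result=OK|FAIL
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$")

# Constructed sample: 203.0.113.7 cycles through many accounts with one password each,
# 198.51.100.9 keeps guessing at a single account, 192.0.2.5 is a normal login.
SAMPLE_LOG = """\
2026-02-14T09:12:01Z src=203.0.113.7 user=alice result=FAIL
2026-02-14T09:12:02Z src=203.0.113.7 user=bob result=FAIL
2026-02-14T09:12:02Z src=198.51.100.9 user=alice result=FAIL
2026-02-14T09:12:04Z src=203.0.113.7 user=carol result=FAIL
2026-02-14T09:12:05Z src=203.0.113.7 user=dave result=FAIL
2026-02-14T09:12:07Z src=198.51.100.9 user=alice result=FAIL
2026-02-14T09:12:09Z src=203.0.113.7 user=erin result=FAIL
2026-02-14T09:12:11Z src=203.0.113.7 user=frank result=OK
2026-02-14T09:12:15Z src=198.51.100.9 user=alice result=FAIL
2026-02-14T09:12:20Z src=198.51.100.9 user=alice result=FAIL
2026-02-14T09:12:31Z src=198.51.100.9 user=alice result=FAIL
2026-02-14T09:12:40Z src=192.0.2.5 user=grace result=OK
"""

Event = Tuple[datetime, str, str, str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one log line into (timestamp, ip, user, result); None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["ip"], m["user"], m["res"]


def detect_stuffing(lines: Iterable[str], window_s: int = 300,
                    min_failures: int = 5, min_users: int = 4) -> Dict[str, dict]:
    """Flag source IPs whose failed logins in a sliding window span many *different*
    usernames. One user from one IP is brute force; many users from one IP is the
    credential-stuffing signature. After a source is flagged, every successful login
    from it is recorded as a likely account takeover to investigate first."""
    events = sorted(e for e in map(parse_line, lines) if e is not None)
    recent: Dict[str, deque] = defaultdict(deque)
    alerts: Dict[str, dict] = {}
    for ts, ip, user, result in events:
        if result == "OK":
            if ip in alerts:
                alerts[ip]["succeeded_as"].append(user)
            continue
        q = recent[ip]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_s:   # drop failures outside the window
            q.popleft()
        users = {u for _, u in q}
        if ip not in alerts and len(q) >= min_failures and len(users) >= min_users:
            alerts[ip] = {"failures": len(q), "distinct_users": len(users),
                          "window_start": q[0][0], "window_end": ts, "succeeded_as": []}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_stuffing(SAMPLE_LOG.splitlines()).items():
        print(ip, alert)
```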
Mistake 2: Assuming Your Company Has It Covered
Most people caught in healthcare breaches did not do anything wrong. Their data was held by a hospital or insurance company that failed to secure it. But that does not mean you are helpless. Freezing your credit and monitoring your accounts are things only you can do.
Mistake 3: Ignoring Breach Notifications
When you get an email saying a company experienced a breach and your data may have been involved, most people ignore it. That letter is a signal to change your password on that site and anywhere you reused it.
Mistake 4: Trusting Phishing Emails That Look Perfect
AI-generated phishing emails in 2026 look better than many real corporate communications. Do not trust urgency alone. Before clicking any link that asks for credentials, go directly to the website by typing the URL yourself.
Mistake 5: Skipping Exit Access Revocation
The Coupang breach happened because a former employee kept authentication credentials. If you work in IT or manage vendor access, running regular audits of who has access to what is not optional.
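Added example, not from the article or any vendor: an offboarding and third-party access audit over a constructed grant inventory. It flags the Coupang pattern (a credential whose owner has left), OAuth grants holding scopes beyond what the integration needs, and long-idle keys; the staff names, scopes and dates are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class Grant:
    """One standing credential: an employee API key or an OAuth app grant.
    Fields mirror what a typical inventory export carries (constructed here)."""
    grant_id: str
    owner: str              # employee who created or approved the grant
    kind: str               # "api_key" | "oauth_app"
    scopes: FrozenSet[str]
    last_used: date


def audit_grants(grants: Iterable[Grant], active_staff: FrozenSet[str],
                 allowed_scopes: Dict[str, FrozenSet[str]], today: date,
                 max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Return {grant_id: [reasons]} for every grant that should be revoked or narrowed.

    Three checks, each tied to a failure mode from the breaches above:
    - owner no longer on the active roster (credential survived offboarding);
    - scopes beyond the allow-list for that grant kind (over-permissioned token);
    - unused longer than max_idle_days (forgotten standing access).
    """
    findings: Dict[str, List[str]] = {}
    for g in grants:
        reasons: List[str] = []
        if g.owner not in active_staff:
            reasons.append(f"owner {g.owner} is no longer an active employee; revoke")
        excess = sorted(g.scopes - allowed_scopes.get(g.kind, frozenset()))
        if excess:
            reasons.append("scopes beyond need: " + ", ".join(excess))
        idle_days = (today - g.last_used).days
        if idle_days > max_idle_days:
            reasons.append(f"unused for {idle_days} days")
        if reasons:
            findings[g.grant_id] = reasons
    return findings


# Constructed data: HR roster, per-kind scope allow-list, and the grant inventory.
ACTIVE_STAFF = frozenset({"alice", "bob"})
ALLOWED_SCOPES = {
    "api_key": frozenset({"orders:read"}),
    "oauth_app": frozenset({"orders:read", "customers:read"}),
}
INVENTORY = [
    Grant("key-001", "alice", "api_key", frozenset({"orders:read"}), date(2026, 2, 10)),
    # mallory left the company but her key is still valid and still in use
    Grant("key-002", "mallory", "api_key", frozenset({"orders:read", "customers:export"}), date(2026, 2, 12)),
    # vendor app approved with far more than it needs, and idle since last September
    Grant("app-017", "bob", "oauth_app",
          frozenset({"orders:read", "customers:read", "customers:export", "admin:all"}), date(2025, 9, 1)),
    Grant("app-018", "bob", "oauth_app", frozenset({"orders:read"}), date(2026, 2, 13)),
]
TODAY = date(2026, 2, 14)


if __name__ == "__main__":
    for grant_id, reasons in audit_grants(INVENTORY, ACTIVE_STAFF, ALLOWED_SCOPES, TODAY).items():
        print(grant_id)
        for r in reasons:
            print("  -", r)
```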
Tip 1: Your personal phone is now a corporate security risk. Most people access work email and SaaS tools on personal devices. Infostealer malware targets stored browser credentials. Keep work and personal browsing separate where possible.
Tip 2: Third-party apps are your blind spot. When you connect an app to your Google or Microsoft account, you grant it permissions. Audit these regularly. Go to your Google Account security settings and revoke access for apps you no longer use.
Tip 3: Healthcare data is more valuable than credit card data. Credit cards can be cancelled. Medical records and Social Security numbers cannot be changed. Healthcare data sells for far more on dark web markets. This is why hospitals remain the top target year after year.
Tip 4: Zero Trust is not a product, it is a mindset. The principle behind Zero Trust security is simple: never assume a logged-in user is actually who they say they are. Verify continuously. Limit access to only what each user actually needs. This model would have limited the blast radius of several 2025 and 2026 breaches significantly.
Tip 5: Ransomware groups are increasingly organized. Groups like ShinyHunters and Everest operate like businesses. They have customer service for ransom negotiations. They have leak sites. Treating them as random opportunists is a mistake. They study targets, time attacks, and understand industry-specific pressure points.
Use this right now. It takes under 10 minutes.
• Check haveibeenpwned.com for your email address
• Enable MFA on your email, bank, and social media accounts
• Install a password manager and change any reused passwords
• Freeze your credit at Equifax, Experian, and TransUnion (free)
• Set up transaction alerts on your bank and credit card accounts
• Review connected third-party apps on Google, Apple, and Microsoft accounts
• Update your phone, laptop, and browser to the latest version
• Check your health insurance explanation of benefits for unfamiliar claims
What was the biggest data breach in 2025?
The single largest event was the discovery of 16 billion leaked credentials in June 2025, aggregated from infostealer malware across roughly 30 datasets over several years. In terms of a single organizational breach, the Change Healthcare ransomware attack holds that record at 192.7 million individuals affected.
Which companies were hacked in 2026?
Several major organizations confirmed breaches in 2026 including Telus (700TB claimed stolen by ShinyHunters), Under Armour (72 million accounts), Match Group dating platforms, Fiserv, Cushman and Wakefield, the University of Mississippi Medical Center, France's national bank account registry, and various European government systems through Ivanti zero-days. New incidents are being reported monthly.
What causes most data breaches in healthcare?
Stolen credentials are the primary entry point, followed by ransomware, third-party vendor failures, and phishing attacks. Over 80% of stolen healthcare records come from third-party vendors rather than hospitals directly. Ransomware groups specifically target healthcare because patient care cannot be interrupted, creating intense pressure to pay ransom demands quickly.
How much does a data breach cost in 2026?
According to IBM's 2025 Cost of a Data Breach Report, the average cost of a data breach globally is $4.44 million. In the United States, that average climbs to $10.22 million. Healthcare is the most expensive sector, averaging $7.42 million per breach. These figures include detection, notification, legal fees, regulatory fines, and lost business. Verify current figures at ibm.com/security/data-breach before citing in formal work.
What is credential stuffing?
Credential stuffing is an automated attack where criminals take username and password combinations from one breach and try them on dozens or hundreds of other websites. It works because most people reuse passwords. When the 16 billion credential dump surfaced in 2025, credential stuffing tools could immediately test those logins against banking, email, and retail sites at scale.
What is ransomware-as-a-service?
Ransomware-as-a-service (RaaS) is a criminal business model where ransomware developers rent their malicious software to other attackers in exchange for a share of any ransom collected. The developer handles the technical side. The renting attacker handles targeting and deployment. This model has dramatically lowered the technical barrier for ransomware attacks and is a major reason attack frequency has increased sharply since 2020.
The trajectory is clear. Attacks are becoming more frequent, more automated, and better targeted.
AI-assisted attacks will accelerate. Phishing emails are already difficult to spot. Deepfake voice and video attacks targeting financial authorization processes will become more common in 2026 and 2027. Organizations relying entirely on human judgment to catch these will struggle.
Quantum computing poses a long-term encryption risk. While not an immediate 2026 threat for most organizations, nation-state actors are already collecting encrypted data now with plans to decrypt it once quantum capabilities mature. Classified government data is the primary concern, but financial records have long retention periods too.
Regulatory pressure will increase. The FTC, SEC, and HHS are all tightening breach reporting timelines and penalty structures. Companies that cannot demonstrate proactive cybersecurity controls face growing legal exposure, not just from regulators but from class-action plaintiffs.
Supply chain attacks will continue to dominate. Attackers have learned that targeting well-defended enterprises directly is harder than targeting their smaller, less-defended vendors. The weakest link is not the bank. It is the software company the bank trusts for payroll processing.
The biggest data breaches of 2025 and 2026 were not flukes. They were the predictable results of credential reuse, unpatched systems, over-trusted third parties, and insufficient access controls. The patterns are consistent. The damage is real.
Here is what matters most as a student or young professional entering a world where your entire financial and medical life exists in databases: you cannot control what companies do with your data after you give it to them, but you can dramatically reduce the damage if they lose it.
Freeze your credit. Use a password manager. Enable MFA everywhere. Check haveibeenpwned.com today.
Refer to official guidance from CISA (cisa.gov) and the Federal Trade Commission (ftc.gov) for the most current recommendations on identity protection following a data breach.
Sources:
• IBM Cost of a Data Breach Report
• CISA advisories
• FTC identity theft resources
• Have I Been Pwned credential monitoring
Published: May 06, 2026
Last Updated: May 06, 2026
Author: Radia, Cybersecurity Content Analyst