David Vainer

Managing Partner & CEO of Alliance Risk


Large data breaches disclosed in 2026, each affecting more than one million people. US-focused, with global breaches included where US residents are among those affected. 

Last updated June 2026.

Scorecard

| Metric | Value |
|---|---|
| Breaches tracked | 15 (plus 3 earlier-intrusion cases, separate section) |
| Records and accounts exposed | Over 380M (aggregate, not de-duplicated; mixes individuals, accounts and records) |
| Dominant threat actor | ShinyHunters, 10 of 15 (two thirds) |
| Most-breached sector | Healthcare and health-adjacent, 4 of 15 by count; Education holds the single largest breach (Instructure, 231M) |
| Identity-based attacks | 10 of 15 (vishing, stolen credentials or token abuse, where a vector is known) |
| Voice phishing | 5 of 15 (confirmed or well-supported for the specific breach) |

Key findings

Five patterns run through the 15 breaches tracked here.

  1. One actor dominates

ShinyHunters is the named group behind 10 of the 15 breaches, two thirds of the total. The breached organisations operate in unrelated sectors, yet the method used against them was the same.

  2. The entry point was usually a person

Where the method is known, an employee was talked out of their login by a caller posing as IT support or an identity vendor, and data was then exported in bulk from a connected SaaS platform. In every breach where the entry method was disclosed, it was social engineering or credential theft, not a software zero-day. That makes cyber liability insurance less of an optional IT purchase and more of a balance-sheet protection tool for any business storing customer, employee, patient or payment data.

  3. Headline numbers are unreliable

When a hacker’s claim and the confirmed count differ, the claim is usually larger, sometimes sharply: Charter, 42 million claimed against 4.9 million confirmed. The gap is not universal, though. SoundCloud and Crunchbase matched their claims and CarGurus came in higher, so the confirmed figure is the one to use.

  4. The soft spot is the back office

In four of the 15 breaches (six counting the earlier-intrusion section), the victim was an administrator, processor or vendor holding data for others, rather than the brand the affected people would recognise. One breach at a clearinghouse can reach millions across many client organisations.

  5. Some of the biggest breaches predate the year they surfaced

Three large incidents whose intrusions date to 2024 or 2025 had their counts confirmed in 2026, the longest gap about 20 months. These are tracked in their own section so the main table stays comparable.

Methodology in brief

The report covers large data breaches disclosed in 2026 that each affected more than one million people. The focus is the United States. Global breaches are included where US residents are among those affected, so some entries are worldwide totals with US individuals as a subset. This is not an exhaustive census of every US breach over one million. It tracks the major incidents that were publicly disclosed and could be verified, and given reporting lag at the HHS breach portal, more will surface. Ranking uses the organisation-confirmed count where one exists. The attacker-claimed figure is recorded beside it and flagged, never used for the ranking. “Disclosed in 2026” means the public disclosure date, not the intrusion date.

The full dataset

| # | Organisation | Confirmed | Claimed by hackers | Breach began | Disclosed | Group | Attack type | Attack vector | Ransom paid | Data leaked | Breached entity | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1 | Instructure (Canvas LMS), Education · Global | 231M emails | 275M records | Apr 2026 | May 2026 | ShinyHunters | Data-theft extortion | Stolen third-party integration tokens (Anodot), Free-for-Teacher account abuse · Confirmed | Yes | No (paid to prevent leak) | Company | Intrusion began Apr 25, detected Apr 29; ransom paid around May 11. Hackers also claimed data from about 9,000 institutions. |
| 2 | Under Armour, Apparel/Retail · Global | 72.7M emails | | Nov 2025 | Jan 2026 | Everest | Ransomware (extortion) | Entry method undisclosed · Undisclosed | No | Yes | Company | Exfiltrated by Everest in Nov 2025; data leaked publicly Jan 18–21. |
| 3 | SoundCloud, Music/Tech · Global | 29.8M | 29.8M | Dec 2025 | Jan 2026 | ShinyHunters | Data-theft extortion | Vishing, Okta SSO compromise · Confirmed | No | Yes | Company | Company confirmed in late Dec 2025; data added to Have I Been Pwned in Jan. |
| 4 | CarGurus, Auto marketplace · US + UK | 12.4M | 1.7M (initial) | Feb 2026 | Feb 2026 | ShinyHunters | Data-theft extortion | Vishing, credential theft (not Salesforce) · Well-supported | No | Yes | Company | Breach Feb 13; leaked archive surfaced Feb 21 and ran larger than the initial claim. |
| 5 | Carnival Corporation, Travel/Cruise · US | 6M | | Apr 2026 | May 2026 | ShinyHunters | Data-theft extortion | Employee social engineering (vishing inferred) · Confirmed | Not disclosed | Claimed | Company | Activity identified Apr 14; notifications began May 27. Listed by the actor without a stated count. |
| 6 | ADT Inc., Home security · US | 5.5M emails | 10M+ | Apr 2026 | Apr 2026 | ShinyHunters | Data-theft extortion | Vishing, Okta SSO compromise, Salesforce export · Inferred | Not disclosed | Leak threatened | Company | Detected Apr 20; data added to Have I Been Pwned Apr 27. |
| 7 | Panera Bread, Restaurant/Loyalty · US | 5.1M | 14M | Jan 2026 | Jan 2026 | ShinyHunters | Data-theft extortion | Vishing, Entra SSO compromise · Well-supported | No | Yes | Company | Never proactively disclosed by the company; data surfaced in a leak on Jan 27. |
| 8 | Charter (Spectrum), Telecom · US | 4.9M | 42M | Apr 2026 | May 2026 | ShinyHunters | Data-theft extortion | Vishing, Entra SSO compromise, Salesforce export · Confirmed | No (refused) | Yes | Company | Breach Apr 1; disclosed in late-May Q2 reporting. Actor claim reported as 40M-plus and commonly cited as 42M. |
| 9 | Citizens (bank), Banking · US | Disputed | 3.4M | Not disclosed | Apr 2026 | Everest | Ransomware | Third-party vendor breach (Everest), method undisclosed · Undisclosed | Not disclosed | Sample posted | Third-party vendor | Listed by Everest Apr 20. Bank says a small number were affected and much of the posted sample was masked test data; the vendor is shared with Frost Bank. |
| 10 | QualDerm Partners, Healthcare (dermatology) · US | 3.1M | | Dec 2025 | Feb 2026 | Not named | Network intrusion | Network intrusion, method undisclosed · Undisclosed | Not disclosed | Not disclosed | Company | Breach Dec 23–24, 2025; notification letters sent Feb 22. |
| 11 | Navia Benefit Solutions, Benefits administration · US | 2.7M | | Dec 2025 | Mar 2026 | Not named | Data theft | Network intrusion, method undisclosed · Undisclosed | Not disclosed | Not disclosed | Company | Access window Dec 22, 2025 – Jan 15, 2026; notice issued Mar 13. Navia is itself a third-party administrator. |
| 12 | DentaQuest, Dental benefits administration · US | 2.6M | 234GB of data | May 2026 | Jun 2026 | ShinyHunters | Data-theft extortion | Credential/token theft, cloud-storage exfiltration (vishing inferred) · Confirmed | No | Yes | Company | Earliest access traced to May; disclosed Jun 1–2. No malware used. |
| 13 | Amtrak, Transportation · US | 2.1M emails | 9.4M records | Not disclosed | Apr 2026 | ShinyHunters | Data-theft extortion | Infostealer malware, credential theft, Salesforce export · Confirmed | Not disclosed | Yes | Company | Never proactively disclosed by the company; data added to Have I Been Pwned Apr 17. |
| 14 | Crunchbase, Tech / business data · Global | 2M+ | 2M+ | Jan 2026 | Jan 2026 | ShinyHunters | Data-theft extortion | Vishing, Okta SSO compromise · Confirmed | No | Yes | Company | Intrusion began Jan 9; company confirmed Jan 26. |
| 15 | NYC Health + Hospitals, Public healthcare · US | 1.8M+ | | Nov 2025 | May 2026 | Not named | Data theft | Third-party vendor breach, method undisclosed · Undisclosed | Not disclosed | Not surfaced | Third-party vendor | Access window Nov 25, 2025 – Feb 11, 2026; disclosed May 18. Confirmed count is "at least" 1.8M. Data exfiltrated but not publicly surfaced. |
| | Conduent, Earlier intrusion · Business services · US | 62.2M | | Oct 2024 | Jun 2026 | SafePay | Ransomware | Network intrusion, ransomware (SafePay), roughly 3-month dwell · Confirmed | Not disclosed | Not disclosed | Company | Detected Jan 13, 2025. Company estimates rose from 10.5M to 25.5M (Feb 2026) to a final 62.2M filed with HHS on Jun 4, 2026. |
| | TriZetto Provider Solutions (Cognizant), Earlier intrusion · Healthcare clearinghouse · US | 3.4M | | Nov 2024 | Feb 2026 | Not named | Network intrusion | External network intrusion, method undisclosed · Undisclosed | Not disclosed | Not disclosed | Company | Intrusion Nov 19, 2024; discovered Nov 28, 2025; notifications began Feb 6, 2026. |
| | University of Hawai’i Cancer Center, Earlier intrusion · Healthcare / research · US | 1.2M notified | | Aug 2025 | Feb 2026 | Not named | Ransomware | Ransomware (encryption and exfiltration), entry method undisclosed · Confirmed | Implied yes | Not surfaced | Company | Breach Aug 31, 2025; disclosed Feb 27, 2026. Only 87,493 were confirmed in the stolen research files; the rest were notified based on decades-old driver’s-licence and voter records. Ransom payment implied: the centre bought a decryptor and a destruction promise. |

Confirmed figures are organisation-confirmed counts; hacker claims are recorded but never used for ranking. Source: company disclosures, HHS Office for Civil Rights breach portal, state Attorney General filings and Have I Been Pwned. Updated June 2026.

Key patterns

The ShinyHunters problem

One group sits behind most of 2026’s largest breaches. ShinyHunters is the named actor in 10 of the 15 incidents, across education, music, auto, travel, home security, restaurants, telecom, dental benefits, transport and business data. Where the entry point is known, the group socially engineers an employee, takes over the single sign-on account in Okta or Microsoft Entra, then exports data from a connected platform, most often Salesforce. The model is pay or leak, and in most cases where the victim’s decision was public, the company refused and the data was published. The early-2026 campaign added automation. Reporting attributes the calls to commercial AI voice platforms, named as Vapi and Bland, used to run social-engineering calls at scale. That attribution sits at the campaign level, not against any single breach.

| ShinyHunters breach | Confirmed | Attack vector |
|---|---|---|
| Instructure (Canvas) | 231M emails | Stolen third-party integration tokens |
| SoundCloud | 29.8M | Vishing, Okta SSO |
| CarGurus | 12.4M | Vishing, credential theft |
| Carnival | 6.0M | Employee social engineering |
| ADT | 5.5M emails | Vishing, Okta SSO, Salesforce |
| Panera Bread | 5.1M | Vishing, Entra SSO |
| Charter (Spectrum) | 4.9M | Vishing, Entra SSO, Salesforce |
| DentaQuest | 2.6M | Credential/token theft |
| Amtrak | 2.1M emails | Infostealer malware, Salesforce |
| Crunchbase | 2.0M+ | Vishing, Okta SSO |

Vishing

Voice phishing means an attacker calls an employee and talks them into surrendering login access, usually by posing as IT support and walking the target through an MFA approval. It is the most common technique in the dataset, and the evidence runs from firm to circumstantial, so each case is graded. Three breaches have voice phishing confirmed for the specific incident. Two more are well-supported. Three are inferred, where the organisation confirmed social engineering or credential theft without naming the voice element. Counted strictly, that is 3 breaches; with the well-supported cases, 5; with the inferred cases, 8.

| Breach | Confidence | Basis |
|---|---|---|
| SoundCloud | Confirmed | ShinyHunters stated it voice-phished Okta SSO codes |
| Charter (Spectrum) | Confirmed | Actor claimed a voice-phishing attack on an Entra account, carried by reputable outlets |
| Crunchbase | Confirmed | Part of the confirmed Okta SSO vishing campaign |
| CarGurus | Well-supported | Actor-asserted vishing, named in campaign victim lists |
| Panera Bread | Well-supported | Entra SSO compromised via a vishing campaign, one source hedges “likely” |
| ADT | Inferred | Secondary reporting describes vishing; primary sources confirm only cloud-environment access |
| Carnival | Inferred | Employee social engineering confirmed, voice element not specified |
| DentaQuest | Inferred | Credential and token theft confirmed, no malware, vishing matches the method |

Two further identity-based breaches were not voice phishing: Amtrak used infostealer malware, and Instructure used stolen third-party tokens. Including them, 10 of 15 breaches trace to compromised credentials rather than a software flaw.
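For defenders, the chain described in these sections (an MFA event on an employee account, a sign-in from a device that account has never used, then a bulk export from a connected SaaS platform) can be correlated across identity-provider and SaaS audit logs. The sketch below is an added example, not part of the report's data or methodology; the event schema, action labels, time window and row threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed, normalised audit events (not from any real incident). Field names
# and action labels are hypothetical; map IdP and SaaS audit logs onto them.
# "mfa_event" stands for any MFA approval, enrolment or reset on the account.
EVENTS = [
    {"ts": "2026-04-01T09:02:00", "user": "alice", "action": "sso_login", "device": "LAPTOP-A1"},
    {"ts": "2026-04-01T14:10:00", "user": "bob", "action": "sso_login", "device": "LAPTOP-B7"},
    {"ts": "2026-04-01T14:31:00", "user": "bob", "action": "mfa_event", "device": "unknown-phone"},
    {"ts": "2026-04-01T14:33:00", "user": "bob", "action": "sso_login", "device": "VM-77"},
    {"ts": "2026-04-01T14:41:00", "user": "bob", "action": "bulk_export", "device": "VM-77", "rows": 480000},
    {"ts": "2026-04-01T15:00:00", "user": "alice", "action": "bulk_export", "device": "LAPTOP-A1", "rows": 900},
    # Benign contrast: MFA event and a large export, but only from a known device.
    {"ts": "2026-04-02T10:00:00", "user": "carol", "action": "sso_login", "device": "LAPTOP-C3"},
    {"ts": "2026-04-02T10:05:00", "user": "carol", "action": "mfa_event", "device": "LAPTOP-C3"},
    {"ts": "2026-04-02T10:20:00", "user": "carol", "action": "bulk_export", "device": "LAPTOP-C3", "rows": 120000},
]


def detect_chain(events, window=timedelta(hours=2), min_rows=50_000):
    """Flag: MFA event -> login from a first-seen device -> bulk export from that device."""
    known = {}     # user -> devices seen outside any pending chain
    pending = {}   # user -> {"mfa_ts": datetime, "device": first-seen device or None}
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):  # ISO timestamps sort lexically
        ts = datetime.fromisoformat(e["ts"])
        user, action, device = e["user"], e["action"], e["device"]
        stage = pending.get(user)
        if stage and ts - stage["mfa_ts"] > window:
            del pending[user]                  # chain expired without an export
            stage = None
        if action == "mfa_event":
            pending.setdefault(user, {"mfa_ts": ts, "device": None})  # step 1
        elif action == "sso_login":
            if stage is None:
                known.setdefault(user, set()).add(device)
            elif device not in known.get(user, set()):
                stage["device"] = device       # step 2: session on a first-seen device
        elif action == "bulk_export" and stage and stage["device"] == device:
            if e.get("rows", 0) >= min_rows:   # step 3: large export from that device
                minutes = int((ts - stage["mfa_ts"]).total_seconds() // 60)
                alerts.append({"user": user, "device": device,
                               "rows": e["rows"], "minutes_after_mfa": minutes})
                del pending[user]
    return alerts


if __name__ == "__main__":
    for alert in detect_chain(EVENTS):
        print(alert)
```

Only the account that completes all three steps inside the window is flagged; the large export from a long-known device is left for ordinary volume monitoring.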

Third-party and vendor exposure

Six of the 18 organisations tracked were intermediaries rather than the consumer brand: four in the main list and two in the earlier-intrusion section. In two cases the breach happened at a separate vendor the company had outsourced to. In four more, the breached company is itself an administrator or clearinghouse that aggregates data for many clients, hit on its own systems. The structural point holds either way: a single breach at one of these organisations reaches large numbers of people across many downstream clients.

| Breach | Type | Holds data for |
|---|---|---|
| Citizens (bank) | Breach at a separate vendor | Shared vendor with Frost Bank |
| NYC Health + Hospitals | Breach at a separate vendor | Outsourced data handling |
| Navia Benefit Solutions | Administrator, own systems | Employers (FSA, COBRA members) |
| DentaQuest | Administrator, own systems | State Medicaid programmes and members |
| Conduent | Processor, own systems | Government agencies and health plans |
| TriZetto (Cognizant) | Clearinghouse, own systems | Healthcare providers |

Conduent and TriZetto are in the earlier-intrusion section but share the same structural exposure, so they are listed here for completeness.

Healthcare concentration

Healthcare and health-adjacent organisations are the largest sector group, four of the main 15. They also look different from the rest: most were network intrusions with an undisclosed entry method rather than the vishing pattern seen across the consumer brands. One caution on reading this. Healthcare breaches are reported through the HHS Office for Civil Rights portal under a federal mandate, which makes them more visible than breaches in sectors without a disclosure requirement. Some of the lead reflects that obligation. The frequency observation still holds: healthcare and health-adjacent organisations are the most-breached group by count in 2026 so far.

Education and scale

Education appears once in the dataset, but it is the largest breach in the report by a wide margin. The Instructure breach exposed 231 million email addresses tied to the Canvas learning platform, which is used by thousands of institutions. The entry method also differed from the consumer-brand breaches: the attackers abused stolen access tokens belonging to a third-party integrator. The case shows how a single education-technology platform, by aggregating data across thousands of schools, concentrates exposure in one place. Education appears only once, so its weight in the report comes from the size of this one breach rather than from how often the sector is hit.

The claimed versus confirmed gap

The claim and the confirmed count usually diverge, with the claim higher. There are exceptions in both directions. CarGurus is the case where the leaked archive ran larger than the opening claim. Conduent is a different kind of exception: the figures that climbed there were the company’s own estimates, not a hacker’s claim, rising from 10.5 million to 25.5 million to a final 62.2 million over four months, which is why it sits outside the table below. The working rule for this report: rank on the confirmed figure, record the claim beside it, and treat both as provisional until a regulatory filing settles them.

| Breach | Claimed | Confirmed |
|---|---|---|
| Charter (Spectrum) | 42M | 4.9M |
| Panera Bread | 14M | 5.1M |
| ADT | 10M+ | 5.5M |
| Amtrak | 9.4M records | 2.1M accounts |
| Citizens (bank) | 3.4M | Disputed, “small number” |
| CarGurus | 1.7M (initial) | 12.4M (higher) |

Ransom decisions and outcomes

Nine of the 18 organisations have a known ransom decision. Seven refused, and all seven had their data published. Two paid, and neither has seen its data surface: Instructure paid around May 11 to keep 231 million records offline, and the University of Hawai’i Cancer Center bought a decryptor and a destruction promise after its ransomware attack.

| Decision | Organization | Outcome |
|---|---|---|
| Refused | Under Armour, SoundCloud, CarGurus, Panera Bread, Charter, Crunchbase, DentaQuest | Data published, 7 of 7 |
| Paid | Instructure, UH Cancer Center (implied) | No public surfacing |
| Not disclosed | Remaining 9 | Mixed: Amtrak’s data leaked anyway, Citizens had a sample posted |

One caveat is worth stating: a payment buys a deletion promise from a criminal group, not a verifiable deletion, and stolen data can resurface years later. Companies that pay quietly rarely say so, which means some of the nine undisclosed cases may be payments that never became public. The FBI and CISA also advise against paying, since every payment funds the next campaign. What the data settles is simpler: in 2026 the leak threat is real, and every public refusal was followed by a leak.

Earlier intrusions, disclosed in 2026

Three large breaches qualify on disclosure date but sit apart from the main 15 because the intrusion happened well before 2026. They are worth tracking for one reason: they show how long a major breach can stay below the surface. Conduent was intruded in October 2024 and detected in January 2025, yet its final count of 62.2 million was not filed until June 2026, a gap of about 20 months. TriZetto dates to November 2024 and was disclosed in February 2026. The University of Hawai’i Cancer Center incident occurred in August 2025 and surfaced in February 2026. The implication is direct: more 2024 and 2025 intrusions may still be disclosed, and the 2026 count should be read as a minimum.

| Organisation | Sector | Confirmed | Took place | Disclosed | Disclosure lag |
|---|---|---|---|---|---|
| Conduent | Business services | 62.2M | Oct 2024 (detected Jan 2025) | Jun 2026 (final) | About 19 months |
| TriZetto (Cognizant) | Healthcare clearinghouse | 3.4M | Nov 19 2024 | Feb 2026 | About 15 months |
| UH Cancer Center | Healthcare/research | 1.2M notified (87,493 confirmed) | Aug 31 2025 | Feb 27 2026 | About 6 months |

UH Cancer Center: 1.2 million people were notified, but only 87,493 were confirmed present in the stolen research files. The remainder were notified on the basis of decades-old driver’s-licence and voter records.

Monthly additions log

June 2026. Added DentaQuest (2.6M, disclosed June 1 to 2). Updated Conduent to its final HHS count of 62.2 million (filed June 4). Investigated and excluded Nacogdoches Memorial Hospital: the HHS portal listed 2,507,073, but the hospital’s own Maine Attorney General filing reports 257,073, below the one million threshold. The portal figure appears to be a data-entry error.

Sources and full methodology

Sources. HHS Office for Civil Rights breach portal, Have I Been Pwned, company disclosures and state Attorney General filings, and security-researcher and news reporting.

Threshold. More than one million confirmed or credibly claimed individuals, accounts or records. Incidents that are only claimed and not corroborated are tracked separately and not ranked.

Disclosure date. “Disclosed in 2026” means the public disclosure date, not the intrusion date. Three incidents whose intrusions date to 2024 or 2025, with counts confirmed in 2026, are grouped in their own section.

Counts. The confirmed figure is used for ranking where it exists. Claimed figures are recorded and flagged. Units vary by breach because organisations report differently.

Vector confidence. Confirmed means reported for that specific incident. Well-supported means attributed but resting on actor claims. Inferred means consistent with the actor’s known method but not confirmed for that breach. Undisclosed means the entry method was never made public.
