The Worst Hacks of 2026 So Far: DOGE Data, the FBI, and Infrastructure Under Siege

A year defined by who got breached, not whether

Halfway through 2026, cybersecurity has stopped being a background concern and become woven into nearly every major story of the year, from war to government dysfunction.techcrunch A mid-year tally of the worst incidents reads like a map of institutional failure: the data of nearly every living American left exposed, the FBI's own surveillance apparatus penetrated, and hackers probing the water and power systems that keep cities running.techcrunch The attacks, as one accounting put it, are getting bolder, more destructive, and harder to contain.techcrunch

The DOGE data lapse may be the largest breach in US history

A year after operatives from the Elon Musk-led Department of Government Efficiency swept through federal agencies, the fallout at the Social Security Administration is still unfolding in court.techcrunch The most alarming whistleblower claim is that DOGE uploaded a live copy of the Social Security database — containing the numbers and personal details of most living Americans — to an unsecured third-party server.techcrunch The agency has conceded it cannot verify what was on that server, and two top House Democrats warned the exposure "could very well be the largest data breach in our nation's history."techcrunch

The pressure has since intensified. The SSA's inspector general opened a review in March of an anonymous complaint about "potential misuse" of agency data by a former DOGE staffer who allegedly retained copies of sensitive databases on a personal thumb drive.npr Sen. Ron Wyden called the allegations "one of the largest known data breaches in American history," carried out "for the explicit purpose of weaponizing Americans' sensitive personal data for political gain."npr

Nation-state hackers reached the FBI and US infrastructure

In April, the FBI was forced to declare a "major cyber incident" after discovering that one of its surveillance systems had been compromised, a designation that triggered a legally required disclosure to Congress.techcrunch +1 The breached network held returns from legal process — including pen register and trap-and-trace surveillance data — and personally identifiable information on subjects of FBI investigations.politico Suspected Chinese spies were blamed, marking what one former official called an embarrassing penetration by the very adversaries the bureau is meant to track.politico

The threat to physical infrastructure has grown alongside it. After a wave of Russia-linked attacks on European power plants and water systems, US agencies warned in April that Iranian-affiliated hackers were exploiting industrial control software to target domestic energy, water, and government sectors with the intent to "cause disruptive effects."techcrunch +1 Privately owned water utilities, often lacking basic protections, remain a soft target.techcrunch