If 2026 has felt like a non-stop drumbeat of breach notifications, the numbers back up the feeling. In June, security researchers at Cybernews found a single misconfigured server holding roughly 24 billion stolen credentials – about 8.3 terabytes of usernames, passwords and login details sitting on the open internet. It was the standout in a year that has already produced some of the largest exposures on record.
Taken together, the data breaches of 2026 tell a clear story: the raw material for account takeovers is now effectively a commodity, traded and re-traded in bulk. Here is what actually leaked, who got hit, and the handful of steps that genuinely reduce your risk.
24 Billion Credentials, One Exposed Server
The June discovery was not a single company being hacked. Cybernews researchers found an unsecured Elasticsearch cluster, dated to 12 June 2026, that pulled together data from 36 different sources – Telegram channels where stolen logins are swapped, old breach compilations, and huge collections of infostealer logs. Some of it appeared to have been exported straight from live servers, and one item in the database was published as recently as February 2026, suggesting the owner was topping it up regularly. The server has since been secured and taken offline.
The scale is hard to picture, and the true number of unique victims is lower than 24 billion because the same credentials appear again and again across sources. But even heavily deduplicated, a haul like this gives attackers an enormous head start. It is also not unprecedented: in 2025 the same researchers reported a 16-billion-record trove, which means the 2026 figure is less a one-off shock than a new baseline.
What makes these mega-leaks so persistent is that they are aggregations, not single events. The same stolen login can sit in a 2022 breach compilation, a Telegram channel and a fresh infostealer log all at once, so every new dump recycles old victims alongside new ones. That is bad news for cleanup, because securing one exposed server does nothing about the dozens of copies already circulating – but it also means good password hygiene pays off across every future leak at once, not just this one.
Why Infostealer Logs Are So Dangerous
Most of the 24 billion records were infostealer logs. An infostealer is malware that silently lifts saved passwords, browser cookies and session tokens from an infected laptop or phone and ships them to whoever planted it. Because it captures live logins rather than password hashes, the data is immediately usable, and stolen session cookies can sometimes let an attacker skip the password entirely.
That fuels credential stuffing, where automated tools try leaked email-and-password pairs across hundreds of sites at once. If you use the same password on your email, your bank and a forum that got breached in 2022, a single old leak can unlock all three. This is precisely why password reuse, not weak passwords, is the vulnerability most of these dumps are built to exploit.
The Year’s Biggest Named Breaches
Beyond the credential dumps, 2026 has been rough for named institutions, as TechCrunch’s mid-year roundup lays out. In the United States, lawmakers warned that a copy of Social Security records – potentially covering most living Americans – had been mishandled inside a government efficiency programme, an incident senior legislators called potentially the largest data breach in the nation’s history. In April, the FBI declared a major cyber incident after intruders reached a surveillance system holding sensitive wiretap information.
Education and business were hit hard too. The Canvas learning platform, run by Instructure, suffered a breach exposing data on more than 30 million students and staff, with login screens defaced during exam season. A prolific extortion group also ran through a string of well-known names, including a telecoms provider with 40 million records exposed and a cruise line with at least 6 million customer records taken. In several cases the companies eventually paid a ransom.
Some of the most damaging incidents were quieter. A breach at one market-research firm exposed cloud credentials affecting around 200 downstream customers, including well-known security vendors, after attackers reused an access key issued back in 2022. Separately, a string of misconfigured systems – a hotel check-in tool, a money-transfer app, a visa service – left more than two million passports and driving licences exposed online, the kind of identity data that fuels fraud for years rather than days.
Critical Infrastructure in the Crosshairs
The most worrying trend is not about passwords at all. Across late 2025 and into 2026, attackers went after physical systems: energy grids, a thermal plant, water-treatment facilities and even a dam, in incidents across Poland, Sweden and Norway that officials attributed to Russia. In the United States, agencies repeatedly warned that Iran-linked hackers were probing critical infrastructure, particularly small water utilities that often lack basic protections. These attacks aim to disrupt the real world, not just steal data, and they are far harder for ordinary people to guard against than a leaked password.
For governments and utilities, the lesson of 2026 is that the attack surface now includes the physical plant, and that small operators with thin security budgets are the softest targets. Regulators in Europe and the United States have responded with tougher reporting rules and infrastructure-security funding, but the gap between well-defended banks and under-resourced local water boards remains one of the clearest weak points heading into the rest of the year.
AI Is Now on Both Sides of the Fight
Artificial intelligence has moved from the sidelines into the breach story itself. In one striking case, attackers hijacked tens of thousands of Instagram accounts simply by asking Meta’s AI chatbot to reset passwords to email addresses they controlled. Security teams also report that AI tools are helping attackers write more convincing phishing lures and find weaknesses faster. The same technology is powering defence – anomaly detection, automated triage and faster patching – which is part of why the model race we covered in our look at OpenAI’s new GPT-5.6 family matters well beyond chatbots. For now, though, the automation cuts both ways. Researchers warn that AI-assisted phishing is already harder to spot, with fewer of the spelling and grammar tells that used to give scams away, which raises the bar for everyone from corporate IT teams to individual users checking their inbox.
What You Can Actually Do
The headlines are alarming, but the practical defence for individuals is unglamorous and effective, as Malwarebytes and other researchers stress. Use a unique password for every account and store them in a reputable password manager, so a leak from one site cannot cascade. Turn on passkeys or two-factor authentication wherever it is offered, which makes a stolen password far less useful on its own. Keep your devices and browsers updated to blunt the infostealers doing most of the harvesting, and run a free breach-notification check on your main email address to see what has already surfaced. If a check flags an old account you no longer use, close it rather than leaving a dormant target, since abandoned accounts with reused passwords are a favourite way in. None of this is exotic, and after a year like this, it is the difference between a leaked credential being a nuisance and being a break-in.
