The Biggest Data Breaches of 2026 (So Far)

We're only a couple of months into 2026 and the data breach headlines are already piling up. Companies you've probably used, services you've probably signed up for — getting hit, leaking your data, and then quietly putting out a press release hoping nobody notices.

I track these things closely, both professionally and because — let's be real — my own data is in these breaches too. Nobody's immune.

This article is a running roundup of the most significant breaches that have happened in 2026 so far. I'll keep updating it as new ones drop. For each breach, I'll tell you what happened, what data was exposed, and most importantly, what you should actually do about it.

---

Why you should care about data breaches (even if you think you have "nothing to hide")

I hear this all the time: "I don't have anything worth stealing."

With respect — that's not how it works.

Your email and password combo from a breached shopping site? That gets tested against your bank login, your email, your social media. It's called credential stuffing, and it's automated. Attackers don't sit there typing passwords one by one. They run scripts that test millions of stolen credentials against thousands of websites in hours.

Your name, phone number, and address from a breached delivery app? That's enough for targeted phishing, SIM swapping, or identity fraud.

Your date of birth and social security number from a breached healthcare provider? That's full-blown identity theft territory.

Data breaches aren't just an IT problem. They're a you problem.

---

Major breaches reported in 2026

Substack (January 2026)

Substack notified users that a breach affected nearly 700,000 accounts. The leaked data reportedly included email addresses and account metadata. While passwords were reportedly not included, email addresses linked to Substack accounts could be used for targeted phishing.

What to do: Be suspicious of emails claiming to be from Substack, especially ones asking you to click links or enter credentials. Enable 2FA on your Substack account if you haven't already.

UPenn donor database (February 2026)

The University of Pennsylvania disclosed a breach involving approximately 1.2 million records from their donor database. Reports suggest that information about high-profile donors was included. The exact scope of leaked personal data is still being assessed.

What to do: If you've ever donated to UPenn or interacted with their fundraising, monitor your financial accounts for unusual activity and consider placing a fraud alert with credit bureaus.

Global-e / Ledger customer targeting (Early 2026)

Hackers are reportedly using data from the Global-e breach to physically target Ledger hardware wallet owners — at their home addresses. This is an escalation from digital attacks to real-world threats against crypto holders.

What to do: If you've ever purchased a Ledger device, be extra cautious about any unsolicited mail, packages, or visitors. Consider setting up a PO Box for future crypto-related purchases.

Wired / Condé Nast (Late 2025, disclosed 2026)

A breach affecting approximately 2.3 million records from Wired magazine's parent company, Condé Nast, came to light. The compromised data may include subscriber information.

What to do: Change passwords for any Condé Nast properties you're subscribed to (Wired, GQ, Vanity Fair, etc). Monitor for phishing emails pretending to be from these brands.

---

How to check if you're affected

Run your email addresses through these tools:

Have I Been Pwned (haveibeenpwned.com) — The most comprehensive breach database. It'll tell you which specific breaches your email appeared in.

Mozilla Monitor (monitor.mozilla.org) — Same underlying data, cleaner interface, with ongoing email alerts for future breaches.

Your password manager's breach checker — Bitwarden, 1Password, NordPass, and others have built-in features that flag credentials found in known breaches.

If any of your credentials show up, change those passwords immediately. And if you were using the same password on other accounts (be honest with yourself), change those too.

---

What to do every time a major breach happens

I've developed a personal checklist that I follow every time a significant breach makes the news. You can adopt it too:

Check if you had an account with the breached service. Search your email for any signup confirmations or correspondence from the company.

Change the password for that service. Even if they say passwords weren't included in the breach, change it anyway. Companies don't always have full visibility into what was taken.

Check if you reused that password anywhere else. If you did, change it on every other site where it was reused. This is the number one way breaches cascade into bigger problems.

Enable 2FA wherever possible. Two-factor authentication means a stolen password alone isn't enough to get into your account.

Watch for phishing emails. After a breach, scammers often send fake "security alert" emails pretending to be from the breached company. These emails try to get you to click links and enter your credentials on fake login pages. Always go directly to the website instead of clicking email links.

Monitor your financial accounts. If the breach included financial data, payment info, or identity documents, set up alerts on your bank and credit card accounts. Consider a credit freeze if the exposure was severe.

---

This article will be updated

Data breaches don't stop, and neither will this list. I'll keep adding notable breaches as they're confirmed throughout 2026, along with what was exposed and what you should do.

If you want to stay ahead of this without checking back manually, sign up for alerts on Have I Been Pwned. It takes 30 seconds and it's free.

The reality is that we can't stop companies from getting hacked. What we can control is how prepared we are when it happens. Strong unique passwords, two-factor authentication, and breach monitoring aren't overkill — they're the minimum.

Stay sharp.