negligent
Between April 18-20, 2026, Vercel suffered a data breach originating from a compromise of Context.ai, a third-party AI productivity tool. A Context.ai employee downloaded malware (Lumma Stealer), leading to credential theft and OAuth token compromise that gave attackers access to Vercel internal systems. Approximately 580 employee records, API keys, database credentials, source code, internal dashboards, and limited customer credentials were compromised. An attacker claiming to be 'ShinyHunters' demanded a $2 million ransom. CEO Guillermo Rauch said the attack was 'significantly accelerated by AI.'
negligent
In March 2026, T-Mobile confirmed a data breach affecting 47.8 million people including current, former, and prospective customers. Approximately 7.8 million current postpaid customer records were stolen, ~40 million former/prospective customer records, and 850,000 active prepaid customers had phone numbers and account PINs exposed. Exposed data included names, dates of birth, Social Security numbers, and driver's license/ID information. T-Mobile discovered the breach through an online forum post and shut down the leak.
On February 19, 2026, a federal grand jury indicted three Iranian national engineers for stealing trade secrets from Google and transferring sensitive processor security and cryptography data to Iran. The engineers allegedly copied hundreds of files to personal devices and a third-party platform. One took photos of another company's Snapdragon SoC secrets the night before traveling to Iran. Google detected the theft through routine security monitoring and referred the case to law enforcement.
negligent
A bug (CW1226324) allowed Microsoft Copilot Chat to read and summarize customers' confidential emails without permission for approximately four weeks (January 21 to mid-February 2026). Emails marked with confidentiality labels and protected by DLP policies were incorrectly processed across Word, Excel, and PowerPoint. Affected organizations included the UK's National Health Service. Microsoft did not disclose the number of affected customers or what data was accessed. This was the second trust boundary violation in eight months, following CVE-2025-32711 'EchoLeak' in June 2025 (CVSS 9.3).
On February 10, 2026, PayPal disclosed a data breach affecting approximately 100 PayPal Working Capital loan applicants due to a software coding error. Personal data including Social Security numbers, dates of birth, and business contact information was exposed from July 1 to December 13, 2025. Some customers experienced unauthorized transactions and received refunds. PayPal offered 2 years of free credit monitoring through Equifax.
Cisco released a patch for a critical vulnerability affecting its Unified Communications and WebEx products that allowed remote code execution. The vulnerability was actively exploited in the wild before the patch was released, representing a significant security risk to enterprise communications infrastructure.
Microsoft issued out-of-band security patches for a high-severity Microsoft Office zero-day vulnerability tracked as CVE-2026-21509, with a CVSS score of 7.8 out of 10.0. The vulnerability allows attackers to bypass document security checks and is being actively exploited in the wild via malicious files. The emergency patch was released outside Microsoft's normal Patch Tuesday schedule due to active exploitation.
$186.0M
The FTC announced a proposed order to settle allegations that cryptocurrency company Nomad (Illusory Systems Inc.) failed to implement adequate security measures leading to a breach in which hackers stole $186 million from customers. The FTC alleged that Nomad prominently touted its security in advertising, claiming 'security-first' services, but failed to live up to these promises by failing to use secure coding practices, implement processes for receiving and addressing vulnerability reports, respond to security incidents, or utilize widely known technologies that might have helped mitigate consumer losses.
negligent
On January 21, 2026, Cisco disclosed a critical code injection vulnerability (CVE-2026-20045, CVSS 8.2) affecting Unified Communications Manager, Webex Calling, and related products that was actively exploited as a zero-day before a patch was available. The vulnerability allowed attackers to send crafted HTTP requests to obtain user-level access to the underlying operating system and escalate privileges to root. Cisco's PSIRT was aware of attempted exploitation in the wild. The U.S. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and gave federal agencies until February 11, 2026 to deploy updates. The zero-day status indicates attackers discovered the vulnerability before Cisco's security teams, representing a failure to identify and remediate critical vulnerabilities before exploitation.
negligent
Crunchbase confirmed it was hacked in January 2026 after the cybercriminal group ShinyHunters published samples of stolen data. The company stated it detected a cybersecurity incident in which a threat actor exfiltrated certain documents from its corporate network. Investigators linked the attack to a broader ShinyHunters campaign focused on voice phishing targeting Okta single sign-on credentials, with similar techniques tied to recent breaches at SoundCloud and Betterment.
Nike disclosed it is investigating unauthorized access that resulted in the extraction of approximately 1.4 terabytes of internal data. The incident involves a large volume of files taken from internal systems, which signals sustained access rather than a short-lived intrusion. The breach represents a significant compromise of Nike's internal systems and data.
negligent
A widespread malware campaign abused Google's Chrome Web Store for months, exposing private AI chatbot conversations and browsing data from roughly 900,000 users. The campaign involved two malicious browser extensions identified as 'ChatGPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI' and 'AI Sidebar with DeepSeek, ChatGPT, Claude.' The extensions remained available in the Chrome Web Store despite the security vulnerabilities.
compelled
In January 2025, the US Supreme Court unanimously upheld the Protecting Americans from Foreign Adversary Controlled Applications Act, requiring ByteDance to divest TikTok by January 19, 2025 or face a ban. The court found the law sufficiently tailored to address national security concerns over data collection practices by a foreign adversary affecting 170 million US users. TikTok briefly went dark for US users on January 18-19 before Trump issued executive orders delaying enforcement. A consortium including Oracle, Silver Lake, and MGX eventually acquired 80% of TikTok US operations in a deal that closed January 2026.
A ransomware attack in January 2025 on government contractor Conduent exposed data of over 25 million individuals across multiple states: 15.4 million in Texas (initially disclosed as 4 million), 10.5 million in Oregon, plus hundreds of thousands in Delaware, Massachusetts, and other states. Compromised data included names, Social Security numbers, medical records, health insurance information, and treatment history. The ransomware gang 'Safeway/SafePay' stole 8+ TB of data. Texas AG Ken Paxton called it potentially the 'largest healthcare data breach in US history.' More than 10 class action lawsuits have been filed.
negligent
The UK Information Commissioner's Office fined 23andMe £2.31 million for failing to adequately protect UK customers' personal data in the 2023 data breach that exposed genetic and ancestry information.
negligent
In January 2025, Oracle Cloud suffered a significant security breach exploiting a Java vulnerability. An attacker deployed malware into Oracle's Identity Manager database, exfiltrating sensitive authentication data including usernames, hashed passwords, SSO credentials, and LDAP passwords from over 140,000 Oracle Cloud tenants. Multiple lawsuits filed in March-April 2025 alleged Oracle intentionally withheld information about the breaches, with substantial delays violating mandatory notification requirements.
negligent $355.0M
A data breach at Coinbase occurred on December 26, 2024 but wasn't detected until May 11, 2025. Overseas support personnel were bribed to access internal systems and steal customer information including names, Social Security numbers, bank details, and transaction histories. The breach affected 69,461 customers. Coinbase recorded $355 million in costs across Q2-Q3 2025. TaskUs, which had provided customer service personnel since 2017, laid off 226 staff in India connected to the breach.
negligent
In November 2024, T-Mobile confirmed it was targeted by the Salt Typhoon Chinese state-sponsored hacking campaign that breached multiple US telecommunications companies. The attack potentially exposed call logs, text messages, and surveillance request records for targeted individuals. The campaign highlighted systemic infrastructure security weaknesses across US telecom networks and raised national security concerns about foreign access to sensitive communications data.
negligent
Northeastern University research published in November 2024 revealed that Lyft unintentionally sent driver and applicant Social Security Numbers to TikTok and Meta. Lyft shared unsalted hashes of workers' SSNs with Facebook (Meta) and TikTok when applicants used the desktop website. The company had added tracking pixels provided free by Meta and TikTok for web traffic analysis, but these pixels inadvertently collected data from private application web forms and sent it directly to the social media companies. The issue was only discovered when researchers applied for driver positions via the desktop website. It represents a major privacy vulnerability in the driver onboarding process.
The Wikimedia Foundation adopted a formal Human Rights Policy in December 2021 embedding privacy protection into its mission. In November 2024, the Foundation launched temporary accounts to replace IP-based editing, providing better privacy protection for logged-out editors while maintaining accountability. The Foundation practices data minimization, collects very little personal information, and does not sell user data. It maintains a Country and Territory Protection List limiting data publication for at-risk regions, updated in January 2024. The Foundation also adopted differential privacy techniques in partnership with Tumult Labs to release 8 years of pageview data while protecting individual users.