The Worst Data Breaches of 2026 So Far — and the Honest Limits of a VPN

The Worst Data Breaches of 2026 So Far — and the Honest Limits of a VPN
Every year the breach headlines get louder, and 2026 has been a particularly bad one. The victims range from fast-food applicants to federal surveillance systems, and the stolen data includes things that can't be reset like a password: facial-recognition profiles, medical records, and the private targets of government wiretaps. So it's fair to ask the question we hear constantly — would a VPN have helped? The honest answer is nuanced, and this article gives it to you straight after walking through what actually happened.
The breaches that defined 2026
Drawing on reporting including TechCrunch's running tally of the year's worst incidents, a few stand out — not just for scale, but for what the stolen data reveals.
The FBI's surveillance system. In April, the Bureau declared a "major cyber incident" after attackers — reportedly Chinese state-linked — breached an unclassified network holding sensitive information about surveillance targets, including people under wiretaps and other intercepts. When the watchers get watched, the exposure is uniquely dangerous.
Madison Square Garden Entertainment. After declining to pay a ransom, MSG saw more than 26 million records published — and the leak included facial-recognition surveillance data and guest threat-assessment profiles generated by the surveillance apparatus at its venues.
McDonald's. A security oversight in an AI hiring chatbot exposed the personal information of more than 64 million job applicants — one of the year's clearest examples of AI systems becoming a fresh source of breach risk.
One Medical (owned by Amazon). The company confirmed unauthorized access to a third-party file-storage system holding legacy patient records — roughly 8.8 terabytes of data.
Government and civil infrastructure. France's sovereign chat app for civil servants was compromised through a hijacked account (a claimed 73,000 accounts and 650,000 messages), and the U.S. National Association of Insurance Commissioners was hit for 3.1 terabytes across more than 105,000 files.
Notice the common thread: in almost every case, the data was stolen from a server the victim didn't control — an employer's database, a hospital's storage vendor, a venue's surveillance system, a government network. That detail is the key to understanding what a VPN can and cannot do.
The uncomfortable truth: a VPN would not have stopped any of these
A VPN encrypts the traffic between your device and the VPN server, and it hides your IP address. That's it. It is a tool for protecting data in transit across a network you don't trust. It does nothing for data at rest on someone else's computer.
When McDonald's exposes applicant records, when One Medical's storage vendor is breached, when MSG's surveillance database is dumped — your information was sitting on their infrastructure. It doesn't matter what tunnel you used to submit it months earlier; once it's in their database, your VPN has no reach there at all. Any provider claiming a VPN would have saved you from these breaches is selling a fantasy, and you should distrust the rest of their marketing too.
A VPN protects the road your data travels on. It cannot protect the building your data is stored in once it arrives.
What a VPN genuinely does protect against
None of that makes a VPN pointless — it just means using it for the right threats. A good, audited no-logs VPN meaningfully protects you when:
You're on untrusted Wi-Fi. At an airport, café, or hotel, a VPN stops anyone on the same network from intercepting your traffic or running a man-in-the-middle attack.
You want your ISP out of your business. Your provider can see and log every domain you visit; a VPN hides your browsing from them and from anyone who later requests those logs.
You're reducing passive tracking. Masking your IP address breaks one of the identifiers advertisers and data brokers use to tie your activity together across sites.
You're crossing hostile or censored networks. On networks that block or monitor content by IP, a VPN restores access and confidentiality.
It's telling that more than 40% of internet users now rely on privacy tools like VPNs or ad blockers. Used for these transit-layer threats, a VPN earns its place. The mistake is expecting it to defend data you've already handed to a third party.
What actually protects you from the fallout of a breach
Since you can't control a company's security, the real defense is limiting how much a breach can hurt you when — not if — one of the services you use gets hit.
Use a unique password for every account. Reused passwords turn one breach into ten. A password manager makes this effortless, and it's the single highest-impact habit on this list.
Turn on two-factor authentication — ideally passkeys. Even a leaked password is far less useful to an attacker when a second factor stands in the way. Phishing-resistant passkeys are the strongest option where they're offered.
Check whether your credentials are already exposed. Services built on the Have I Been Pwned dataset — including the free password check on this site — let you test a password against billions of breached records without ever sending the password itself.
Minimize what you hand over. The data a company never collected can't be stolen from it. Skip optional fields, use email aliases, and think twice before feeding personal details into an AI chatbot — McDonald's showed exactly how that ends.
Freeze your credit and watch your accounts. For the breaches involving identity data, a credit freeze is free and blocks the most common downstream fraud. Set up alerts so you notice misuse early.
The bottom line
2026's breaches are a reminder that most of your exposure lives on infrastructure you'll never touch. A VPN is a genuinely useful tool for the threats it was built for — untrusted networks, nosy ISPs, IP-based tracking and censorship — and a poor fit for the ones it wasn't. Buy it for the right reasons, layer it with unique passwords, strong second factors, and data minimization, and you'll be far better protected than the marketing shortcuts suggest. Honesty about a tool's limits is what makes the tool worth trusting.
Frequently Asked Questions
Would a VPN have prevented the 2026 data breaches?
No. Breaches like McDonald's, One Medical, and MSG stole data from the companies' own servers, where it was stored after you submitted it. A VPN only protects traffic in transit between your device and the VPN server; it has no reach into a third party's database. Anyone claiming a VPN would have prevented these breaches is misrepresenting what the tool does.
What was the biggest data breach of 2026 so far?
Several were enormous. McDonald's exposed more than 64 million job applicants through an AI hiring chatbot, One Medical had roughly 8.8 terabytes of legacy patient records accessed, and Madison Square Garden Entertainment had over 26 million records — including facial-recognition data — published after refusing to pay a ransom. The FBI's April breach of a surveillance system was among the most sensitive.
What does a VPN actually protect against?
A VPN protects data in transit: it encrypts your traffic on untrusted Wi-Fi, hides your browsing from your ISP, masks your IP address to reduce passive tracking, and restores access on censored or IP-blocked networks. It does not protect data at rest on a company's servers, so it can't stop a breach of a service you've shared data with.
How can I tell if my data was in a breach?
Use a service built on the Have I Been Pwned dataset, such as the free pwned-password check on this site, which lets you test a password against billions of leaked records using a privacy-preserving method that never transmits the full password. Also watch for breach-notification emails from services you use, and monitor your accounts and credit for unexpected activity.
What is the single most effective thing I can do to limit breach damage?
Use a unique password for every account, stored in a password manager. Reused passwords let attackers turn one breach into access to many of your accounts through credential stuffing. Pairing unique passwords with two-factor authentication — ideally phishing-resistant passkeys — blocks the most common way a leaked credential gets exploited.



