Hello and welcome back to The Breach Report!
February 2026 was a month of high-stakes pressure, defined by a "double-down" strategy from threat actors. While global ransomware volumes showed a slight stabilization, the impact per attack skyrocketed. Attackers pivoted from simple data theft to "operational extortion" — specifically targeting payment gateways, healthcare infrastructure, and high-end hospitality to create immediate, public-facing chaos.
This month proved that the "Identity Crisis" in the cloud is accelerating. From insiders being manipulated at major crypto exchanges to the first sightings of AI-embedded malware on mobile devices, February 2026 sent a clear message: the tools we use to manage our digital lives are now the primary weapons used against us.
Follow along and subscribe to stay ahead of the latest cyber threat and data breach developments.
🚨 Top 7 Data Breaches of February 2026
1. Wynn Resorts: The 800,000 Record Hospitality Breach
What happened: Luxury giant Wynn Resorts was listed on a public ransomware leak site in mid-February after the ShinyHunters group claimed responsibility for a deep system intrusion.
Impact: Approximately 800,000 sensitive records were compromised, including guest names, contact information, and internal corporate documents.
Lesson: High-end hospitality remains a "Tier-1" target for extortion because the reputational damage of a VIP data leak is often more expensive than the ransom itself.
Source: Read More
2. Panera Bread: The 5.1 Million Record Fallout
What happened: In a major February update, Panera Bread faced multiple class-action lawsuits after the ShinyHunters group leaked a 760MB archive of customer data.
Impact: The breach exposed the personal contact information (names, emails, physical addresses) of 5.1 million user accounts.
Lesson: Retaliatory leaks are becoming the norm. If a company refuses to pay, attackers are now faster to "dump" data publicly to fuel legal and regulatory pressure.
Source: Read More
3. CarGurus: 12 Million Users Exposed
What happened: The online automotive marketplace CarGurus disclosed a massive security incident involving unauthorized access to user account data.
Impact: Over 12 million users were impacted, with names, email addresses, and hashed passwords exposed.
Lesson: Automotive platforms are gold mines for "Identity Graphing" — attackers use this data to link emails to physical locations and vehicle ownership for high-value phishing.
Source: Read More
4. BridgePay: The National Payment Outage
What happened: A ransomware attack crippled BridgePay, a major payment vendor, in early February. The outage was so severe it forced businesses across the U.S. to revert to cash-only transactions.
Impact: Nationwide disruption of bill payment services and the potential compromise of consumer financial metadata.
Lesson: We are increasingly dependent on "Invisible Infrastructure." A breach at a payment processor can halt physical commerce for thousands of small businesses instantly.
Source: Read More
5. University of Mississippi Medical Center (UMMC): Statewide Shutdown
What happened: A mid-February ransomware attack hit UMMC, forcing the closure of clinics and the cancellation of surgeries across the state.
Impact: Attackers encrypted Electronic Health Records (EHR) and exfiltrated sensitive patient data, forcing staff to use manual paper processes for weeks.
Lesson: Healthcare is the most "time-sensitive" sector. Attackers know that every hour of downtime puts lives at risk, making it the highest-pressure environment for extortion.
Source: Read More
6. Coinbase: The Insider Support Tool Breach
What happened: Coinbase confirmed in February that attackers successfully manipulated or bribed insiders to gain access to internal support tools.
Impact: Attackers used these tools to view customer account metadata and take screenshots of internal dashboards.
Lesson: Social engineering has moved from "tricking" employees to "recruiting" them. Internal "God Mode" tools are a massive liability without strict multi-party authorization.
Source: Read More
7. Odido: 6.2 Million Records (The Third-Party Supplier Link)
What happened: Dutch telecom provider Odido disclosed that unauthorized access to a third-party supplier's environment exposed its customer database.
Impact: Personal information for 6.2 million customers was exposed, including subscription details and contact info.
Lesson: The "Vendor Chain" is where the most data is lost. You can have world-class security, but if your marketing or support vendor doesn't, your data is gone.
Source: Read More
🖥️ Industry Highlights: What’s in the Hot Seat
Remote Access Vulnerabilities: CISA added multiple flaws in BeyondTrust and Ivanti to the KEV catalog this month. These remote-access "gateways" are currently the #1 target for gaining a privileged foothold inside a network.
The "Zero-Day" Tail: LexisNexis confirmed a breach this month caused by the Reach2Shell vulnerability — a flaw discovered months ago. Organizations are still struggling to patch legacy infrastructure.
Telecom Under Fire: The FCC issued a "4x Attack Rise" alert for the telecom sector, noting that hackers are increasingly targeting the backbone of our communications for national espionage.
🛡️ Pro Tips & Tools
Kill "God Mode" Support Tools: Implement "Just-in-Time" (JIT) access for internal support staff. No one should have permanent access to customer dashboards.
Secure the "Cloud Backup": Multiple breaches this month (including Marquis Health) started with compromised cloud backup credentials. Ensure backups are immutable and require separate MFA from the main network.
Verify Third-Party APIs: Audit every vendor that has an API connection to your customer database. If they don't use modern OAuth or haven't rotated keys in 90 days, cut the connection.
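One way to put the third tip into practice, as an added example that is not from the report: given an inventory of vendor connections, the script flags any vendor that reaches the customer database over a non-OAuth credential or one not rotated in the last 90 days. The vendor names, fields and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

MAX_KEY_AGE_DAYS = 90        # rotation window the tip recommends
MODERN_AUTH = {"oauth2"}     # auth types accepted as "modern OAuth"
AS_OF = date(2026, 2, 28)    # audit date (constructed)

@dataclass
class VendorConnection:
    vendor: str
    auth_type: str             # e.g. "oauth2" or "static_api_key"
    last_rotated: date         # when the credential was last rotated
    touches_customer_db: bool  # does this connection reach customer data?

def audit_vendor(conn, as_of=AS_OF, max_age_days=MAX_KEY_AGE_DAYS):
    """Return (action, reason); action is 'cut' or 'keep'."""
    if not conn.touches_customer_db:
        return "keep", "no access to customer database"
    problems = []
    if conn.auth_type not in MODERN_AUTH:
        problems.append(f"legacy auth ({conn.auth_type})")
    age_days = (as_of - conn.last_rotated).days
    if age_days > max_age_days:
        problems.append(f"credential {age_days} days old (> {max_age_days})")
    if problems:
        return "cut", "; ".join(problems)
    return "keep", f"oauth2, rotated {age_days} days ago"

def audit_all(connections, as_of=AS_OF):
    """Map vendor name -> (action, reason) for the whole inventory."""
    return {c.vendor: audit_vendor(c, as_of) for c in connections}

# Constructed sample inventory: hypothetical vendors, not real ones.
SAMPLE_INVENTORY = [
    VendorConnection("marketing-platform", "static_api_key", date(2025, 6, 1), True),
    VendorConnection("support-desk", "oauth2", date(2025, 10, 15), True),
    VendorConnection("analytics-export", "oauth2", date(2026, 1, 20), True),
    VendorConnection("status-page", "static_api_key", date(2024, 1, 1), False),
]

def run_sample_audit():
    return audit_all(SAMPLE_INVENTORY)

if __name__ == "__main__":
    for vendor, (action, reason) in run_sample_audit().items():
        print(f"{action.upper():4} {vendor}: {reason}")
```

Connections that never reach the customer database are left alone; everything else must be OAuth and rotated within the window or it is marked for cutting.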
⚠️ Emerging Threats to Watch
PromptSpy Malware: Researchers discovered the first Android malware that embeds Google Gemini AI directly into its code. It uses AI to dynamically generate "deceptive overlays" to prevent users from uninstalling it.
"Reach2Shell" Persistence: This critical RCE (Remote Code Execution) is being used to deploy "Logic Bombs" that remain dormant in servers for months before activating.
Baggage System Hijacking: As seen with Japan Airlines, attackers are targeting non-critical systems (like lost luggage claim platforms) to harvest passenger names and travel details for highly targeted phishing.
💡 Final Thoughts
February 2026 served as a powerful reminder that in our hyper-connected ecosystem, the "Perimeter" is no longer a wall — it’s a web.
Whether it was a bribed insider at a crypto exchange, an unpatched legacy server at a medical center, or a third-party payment vendor causing a nationwide retail blackout, the common thread this month was unmanaged trust. Attackers have realized that the most efficient way to bypass a multi-million dollar security stack is to simply target the "trusted" entities that already have the keys.
As we look toward March, the fundamental question for security leaders must shift. It is no longer enough to ask, "Are our systems secure?" Instead, we must ask:
"Who else has the keys to our data?"
"What happens to our business if our most critical partner goes dark?"
"Are we monitoring the behavior of our 'trusted' users as closely as we monitor external threats?"
In 2026, cyber resilience isn't just about building higher walls; it’s about assuming the walls have already been breached and designing systems that can survive — and stay operational — in a state of constant compromise.
Stay vigilant, stay proactive — and we’ll bring you the March report next month.
Until then,
