Skip links
June 2026 Cyber Attacks & Data Breaches- Full Monthly Threat Report

June 2026 Cyber Attacks & Data Breaches: Full Monthly Threat Report

Cybersecurity Insights June 2026: Key Threats, Data Breaches, Ransomware & Security Insights

June 2026 was one of the busiest months of the year for cybercrime. Microsoft shipped its largest-ever Patch Tuesday, a 24-billion-record credential database sat exposed on the open internet, and ransomware gangs listed 721 new victims worldwide. In this report, we break down the June 2026 cyber attacks, data breaches, and threat trends that matter most to businesses — and what small companies and large enterprises should each be doing about it right now.

June 2026 Cybersecurity Snapshot

Cybercriminal activity remained persistent throughout June 2026, with ransomware groups continuing to target organizations worldwide while threat actors increasingly focused on identity compromise, software supply chains, cloud-connected environments, and critical infrastructure.

Key Global Statistics

Ransomware Activity Continues at Scale

721 publicly disclosed ransomware victims were recorded globally in June 2026, continuing the elevated pace seen through the year, with the US still the single most-targeted country.

Zero-Day Vulnerabilities and Critical Security Flaws

Phishing Campaigns Continue to Evolve

Data Records Exposed

Why Ransomware Remains a Top Threat

Organizations continue to face ransomware risks because threat actors increasingly combine multiple attack methods to maximize financial pressure.

Common Attack Methods

Top Affected Regions: June 2026 Cyber Attacks by Geography

North America (US & Canada): Novo Nordisk, ServiceNow, Oracle PeopleSoft breaches, GrayRobinson, Alcott HR, Texas government systems, and Eastman Kodak (US); Mount Royal University and London Hydro (Canada).

Europe: University of Nottingham breach, Council of Europe incident, France's Tchap messaging app hack, and a NAIC/rating-agency disruption affecting Moody's, S&P, Fitch, and KBRA.

Asia-Pacific: Tata Electronics breach (India), KDDI — 14.2 million accounts exposed (Japan), and a Nintendo disruption.

Africa: South African Police Service — medical records of 3,000 officers leaked.

Global Impact Overview – June 2026

1. Education

The University of Nottingham confirmed a breach after hackers leaked stolen data online, and Mount Royal University's website and phone systems were knocked offline by a cyberattack.

2. Healthcare

Novo Nordisk faced a $25M extortion attempt over stolen clinical trial data. DentaQuest exposed roughly 2.6 million accounts. Amazon One Medical, iRhythm Technologies, and One Medical Seniors also disclosed breaches, alongside Chinese state-backed hackers targeting REDCap medical research servers.

3. Manufacturing

Tata Electronics, a key Apple and Tesla supplier, confirmed a breach after Hunters International leaked its files. Bajaj Auto disclosed a ransomware attack disrupting IT systems.

4. Information Technology

ServiceNow disclosed a customer data exposure. A Klue OAuth breach cascaded into Salesforce and LastPass. Oracle confirmed a PeopleSoft zero-day exploited across 100+ organizations.

5. Professional Services

GrayRobinson law firm exposed data on 65,000+ people. Silent Ransom Group ran fake IT-support calls targeting law firms. Alcott HR disclosed an employee data breach.

Top 5 Major Cybersecurity Incidents in May 2026

1. GitHub Breached

Employee Device Hack Exposes 3,800+ Internal Repos GitHub is investigating a breach in which the hacking group TeamPCP allegedly stole thousands of internal repositories after compromising an employee's device through a malicious VS Code extension. The same group is linked to supply chain attacks that infected popular software packages with credential-stealing malware. The stolen data is reportedly being offered for sale online.

2. Threat Actors Exploit Critical FortiClient EMS Flaw to Deploy Credential Stealer

Threat actors actively exploited a critical Fortinet FortiClient EMS vulnerability (CVE-2026-35616) to distribute credential-stealing malware across managed enterprise devices, abusing FortiClient's trusted management system to push malicious PowerShell scripts disguised as legitimate updates.

3. WhatsApp VBScript Campaign Uses Fake Documents to Install ManageEngine RMM Tool

A malware campaign used compromised WhatsApp accounts to send malicious VBScript (.vbs) files disguised as business and financial documents, installing legitimate Remote Monitoring and Management (RMM) software to give attackers remote access.

4. Hackers Actively Exploit Gravity SMTP WordPress Plugin Flaw on 100,000+ Sites

Threat actors mass-exploited CVE-2026-4020, an unauthenticated information disclosure bug in the Gravity SMTP plugin, to steal API keys, OAuth tokens, and email service credentials. Wordfence blocked more than 17 million exploitation attempts, with a single-day peak of 4 million attempts on June 7.

5. Texas Government Vendor Breach Exposes 3 Million Driver's Licenses and Passport Numbers

The Texas Parks and Wildlife Department disclosed that a breach at its hunting/fishing license system vendor exposed driver's license numbers, passport numbers, and contact details for more than 3 million people.

Analysis & Trends: What Defined Cybersecurity in June 2026

Identity-based attacks continued to dominate.

OAuth token abuse (the Klue → Salesforce/LastPass cascade), credential theft, and social engineering remained the primary entry point into enterprise environments.

Exploitation of critical vulnerabilities stayed elevated

Microsoft's largest-ever Patch Tuesday landed alongside active exploitation of an Oracle PeopleSoft zero-day affecting 100+ organizations.

Supply-chain and developer ecosystem threats increased.

Fallout from the "Megalodon" GitHub campaign (5,500+ repos compromised) continued cascading into downstream organizations.

Manufacturing and OT convergence drew fresh scrutiny

The Tata Electronics and Bajaj Auto breaches marked a broader shift from pure data theft toward operational disruption risk in industrial environments.

Large-scale data exposure remained a major concern.

The 24-billion-record Elasticsearch exposure, plus KDDI and DentaQuest, added to a heavy month for healthcare and telecom data.

RSecurity’s Perspective: What This Means for You

For Small Businesses

Key Risks

What You Should Do

For Large Businesses

Key Risks

What You Should Do

June 2026 demonstrated that ransomware, identity-based attacks, supply-chain compromises, and large-scale data breaches continue to dominate the global threat landscape.

Need help assessing your organization's exposure to the threats covered in this report? Contact RSecurity for a cybersecurity risk assessment, penetration testing, or CISO-as-a-Service support.

Visit Linkeldn for more

FAQs

How many ransomware attacks happened in June 2026?

721 publicly disclosed ransomware victims were recorded globally in June 2026, with the United States remaining the most-targeted country.

The largest single exposure was a publicly accessible Elasticsearch database containing 24 billion stolen credential records (8.3TB). Among confirmed corporate breaches, KDDI’s exposure of roughly 14.2 million accounts in Japan was the largest.

Microsoft’s June 2026 Patch Tuesday — the largest in the program’s history — fixed 200 vulnerabilities, including an actively exploited Exchange Server flaw (CVE-2026-42897) that let attackers hijack Outlook Web Access sessions via crafted email.

Healthcare, education, manufacturing, IT, and professional services all recorded significant incidents, with healthcare seeing the highest volume of confirmed breaches (Novo Nordisk, DentaQuest, One Medical, iRhythm, and REDCap).