2026’s most damaging hacks hit DOGE, FBI, energy and water systems

The year’s biggest cyber failures traced the same fault line: trusted systems were left open, and ordinary people absorbed the risk.

Lisa Park

1. DOGE’s Social Security spill

The deepest wound came from inside the government, where whistleblower complaints and court filings described DOGE workers with unauthorized access to Social Security data, use of an unapproved third-party service, and behavior that could have carried sensitive records outside the agency. The data at issue sat in SSA systems that hold health diagnoses, income, banking information, family relationships and biographic details on hundreds of millions of people, and one whistleblower said more than 300 million Americans’ Social Security data had been put at risk after being uploaded to a cloud account outside oversight. For older adults, disabled Americans and families living paycheck to paycheck, this is not a theoretical breach: it is the kind of failure that can fuel identity theft, benefits fraud and years of anxiety around some of the most essential records in the federal system.

2. Water and energy systems were attacked at the control layer

The next failure was not a single stolen file but a direct assault on the infrastructure that keeps neighborhoods running. On April 7, a joint advisory from EPA, FBI, CISA, NSA, the Energy Department and Cyber Command warned that Iranian-affiliated actors were exploiting internet-facing programmable logic controllers, including Rockwell Automation and Allen-Bradley devices, across water, wastewater, energy and government systems. Officials said the activity had already caused PLC disruptions, configuration wiping, software-based sensor tampering, HMI disruption, operational interruption and financial loss, which is why this kind of attack should be read as a public-health threat as much as a cybersecurity problem. When drinking water systems are pushed offline or destabilized, the impact reaches hospitals, schools, small businesses and entire communities that cannot simply switch to another source.

3. The FBI’s surveillance network was breached through a vendor path

The FBI’s own surveillance systems showed how fragile federal defenses remain when attackers move through trusted third parties instead of smashing through the front door. The bureau told Congress in early March that it was investigating suspicious activity on an internal system, and by April 1 it had classified the intrusion as a major cyber incident after a suspected China-linked breach of an unclassified network that stored pen register and tap-and-trace data, wiretap returns, FISA warrant information and phone numbers tied to active targets. Reporting said the access came through a commercial internet service provider’s vendor infrastructure, and that matters because a breach in a law-enforcement system can expose who is under investigation, how networks of associates are mapped and where national-security operations are most vulnerable. The pattern is clear: after years of warnings and spending, the weakest seams are still the ones most Americans rely on for safety, privacy and basic trust.

This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under. Read our full AI policy.
