
February 2026 brought a series of significant data breaches spanning automotive, aviation, hospitality, finance, telecom, and media. The incidents were not driven by a single attack method. Some resulted from credential stuffing, others from ransomware and extortion tactics, and several from inadequate third-party access controls. What connects them is the scale of exposure and the sensitivity of the data involved. Millions of customer records, account credentials, and personal identifiers were compromised across multiple cases.

This roundup breaks down the most significant data breaches reported in February 2026, explaining what happened, what data was exposed, how organisations responded, and the key lessons security teams can act on.

February Top Data Breaches 2026

1. Substack Data Breach Exposed Subscriber Emails and Phone Numbers

Incident Overview:

Substack disclosed a security incident in which unauthorized access led to the exposure of certain subscriber contact details. The breach did not involve a full compromise of its core infrastructure but resulted in the extraction of user data, primarily emails and phone numbers. Reports indicated that the exposure may have been linked to unauthorized access to internal systems or a third-party service integration.

What Data Was Exposed:

The exposed information included:

  • Email addresses
  • Phone numbers

There was no confirmed exposure of passwords, payment card data, or full financial records in the same incident.

Number of Affected Individuals:

The exact number of affected users was not publicly disclosed in early reports. However, given Substack’s large subscriber base, the potential impact could involve a significant number of writers and subscribers.

Business Impact:

The breach raised concerns about user privacy and data protection practices. For a platform that relies on direct creator-subscriber relationships, exposure of contact data can reduce user trust. It also increases the risk of phishing, spam campaigns, and targeted social engineering attacks against both writers and subscribers.

Company Response:

Substack stated that it investigated the incident, secured affected systems, and worked to prevent further unauthorized access. The company also notified impacted users and reviewed its access controls and monitoring mechanisms.

Key Lesson:

Even limited contact data exposure can create serious downstream risks. Email addresses and phone numbers can be used for phishing, SMS fraud, and credential stuffing attempts. Strong API controls, access monitoring, and data minimization practices are essential for platforms handling large subscriber databases.

Date of Breach: February 17, 2026

Source: Fox News

2. Japan Airlines Unauthorized Access Incident Impacts Baggage Service System

Incident Overview:

Japan Airlines disclosed that unauthorized access was detected in a baggage service system used to manage lost luggage claims and related passenger communication. The affected system was separate from flight operations and booking infrastructure. The intrusion allowed access to customer data stored within that specific operational platform. 

What Data Was Exposed:

The potentially exposed information included:

  • Passenger names
  • Contact details such as phone numbers and email addresses
  • Baggage claim reference information
  • Flight-related details associated with baggage handling

There was no indication that payment card information, passport numbers, or core reservation systems were compromised in this incident.

Number of Affected Individuals:

Japan Airlines stated that up to 28,000 customers may have been impacted by the unauthorized access.

Business Impact:

The incident raised privacy concerns and could affect customer trust. Although flight safety and core booking systems were not impacted, exposure of travel-related contact data increases the risk of phishing and targeted fraud. The airline may also face regulatory review depending on applicable data protection laws.

Company Response:

Japan Airlines reported that it secured the affected system after detecting the unauthorized access and initiated an internal investigation. The airline assessed the scope of exposure and began notifying affected customers as required. Additional monitoring and security measures were implemented to prevent recurrence.

Key Lesson:

Operational support systems, such as baggage management platforms, can become entry points for attackers if not protected with the same rigor as core systems. Continuous monitoring, strict access controls, and proper segmentation are essential across all enterprise systems.

Date of Breach: February 11, 2026

Source: Teiss

3. CarGurus Data Breach Impacts Over 12 Million Users

Incident Overview:

CarGurus disclosed a major security incident that resulted in unauthorized access to user account data. The breach reportedly affected millions of registered users on the automotive marketplace platform. The exposure stemmed from a compromise of systems that stored customer account information, leading to one of the largest publicly reported incidents in the online automotive sector.

What Data Was Exposed: 

The exposed information included:

  • User names
  • Email addresses
  • Account-related details
  • Encrypted or hashed passwords

There was no confirmed widespread exposure of payment card information. However, exposure of account credentials increases the risk of account takeover and credential reuse attacks.

Number of Affected Individuals:

More than 12 million users were reported to be impacted by the breach.

Business Impact:

The breach created reputational and operational challenges for CarGurus. Affected users may lose confidence in platform security, and the company could face regulatory review and potential legal claims. Large-scale exposure of user credentials also increases the risk of phishing and fraudulent activity targeting customers.

Company Response:

CarGurus investigated the incident, secured affected systems, and notified impacted users. The company encouraged password resets and implemented additional safeguards to strengthen account security controls.

Key Lesson:

High-volume consumer platforms are attractive targets because of their large user databases. Even when financial data is not involved, exposure of personal and login information can lead to widespread fraud and secondary attacks. Strong access controls, continuous monitoring, and user authentication protections are essential.

Date of Breach: February 25, 2026

Source: SecurityWeek

4. PayPal Data Breach: Customer Information Exposed After Account Takeover Incident

Incident Overview:

PayPal disclosed that unauthorized actors accessed a portion of customer accounts through a credential stuffing attack. The activity occurred over a short window in December 2022, when attackers used previously leaked login credentials from other breaches to gain access to PayPal accounts. The intrusion did not stem from a direct compromise of PayPal’s core infrastructure but from reused usernames and passwords.

What Data Was Exposed:

For affected accounts, the exposed information included:

  • Full names
  • Email addresses
  • Physical addresses
  • Dates of birth
  • Social Security numbers or tax identification numbers in certain cases

There was no evidence that full credit card numbers or bank account credentials were directly extracted from PayPal’s internal systems.

Number of Affected Individuals:

PayPal confirmed that approximately 34,942 users were impacted by the incident.

Business Impact:

The breach triggered regulatory reporting requirements and increased fraud monitoring efforts. Even though the root cause involved credential reuse, the incident raised concerns about account security on major financial platforms. The company faced potential reputational impact and the cost of reimbursing unauthorized transactions.

Company Response:

PayPal reset passwords for affected accounts and required users to create new credentials. The company notified impacted individuals and encouraged stronger authentication measures. Additional monitoring controls were implemented to detect abnormal login behavior and prevent further unauthorized access.

Key Lesson:

Credential reuse remains a significant security risk. Even when a company’s systems are not directly breached, attackers can exploit exposed credentials from other incidents. Strong multi-factor authentication, anomaly detection, and user education are essential to reduce account takeover risk.
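One way to implement the anomaly detection named in this lesson, shown as an added example that is not code from PayPal or from the original article: it flags source IPs that try many distinct usernames in a short window with mostly failed logins, then lists the accounts that did log in from those sources so they can be forced through a password reset. The log format, thresholds, IP addresses and usernames are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "timestamp source_ip username result" (format is an assumption).
SAMPLE_LOG = """\
2026-02-21T10:00:01Z 203.0.113.7 alice FAIL
2026-02-21T10:00:03Z 203.0.113.7 bob FAIL
2026-02-21T10:00:04Z 198.51.100.20 grace FAIL
2026-02-21T10:00:06Z 203.0.113.7 carol FAIL
2026-02-21T10:00:09Z 203.0.113.7 erin FAIL
2026-02-21T10:00:12Z 203.0.113.7 frank FAIL
2026-02-21T10:00:15Z 203.0.113.7 dave OK
2026-02-21T10:00:20Z 198.51.100.20 grace OK
2026-02-21T10:01:00Z 192.0.2.44 heidi OK
2026-02-21T10:01:05Z 192.0.2.44 ivan OK
2026-02-21T10:01:09Z 192.0.2.44 judy OK
2026-02-21T10:01:15Z 192.0.2.44 mallory OK
2026-02-21T10:01:30Z 192.0.2.44 niaj OK
"""

def parse_line(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"

def detect_credential_stuffing(log_text, window=timedelta(minutes=5),
                               min_users=5, max_success_ratio=0.2):
    """Flag source IPs that try many distinct usernames in a short window with
    mostly failed logins; return {ip: accounts that logged in OK from that IP}."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the left edge forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            win = events[start:end + 1]
            users = {user for _, user, _ in win}
            ratio = sum(ok for _, _, ok in win) / len(win)
            if len(users) >= min_users and ratio <= max_success_ratio:
                # Any successful login from a flagged source is a likely takeover.
                flagged[ip] = sorted({u for _, u, ok in events if ok})
                break
    return flagged
```

The success-ratio condition keeps a shared egress address (here 192.0.2.44, where five different users all log in successfully) from being flagged alongside the stuffing source.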

Date of Breach: February 21, 2026 

Source: The 420

5. Odido Data Breach Impacts Approximately 6 Million Customers

Incident Overview:

Odido disclosed a large-scale data breach affecting millions of customers in the Netherlands. The incident was linked to unauthorized access to a customer data environment associated with a third-party supplier. While Odido’s core telecom network was not reported as compromised, customer information stored in connected systems was exposed.

What Data Was Exposed:

The exposed data reportedly included:

  • Customer names
  • Email addresses
  • Phone numbers
  • Customer account or subscription details

There was no confirmed disclosure that payment card information, bank account data, or call content was accessed.

Number of Affected Individuals:

Odido stated that up to 6 million customers may have been impacted by the breach.

Business Impact:

The breach raised concerns regarding data protection practices and third-party risk management. Given the scale, Odido faced regulatory scrutiny under European data protection laws, including GDPR. The exposure may also increase the risk of phishing, SIM swap fraud, and identity-based attacks targeting customers.

Company Response:

Odido initiated an investigation, secured the affected systems, and began notifying regulators and impacted individuals in accordance with GDPR requirements. The company also reviewed its supplier security controls and monitoring mechanisms to prevent similar incidents.

Key Lesson:

Third-party vendors can introduce significant exposure risk. Even when a telecom provider’s core infrastructure remains secure, connected partner systems must be protected with equal rigor. Continuous monitoring, strict vendor security assessments, and data access controls are critical in large customer ecosystems.

Date of Breach: February 13, 2026

Source: SecurityWeek

6. Wynn Resorts Confirms Data Breach After Ransomware Leak Site Listing

Incident Overview:

Wynn Resorts confirmed it experienced a cybersecurity incident after a ransomware group listed the company on its public leak site. The attackers claimed to have exfiltrated company data and added Wynn Resorts to their data leak portal, which is commonly used to pressure victims into negotiations. Shortly after being listed, Wynn Resorts was removed from the leak site, suggesting that negotiations or remediation actions may have taken place. The company acknowledged the breach but did not disclose detailed forensic findings immediately.

What Data Was Exposed:

At the time of initial reporting, full technical details were not publicly disclosed. However, data potentially involved in hospitality-related breaches typically includes:

  • Customer names
  • Contact information such as email addresses and phone numbers
  • Reservation and loyalty program details
  • Internal corporate documents

There was no confirmed public disclosure that payment card systems or gaming infrastructure were directly compromised in the early reports.

Number of Affected Individuals:

The exact number of affected individuals was not publicly confirmed at the time of disclosure.

Business Impact:

The breach created reputational and regulatory risk for Wynn Resorts. Casino and hospitality operators are subject to strict oversight, especially in jurisdictions such as Nevada. Exposure of guest information can reduce customer trust and increase legal and compliance costs. The incident may also trigger investigations by gaming authorities and data protection regulators.

Company Response:

Wynn Resorts acknowledged the incident and initiated an investigation. The company worked to secure affected systems and assess the scope of the breach. Public statements indicated coordination with cybersecurity professionals and relevant authorities. Further notifications to affected individuals would depend on the investigation findings.

Key Lesson:

Ransomware incidents now prioritize data exfiltration and public pressure tactics. Even if stolen data is not ultimately published, confirmed unauthorized access carries legal and operational consequences. Organizations in hospitality and gaming must implement strong monitoring, segmentation, and incident response readiness across all data environments.

Date of Breach: February 25, 2026

Source: SecurityWeek

Conclusion:

The data breaches reported in February 2026 reveal a consistent pattern. Exposure did not always come from sophisticated attacks. It came from unmonitored peripheral systems, third-party vendor access gaps, credential reuse, and limited visibility into where sensitive data resided. Once access was gained, organisations were left managing notifications, regulatory scrutiny, reputational damage, and customer trust loss.

This is exactly where Strobes Security changes the outcome. Strobes helps you continuously track assets, identify exposure early, prioritise what truly matters, and validate risk before it becomes an incident. Instead of reacting after data is already exposed, teams gain clear visibility into misconfigurations, vendor risks, and attack paths while there is still time to act.


Likhil Chekuri

Likhil is a marketing executive known for his creative flair and talent for making complex security topics both accessible and engaging. With a knack for crafting compelling narratives, he infuses fresh perspectives into his content, making cybersecurity both intriguing and relatable.