
Encrypted Mayhem, Mega Leaks & AI Under Fire.

19 January 2026
BREACHAWARE HQ

A total of 24 breach events were found and analysed, resulting in 14,347,979 exposed accounts containing 32 different types of personal data. The breaches found publicly and freely available included Instagram, Thermomix, Air Miles España Loyalty Program - Travel Club, Giglio and Qantas [Sample Data]. Sign in to view the full library of breach events, which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Sociodemographic, Contact, Unstructured, Digital Behaviour, Geolocation, Commerce, Career, National Identifiers, Finance, Technology, Communication Logs, Health and Environment.

Notable Breaches

• Instagram (2024 API Data Leak): Data on about 17.5 million Instagram accounts (usernames, full names, emails, phone numbers and partial addresses) was posted by a threat actor in early January[1]. This led to a wave of unsolicited password-reset emails sent to users; Meta denied any hack and said a bug that allowed mass reset requests has been fixed[2].

• Thermomix Recipe Forum: A breach of the Thermomix owners’ forum (Rezeptwelt) in January 2025 exposed 3.1 million user profiles with names, email and physical addresses, phone numbers, dates of birth and profile bios. The stolen data has since circulated on hacking forums, creating phishing and fraud risks for affected customers.

• Travel Club (Air Miles España): The operator of Spain’s Travel Club loyalty program (Air Miles España, S.A.) suffered a ransomware attack in November 2025. The Everest gang claimed to have stolen ~131 GB of member data, potentially affecting millions of Spanish consumers[5]. The stolen information likely includes names, contact details, loyalty point balances, purchase histories and other profile data[6], posing widespread identity theft and phishing risks if leaked.

Cyber Spotlight

Encrypted Messenger Breach: A new Russian encrypted messenger (launched in March 2025 and touted as a “Telegram killer” with unbreakable security) suffered a catastrophic breach. Last week a threat actor posted a detailed account on a dark web forum of how they infiltrated the messenger’s entire infrastructure[11]. The attackers claim to have exfiltrated the production database (~142 GB) and boasted that “the 'unbreakable' has been broken.” The leaked data reportedly includes:

• User Profiles: 15.4 million records with full names, usernames, and verified phone numbers[12].
• Auth Tokens & Keys: Active session tokens (allowing account hijack and 2FA bypass) and user password hashes (bcrypt)[13].
• Communication Logs: A complete metadata archive of all message timestamps and sender/receiver IDs since launch (March 2025)[14].
• Infrastructure Access: Internal server SSH keys, API docs, and AWS S3 bucket configurations containing unencrypted media files[15].
• Source Code: The platform’s backend source code, including its custom encryption module, in which the hackers claim to have found hardcoded backdoors[16].

In short, this was an infrastructure-level compromise that likely spells the end for the messenger if the claims hold; note that everything above rests on the attackers’ own forum post[11] and should be treated as a claim until confirmed. The attackers said they exploited a critical zero-day RCE (remote code execution) in the app’s media processing engine: by injecting a malicious payload into a sticker-pack metadata file, they gained persistent server access[17]. One item on the list deserves a design note for anyone running a similar service: session tokens stored in plaintext are usable straight out of a database dump, whereas storing only a hash of each token server-side (the client keeps the original) would have left that part of the haul useless. As of this writing, the data dump has not been made public, possibly because the hackers issued an ultimatum to the developers demanding a “bug bounty” payout within 24 hours. They warned that if no deal is reached, they will release 5 GB of raw SQL data to more than 10 public torrent trackers[18].

BreachForums Leak Fallout: In an ironic turn, the notorious hacking forum BreachForums (2025 incarnation) had its user database leaked on the dark web this week[19]. The dump, about 324,000 forum user records, was posted on a site linked to the ShinyHunters hacker collective[20]. It includes forum usernames, email addresses, hashed passwords (Argon2i), IP metadata and even an admin’s private key[21][22]. Law enforcement and researchers have welcomed the leak, since it exposes many cybercriminals’ identities. Meanwhile, the cybercrime community (often called “the Com”) is furious; one user griped that “everything gets leaked when ShinyHunters are involved,” reflecting distrust toward that group, which has been tied to prior BreachForums iterations and data sales. Historically, such forum breaches go one of two ways: either the operators try to sell off the database before shutting down, or they go dark and lock down completely amid the scrutiny from rivals, police and security researchers[23]. Given the relentless attention on BreachForums, this leak could mark the forum’s demise (again), or at least a major setback.

Instagram API Data Exposure: News of an older Instagram data leak has also caused alarm. A dataset titled “INSTAGRAM.COM 17M GLOBAL USERS, 2024 API LEAK” was circulated on cybercrime forums in early 2026[1]. It purportedly contains profile info for 17 million Instagram users (including over 6 million unique email addresses) harvested via an API vulnerability in 2024[1]. Shortly after the leak became known, many users reported receiving mysterious Instagram password-reset emails, apparently triggered in bulk by attackers using the exposed contact data[2]. Meta (Instagram’s parent) insists it wasn’t a breach of their servers, blaming a now-fixed flaw that allowed mass password reset requests externally[24]. No passwords were leaked in the dump, but the incident underscores a broader point: practically everyone, from law enforcement to threat actors, is scraping social media data these days. For privacy-conscious users, this exposure is a reminder that installing such apps carries risk. In the grand scheme, an Instagram scrape of this kind is hardly new; similar large-scale data scrapes have happened before, and such data is routinely mined for OSINT and marketing. Nonetheless, users are advised to be vigilant (e.g. ignore unsolicited reset emails, enable 2FA, etc.), as leaked contact info can fuel phishing and SIM-swapping attempts[2][24].
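Bulk reset abuse of the kind described above leaves a distinctive trace on the server side: one source asking for resets on many different accounts in a short time, which looks nothing like a single locked-out user retrying. The Go program below is an added example written for this page, not Meta’s or Instagram’s code; the log line format, the addresses and the thresholds are all constructed for it. It parses reset-request log lines and flags any source whose count of distinct target accounts inside a sliding time window exceeds a limit.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// ResetRequest is one password-reset request as a reset endpoint would log it.
type ResetRequest struct {
	At     time.Time
	Source string // client IP or another stable client identifier
	Target string // account the reset was requested for
}

// SampleLog is constructed for this example (addresses are documentation ranges):
// 203.0.113.5 walks a leaked contact list, 198.51.100.7 is one user retrying for a
// single account, and 192.0.2.9 touches three accounts spread over forty minutes.
const SampleLog = `
2026-01-10T08:00:00Z src=203.0.113.5 target=a@example.com
2026-01-10T08:00:10Z src=203.0.113.5 target=b@example.com
2026-01-10T08:00:20Z src=203.0.113.5 target=c@example.com
2026-01-10T08:00:30Z src=203.0.113.5 target=d@example.com
2026-01-10T08:00:40Z src=203.0.113.5 target=e@example.com
2026-01-10T08:00:50Z src=203.0.113.5 target=f@example.com
2026-01-10T08:01:00Z src=198.51.100.7 target=me@example.com
2026-01-10T08:02:00Z src=198.51.100.7 target=me@example.com
2026-01-10T08:03:00Z src=198.51.100.7 target=me@example.com
2026-01-10T08:04:00Z src=198.51.100.7 target=me@example.com
2026-01-10T08:00:00Z src=192.0.2.9 target=x@example.com
2026-01-10T08:20:00Z src=192.0.2.9 target=y@example.com
2026-01-10T08:40:00Z src=192.0.2.9 target=z@example.com
`

// parseLine parses the constructed format "<RFC3339 time> src=<source> target=<account>".
func parseLine(line string) (ResetRequest, error) {
	f := strings.Fields(line)
	if len(f) != 3 || !strings.HasPrefix(f[1], "src=") || !strings.HasPrefix(f[2], "target=") {
		return ResetRequest{}, fmt.Errorf("malformed line: %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return ResetRequest{}, err
	}
	return ResetRequest{At: at, Source: f[1][len("src="):], Target: f[2][len("target="):]}, nil
}

// peakDistinct slides a window over time-sorted requests from one source and returns
// the largest number of distinct targets seen inside any single window.
func peakDistinct(reqs []ResetRequest, window time.Duration) int {
	counts := map[string]int{}
	peak, lo := 0, 0
	for _, r := range reqs {
		counts[r.Target]++
		for r.At.Sub(reqs[lo].At) > window { // evict requests that fell out of the window
			old := reqs[lo].Target
			if counts[old]--; counts[old] == 0 {
				delete(counts, old)
			}
			lo++
		}
		if len(counts) > peak {
			peak = len(counts)
		}
	}
	return peak
}

// FlagMassResets returns, sorted, every source that requested resets for more than
// maxTargets distinct accounts inside some window of the given width. Counting
// distinct targets rather than raw requests separates enumeration of a contact list
// (one source, many victims) from one locked-out user hammering "forgot password".
func FlagMassResets(lines []string, window time.Duration, maxTargets int) ([]string, error) {
	bySource := map[string][]ResetRequest{}
	for _, l := range lines {
		if strings.TrimSpace(l) == "" {
			continue
		}
		r, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		bySource[r.Source] = append(bySource[r.Source], r)
	}
	var flagged []string
	for src, reqs := range bySource {
		sort.Slice(reqs, func(i, j int) bool { return reqs[i].At.Before(reqs[j].At) })
		if peakDistinct(reqs, window) > maxTargets {
			flagged = append(flagged, src)
		}
	}
	sort.Strings(flagged)
	return flagged, nil
}

func main() {
	flagged, err := FlagMassResets(strings.Split(SampleLog, "\n"), 5*time.Minute, 3)
	fmt.Println("sources flagged for bulk reset requests:", flagged, err)
}
```

Both knobs matter: the window width decides whether a slow walk through a contact list is caught (with a five-minute window only 203.0.113.5 is flagged; with a one-hour window 192.0.2.9 is flagged as well), and counting distinct targets rather than requests keeps the retrying user at 198.51.100.7 off the list. Keying on a source IP alone is weak against a proxy pool; the same logic can be keyed on an app install identifier or any other stable client fingerprint.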

Vulnerability Chat

Five significant software vulnerabilities made headlines last week, some newly discovered, others actively exploited in the wild:

1. Microsoft Windows (Desktop Window Manager): An information disclosure zero-day in Windows (CVE-2026-20805) was actively exploited before being patched in Microsoft’s January Patch Tuesday[25][26]. The flaw (CVSS 5.5) lets a local attacker leak kernel memory addresses via the ALPC interface[27]; on its own it yields no code execution, but the leaked addresses defeat ASLR and make a second, memory-corruption bug far more reliable to exploit in a chain[28]. CISA added the bug to its Known Exploited Vulnerabilities list, noting that flaws of this kind are a common attack vector, and set a Feb 3 deadline for US federal agencies to patch[26]. It is the first Windows zero-day of 2026[29], and rapid patching is advised precisely because an information leak is the enabling half of many exploit chains[30].

2. Gogs (Self-Hosted Git Service): A critical path traversal vulnerability in Gogs (CVE-2025-8110, CVSS 8.7) is being actively exploited to achieve remote code execution[31][32]. The flaw, now on CISA’s exploited list, stems from improper symlink handling in the repository file editor: an attacker pushes a repository containing a symlink that points outside the repository directory, then uses the file-editor API to write through it, overwriting server files such as configuration and gaining code execution[33][34]. Cloud security firm Wiz reported the bug was exploited as a zero-day (it bypasses the fix for the earlier CVE-2024-55947) and found at least 700 Gogs servers already compromised[35][36]. No official patch was available at disclosure (as of Jan 13)[37], though fixes have since been merged into the codebase. Until a patched release is deployed, Gogs admins are urged to restrict access (e.g. disable open registration, put the instance behind a VPN or IP allow-list)[38].
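The mechanism behind this class of bug, a path check that a committed symlink walks straight past, is worth seeing in code. The following Go program is an added example written for this page, not Gogs’ own code and not its fix: it builds a throw-away repository containing a symlink to a directory outside it, feeds an attacker-chosen path through a string-prefix containment check of the insufficient kind, and then through a hardened check that resolves symlinks before testing containment. The directory names, the symlink target and the relative path are constructed for the demo.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

var ErrOutsideRepo = errors.New("path resolves outside repository root")

// inside reports whether path is root itself or lies strictly beneath it.
func inside(root, path string) bool {
	return path == root || strings.HasPrefix(path, root+string(os.PathSeparator))
}

// vulnerableTarget is the insufficient pattern: normalise the path lexically and
// check that the resulting *string* stays under root. A symlink committed into the
// repo passes this check, yet the later write follows the link out of the repo.
func vulnerableTarget(root, rel string) (string, error) {
	target := filepath.Join(root, filepath.Clean("/"+rel))
	if !inside(root, target) {
		return "", ErrOutsideRepo
	}
	return target, nil
}

// safeTarget resolves symlinks before the containment check. The leaf may not exist
// yet (a new file), so the parent is resolved and the base name re-joined; an
// existing symlink at the leaf is rejected outright so no write goes through it.
func safeTarget(root, rel string) (string, error) {
	realRoot, err := filepath.EvalSymlinks(root)
	if err != nil {
		return "", err
	}
	target := filepath.Join(realRoot, filepath.Clean("/"+rel))
	realParent, err := filepath.EvalSymlinks(filepath.Dir(target))
	if err != nil {
		return "", err
	}
	resolved := filepath.Join(realParent, filepath.Base(target))
	if fi, err := os.Lstat(resolved); err == nil && fi.Mode()&os.ModeSymlink != 0 {
		return "", ErrOutsideRepo
	}
	if !inside(realRoot, resolved) {
		return "", ErrOutsideRepo
	}
	return resolved, nil
}

// Result records what each check did with an attacker-chosen path through a symlink.
type Result struct {
	VulnAllowed   bool // lexical check accepted the path
	LandedOutside bool // writing to that path created a file outside the repo
	SafeRefused   bool // hardened check returned ErrOutsideRepo
	BenignOK      bool // hardened check still accepted "README.md"
}

// RunScenario builds a throw-away layout (constructed for this example): the repo
// <tmp>/repos/victim, a directory <tmp>/custom outside it standing in for server
// configuration, and the "pushed" symlink repos/victim/cfg -> ../../custom. It then
// simulates a file-editor API write to cfg/app.ini under each check.
func RunScenario() (Result, error) {
	var r Result
	tmp, err := os.MkdirTemp("", "symlink-traversal-demo")
	if err != nil {
		return r, err
	}
	defer os.RemoveAll(tmp)
	root := filepath.Join(tmp, "repos", "victim")
	outside := filepath.Join(tmp, "custom")
	for _, d := range []string{root, outside} {
		if err := os.MkdirAll(d, 0o755); err != nil {
			return r, err
		}
	}
	if err := os.Symlink(filepath.Join("..", "..", "custom"), filepath.Join(root, "cfg")); err != nil {
		return r, err
	}
	const rel = "cfg/app.ini" // attacker-chosen path through the symlink
	if target, err := vulnerableTarget(root, rel); err == nil {
		r.VulnAllowed = true
		if err := os.WriteFile(target, []byte("attacker-controlled content\n"), 0o644); err != nil {
			return r, err
		}
		_, statErr := os.Stat(filepath.Join(outside, "app.ini"))
		r.LandedOutside = statErr == nil
	}
	_, err = safeTarget(root, rel)
	r.SafeRefused = errors.Is(err, ErrOutsideRepo)
	_, err = safeTarget(root, "README.md")
	r.BenignOK = err == nil
	return r, nil
}

func main() {
	r, err := RunScenario()
	fmt.Printf("%+v %v\n", r, err)
}
```

The point is the order of operations: resolve (filepath.EvalSymlinks) first, then compare against the resolved root; comparing the unresolved string is exactly what a symlink defeats. In a real service the write should additionally be performed relative to an already-opened root directory handle, or with O_NOFOLLOW on the final component, so that a symlink created between the check and the write cannot race it.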

3. HPE OneView (Server Management): A critical RCE vulnerability in HPE’s OneView appliance (CVE-2025-37164, CVSS 10.0) is now confirmed exploited in the wild[39]. The bug lets an unauthenticated attacker execute code remotely on all vulnerable OneView versions earlier than 11.0[40]. In mid-January, Check Point researchers observed a massive botnet-driven campaign leveraging this flaw (over 40,000 exploit attempts within a 3.5-hour window on Jan 7[41]) to deploy the RondoDox malware. CISA responded by adding CVE-2025-37164 to its KEV catalog with a Jan 28 deadline for federal agencies to apply HPE’s hotfixes[42]. Organisations running OneView should patch immediately, as attackers are targeting this vulnerability at scale.

4. n8n Automation Platform: A new code execution flaw dubbed “N8scape” was disclosed in n8n, a popular open-source workflow automation tool[43]. Tracked as CVE-2025-68668 (CVSS 9.9), the bug is a sandbox bypass in n8n’s Code node for Python: an authenticated user with workflow-editing rights can break out of the Pyodide sandbox and execute arbitrary OS commands on the n8n host[44][45]. It affects all 1.x releases (from 1.0.0 onward) and was fixed in n8n v2.0.0, which moves Python code into a more isolated task runner[46][47]. Administrators should upgrade to 2.0.0 or apply the workarounds (disable the Code node, or its Python support)[48]. A similar critical flaw (CVE-2025-68613) was also patched, and technical analyses warn that these bugs stem from the inherent difficulty of sandboxing untrusted code inside a Node/Python runtime[49][50]. The practical consequence is that, until the upgrade is done, anyone who can edit a workflow should be treated as having shell access to the n8n host.

5. Veeam Backup & Replication: Veeam disclosed and patched a critical RCE vulnerability (CVE-2025-59470, CVSS 9.0) in its Backup & Replication software[51]. The flaw lets a user holding the Backup Operator or Tape Operator role execute arbitrary code on the Veeam server as the PostgreSQL database user by sending crafted input to a scheduling parameter[52]. Exploitation therefore requires an already-privileged account[53][54], but Veeam still rates it critical because such roles are powerful and could be abused by a malicious insider or by an attacker who has stolen the credentials[55]. No in-the-wild exploitation has been reported yet[56], though Veeam notes that attackers have leveraged its vulnerabilities in the past[57]. All users are advised to update to Veeam B&R v13.0.1.1071, which fixes this and three related vulnerabilities[58], before threat actors take an interest.

Information Privacy Headlines

California Cracks Down on Data Broker: The California Privacy Protection Agency announced enforcement action against Datamasters, a Texas-based data broker, for illicitly selling sensitive personal data. The company (which had compiled lists of Alzheimer’s patients, visually impaired individuals, addiction sufferers and others) had failed to comply with California’s data broker registry law[59]. Regulators fined Datamasters $45,000 and, more significantly, banned it from selling any Californians’ data going forward[60]. The firm had tried to conceal its California contacts, but investigators found over 200,000 California student records in its database, prompting a first-of-its-kind order to delete previously sold data and stop further sales[61][62].

EU Streamlines Cross-Border Privacy Cases: The Council of the European Union adopted a new regulation to speed up cross-border GDPR complaint handling[63]. The rules (agreed upon in late 2025) introduce standardised criteria for complaint admissibility across EU states and codify procedural rights for complainants, like the right to be heard and to receive draft decisions for comment[64]. Importantly, deadlines will be imposed: simple cases should be resolved within 12 months (complex ones in 15 months, extendable by 12 more)[64]. This aims to end the slow bureaucratic back-and-forth between national data protection authorities and deliver swifter outcomes on GDPR violations. Once in force (likely by 2027), the regulation should accelerate major privacy investigations that span multiple EU countries.

Global Scrutiny of Musk’s AI ‘Grok’: Elon Musk’s AI chatbot Grok is facing pushback from privacy and safety regulators around the world over its generation of sexualised deepfake images. This past week, authorities in the UK and Canada confirmed ongoing investigations into Grok’s outputs[65], and California state officials said they are examining whether Grok’s content violates state law after reports of non-consensual explicit imagery[66]. The Philippines went further, moving to block access to Grok entirely over child safety concerns (after Grok allegedly produced sexualised images of minors)[67]. These actions are part of a broader international effort to rein in AI-generated illicit content[68]. Regulators are pressing Musk’s xAI for safeguards, and in response the company has already limited Grok’s image-generation capabilities while pledging compliance with local laws[69][70].

India’s Phone Security Plan Spurs Privacy Backlash: In India, a government proposal to tighten smartphone security is drawing criticism from privacy advocates[71]. The plan would require phone manufacturers to provide authorities with source code access and allow removal of pre-installed apps as part of new security screenings[71]. Officials argue this would help find backdoors and bloatware, making devices safer. However, civil society groups and tech experts warn that mandating source code sharing could undermine privacy and security, enabling potential state surveillance or weakening encryption. The controversy highlights the delicate balance between national security measures and user privacy rights in the world’s second-largest smartphone market.

Somalia Enacts Data Privacy Law: Somalia has passed the Public Data Protection Law, its first comprehensive privacy legislation[72]. Effective as of January 13, 2026, the law establishes a regulatory framework to ensure protection of personal data for Somali citizens and to strengthen information security nationwide[73]. It outlines requirements for lawful processing of personal data, mandates data security measures, and creates a supervisory authority to enforce the rules. By introducing modern data privacy safeguards, Somalia joins a growing list of nations adopting GDPR-inspired laws, a significant step given the country’s nascent digital economy. This move is expected to boost consumer trust and facilitate international business, as companies handling Somali user data will now need to comply with stricter privacy standards.[72]

[1] [2] [24] 17.5M Instagram Leak: The Reset Email You Must Avoid, Bright Defense
https://www.brightdefense.com/news/instagram-breach/
[5] [6] Everest ransomware claims breach at Spain’s national airline Iberia with 596 GB data theft, Hackread
https://hackread.com/everest-ransomware-spai-airline-iberia-breach/
[7] [8] Critical Alert: Recent Giglio Data Breach, HookPhish
https://www.hookphish.com/blog/critical-alert-recent-giglio-data-breach/
[9] [10] Hackers leak Qantas data containing 5 million customer records after ransom deadline passes, The Guardian
https://www.theguardian.com/business/2025/oct/11/hackers-leak-qantas-data-containing-5-million-customer-records-after-ransom-deadline-passes
[11] [12] [13] [14] [15] [16] [17] [18] [DATABASE LEAK] Max Messenger - Full User Infrastructure & SQL Dump, DarkForums (threat actor post)
https://darkforums.io/Thread-DATABASE-DATABASE-LEAK-Max-Messenger-Full-User-Infrastructure-SQL-Dump
[19] [20] [22] BreachForums database leak exposes over 320,000 users, SC Media
https://www.scworld.com/brief/breachforums-database-leak-exposes-over-320000-users
[21] Data Breach Roundup (Jan 9 to Jan 15, 2026), Privacy Guides
https://www.privacyguides.org/news/2026/01/16/data-breach-roundup-jan-9-jan-15-2026/
[23] Database of 323,986 BreachForums Users Leaked as Admin Disputes Scope, Hackread
https://hackread.com/breachforums-database-users-leak-admin-disputes/
[25] [26] [27] [28] [29] [30] Windows info-disclosure 0-day bug gets a fix and CISA alert, The Register
https://www.theregister.com/2026/01/14/patch_tuesday_january_2026/
[31] [32] [33] [34] [35] [36] [37] [38] CISA Warns of Active Exploitation of Gogs Vulnerability Enabling Code Execution, The Hacker News
https://thehackernews.com/2026/01/cisa-warns-of-active-exploitation-of.html
[39] [40] [41] [42] CISA Flags Microsoft Office and HPE OneView Bugs as Actively Exploited, The Hacker News
https://thehackernews.com/2026/01/cisa-flags-microsoft-office-and-hpe.html
[43] [44] [45] [46] [47] [48] [49] [50] New n8n Vulnerability (9.9 CVSS) Lets Authenticated Users Execute System Commands, The Hacker News
https://thehackernews.com/2026/01/new-n8n-vulnerability-99-cvss-lets.html
[51] [52] [53] [54] [55] [56] [57] [58] Veeam Patches Critical RCE Vulnerability with CVSS 9.0 in Backup & Replication, The Hacker News
https://thehackernews.com/2026/01/veeam-patches-critical-rce.html
[59] [60] [61] [62] Data broker fined after selling Alzheimer’s patient info and millions of sensitive profiles, Malwarebytes
https://www.malwarebytes.com/blog/news/2026/01/data-broker-fined-after-selling-alzheimers-patient-info-and-millions-of-sensitive-profiles
[63] [64] The Council of the European Union Adopts New Rules On Handling Of Cross-Border Data Protection Complaints, A&O Shearman via JDSupra
https://www.jdsupra.com/legalnews/the-council-of-the-european-union-5344107/
[65] [66] [67] [68] [69] [70] [71] Data Privacy News, Reuters
https://www.reuters.com/legal/data-privacy/
[72] [73] IT’S THE LAW (01/13/2026), CDP Institute
https://www.cdpinstitute.org/news/its-the-law-01-13-2026/
