UrbanX.io
January 6, 2026
•[ data leak, initial access broker, information-stealer malware ]
SecurityWeek reported that Hudson Rock linked dozens of major breaches to a single initial access broker operating under the aliases Zestix and Sentap. The actor is described as using credentials harvested via information-stealer malware (including RedLine, Lumma, and Vidar) from infected employee devices to log into enterprise file-transfer/file-sharing environments such as ShareFile, OwnCloud, and Nextcloud when MFA was missing. After gaining access, the actor allegedly exfiltrated sensitive corporate data and monetized it by selling datasets or access on closed Russian-language forums, with victim organizations spanning sectors such as aerospace, government infrastructure, legal services, and robotics.
Netstar Australia
January 5, 2026
•[ ransomware, data leak, financial data ]
Netstar Australia, a Melbourne-based telematics and GPS fleet tracking provider, was named on a ransomware leak site in December 2025 by the Black Shrantac ransomware group. The threat actors alleged they compromised Netstars systems and stole customer, financial, and database information, claiming roughly 800GB of data and posting sample files said to include internal records related to staff, tax, equipment, and customers. Public reporting noted that Netstar had not provided a detailed public statement confirming the claims at the time of publication.
Brightspeed
January 5, 2026
•[ cybersecurity event, extortion, data breach ]
Brightspeed said it is investigating reports of a cybersecurity event after the Crimson Collective extortion group claimed it breached the company and stole personal data tied to more than one million residential customers. Reporting described the attackers claimed dataset as including names, emails, phone numbers, postal addresses, user account information linked to session or user IDs, payment history, partial payment card information, and appointment or order records containing customer information. Brightspeed publicly stated it takes security seriously and is investigating the reports and would keep customers, employees, and authorities informed as it learns more.
At least one hospitality company in Europe
January 5, 2026
•[ phishing, malware, unauthorized access ]
The article reports that Russian-linked threat actors targeted European hospitality companies using phishing emails masquerading as booking inquiries. Victims who opened the attachments triggered malware that displayed a fake blue screen while enabling unauthorized access to internal systems.
Bolttech
January 5, 2026
•[ ransomware, data leak, extortion ]
Cybernews reported that the Everest ransomware group claimed to have stolen about 186GB of data from Bolttech (a global insurance infrastructure platform) and demanded ransom. The group claimed the dataset includes employee/agent account details (emails, names, roles, identifiers), customer information and contact details, policy data, mortgage-related records, insured property addresses, and financial parameters/identifiers. The group posted samples and a countdown timer on its leak site, threatening to publish the data if Bolttech did not respond. The article notes the claim was based on the leak-site post and that confirmation from Bolttech was being sought.
Former Minister Ayelet Shaked
January 3, 2026
•[ data leak, unauthorized access, cyber espionage ]
Iran-linked hacking group Handala claimed it breached the mobile phone of former Israeli minister Ayelet Shaked and published roughly 60 photos and videos it said were stolen from her device. The group alleged it held additional messages, documents, and other confidential material and urged followers to expect further releases. The reported effect is limited to alleged unauthorized access and data theft/exposure involving a single political figure, with no operational disruption to organizations reported.
Venezuelan Power Grid
January 3, 2026
•[ cyber-physical disruption, critical infrastructure, state-led operation ]
Reporting described a U.S. cyber operation on January 3, 2026 that allegedly plunged parts of Venezuelas capital into darkness by disrupting electric power systems and also interfered with military air-defense radar as part of a broader U.S. raid/capture operation. Sources cited in public reporting characterized it as a high-visibility use of offensive cyber capabilities designed to create a temporary but precise disruption window, including the ability to restore systems afterward. The incident is best coded as a state-led cyber-physical disruption targeting critical infrastructure and defense-related systems in support of an operational objective; public reporting did not provide victim counts, exact affected assets, or detailed dwell time.
Prosura
January 2, 2026
•[ Data leak, Cyber incident, Personally Identifiable Information (PII) ]
Prosura, a car rental insurance provider that partners with VroomVroomVroom and trades as Hiccup, reported a cyber incident after a third party accessed its internal IT systems. Cybernews reported that attackers posted what they claimed was stolen Prosura data on a leak forum and described a dataset of roughly 98 million lines. Cybernews said its team reviewed the sample and believed it could be legitimate, noting it included photocopies of drivers licenses and full insurance policies containing personally identifiable information. The article also reported Prosura said it was working to verify the claims, had taken mitigation steps (including halting sales and some self-service functions), and stated that payment information was not exposed because it does not store credit card details.
WhiteDate
January 2, 2026
•[ hacktivism, data leak, data destruction ]
Reporting describes a hacktivist using the pseudonym Martha Root who infiltrated an extremist dating website and related sites and later demonstrated deleting them live on stage during the Chaos Communication Congress. The coverage indicates the actor used automated tools/AI chatbots to extract and download user profile information and then published the acquired dataset. As described, the incident combined disruptive impact (site/service deletion) with unauthorized access and data acquisition affecting site users.
Esquire Brands
January 2, 2026
•[ ransomware, data leak, extortion ]
Cybernews reported that Esquire Brands (a childrens footwear maker operating several brands/licenses) was posted on the Play ransomware leak site, with attackers threatening to publish stolen data shortly thereafter. According to the leak-site post summarized in the article, the attackers claimed they obtained client documents, payroll data, and finance information. The report frames the incident as data theft with extortion leverage (typical double-extortion posture).
LawPavilion
January 1, 2026
•[ data breach, unauthorized access, data leak ]
Unauthorized actors accessed systems associated with the Nigerian legal technology platform LawPavilion and exposed a database containing user account information affecting approximately 63,000 users, with no reported operational disruption.
At least one PT Taspen customer
January 1, 2026
•[ scam, phishing, malware ]
The online scam involving PT Taspen, which involved sending APK files to retirees, represents an increasingly structured and dangerous form of cybercrime, particularly as it involves the specific exploitation of personal data. The malicious APK applications sent to victims were designed to resemble official PT Taspen apps and were used to trick users into unknowingly granting access to various sensitive elements on their Android devices.
French Office for Immigration and Integration (OFII)
January 1, 2026
•[ data leak, hacking, third-party breach ]
A hacker posted samples of foreigners personal data online on January 1, 2026, stating on a specialist forum that the information was obtained by hacking the French Office for Immigration and Integration (OFII) and that the motive was profit. Reporting described two posted samples: one with fewer than 1,000 foreign nationals and another involving 600 Israelis currently or previously residing in France, with fields such as names, date of entry, status/reasons for stay, email addresses, and phone numbers. OFII confirmed a data theft but said the intrusion was linked to a subcontractor/operator with access to OFII data rather than directly compromising OFIIs information system.
Tokyo FM Broadcasting Co., LTD
January 1, 2026
•[ data leak, personal information, telemetry ]
HackRead reported that on January 1, 2026 an actor using the alias victim claimed to have breached Tokyo FMs private computer systems and stolen data exceeding three million records. The stolen dataset was described as containing personal details (full names, birthdays, email addresses) plus technical telemetry (IP addresses and user-agent strings). The actor also claimed to have obtained internal system login IDs and information related to individuals jobs. The report emphasized that the claim was listed as pending verification at the time of publication, but Tokyo FM was described as investigating the allegation.
Undisclosed UK Construction Firm
January 1, 2026
•[ malware, botnet, cryptojacking ]
eSentire TRU finds that a UK construction firm discovered Prometei malware on a Windows Server in January 2026. Researchers assessed initial access likely occurred via Remote Desktop Protocol using guessed weak/default credentials. Once inside, Prometei established persistence (service UPlugPlay and file sqhost.exe), downloaded an encrypted payload (zsvc.exe), routed traffic through TOR, and used Mimikatz (labelled miWalk) to steal passwords across the network. The report described Prometei as a Russia-linked botnet used for Monero mining and credential theft, and did not describe customer data exposure or service shutdown.
At least one government official
January 1, 2026
•[ espionage, phishing, surveillance tools ]
A Mustang Panda espionage campaign (late Dec 2025 to mid-Jan 2026) using fake diplomatic briefing documents to trick high-level targets into installing surveillance tools. It does not provide a single named victim organization with a confirmed primary effect suitable for one incident record; it is campaign-level reporting.
ManoMano
January 1, 2026
•[ data breach, third-party compromise, PII ]
ManoMano disclosed that hackers compromised a third-party customer service provider in January 2026 and unlawfully extracted customer account-related personal data and customer service interaction data affecting 38 million individuals.
At least one IoT device compromised
December 31, 2025
•[ botnet, iot, vulnerability ]
Security researchers reported that the RondoDox botnet successfully exploited a critical vulnerability to take control of at least one internet-connected networking device, enrolling it into a botnet for malicious activity.
Sedgwick Government Solutions
December 31, 2025
•[ ransomware, data leak, file transfer system ]
SecurityWeek reported that Sedgwick confirmed a security incident at its subsidiary Sedgwick Government Solutions after the TridentLocker ransomware group claimed to have hacked it. Sedgwick stated the incident affected only an isolated file transfer system and that the subsidiary is segmented from the rest of Sedgwick, with no evidence of access to claims management servers and no impact on service delivery. The article noted that on New Years Eve, TridentLocker claimed it stole roughly 3.4GB of data from Sedgwick Government Solutions and leaked it publicly, while Sedgwick did not comment on the specifics of the attackers claims.
Missouri State Government Employee Self-Service
December 31, 2025
•[ unauthorized access, forensic investigation, financial fraud prevention ]
Missouris Office of Administration temporarily shut down the Employee Self-Service portal to contain suspicious activity and support a forensic investigation. The agency said the incident was highly localized and involved 47 accounts, and that fraud protection systems detected the unauthorized activity and prevented unauthorized transactions. Reporting noted the issue centered on an unauthorized attempt to access workers deferred savings account information and that the portal remained offline while the state worked to restore service before the next pay date, with contingency plans for pay stubs and W-2 access if downtime continued.
