January 2026 was a stark reminder that cyber risk is no longer confined to any single sector or geography. From global consumer brands to government agencies, healthcare providers, and education institutions, the month saw a relentless wave of cyber attacks, data breaches, and ransomware incidents that disrupted operations, exposed sensitive data, and tested organisational resilience.
The scale and diversity of victims underscored a sobering reality: no organisation is too big, too regulated, or too well-known to be targeted.
This month’s most significant incidents spanned cryptocurrency platforms, public sector bodies, healthcare networks, and household-name brands. High-profile breaches and attacks affected Trust Wallet, Higham Lane School, the Illinois Department of Human Services, Brightspeed, Covenant Health, Kyowon Group, and Sedgwick Government Solutions, each highlighting a different failure point, from credential misuse and third-party exposure to ransomware-driven operational paralysis.
Consumer brands were equally in the crosshairs. Incidents involving Under Armour, Nike, and Crunchbase reinforced how valuable customer data, brand trust, and digital platforms have become prime targets for attackers.
In this January 2026 cyber attack compilation, we break down what happened, how attackers gained access, and—most importantly—the lessons organisations can draw to strengthen their incident readiness, detection capabilities, and response strategies in an increasingly hostile threat landscape.
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| January 02, 2026 | LastPass | Cryptocurrency theft attacks traced to 2022 LastPass breach | Unknown | Ongoing cryptocurrency thefts traced to the 2022 LastPass breach have seen attackers slowly decrypt stolen encrypted vaults, extract private keys and seed phrases, and drain victims’ wallets of millions in crypto, allegedly laundered via Russian-linked exchanges. | Source: Bleeping Computer |
| January 02, 2026 | Indian government, academic and strategic institutions | Pakistan-linked hackers target Indian government, universities in new spying campaign | APT36 | A Pakistan-linked cyber-espionage campaign by the APT36 threat actor targeted Indian government, academic and strategic institutions with spear-phishing malware to gain remote control and steal sensitive information. | Source: The Record |
| January 03, 2026 | Resecurity | Hackers claim to hack Resecurity; firm says it was a honeypot | Scattered Lapsus Hunters group | Hackers linked to the Scattered Lapsus Hunters group claimed to have breached Resecurity and stolen data. The company, however, said the activity was limited to a controlled honeypot environment and that no real systems or customer data were affected. | Source: Bleeping Computer |
| January 03 and 21, 2026 | Illinois/Minnesota Department of Human Services | Two DHS (Human Services) system failures expose personal data of nearly one million people | Unknown | The first incident involved a misconfigured Illinois DHS system that exposed sensitive public assistance data online. In a separate Minnesota case, excessive internal access led to improper disclosure of personal and financial information; the two incidents affected nearly one million people in total. | |
| January 05, 2026 | Ledger and Global-e | Crypto wallet shop Ledger confirms customer data lifted in Global-e snafu | Unknown | The breach involving Ledger and its e-commerce partner Global-e exposed customer names, contact details and order information, which was later used in phishing campaigns; no crypto assets, wallets or recovery phrases were compromised. | |
| January 05, 2026 | ShareFile, Nextcloud and OwnCloud | Cloud file-sharing sites targeted for corporate data theft attacks | Zestix | A threat actor known as Zestix has been selling corporate data stolen from dozens of companies after breaching their cloud file-sharing platforms (ShareFile, Nextcloud and OwnCloud) using stolen credentials, leaving many organisations exposed to data theft and industrial espionage. | Source: Bleeping Computer |
| January 06, 2026 | Brightspeed | Hackers claim to disconnect Brightspeed customers after breach | Crimson Collective | Hackers claiming to be the Crimson Collective allegedly breached US broadband provider Brightspeed’s systems, exposing sensitive personal and account data of over 1 million customers and threatening service disruptions, prompting an ongoing investigation into the potential cyber attack. | |
| January 07, 2026 | Spanish airline Iberia | Spanish airline Iberia attributes recent data breach claims to November incident | Zestix | Spanish airline Iberia said that data allegedly stolen and shared by the threat actor Zestix came from a November breach, included technical and customer information, and was linked to a previous supply chain compromise rather than a newly uncovered attack. | Source: The Record |
| January 10, 2026 | BreachForums | Infamous BreachForums forum breached, spilling data on 325K users | “James” (posted the data on a site associated with the ShinyHunters extortion gang) | BreachForums, a long-running cybercrime forum, suffered a data breach that exposed account details for about 324,000 users, undermining the anonymity of its community and potentially aiding investigations against its participants. | Source: The Register |
| January 11, 2026 | Instagram | Instagram denies breach amid claims of 17 million account data leak | Unknown | Instagram said it fixed a bug that allowed external parties to request mass password reset emails and denied any new data breach affecting 17 million accounts, even though a large dataset of user information was being shared online. | Source: Bleeping Computer |
| January 14, 2026 | Canadian Investment Regulatory Organization | CIRO says about 750K people’s data affected by cybersecurity incident | Unknown | A major data breach at the Canadian Investment Regulatory Organization exposed sensitive personal and financial information of about 750,000 Canadian investors in a phishing-related cyber attack, though no specific threat actor has been publicly identified. | |
| January 21, 2026 | Online retailer PCComponentes | Online retailer PCComponentes says data breach claims are fake | Unknown | Online retailer PCComponentes said that claims of a data breach affecting its customers were false and that its systems were not compromised; no specific threat actor was linked to the alleged incident. | Source: Bleeping Computer |
| January 22, 2026 | Under Armour | Under Armour looking into data breach affecting customers’ email addresses | Unknown | Under Armour investigated a data breach from late last year that exposed about 72 million customers’ email addresses and other personal information, but said there was no evidence that passwords, financial information or core systems were compromised. | |
| January 24, 2026 | Nike | Nike probing potential security incident as hackers threaten to leak data | WorldLeaks | Nike investigated a potential security breach after the cybercrime group WorldLeaks claimed it had stolen and posted about 1.4 terabytes of internal data from the company’s systems. | Source: Security Week |
| January 24, 2026 | Crunchbase | Crunchbase confirms data breach after hacking claims | ShinyHunters | Crunchbase confirmed a data breach after the cybercrime group ShinyHunters claimed it had stolen more than two million records containing personal and business information from its systems and posted part of the stolen data online, creating potential risks for users and companies listed on the platform. | Source: Security Week |
| January 28, 2026 | Polish energy grid operators | Cyber attack on Poland’s power grid hit around 30 facilities, new report says | Electrum | A coordinated cyber attack in late December 2025 hit around 30 sites linked to Poland’s energy grid, disrupting operational technology and damaging key equipment. Researchers attributed the operation to the Russia-linked threat actor Electrum with medium confidence; no widespread power outages resulted. | Source: The Record |
| January 30, 2026 | Bumble and Match Group | Bumble and Match dating apps hit by cyber attacks | ShinyHunters | The ShinyHunters cybercrime group claimed to have breached the dating apps Bumble and Match Group and leaked internal documents, including some customer and corporate information, while both companies said that user login credentials, financial information and core profile data were not accessed. | Source: The Record |
|
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| January 02, 2026 | Covenant Health | Nearly 480,000 impacted by Covenant Health data breach | Qilin Ransomware | The ransomware attack on Covenant Health exposed sensitive personal and medical data of about 478,188 patients and disrupted hospital operations. | |
| January 02, 2026 | Sedgwick Government Solutions | Sedgwick confirms cyber incident affecting its major federal contractor subsidiary | TridentLocker Ransomware | The ransomware attack against Sedgwick Government Solutions led to about 3.4 gigabytes of data being stolen from an isolated file transfer system and exposed sensitive information. The attack was claimed by the TridentLocker ransomware gang. | Source: The Record |
| January 13, 2026 | Kyowon Group | Kyowon Group in South Korea hit by suspected ransomware attack | Unknown | A suspected ransomware attack on South Korean education company Kyowon Group disrupted internal systems and prompted incident response efforts; investigations continued and no specific threat actor had been publicly identified. | Source: The Record |
| January 27, 2026 | SoundCloud | SoundCloud data breach impacts 29.8 million accounts | ShinyHunters | SoundCloud suffered a breach that exposed personal and contact information for about 29.8 million user accounts. The breach was carried out by the ShinyHunters extortion group, which later tried to extort the company. | |
| January 29, 2026 | Marquis Health’s SonicWall cloud backup | Marquis blames ransomware breach on SonicWall cloud backup hack | Unknown | Marquis Health attributed a ransomware breach to a compromise of its SonicWall cloud backup systems, which allowed attackers to encrypt data and disrupt operations at its facilities. Although the specific ransomware group was not publicly confirmed, the incident exposed weaknesses in third-party backup protections. | Source: Bleeping Computer |
|
| Date | Victim | Summary | Threat Actor | Business Impact | Source Link |
|---|---|---|---|---|---|
| January 02, 2026 | Trust Wallet | Trust Wallet links $8.5 million crypto theft to Shai-Hulud NPM attack | Shai-Hulud NPM Malware | Trust Wallet suffered a supply chain cyber attack tied to the Shai-Hulud npm malware campaign, which was used to publish a malicious browser extension and drain about 8.5 million USD in cryptocurrency from over 2,500 wallets; the activity was attributed to the Shai-Hulud threat actor. | Source: Bleeping Computer |
| January 05, 2026 | Higham Lane School | Cyber attack forces British high school to close | Unknown | A cyber attack on Higham Lane School in central England disabled the school’s IT systems, forced the shutdown of operations and delayed reopening for around 1,500 students, though no specific threat actor has been publicly identified. | Source: The Record |
| January 06, 2026 | Windows Blue Screen of Death (BSOD) | ClickFix attack uses fake Windows BSOD screens to push malware | PHALT#BLYX | The ClickFix social engineering campaign, tracked as PHALT#BLYX, used fake Windows BSOD screens to trick users, especially in the hospitality sector, into running malicious commands that delivered remote access malware such as DCRat, giving attackers control of infected systems. | Source: Bleeping Computer |
| January 14, 2026 | AZ Monica Hospital | Cyber attack forces Belgian hospital to transfer critical care patients | Unknown | A cyber attack on the AZ Monica hospital network in Belgium forced it to shut down all servers, cancel scheduled procedures, transfer seven critical patients to other facilities and operate at reduced emergency capacity while authorities investigated the incident. | Source: The Record |
| January 16, 2026 | Anchorage police | Anchorage police takes servers offline after third-party attack | Unknown | Anchorage police took its servers offline after a cyber attack on a third-party service provider disrupted access to systems and data for the department; no specific threat actor has been publicly identified in relation to the incident. | Source: The Record |
| January 22, 2026 | Zendesk | Zendesk ticket systems hijacked in massive global spam wave | Unknown | Attackers hijacked a large number of Zendesk ticketing systems around the world to send massive waves of spam and phishing messages, potentially putting users at risk of fraud and credential theft; no specific threat actor was publicly identified. | Source: Bleeping Computer |
| January 22, 2026 | Fortinet FortiGate | Hackers breach Fortinet FortiGate devices; steal firewall configs | Unknown | Attackers exploited vulnerabilities in Fortinet FortiGate devices to breach them and steal firewall configuration files, potentially exposing network security settings. | Source: Bleeping Computer |
| January 23, 2026 | Dresden State Art Collections | Cyber attack disrupts digital systems at renowned Dresden museum network | Unknown | A cyber attack on the Dresden State Art Collections disrupted major parts of the museum network’s digital systems, including online services and internal operations, while the museums remained open; no threat actor has been publicly identified. | Source: The Record |
| January 26, 2026 | BGP routing protocol | Cloudflare misconfiguration behind recent BGP route leak | None (misconfiguration) | Cloudflare explained that a misconfiguration in its network caused a BGP route leak that disrupted IPv6 traffic and led to congestion and packet loss for some networks; no threat actor was involved. | Source: Bleeping Computer |
| January 26, 2026 | Telnet servers | Nearly 800,000 Telnet servers exposed to remote attacks | Unknown | Researchers found that nearly 800,000 Telnet servers around the world were exposed to remote attacks because of weak default credentials and poor configuration, allowing attackers to gain unauthorized access and potentially control affected devices; no specific threat actor was identified in the report. | Source: Bleeping Computer |
| January 27, 2026 | SmarterMail servers | Over 6,000 SmarterMail servers exposed to automated hijacking attacks | Unknown | Over 6,000 SmarterMail servers were found exposed to automated account hijacking attacks due to misconfigurations and vulnerabilities, allowing attackers to take over email accounts and potentially access sensitive communications. | Source: Bleeping Computer |
| January 27, 2026 | Amadeus Software Labs | Rs 87 crore data theft reported at Bengaluru IT firm; case filed against ex-employee | Allegedly an ex-employee | A data theft incident at the Bengaluru IT firm Amadeus Software Labs saw sensitive information worth about Rs 87 crore taken by a former employee, allegedly using unauthorised access to systems. No external threat actor has been publicly identified beyond the accused ex-staff member. | |
| January 27, 2026 | Delta (Russian security and alarm systems provider) | Russian security and alarm company Delta hit by cyber attack | Unknown | A cyber attack on the Russian security and alarm systems provider Delta disrupted services for tens of thousands of customers, causing malfunctions in home and vehicle alarm systems. The company said the attack was carried out by a hostile foreign state, although no specific threat actor name was publicly confirmed. | Source: The Record |
| January 28, 2026 | eScan | eScan confirms update server breached to push malicious update | Unknown | Security vendor eScan confirmed that its update server was breached and used to distribute a malicious update containing malware to customers. Researchers said the activity was linked to the RATANKBA malware, though no specific threat actor group has been publicly named. | Source: Bleeping Computer |
| January 29, 2026 | Kolomensky Bakery (a major bread producer in Russia) | Cyber attack on Russian bread factory disrupts supply | Unknown | A cyber attack on a major Russian bread factory’s computer systems forced production slowdowns and interrupted the distribution of bread and baked goods to retailers, causing supply disruptions for customers and highlighting vulnerabilities in the plant’s operational technology and IT infrastructure. | Source: The Record |
|
| New Malware | Summary |
|---|---|
| GlassWorm malware | A new macOS malware named GlassWorm emerged that spread through trojanized crypto wallet applications and malicious developer extensions to steal credentials, browser data and crypto assets. It was attributed to the GlassWorm threat actor. |
| Phishify malware | A new malware-as-a-service offering emerged that promised to create and distribute phishing extensions on the Chrome Web Store to help criminals steal credentials and bypass security protections. |
| ClickFix campaign | A new ClickFix campaign was observed abusing trusted Windows App-V scripts to trick users into running commands that ultimately delivered the Amatera infostealer malware; no specific CVE vulnerability was involved in this technique. |
| HiddenAdsBot | A new Android malware called HiddenAdsBot was spotted that uses artificial intelligence to automatically click on hidden browser ads in the background to generate fraudulent ad revenue, potentially wasting device resources and data. |
| Amatera infostealer malware | A fake ad blocker extension used in ClickFix attacks was found to crash users’ browsers and trick them into executing malicious actions that ultimately delivered the Amatera infostealer malware to compromised systems. |
| Tsundere Bot | Hackers have started using a new initial access tool called Tsundere Bot to gain entry into networks and support subsequent ransomware attacks by automating credential theft and persistence efforts. |

Source: Bleeping Computer, Recorded Future News
|
| Date | New Flaws/Fixes | Summary |
|---|---|---|
| January 02, 2026 | CVE-2020-12812 | Over 10,000 Internet-exposed Fortinet firewalls remain vulnerable to active two-factor authentication bypass attacks exploiting this critical flaw, allowing attackers to log in without the second factor and potentially compromise network defences. |
| January 06, 2026 | CVE-2026-0625 | A newly discovered critical command injection vulnerability in legacy D-Link DSL routers is being actively exploited in the wild, allowing unauthenticated attackers to execute remote commands and potentially take control of affected devices. |
| January 07, 2026 | CVE-2025-4549 and CVE-2025-4550 | A set of newly disclosed Veeam backup server vulnerabilities could allow unauthenticated attackers to execute remote code on exposed Veeam servers if exploited successfully. |
| January 09, 2026 | CVE-2025-6694 | A critical remote code execution flaw in the Trend Micro Apex Central console was fixed by the vendor because it could allow unauthenticated attackers to execute arbitrary code on affected management servers if exploited. |
| January 21, 2026 | CVE-2025-7890 | A critical flaw in the Advanced Custom Fields WordPress plugin allowed hackers to gain administrator access on more than 50,000 WordPress sites by exploiting inadequate input validation. |
| January 21, 2026 | CVE-2025-4697 | A set of security bugs in the Chainlit AI framework allowed attackers to escape sandbox protections and compromise cloud environments running vulnerable instances. |
| January 21, 2026 | CVE-2026-20274 | A critical remote code execution flaw in Cisco Unified Communications Manager was fixed after it was actively exploited; it allows attackers to execute arbitrary code on vulnerable systems if left unpatched. |
| January 21, 2026 | CVE-2025-12825 | A recently patched vulnerability in Fortinet FortiGate firewalls was being exploited by attackers to breach devices even after patches were applied, allowing unauthorized access to firewall systems and exposing network defences to risk. |
| January 21, 2026 | CVE-2025-5678 | GitLab warned that multiple high-severity two-factor authentication bypass and denial-of-service flaws, including CVE-2025-5678, could allow attackers to bypass 2FA or take GitLab instances offline if they were not patched. |
| January 26, 2026 | CVE-2025-38067 | Microsoft patched an actively exploited zero-day vulnerability in Office that allowed attackers to execute arbitrary code via malicious Office documents. |
| January 26, 2026 | CVE-2026-20860 | A critical VMware remote code execution flaw in the VMware Aria Suite (vRealize Operations and vRealize Log Insight) was reported by CISA as being actively exploited in the wild, allowing attackers to run arbitrary code on vulnerable systems if not patched. |
| January 27, 2026 | CVE-2025-3421 | A critical security flaw in the popular vm2 NodeJS library was discovered that allowed attackers to escape the sandbox environment and run arbitrary code on affected systems. |

Source for the above table: Bleeping Computer, Recorded Future
|
| News Type | Summary |
|---|---|
| Report | Jaguar Land Rover’s third-quarter wholesale volumes plunged about 43 percent due to production disruptions and delayed global distribution following a September 2025 cyber attack that also forced shutdowns and contributed to financial losses. |
| Report | China’s cyber attacks on Taiwan’s energy sector increased about tenfold over a recent period, as reported by Taiwanese authorities, highlighting a sharp rise in hostile cyber activity aimed at critical infrastructure. |
| Report | The UK government announced a plan to strengthen public sector cyber defences by investing in improved cybersecurity capabilities, increased training and better incident response to protect against rising cyber threats. |
| Report | OwnCloud reported that increased credential theft incidents have prompted it to urge users to enable multi-factor authentication, after attackers used stolen logins to gain unauthorized access to cloud file-sharing accounts and data. |
| Report | A sophisticated China-linked threat actor tracked by researchers as UAT-7290 has been breaching telecommunications providers by exploiting vulnerabilities in edge network devices and weak access controls to gain unauthorized access and establish persistent malware footholds. |
| Report | A man from Illinois was formally charged by law enforcement for breaking into hundreds of Snapchat accounts without authorization, where he accessed and stole private nude photos and videos from the victims and then allegedly shared or trafficked the stolen intimate content online, prompting criminal and possibly federal charges for computer hacking and invasion of privacy. |
| Report | Hackers exploited misconfigured proxy servers to bypass access controls and tap into paid large language model services without authorization, potentially using those resources for their own benefit and exposing weaknesses in how these services are protected. |
| Report | The European Union moved to overhaul its cybersecurity rules to strengthen protection of critical infrastructure by reducing reliance on high-risk foreign suppliers in communication and technology supply chains and tightening ICT security standards. |
| Report | Hackers took advantage of security testing applications to breach several Fortune 500 companies by abusing the trust these tools had in corporate networks to gain unauthorized access and compromise systems. |
| Report | People are still getting successfully phished because attackers are using increasingly clever and human-like techniques to trick users into revealing sensitive information. |
| Report | Fake LastPass phishing emails were circulating that spoofed password vault backup alerts in an attempt to trick users into revealing their login credentials and compromise their accounts. |
| Report | A mistake by the INC ransomware group in how they handled their operations allowed victims from about a dozen US organizations to recover encrypted data without paying ransom, because decryption materials were exposed or flawed. |

Sources: Bleeping Computer, Recorded Future News