January 2026 Cybersecurity News Digest


Check the cybersecurity news digest from the first month of 2026!

1. Nike launches data breach investigation after claim of over 1.4 terabytes exfiltrated by ransomware group

Sportswear giant Nike is investigating a potential cybersecurity incident after the ransomware group WorldLeaks claimed to have breached the company. The group announced on January 22, 2026, that it had exfiltrated over 1.4 terabytes of data and threatened to release it unless its ransom demands were met. Nike has acknowledged the claim and indicated that it is currently looking into it. However, the company has shared limited information and has not confirmed whether any customer data has been compromised.

WorldLeaks claims that the stolen data includes internal documentation, customer information, employee credentials, and supply chain records. Initial reports suggest approximately 481,183 user accounts, 220 employee records, and 444 third-party credentials might have been exposed.

The group, which rebranded from Hunters International in January 2025, focuses on data theft without file encryption, enabling faster attacks. WorldLeaks has reportedly affected more than 116 victims, including notable targets such as Dell Technologies, from which the group supposedly extracted 1.3 terabytes of information.

WorldLeaks typically gains access through phishing, compromised websites, VPNs lacking MFA and unpatched applications. This incident follows a similar breach at Under Armour, raising questions about a possible connection between the two. Security experts recommend implementing mandatory multi-factor authentication for remote access points.

2. 16 deceptive Chrome extensions masquerading as ChatGPT enhancements steal ChatGPT logins

Researchers have identified a serious security threat targeting ChatGPT users through 16 malicious Chrome extensions disguised as legitimate productivity tools. These extensions steal session authentication tokens, allowing attackers complete access to users' ChatGPT accounts and conversations. They use convincing branding to trick users into installing them from the official Chrome Web Store. The nearly identical malicious code suggests that they originate from one source.

The malware monitors outgoing traffic, extracts authorisation headers, and sends the tokens to attacker-controlled servers, enabling full impersonation of users and access to all ChatGPT conversations, stored data, Google Drive, Slack, and GitHub. The extensions also collect additional data, increasing the potential for long-term access. With around 900 installations noted, experts warn that users should treat AI-related browser extensions as high-risk and implement monitoring and restrictive policies on third-party tools.

3. ShinyHunters group targets over 100 major companies, including Canva, Atlassian, and Epic Games

A significant identity-theft operation is targeting over 100 high-value organisations across various industries, employing real people to call employees while simultaneously using fake login pages that mimic actual company systems. The attackers aim to steal credentials and security tokens from Okta and other single sign-on services, enabling access to all applications within the organisation.

They utilise a “live phishing panel” to capture login information and bypass multi-factor authentication. Major targets include Canva, Atlassian, Epic Games, and various financial institutions and healthcare providers. The attackers conduct voice phishing (vishing) by impersonating IT staff to request password resets or system access, manipulating fake login pages to deceive victims.

Once initial access is obtained, the stolen single sign-on session acts like a “skeleton key,” granting further access to internal systems like Slack or Teams. From there, they impersonate employees to gain higher privileges, leading to data theft and extortion. Attackers demand ransom while threatening to publish stolen data or encrypt enterprise systems to pressure for payment.

4. 149 million unique logins from Instagram, Gmail and other major platforms leaked online

A massive database containing 149 million stolen login credentials was found online without any access protection. It included 149,404,754 unique logins from major platforms like Gmail, Facebook, and Netflix, exposing users to credential-stuffing attacks. Each record included an email address, username, password, and the exact login URL the credentials belong to.

Key statistics revealed that 48 million Gmail and 17 million Facebook accounts were compromised, along with numerous others from various services. The database also contained sensitive information from .gov domains, banking logins, and cryptocurrency accounts.

Despite efforts to get it taken down, the database remained accessible for almost a month and grew in size during that period. Security experts recommend that users install antivirus software, enable two-factor authentication, use password managers, and monitor their accounts for unauthorised access. Immediate action is advised for anyone who suspects their device is infected.
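Credential stuffing like the campaign described above leaves a characteristic trace in authentication logs: one source address cycling through many different usernames in a short time, occasionally scoring a success. The following detector is an added example written for this digest, not code from the original article; it assumes a simple one-line-per-attempt log format (timestamp, ip, user, result) and runs over a handful of constructed log lines. The important output is not the noisy source itself but the list of accounts that succeeded from it, since those are the credentials that need to be reset.

```python
"""Flag credential-stuffing sources in authentication logs (added example).

Assumed log format (constructed for this example, not a real product's format):
    <ISO8601 UTC timestamp> ip=<addr> user=<name> result=FAIL|SUCCESS
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines. 203.0.113.7 tries six different users within
# seconds and gets one success; 198.51.100.9 is a single user retrying a password.
SAMPLE_LOGS = [
    "2026-01-10T08:00:01Z ip=203.0.113.7 user=alice result=FAIL",
    "2026-01-10T08:00:02Z ip=203.0.113.7 user=bob result=FAIL",
    "2026-01-10T08:00:03Z ip=203.0.113.7 user=carol result=FAIL",
    "2026-01-10T08:00:04Z ip=203.0.113.7 user=dave result=FAIL",
    "2026-01-10T08:00:05Z ip=203.0.113.7 user=erin result=SUCCESS",
    "2026-01-10T08:00:06Z ip=203.0.113.7 user=frank result=FAIL",
    "2026-01-10T08:05:00Z ip=198.51.100.9 user=alice result=FAIL",
    "2026-01-10T08:05:30Z ip=198.51.100.9 user=alice result=FAIL",
    "2026-01-10T08:06:00Z ip=198.51.100.9 user=alice result=SUCCESS",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "user": m["user"], "result": m["result"]}


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_users=5):
    """Return {ip: {"distinct_users": n, "compromised_logins": [...]}} for every
    source that attempted at least `min_users` different usernames inside any
    sliding `window`. Successful logins inside such a window are the accounts
    whose leaked password evidently still works."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window is no wider than `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            users = {e["user"] for e in span}
            if len(users) >= min_users:
                f = findings.setdefault(ip, {"distinct_users": 0, "compromised_logins": set()})
                f["distinct_users"] = max(f["distinct_users"], len(users))
                f["compromised_logins"].update(
                    e["user"] for e in span if e["result"] == "SUCCESS"
                )
    for f in findings.values():
        f["compromised_logins"] = sorted(f["compromised_logins"])
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(SAMPLE_LOGS).items():
        print(f"{ip}: {info['distinct_users']} usernames tried, "
              f"successful logins to reset: {info['compromised_logins']}")
```

Thresholds are deliberately parameters: a shared corporate NAT address will legitimately show many usernames per hour, so in production the window and the minimum user count are tuned per network, and a success from a flagged source is what should page someone.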

5. Cybercriminals exploit LinkedIn to unleash remote access trojan in corporate environments

A phishing campaign is exploiting LinkedIn to distribute a remote access trojan targeting corporate employees. Attackers send convincing messages with links to weaponised WinRAR archives named to match recipients' roles, prompting them to download malicious files.

The attack chain executes rapidly, often completing its malicious objectives within hours. It employs a multi-stage infection mechanism, using DLL sideloading and an in-memory Python script to avoid detection by traditional security tools. Once executed, the malicious code creates a persistent registry key for automatic execution upon user login, allowing attackers ongoing access for various malicious activities. This combination of social engineering and technical exploitation presents significant challenges for organisations to defend against.
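The persistence step in this campaign, a registry key that re-launches the payload at every user login, is also the easiest step to audit. The script below is an added example written for this digest, not code from the original report; it assumes the commonly abused per-user Run key (the article does not name the exact key) and parses the text that `reg export` produces for it, flagging entries that run from user-writable directories or go through script interpreters and living-off-the-land binaries, which is how a sideloaded DLL or an in-memory Python stage typically gets started. The export content is constructed for the example.

```python
"""Audit autostart entries from a `reg export` of the Run key (added example).

Assumption: persistence lives under the per-user Run key, which is the common
case; the original report does not name the key. Real `reg export` output is
UTF-16 with a BOM, so read it with encoding="utf-16" before passing it here.
"""
import ntpath
import re
import shlex

# Constructed sample, shaped like the output of:
#   reg export "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" run.reg
# The three entries are invented: one benign, two worth a closer look.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"Updater"="C:\\Users\\jdoe\\AppData\\Roaming\\svc\\python.exe C:\\Users\\jdoe\\AppData\\Roaming\\svc\\loader.py"
"Helper"="rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\helper.dll,Start"
'''

# Directories a standard user can write to; legitimate autostarts rarely live here.
USER_WRITABLE_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\", "\\programdata\\")
# Interpreters and LOLBins commonly used to launch a sideloaded DLL or script stage.
INTERPRETERS_AND_LOLBINS = {
    "python", "pythonw", "powershell", "pwsh", "wscript", "cscript",
    "mshta", "rundll32", "regsvr32", "certutil", "cmd",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def unescape_reg_string(s):
    # .reg files escape backslashes and double quotes with a backslash.
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def parse_reg_export(text):
    """Yield (key, value_name, command) for every string value in the export."""
    key = None
    for line in text.splitlines():
        line = line.strip()
        km = KEY_RE.match(line)
        if km:
            key = km["key"]
            continue
        vm = VALUE_RE.match(line)
        if vm and key:
            yield key, vm["name"], unescape_reg_string(vm["value"])


def suspicious_reasons(command):
    """Return a list of reasons an autostart command deserves review (empty if none)."""
    reasons = []
    if any(d in command.lower() for d in USER_WRITABLE_DIRS):
        reasons.append("runs from a user-writable directory")
    # posix=False keeps Windows backslashes intact and respects quoted paths.
    for token in shlex.split(command, posix=False):
        exe = ntpath.basename(token.strip('"')).lower()
        stem = exe[:-4] if exe.endswith(".exe") else exe
        if stem in INTERPRETERS_AND_LOLBINS:
            reasons.append(f"invokes interpreter/LOLBin: {stem}")
    return reasons


def audit_run_keys(text):
    """Return the entries that match at least one heuristic, with their reasons."""
    findings = []
    for key, name, command in parse_reg_export(text):
        reasons = suspicious_reasons(command)
        if reasons:
            findings.append({"key": key, "name": name, "command": command, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_run_keys(SAMPLE_REG):
        print(f"[{f['key']}] {f['name']}: {f['command']}\n    -> {', '.join(f['reasons'])}")
```

The heuristics are intentionally coarse; a hit is a prompt to look at the file on disk and its signer, not a verdict. The same parser works unchanged on an export of the HKLM Run key or the RunOnce keys.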

6. Microsoft January 2026 Patch Tuesday

Microsoft's January 2026 Patch Tuesday addresses 114 vulnerabilities, including three zero-day vulnerabilities and several critical remote code execution flaws. The security update covers a wide range of products and services, including Office applications and Windows components such as LSASS. Users are advised to update their software immediately.

7. Deceptive Chrome extension plunders wallet login credentials and activates automated trading

A malicious Chrome extension called MEXC API Automator is designed to steal cryptocurrency trading access from MEXC users. It poses as a tool for automating trading and API key creation, allowing it to take control of newly created API keys during the user's session on MEXC's API management page.

The extension can create keys with broad permissions, trigger trades, and enable withdrawals without needing to steal passwords, focusing instead on API keys, which are often reused and less closely monitored. Once a new key is created, the extension exfiltrates it to a Telegram bot.

The extension uses a content script to automatically select all permissions, including withdrawals, while visually masking this action from the user. It ensures that even when the withdrawal option appears disabled, it remains active on the server side. The keys are then scraped and sent to the attacker, allowing them to drain accounts without alerting the user until it's too late.

Hope your systems will stay safe in 2026! If you need help, contact us for expert advice!
