
Cybersecurity Week in Review: January 27, 2026 – February 2, 2026

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches

Panera Bread: 14 Million Customer Records Leaked

A significant breach struck Panera Bread, a major North American restaurant chain, with hackers claiming to have leaked 14 million customer and employee records. The ShinyHunters cybercrime group took responsibility, posting the data on a dark web forum. The exposed information includes full names, email addresses, phone numbers, home addresses, and dates of birth. The breach presents serious risks of identity theft, fraudulent account creation, and targeted phishing attacks. Cybernews researchers confirmed the authenticity of the data sample and highlighted the potential for social engineering campaigns using the leaked information. Panera Bread has not yet issued a detailed public response, but the scale and sensitivity of the data make this one of the most impactful breaches of the week [1].

  • Organization: Panera Bread (US/Canada)
  • Data Exposed: Names, emails, phone numbers, addresses, dates of birth
  • Threat Actor: ShinyHunters
  • Discovery Date: January 27, 2026
  • Risks: Identity theft, phishing, fraud

Nike: 1.4TB of Internal Data Exfiltrated

Nike disclosed an ongoing investigation into the unauthorized extraction of approximately 1.4 terabytes of internal data. While the company has not confirmed whether customer data was involved, the breach likely includes internal business documents, employee records, technical documentation, and system files. The incident points to sustained access rather than a one-off intrusion, raising concerns about long-term operational and regulatory impacts. The exact entry point and scope remain under investigation [2].

  • Organization: Nike
  • Data Exposed: Internal documents, employee records, technical files
  • Discovery Date: Late January 2026
  • Risks: Operational disruption, regulatory scrutiny, future attacks

NationStates: Game Platform Data Breach

NationStates, a popular multiplayer browser-based game, confirmed a data breach after taking its website offline to investigate a security incident. Details on the nature and scope of the breach are still emerging, but the platform’s shutdown highlights the seriousness of the event [3].

  • Organization: NationStates
  • Impact: Website offline, data breach confirmed
  • Discovery Date: Late January 2026

Significant Cyberattacks

ShinyHunters’ Expanding Campaigns

The ShinyHunters group, already responsible for the Panera Bread breach, has reportedly expanded its extortion and data theft campaigns to other SaaS and consumer platforms. Their tactics include large-scale data exfiltration and public leaks to pressure organizations into ransom payments. The group’s activity underscores the growing threat of cybercriminal collectives targeting high-profile brands [1].

Russian APT28 Exploits Microsoft Office Zero-Day

Within 24 hours of Microsoft’s disclosure of a critical Office zero-day (CVE-2026-21509), Russian state-sponsored group APT28 launched targeted attacks against Ukrainian government agencies and European Union institutions. The attackers used malicious documents to deliver the Covenant backdoor, exploiting the vulnerability to establish persistence and exfiltrate sensitive data. CERT-UA detected the campaign almost immediately after Microsoft’s advisory, highlighting the speed and sophistication of modern nation-state actors [4].

  • Threat Actor: APT28 (Russia)
  • Target: Ukrainian and EU government agencies
  • Attack Vector: Malicious Office documents exploiting CVE-2026-21509
  • Payload: Covenant backdoor

Security researchers identified two new threats this week:

  • VoidLink: A Linux-focused malware written in Zig, targeting cloud environments (Docker, Kubernetes, AWS, GCP). It uses advanced evasion techniques and can remove traces of its presence, targeting sensitive files and attempting container escapes.
  • CoGUI: A phishing kit primarily targeting Japan, using geofencing and header fingerprinting to evade detection. It impersonates major brands and government agencies but does not capture MFA credentials [5].

Critical Vulnerabilities

Microsoft Office Zero-Day (CVE-2026-21509)

Microsoft issued an emergency out-of-band patch for CVE-2026-21509, a high-severity security feature bypass in Office (CVSS 7.8). The flaw allows attackers to bypass OLE mitigations via specially crafted files. Exploitation requires user interaction (opening a malicious file), but the Preview Pane is not an attack vector. The vulnerability was actively exploited in the wild, with APT28 leveraging it for targeted attacks. Microsoft recommends immediate patching and registry changes for affected Office versions [6][4].

  • Affected Products: Office 2016, 2019, 2021, Microsoft 365
  • Patch: Out-of-band update, registry mitigation
  • Attack Vector: Malicious Office files

Ivanti Endpoint Manager Mobile (CVE-2026-1281)

A critical vulnerability (CVSS 9.8) in Ivanti Endpoint Manager Mobile allows unauthenticated remote attackers to execute OS commands via HTTP requests, potentially granting full system access. Organizations are urged to patch immediately [5].

Keycloak SSRF (CVE-2026-1518)

A low-severity flaw in Red Hat’s Keycloak allows highly privileged attackers to perform blind server-side request forgery (SSRF) by manipulating backchannel notification endpoints. Exploitation requires administrative access, and mitigation involves restricting admin privileges [7].

Oracle Critical Patch Update

Oracle released a critical patch update addressing 337 new security vulnerabilities across its product lines, including MySQL, JD Edwards, and Fusion Middleware. Customers are strongly advised to apply patches promptly to prevent exploitation [8].

Government Responses

CISA and International Advisories

  • CISA Alerts: The US Cybersecurity and Infrastructure Security Agency (CISA) added several new vulnerabilities to its Known Exploited Vulnerabilities Catalog, including the Microsoft Office zero-day and a Fortinet authentication bypass (CVE-2026-24858). CISA continues to issue rapid alerts and guidance for organizations to mitigate these threats [9].
  • EU Cybersecurity Initiatives: The European Commission proposed a new cybersecurity package to strengthen ICT supply chains and expand ENISA’s role in threat alerts and incident response. The EU and India also signed a partnership to deepen cooperation on cyber defense and threat intelligence sharing [10].
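As an added example (not part of the original roundup or of any CISA tooling), a defender-side triage script that cross-checks the CVEs named this week against a feed in the CISA KEV JSON layout, ordering the KEV-listed ones by remediation due date and flagging the rest for vendor-based triage. The KEV entries, due dates and Fortinet product name in the sample are constructed placeholders, not CISA's data; only the feed URL in the comment is the real one.

```python
"""Cross-check this week's advisory CVEs against a CISA KEV-style feed.

Added example, not from the original post. The layout mirrors the real KEV
JSON (a "vulnerabilities" list with cveID, vendorProject, product, dateAdded,
dueDate, requiredAction); the entries below are CONSTRUCTED for offline use
and the due dates are placeholders, not CISA's published deadlines.
"""
import json
from datetime import date

# Constructed sample in the KEV feed shape. The live feed is published at:
# https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
KEV_SAMPLE = json.dumps({
    "title": "constructed sample, not the CISA catalog", "count": 2,
    "vulnerabilities": [
        {"cveID": "CVE-2026-21509", "vendorProject": "Microsoft", "product": "Office",
         "dateAdded": "2026-01-27", "dueDate": "2026-02-17",
         "requiredAction": "Apply mitigations per vendor instructions"},
        {"cveID": "CVE-2026-24858", "vendorProject": "Fortinet",
         "product": "PLACEHOLDER (product not named in the roundup)",
         "dateAdded": "2026-01-29", "dueDate": "2026-02-19",
         "requiredAction": "Apply mitigations per vendor instructions"},
    ],
})

# CVEs named in this week's roundup and the products they affect.
WEEKLY_CVES = {
    "CVE-2026-21509": "Microsoft Office",
    "CVE-2026-1281": "Ivanti Endpoint Manager Mobile",
    "CVE-2026-1518": "Keycloak",
    "CVE-2026-24858": "Fortinet (authentication bypass)",
}


def kev_index(feed_json):
    """Map cveID -> KEV entry for O(1) lookup."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def prioritize(cves, feed_json, today_iso):
    """Return ([(cve, product, days_until_due), ...] most urgent first,
    [cves not in KEV]) so the KEV-listed items go to the top of the patch queue."""
    kev = kev_index(feed_json)
    today = date.fromisoformat(today_iso)
    listed, unlisted = [], []
    for cve, product in cves.items():
        entry = kev.get(cve)
        if entry is None:           # not (yet) in KEV: still triage on CVSS/vendor advice
            unlisted.append(cve)
            continue
        days_left = (date.fromisoformat(entry["dueDate"]) - today).days
        listed.append((cve, product, days_left))
    listed.sort(key=lambda t: t[2])  # negative values mean the due date has passed
    return listed, sorted(unlisted)
```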

Threat Advisory: 0APT Ransomware Group

A new ransomware group, 0APT, emerged with claims of widespread attacks. However, analysis suggests the group’s operations are largely unsubstantiated, with most victim claims unverified and no evidence of actual ransomware deployment. Security teams are advised to monitor but not engage with the group’s extortion attempts [11].

Miscellaneous

RSAC 2026: AI and Security Take Center Stage

The RSA Conference 2026 (RSAC) opened with a focus on the intersection of AI, agentic risk, and enterprise security. Industry leaders emphasized the need for practical approaches to AI governance, secure integration of AI into business workflows, and the importance of community-driven solutions. The event highlighted the growing complexity of managing data at scale and the pressure on security teams to adapt to rapid technological change [12].

Upcoming Conferences and Community Events

  • Rocky Mountain Cyberspace Symposium 2026: Focused on “Dominance Through Disruption,” this event brings together industry, academia, and government to discuss emerging tech and cyber defense strategies [13].
  • CISO Events: February and March will see major gatherings of security leaders in Sydney and San Francisco, emphasizing risk, resilience, and leadership in cybersecurity [14].

This week’s roundup demonstrates the relentless pace and evolving sophistication of cyber threats, from high-profile data breaches and nation-state attacks to critical vulnerabilities and global policy responses. Security teams are urged to prioritize patching, enhance detection capabilities, and stay informed through trusted advisories and community events.


Sources: