
Cybersecurity Week in Review: February 3–February 9, 2026

Cyberattacks, data breaches, zero-days, and global responses—discover the biggest cybersecurity headlines of this week.

Major Data Breaches

Iron Mountain Data Breach Claims

Priority: Critical
Headline: Hackers Claim 1.4 TB Theft from Iron Mountain, Major Data Management Company

A Russia-linked threat group, Everest, claims to have stolen 1.4 terabytes of internal documents and client data from Iron Mountain, a leading S&P 500 information management company. The attackers posted screenshots of folder names, suggesting exposure of client data, but have not released downloadable files—a common tactic in ransom negotiations. Iron Mountain confirmed a cybersecurity incident and stated that a single compromised login credential was used to access one folder, primarily containing marketing materials shared with third-party vendors. The company asserts that no customer confidential or sensitive information was involved, and no ransomware was deployed. However, the Everest gang has set a February 11th deadline, and the situation is under ongoing assessment [1].

  • Organization: Iron Mountain (Global)
  • Data Exposed: Alleged internal documents and client data (1.4 TB)
  • Attack Vector: Compromised login credential
  • Discovery Date: February 2–3, 2026
  • Response: Public statement, ongoing investigation

EyeCare Partners Data Breach

Priority: High
Headline: EyeCare Partners Data Breach Impacts SSNs, More; Lawsuit Possible

EyeCare Partners, a large network of ophthalmology and optometry practices across 18 states, began notifying individuals of a data breach that may have exposed names, addresses, dates of birth, Social Security numbers, driver’s license numbers, health plan details, and limited clinical information. The breach was discovered after suspicious activity in an email account in late January 2025, with further investigation revealing unauthorized access to additional accounts between December 2024 and January 2025. Notification letters were sent starting February 3, 2026. Medical records and detailed clinical data were reportedly not affected [2].

  • Organization: EyeCare Partners (USA)
  • Data Exposed: PII, SSNs, health plan details
  • Attack Vector: Email account compromise
  • Discovery Date: Late January 2025 (notifications began February 3, 2026)
  • Response: Notification, legal investigation, credit monitoring

Gladney Center for Adoption Data Breach

Priority: High
Headline: Gladney Center for Adoption Data Breach Exposes Sensitive Information

The Gladney Center for Adoption, a Texas-based non-profit, reported a breach affecting over 3,600 individuals. Sensitive personal and health information, including names, Social Security numbers, dates of birth, driver’s license numbers, email addresses, passwords, and medical information, may have been compromised. The intrusion into Gladney’s network was discovered in February 2025, and a related vulnerability in a third-party system was identified in April 2025. Notification letters were sent to affected individuals on February 3, 2026 [3].

  • Organization: Gladney Center for Adoption (Texas, USA)
  • Data Exposed: PII, PHI, credentials
  • Attack Vector: Network and third-party system vulnerability
  • Discovery Date: February 2025 (notifications sent February 3, 2026)
  • Response: Notification, credit monitoring

Loyola University Maryland Data Breach

Priority: Medium
Headline: Loyola University Maryland Suffers Data Breach

Loyola University Maryland reported unauthorized access to a university email account. The incident was discovered in September 2025 and confirmed as a breach on December 19, 2025; the exposed data includes full names and potentially other sensitive identifiers. The university is offering complimentary credit monitoring to affected individuals. There is no evidence of broader network compromise [4].

  • Organization: Loyola University Maryland (USA)
  • Data Exposed: Names, personal identifiers
  • Attack Vector: Email account compromise (likely phishing)
  • Discovery Date: September 2025 (breach confirmed December 19, 2025; notifications began February 3, 2026)
  • Response: Credit monitoring, investigation

Step Finance Crypto Theft

Priority: High
Headline: Step Finance Loses $40M in Crypto Theft

Step Finance, a DeFi platform on Solana, lost approximately $40 million after hackers compromised devices belonging to company executives. The breach was detected on January 31, 2026, and some assets have been recovered. The attack vector was not fully disclosed, raising suspicions of a potential insider threat. Operations were partially halted for security reinforcement [5].

  • Organization: Step Finance (DeFi, Solana)
  • Assets Lost: Approximately $40M in digital assets
  • Attack Vector: Compromised executive devices
  • Discovery Date: January 31, 2026
  • Response: Asset recovery, investigation, operational pause

Significant Cyberattacks

Notepad++ Supply Chain Attack

Priority: Critical
Headline: Notepad++ Update Mechanism Hijacked by State-Sponsored Hackers

A state-sponsored threat actor, likely linked to Chinese APTs, compromised the update supply chain of Notepad++ for nearly six months, starting June 2025. The attackers hijacked update traffic at the hosting provider level, redirecting targeted users to malicious servers. The campaign selectively targeted users in East Asia’s telecommunications and financial sectors. Notepad++ has since migrated to a new hosting provider and strengthened its update verification process [6].

  • Target: Notepad++ users (global, focus on East Asia)
  • Attack Vector: Supply chain compromise at hosting provider
  • Discovery Date: February 2, 2026 (public disclosure)
  • Response: Update mechanism hardened, cryptographic signing
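The Notepad++ incident is a reminder of what a hosting-level hijack can and cannot do to an update channel. The following is an added example, not Notepad++’s own updater code (this page does not describe its real manifest format or keys): a minimal signed-update check in Go. The manifest layout, the version string and the URL are assumptions for illustration. It demonstrates the property the hardened update process relies on: an attacker who controls only the download host can swap the installer or serve a manifest signed with their own key, but cannot produce a signature that verifies under the public key pinned in the client.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical update descriptor (an assumption for this
// example, not Notepad++'s real format). The client fetches it together
// with a detached signature, then the installer it points at.
type Manifest struct {
	Version string `json:"version"`
	URL     string `json:"url"`
	SHA256  string `json:"sha256"` // hex digest of the installer bytes
}

// signRelease is the publisher side. The private key stays on the
// developer's signing host and never on the download server, so a
// hosting-level compromise cannot mint a valid signature.
func signRelease(priv ed25519.PrivateKey, version, url string, installer []byte) (manifestJSON, sig []byte, err error) {
	sum := sha256.Sum256(installer)
	manifestJSON, err = json.Marshal(Manifest{Version: version, URL: url, SHA256: hex.EncodeToString(sum[:])})
	if err != nil {
		return nil, nil, err
	}
	return manifestJSON, ed25519.Sign(priv, manifestJSON), nil
}

// VerifyUpdate is the client side. It verifies the manifest signature with
// a public key pinned in the client binary, then verifies the installer
// bytes against the hash inside the signed manifest. Everything served by
// the download host is untrusted until both checks pass.
func VerifyUpdate(pub ed25519.PublicKey, manifestJSON, sig, installer []byte) (*Manifest, error) {
	if !ed25519.Verify(pub, manifestJSON, sig) {
		return nil, errors.New("manifest signature invalid: refusing update")
	}
	var m Manifest
	if err := json.Unmarshal(manifestJSON, &m); err != nil {
		return nil, fmt.Errorf("manifest malformed: %w", err)
	}
	sum := sha256.Sum256(installer)
	if hex.EncodeToString(sum[:]) != m.SHA256 {
		return nil, errors.New("installer hash mismatch: refusing update")
	}
	return &m, nil
}

// Outcome records what the client did with a legitimate release and with
// two tampering attempts that need only control of the download host.
type Outcome struct {
	LegitAccepted            bool
	SwappedInstallerRejected bool
	ForgedManifestRejected   bool
}

// RunScenarios builds a constructed release (the installer bytes are a
// stand-in, not a real binary) and replays the two hijack attempts.
func RunScenarios() (Outcome, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	installer := []byte("constructed stand-in for the real installer bytes")
	trojan := []byte("constructed stand-in for a trojanized installer")
	manifest, sig, err := signRelease(priv, "1.2.3", "https://example.invalid/update.exe", installer)
	if err != nil {
		return Outcome{}, err
	}
	var out Outcome

	// 1. Untouched release: signature and hash both check out.
	_, err = VerifyUpdate(pub, manifest, sig, installer)
	out.LegitAccepted = err == nil

	// 2. Host swaps the installer but can only serve the original signed manifest.
	_, err = VerifyUpdate(pub, manifest, sig, trojan)
	out.SwappedInstallerRejected = err != nil

	// 3. Host serves a manifest for the trojan signed with the attacker's own
	//    key; the client's pinned key does not verify it.
	_, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return Outcome{}, err
	}
	forged, forgedSig, err := signRelease(attackerPriv, "1.2.3", "https://example.invalid/update.exe", trojan)
	if err != nil {
		return Outcome{}, err
	}
	_, err = VerifyUpdate(pub, forged, forgedSig, trojan)
	out.ForgedManifestRejected = err != nil

	return out, nil
}

func main() {
	out, err := RunScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", out)
}
```

Two design points matter here. The public key must ship inside the client; if it were fetched from the same download host, a compromised provider could replace key, manifest and installer together and the check would pass. And HTTPS to the download host is not a substitute: when the hijack happens at the hosting provider, the TLS session terminates on infrastructure the attacker already controls, so only a signature made off that infrastructure tells the client anything.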

APT28 Exploits Microsoft Office Zero-Day (CVE-2026-21509)

Priority: Critical
Headline: Russia’s APT28 Rapidly Weaponizes Newly Patched Office Vulnerability

The Russian cyberespionage group APT28 exploited a newly patched Microsoft Office vulnerability (CVE-2026-21509, CVSS 7.8) within days of its disclosure. The flaw allows attackers to bypass security features via malicious Office files. Attacks targeted users in Ukraine, Slovakia, and Romania, using social engineering lures in multiple languages. The campaign delivered malware such as MiniDoor (an Outlook email stealer) and PixyNetLoader (for deploying a Covenant Grunt implant) [7].

  • Target: Central and Eastern Europe (Ukraine, Slovakia, Romania)
  • Attack Vector: Malicious Office files exploiting CVE-2026-21509
  • Discovery Date: January 29, 2026 (first observed)
  • Response: Emergency patching, advisories from CERT-UA and CISA

Google Disrupts IPIDEA Proxy Botnet

Priority: High
Headline: Google Disrupts Massive Residential Proxy Network Used in Cyberattacks

Google took legal and technical action to disrupt the IPIDEA residential proxy network, which had been used as a last-mile link in cyberattack chains. The disruption reduced the available pool of compromised devices by millions, impacting attackers’ ability to conceal malicious traffic and conduct brute-force attacks [8].

  • Target: Global (U.S., Canada, Europe)
  • Attack Vector: Residential proxy network
  • Discovery Date: February 2, 2026 (public disclosure)
  • Response: Domain seizure, sinkholing, public disclosure

Critical Vulnerabilities

Microsoft Office Zero-Day (CVE-2026-21509)

Priority: Critical
Headline: Microsoft Patches Actively Exploited Office Zero-Day Vulnerability

Microsoft released emergency out-of-band updates for CVE-2026-21509, a security feature bypass in Office (CVSS 7.8). The flaw affects Office 2016, 2019, LTSC 2021/2024, and Microsoft 365 Apps for Enterprise. Exploitation requires user interaction with a malicious file. Microsoft recommends immediate patching and additional email filtering [9].

  • CVE: CVE-2026-21509
  • CVSS: 7.8
  • Affected Products: Microsoft Office 2016/2019/LTSC 2021/2024, Microsoft 365 Apps
  • Attack Vector: Malicious Office files
  • Response: Emergency patch, mitigation guidance

Ivanti EPMM Zero-Days (CVE-2026-1281, CVE-2026-1340)

Priority: Critical
Headline: Ivanti’s EPMM Under Active Attack from Two Critical Zero-Days

Attackers are actively exploiting two critical zero-day vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM), CVE-2026-1281 and CVE-2026-1340, both with CVSS 9.8. The flaws allow unauthenticated remote code execution. Over 1,400 potentially vulnerable instances remain exposed. Mass exploitation began shortly after public disclosure, with CISA adding CVE-2026-1281 to its Known Exploited Vulnerabilities catalog [10].

  • CVE: CVE-2026-1281, CVE-2026-1340
  • CVSS: 9.8
  • Affected Products: Ivanti EPMM
  • Attack Vector: Remote code execution, unauthenticated
  • Response: Patching, CISA advisory, incident response

BeyondTrust Remote Support and PRA RCE (CVE-2026-1731)

Priority: Critical
Headline: BeyondTrust Fixes Critical Pre-Auth RCE Vulnerability

BeyondTrust patched a critical pre-authentication remote code execution vulnerability (CVE-2026-1731, CVSS 9.9) in its Remote Support and Privileged Remote Access products. The flaw allows unauthenticated attackers to execute OS commands as the site user. Over 11,000 instances were exposed, with 8,500 on-prem deployments at risk if unpatched. The vulnerability was discovered using AI-enabled variant analysis [11].

  • CVE: CVE-2026-1731
  • CVSS: 9.9
  • Affected Products: BeyondTrust Remote Support ≤25.3.1, PRA ≤24.3.4
  • Attack Vector: OS command injection, pre-auth RCE
  • Response: Emergency patch, upgrade guidance

Government Responses

CISA Adds New Vulnerabilities to KEV Catalog

Priority: High
Headline: CISA Adds Multiple Vulnerabilities to Known Exploited Vulnerabilities Catalog

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added several new vulnerabilities to its KEV catalog, including the actively exploited Office zero-day (CVE-2026-21509) and Ivanti EPMM flaws. Federal agencies are mandated to remediate these vulnerabilities promptly. CISA also released guidance on reducing the attack surface for end-of-support edge devices [12].

  • Agency: CISA (USA)
  • Vulnerabilities: Office CVE-2026-21509, Ivanti EPMM CVE-2026-1281
  • Response: KEV catalog update, remediation mandates, technical guidance
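The practical follow-up to a KEV update is to ask which new entries touch products you actually run and how long remains until the BOD 22-01 due date. The following is an added example, not CISA’s code: a Go check that reads the KEV feed’s JSON layout, keeps entries added during the review window whose vendor or product string matches a local inventory term, and computes the days left to each due date. The struct field names match the published feed (known_exploited_vulnerabilities.json). The embedded catalog is a constructed three-entry sample: the CVE IDs for Office and EPMM come from this roundup, but the dates, vulnerability names and the third entry are placeholders, not the catalog’s real values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Catalog and KEVEntry mirror the field names of CISA's KEV JSON feed;
// fields this check does not need are omitted and ignored by the decoder.
type Catalog struct {
	CatalogVersion  string     `json:"catalogVersion"`
	Vulnerabilities []KEVEntry `json:"vulnerabilities"`
}

type KEVEntry struct {
	CVEID                      string `json:"cveID"`
	VendorProject              string `json:"vendorProject"`
	Product                    string `json:"product"`
	VulnerabilityName          string `json:"vulnerabilityName"`
	DateAdded                  string `json:"dateAdded"`
	DueDate                    string `json:"dueDate"`
	RequiredAction             string `json:"requiredAction"`
	KnownRansomwareCampaignUse string `json:"knownRansomwareCampaignUse"`
}

// Finding is one catalog entry that touches a product in the inventory.
type Finding struct {
	CVEID    string
	Product  string
	DueDate  string
	DaysLeft int // days until the BOD 22-01 due date; negative once overdue
}

// MatchInventory returns entries added on or after since whose vendor or
// product string contains an inventory term (case-insensitive), with the
// remaining days to the due date computed against now.
func MatchInventory(catalogJSON []byte, inventory []string, since, now time.Time) ([]Finding, error) {
	var cat Catalog
	if err := json.Unmarshal(catalogJSON, &cat); err != nil {
		return nil, fmt.Errorf("parse catalog: %w", err)
	}
	var out []Finding
	for _, v := range cat.Vulnerabilities {
		added, err := time.Parse("2006-01-02", v.DateAdded)
		if err != nil {
			return nil, fmt.Errorf("%s: bad dateAdded %q", v.CVEID, v.DateAdded)
		}
		if added.Before(since) {
			continue
		}
		haystack := strings.ToLower(v.VendorProject + " " + v.Product)
		for _, term := range inventory {
			if !strings.Contains(haystack, strings.ToLower(term)) {
				continue
			}
			due, err := time.Parse("2006-01-02", v.DueDate)
			if err != nil {
				return nil, fmt.Errorf("%s: bad dueDate %q", v.CVEID, v.DueDate)
			}
			out = append(out, Finding{
				CVEID:    v.CVEID,
				Product:  v.VendorProject + " " + v.Product,
				DueDate:  v.DueDate,
				DaysLeft: int(due.Sub(now).Hours() / 24),
			})
			break // one finding per entry even if several terms match
		}
	}
	return out, nil
}

// SampleCatalog is a constructed stand-in for the real feed. The Office and
// EPMM CVE IDs are the ones named in this roundup; every date, name and the
// third entry are placeholders rather than catalog values.
const SampleCatalog = `{
  "catalogVersion": "constructed-sample",
  "vulnerabilities": [
    {"cveID": "CVE-2026-21509", "vendorProject": "Microsoft", "product": "Office",
     "vulnerabilityName": "placeholder: Office security feature bypass",
     "dateAdded": "2026-02-03", "dueDate": "2026-02-24",
     "requiredAction": "Apply mitigations per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-2026-1281", "vendorProject": "Ivanti", "product": "Endpoint Manager Mobile (EPMM)",
     "vulnerabilityName": "placeholder: EPMM unauthenticated remote code execution",
     "dateAdded": "2026-02-04", "dueDate": "2026-02-11",
     "requiredAction": "Apply mitigations per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0000", "vendorProject": "Microsoft", "product": "Office",
     "vulnerabilityName": "placeholder entry added before the review window",
     "dateAdded": "2025-06-01", "dueDate": "2025-06-22",
     "requiredAction": "Apply updates per vendor instructions.", "knownRansomwareCampaignUse": "Unknown"}
  ]
}`

func main() {
	since := time.Date(2026, 2, 3, 0, 0, 0, 0, time.UTC) // start of this review week
	now := time.Date(2026, 2, 9, 0, 0, 0, 0, time.UTC)
	findings, err := MatchInventory([]byte(SampleCatalog), []string{"Office", "EPMM"}, since, now)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-15s %-40s due %s (%d days left)\n", f.CVEID, f.Product, f.DueDate, f.DaysLeft)
	}
}
```

Against the live feed, replace SampleCatalog with the downloaded file and the inventory list with your asset register’s vendor and product names; substring matching is deliberately loose because KEV product strings are not normalized across vendors, so review matches rather than acting on them blindly.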

Miscellaneous

Cybersecurity, Stronger Together Conference 2026

Priority: Medium
Headline: Cybersecurity, Stronger Together Conference Focuses on Critical Infrastructure and Event Security

The Cyber Guild and George Washington University hosted the “Cybersecurity, Stronger Together” conference on February 3, 2026, in Washington, DC. The event brought together leaders from cybersecurity, operational technology, and public policy to discuss proactive risk assessment for major events, with a focus on the 2028 Olympics. Panels addressed the convergence of digital and physical threats, risk modeling, and actionable intelligence for executive decision-makers [13].

  • Event: Cybersecurity, Stronger Together Conference
  • Date: February 3, 2026
  • Location: Washington, DC
  • Focus: Critical infrastructure, event security, OT/IT convergence

RSAC 2026: Where the World Talks Security

Priority: Medium
Headline: RSAC 2026 Sets the Stage for AI Security and Global Collaboration

The RSA Conference 2026 continued its tradition as a global forum for cybersecurity professionals, with a strong focus on AI security, agentic risk, and practical approaches to securing emerging technologies. Industry leaders emphasized the importance of community, collaboration, and actionable insights in addressing the evolving threat landscape [14].


Conclusion

This week’s cybersecurity landscape was marked by high-impact data breaches, rapid weaponization of zero-day vulnerabilities, and significant government and industry responses. Organizations are urged to prioritize patching, review their exposure to supply chain and remote access risks, and stay informed through trusted advisories and professional forums. The convergence of digital and physical threats, especially in the context of major public events, underscores the need for integrated, proactive security strategies.