Meta denies widespread reports of an Instagram breach
Authorities bust 34 alleged members of the Black Axe cyber fraud group, BreachForums user database exposed in breach, Fancy Bear has launched credential harvesting attacks, NIST seeks agentic AI security input, MuddyWater launches spearphishing campaign in Middle East, much more
Instagram says it fixed a bug that allowed threat actors to mass-request password reset emails, amid claims that data from more than 17 million Instagram accounts was scraped and leaked online.
"We fixed an issue that allowed an external party to request password reset emails for some Instagram users," a Meta spokesperson said.
"We want to reassure everyone there was no breach of our systems and people's Instagram accounts remain secure. People can disregard these emails, and we apologize for any confusion this may have caused."
A media frenzy over an alleged Instagram data breach began after Malwarebytes warned its customers that cybercriminals had stolen data from 17.5 million accounts.
This alleged Instagram data was released for free on numerous hacking forums, with the poster claiming it was gathered through an unconfirmed 2024 Instagram API leak.
In total, the shared data contains 17,017,213 Instagram account profiles, including phone numbers, user names, names, physical addresses, email addresses, and Instagram IDs.
Cybersecurity researchers on X claim that the scraped data is from a 2022 API scraping incident, but have not provided any clear evidence to confirm this.
Furthermore, Meta told BleepingComputer that it is not aware of any API incidents in 2022 or 2024.
However, Instagram has previously suffered from API scraping incidents, such as a 2017 bug that was exploited to scrape and sell the personal information of an alleged 6 million accounts.
It is not clear whether the newly leaked Instagram data is a compilation of the 2017 leak and additional information from the past couple of years. (Lawrence Abrams / Bleeping Computer)
Related: Malwarebytes, The Verge, Engadget, BleepingComputer, Digit, Security Boulevard, PCMag, Forbes, The Economic Times, Digital Trends, Cyber Security News, NDTV Profit, Daily Mail, The CyberSec Guru, Baller Alert, Just Jared, Gizmodo, Bitcoin News, Mirror, Mashable, The Sun, Puck, The Independent, CyberInsider, Notebookcheck, Hacker News (ycombinator), r/Instagram, r/technews, r/privacy, Slashdot, Tech Republic, BetaNews, The Register, Silicon Angle, TechCrunch, HackRead, Cryptopolitan

Authorities in Spain have arrested 34 individuals allegedly part of a criminal network involved in cyber fraud and believed to be connected to the Black Axe group responsible for illicit activities across Europe.
The operation was carried out with the help of the Bavarian State Criminal Police Office and the support of Europol.
During searches in Seville, Madrid, Malaga, and Barcelona, the police seized €66,400 in cash, electronic devices, vehicles, and froze €119,350 in bank accounts.
The Spanish cybercrime ring was led by individuals of Nigerian origin who were members of the Black Axe gang, specializing in so-called man-in-the-middle scams, such as business email compromise (BEC).
"The organization specialized in the scam known as Man-in-the-Middle (MITM), a technique in which criminals insert themselves into legitimate communications to intercept, modify, or redirect information and payments without the victims noticing," the Spanish National police says.
According to the investigators, the damages the cybercriminals caused in the last 15 years exceed $6 million, of which $3.5 million are linked to this operation.
The group used an extensive network of money mules and leads based in various countries across Europe, who aided in moving the illegal proceeds around and obfuscating the trail. (Bill Toulas / Bleeping Computer)
Related: Europol, Spanish National Police, Reuters, Cyber Security News, Heise Online, Security Affairs
Researchers at Resecurity report that the latest incarnation of the notorious BreachForums hacking forum suffered a data breach, with its user database table leaked online.
BreachForums is the name of a series of hacking forums used to trade, sell, and leak stolen data, as well as sell access to corporate networks and other illegal cybercrime services.
The site was launched after the first of these forums, RaidForums, was seized by law enforcement, with the owner, "Omnipotent," arrested.
While BreachForums has suffered data breaches and police actions in the past, it has been repeatedly relaunched under new domains, with some accusing it of now being a honeypot for law enforcement.
Yesterday, a website named after the ShinyHunters extortion gang released a 7Zip archive named breachedforum.7z. A representative of the ShinyHunters extortion gang claimed they are not affiliated with the site that distributed this archive.
The last registration date in the newly leaked user database is from August 11, 2025, which is the same day that the previous BreachForums at breachforums[.]hn was closed. This shutdown followed the arrest of some of its alleged operators.
The current BreachForums administrator, known as "N/A," has acknowledged the new breach, stating that a backup of the MyBB user database table was temporarily exposed in an unsecured folder and downloaded only once.
Cybersecurity firm Resecurity told BleepingComputer that an update on the website now includes a password for BreachForums' PGP private key.
A different security researcher confirmed that the password is the correct one for this key. (Lawrence Abrams / Bleeping Computer)
Related: Resecurity, HaveIBeenPwned, Infosecurity Magazine, HackRead
According to researchers at Recorded Future, APT 28 or Fancy Bear, one of the world's most capable threat actors, has been carrying out seriously simple, inexpensive credential harvesting attacks against specific organizations in the Balkans, the Middle East, and Central Asia.
Fancy Bear, linked to the Russian Federation's Main Directorate of the General Staff of the Armed Forces (GRU), was the single most notorious advanced persistent threat (APT) of the mid-2010s.
Matt H., principal threat analyst at Recorded Future, warns that "these campaigns may appear simple on the surface, but they are highly effective for state-sponsored actors and, in many cases, offer greater return on investment than more complex, malware-heavy operations."
The known targets of this campaign include an IT integrator based in Uzbekistan, a European think tank, a military organization in North Macedonia, and scientists and researchers associated with a Turkish energy and nuclear research organization. (Nate Nelson / Dark Reading)
Related: Recorded Future, Security Affairs

The US federal government’s Center for AI Standards and Innovation, which was formerly known as the AI Safety Institute and is housed within the Department of Commerce’s National Institute of Standards and Technology, is looking to the public for input on artificial intelligence agents to support its work evaluating and establishing guidance for the technology.
An RFI was published on the Federal Register specifically seeking information from stakeholders, such as developers, deployers, and researchers focused on computer security, on practices and methods for developing and adopting AI agent systems. Comments will be due 60 days after the request is officially published.
Agentic AI, which has become a buzzy term for the tech industry, generally refers to systems that can autonomously complete specific tasks, as opposed to something like an AI chatbot that is designed to work by interacting with a user.
The center is looking for examples of agent system deployments and how risks were managed and anticipated.
“AI agent systems are capable of taking autonomous actions that impact real-world systems or environments, and may be susceptible to hijacking, backdoor attacks, and other exploits,” the RFI states. “If left unchecked, these security risks may impact public safety, undermine consumer confidence, and curb adoption of the latest AI innovations.” (Madison Alder / FedScoop)
Related: Meritalk, Cybersecurity Dive, Federal Register, Stinson, IT Brew
New research from CloudSEK’s TRIAD recently identified a spearphishing campaign attributed to the MuddyWater APT group targeting multiple sectors across the Middle East, including diplomatic, maritime, financial, and telecom entities.
The campaign uses icon spoofing and malicious Word documents to deliver Rust-based implants capable of asynchronous C2, anti-analysis, registry persistence, and modular post-compromise capability expansion.
CloudSEK found that RustyWater attempts to detect a wide range of antivirus and EDR tools by scanning for agent files, service names, and installation paths of more than 25 AV products.
The email titled ‘Cybersecurity Guidelines’ was sent from the email domain ‘info@tmcell,’ which looks to be an official contact email for TMCell (Altyn Asyr CJSC), the primary mobile operator in Turkmenistan. There is also an attached document called ‘Cybersecurity[dot]doc,’ which serves as the primary payload for the next stage. (Anna Ribeiro / Industrial Cyber)
Related: CloudSEK, CSO Online, GBHackers, Cyber Security News

The National Security Agency announced Tim Kosiba as its deputy director, nine months after the Trump administration axed his predecessor, reportedly at the behest of far-right activist Laura Loomer.
Kosiba, a veteran of the NSA with a 33-year career in federal government, was previously deputy commander of the cyberespionage agency’s largest field office, which is located in Georgia. He was also the deputy director of the agency’s Commercial Solutions Center, among other cyber roles in the FBI and the Naval Criminal Investigative Service.
Early in his career, he served as technical director for the Joint Functional Component Command for Network Warfare. (Drew F. Lawrence / DefenseScoop)
Related: NSA, Politico, The Record, Security Week, NextGov/FCW
Police are considering imposing a travel ban on Korea's Coupang interim CEO Harold Rogers after he refused to appear for questioning over an investigation into the online retailer's massive data breach.
Rogers was summoned for questioning on Jan. 5 but failed to comply without providing a reason. "We've summoned him again, and we believe he will appear for the second one," Seoul Metropolitan Police Agency Commissioner Park Jeong-bo told reporters.
Separately, Fair Trade Commission Chairman Ju Biung-ghi said his agency is considering imposing a business suspension on Coupang in Korea.
“We will order Coupang to rectify its business practices after figuring out the estimated harm to customers from the data leak and what Coupang’s appropriate damage relief measures should be,” Ju said in a local YouTube broadcast.
If Coupang declines to abide by the order, the watchdog can order the company to halt its business here, according to Ju. (Lee Min-hyung / The Korea Times)
Related: Korea JoongAng Daily
Italy’s communications regulator AGCOM imposed a record-breaking €14.2 million (around $16.6 million) fine on Cloudflare after the company failed to implement the required piracy blocking measures.
Cloudflare argued that filtering its global 1.1.1.1 DNS resolver would be "impossible" without hurting overall performance. AGCOM disagreed, noting that Cloudflare is not necessarily a neutral intermediary either.
The dispute centers specifically on the refusal to comply with AGCOM Order 49/25/CONS, which was issued in February 2025. The order required Cloudflare to block DNS resolution and traffic to a list of domains and IP addresses linked to copyright infringement.
Cloudflare reportedly refused to enforce these blocking requirements through its public DNS resolver. Among other things, Cloudflare countered that filtering its DNS would be unreasonable and disproportionate. (Ernesto Van der Sar / TorrentFreak)
Related: Ars Technica, The Register, Al Jazeera, Neowin, WebProNews, Gadgets Now, PPC Land, Advanced Television
Indonesia and Malaysia restricted access to Elon Musk’s Grok AI over the weekend, becoming the first countries to ban the artificial intelligence system over its generation of sexual content.
Indonesia’s Communications and Digital Affairs Ministry is imposing a temporary ban on Grok “to protect women, children, and the entire community from the risk of fake pornographic content generated using artificial intelligence technology,” according to a statement issued on Saturday. The ministry has asked platform X to provide clarification regarding the matter immediately, it said.
“The government views non-consensual deepfake sexual practices as a serious violation of human rights, dignity, and national security in the digital space,” Minister of Communications and Digital Meutya Hafid said in the statement.
On Sunday, Malaysia’s internet regulator also said it’s limiting access to Grok until adequate safeguards are implemented. The Malaysian Communications and Multimedia Commission added that it issued notices to X Corp. and xAI LLC to prevent AI-generated content that may contravene Malaysian law, but the company’s responses failed to address the inherent risks posed by the AI tool. (Soraya Permatasari and Ram Anand / Bloomberg)
Related: BBC, Nikkei Asia, Digit, Fortune, Associated Press, Mashable, Al Jazeera, New York Times, Euro Weekly News, PCMag, Tech Times, TechCrunch, Moneycontrol, Reuters, CNN, UPI, CNBC, The Register, Social Media Today, Analytics India Magazine, BMI, Tech in Asia, The Economic Times, WinBuzzer
Ofcom, Britain’s media regulator, has threatened X’s AI chatbot Grok with a ban or a multimillion-pound fine after launching a formal investigation into sexualised deepfakes of women and children being created on Elon Musk’s platform.
The media watchdog raised concerns that the AI chatbot was being used for potential “intimate image abuse” and “child sex abuse material.”
An Ofcom spokesperson said: “Reports of Grok being used to create and share illegal non-consensual intimate images and child sexual abuse material on X have been deeply concerning.”
Ofcom last week launched a fast-track review into X after Grok was used to generate thousands of sexualised images of women wearing lingerie and bikinis without their consent, as well as extreme images of teenage girls and children.
Under the Online Safety Act, Ofcom said that it can apply to the courts to block Musk’s platform, or fine the group the higher of £18mn or up to a tenth of its global revenues, if it finds that X has not done enough to prevent illegal content from being seen or to stop over-18 material from being seen by children.
The investigation will look at six areas, including whether X has carried out necessary risk assessments, whether it has taken action to take down images swiftly, and whether children could have seen the content. (Daniel Thomas and Mari Novik / Financial Times)
Related: Ofcom, The Guardian, Reuters, Variety, The Hollywood Reporter, Deadline, BBC, The Sun, Advanced Television, The Independent, Telegraph, Mirror, Benzinga, Sky News, BMI, UKTN, GB News, Metro.co.uk, Tech in Asia, Business Insider
Agentic AI security company Torq announced it had closed $140 million in a Series D funding round.
Merlin Ventures led the round with participation from all existing investors, including Evolution Equity Partners, Notable Capital, Bessemer Venture Partners, Insight Ventures Partners, and Greenfield Partners. (Ruchika Khanna / Reuters)
Related: Security Week, TechRepublic, Calcalist, Tech Funding News, Silicon Angle, Business Wire, Pulse 2.0, Globes, Seeking Alpha, Tech in Asia, The Economic Times, Mint
Best Thing of the Day: Baby Steps to End European Dependence on American Tech
The European Commission has opened a call for evidence on a new initiative aimed at strengthening open-source technologies and reducing the European Union’s dependence on non-EU digital infrastructure.
Worst Thing of the Day: We're Just a Wee Bit Iranian
A network of social media accounts posing as Scottish independence supporters has fallen silent once again, closely mirroring a fresh shutdown of internet access inside Iran and reinforcing evidence that parts of the online constitutional debate are being manipulated from outside the UK.
Bonus Worst Thing of the Day: We'll Take Our Sweet Time Telling Cancer Patients Their Data Have Been Exposed
Canopy Health, the largest private medical oncology provider in New Zealand, took six months to inform patients that it had been subject to a data breach exposing their personal information.