
A
From the CISO series. It's Cybersecurity Headlines.
B
These are the cybersecurity headlines for Monday, January 12, 2026. I'm Steve Prentiss.
BreachForums hacking forum database leaked
The latest iteration of the notorious BreachForums hacking forum has suffered a data leak that has exposed more than 300,000 user accounts and has revealed internal details such as display name, registration dates and IP addresses. Although most of the leaked IPs map to local loopback addresses, roughly 70,000 records include public IPs, posing security risks for its users and of potential value to law enforcement or researchers. The breached archive also included a PGP private key used by BreachForums administrators, though it remains passphrase protected. BreachForums' current admin claims the leak stems from an old backup exposed briefly during a 2025 restoration and is not a fresh breach. A website named after the ShinyHunters gang released an archive named breachedforum7.z, but a ShinyHunters representative denied any affiliation.
Instagram breach exposes user data and creates password reset panic
Researchers at Malwarebytes Labs set the online world on edge this past weekend with news of a data breach at Instagram. They warned that usernames, physical addresses, phone numbers and email addresses of 17.5 million users had been leaked. This prompted a flurry of password reset emails. The researchers had found the database for sale on a cybercrime forum, and although the stolen data wasn't exclusive to Instagram and contained data from external databases such as marketing lists and other leaked customer records, this together allowed online identities to be linked to physical addresses, thus magnifying the personal danger. Experts recommend that Instagram users update their passwords and add 2FA to their accounts, but to do so directly, of course, and not by clicking through a warning email, which itself might be spam. As of this recording, Instagram parent company Meta has yet to make a statement.
UK government exempts self from flagship cyber law
The UK's new Cyber Security and Resilience Bill aims to update outdated cyber regulations and boost protections for critical infrastructure. However, it excludes central and local government bodies from its legal requirements, drawing criticism even as public sector cyber attacks rise. Opponents in Parliament argue that excluding government weakens accountability and creates a double standard. While ministers say government departments will meet equivalent standards via a separate Government Cyber Action Plan, critics remain unconvinced. Without binding legal duties, some suggest future or separate legislation could address public sector security. But there is at the moment skepticism about the government's commitment.
Microsoft may soon allow IT admins to uninstall Copilot
A new policy that allows IT administrators to uninstall Copilot on managed devices is now being tested. The new Remove Microsoft Copilot app policy started rolling out on Friday to systems in some development and beta Insider channels. If furthered, the new policy will apply to devices where the Microsoft 365 Copilot and Microsoft Copilot are both installed and that the Microsoft Copilot app was not installed by the user. End quote.
Huge thanks to our sponsor, ThreatLocker. Want real Zero Trust training? Zero Trust World 2026 delivers hands-on labs and workshops that show CISOs exactly how to implement and maintain Zero Trust in real environments. Join us March 4 through 6 in Orlando, plus a live CISO Series episode on March 6. You can get $200 off with the code ZTWCISO26.
NSA Cyber Directorate gets new leadership
The National Security Agency has a new leadership roster. David Imbordino, an NSA senior executive who is currently serving as the directorate's deputy chief, will work in an acting capacity as head of the Cybersecurity Directorate within the NSA. Second in command within that directorate will be Holly Barudi, a senior official at the agency currently based in the United Kingdom. Tim Kosiba has been officially appointed as the Deputy Director of the NSA, the agency's second in command, and is expected to start that role in the coming days. The director of the NSA, its overall leader, remains William J. Hartman, also in an acting capacity.
CISA sunsets 10 directives due to evolution of exploited vulnerabilities catalog
10 emergency directives that had been issued by the agency have been retired after officials determined they were redundant, thanks in part to the widely used Known Exploited Vulnerabilities Catalog. End quote. The 10 directives were issued between 2019 and 2024, and the agency credits CISA's commitment to operational collaboration across the federal enterprise for their removal. Six of these are related to Microsoft, with the others related to VMware, F5 and Cisco. A list of the Microsoft vulnerabilities is available in the show notes to this episode.
North Korea-linked quishing attacks on the rise
A warning from the FBI about the North Korea-linked APT group Kimsuky continuing to target governments, think tanks and academic institutions with quishing attacks, which is the use of spear phishing emails containing malicious QR codes, hence the term quishing. These QR images often arrive as email attachments or as embedded graphics which evade URL inspection, MFA and sandboxing. Their goal is to trick victims into visiting fake websites or downloading malware.
Russian credential stealing campaign targets energy and policy organizations
Russian state-sponsored threat actors from the APT28 group have been linked to new credential harvesting attacks, this time targeting individuals associated with a Turkish energy and nuclear research agency as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. APT28 is associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation, also known as GRU. This attack, though localized, is of interest for everyone because of the fact that unsuspecting users are redirected to legitimate sites after the credentials are entered on the bogus landing pages, thereby avoiding any red flags.
Did you remember to set a calendar reminder to join us for the Department of No? Don't worry, there is still time. We stream your Monday cybersecurity standup each and every Monday at 4pm Eastern on the CISO Series YouTube channel. If you want to know how the cybersecurity news of the week applies to your job and team, you need to join us for the Department of No. And if you have some thoughts on the news from today or about this show in general, please be sure to reach out to us at feedback@cisoseries.com. We would love to hear from you. I'm Steve Prentiss reporting for the CISO Series.
A
Cybersecurity Headlines are available every weekday. Head to CISOseries.com for the full stories behind the headlines.
Host: Steve Prentiss
Featured stories: BreachForums leak, Instagram breach, UK government cyber law exemption, Microsoft Copilot policy change, NSA leadership update, CISA directive sunset, North Korea and Russian APT activity
In this episode, Steve Prentiss reports on several major cybersecurity stories making waves at the start of 2026. The episode’s central focus is on emerging data breaches—including a notable leak of the BreachForums database and a panic-inducing Instagram data exposure—alongside legislative and administrative developments like the UK government’s exemption from its own flagship cyber law. Further coverage includes Microsoft’s policy experimentation, changes in NSA leadership, updates to CISA’s directive approach, and the latest APT campaign warnings from North Korean and Russian actors. The episode is rapid-fire, emphasizing practical implications and expert recommendations for each featured story.
[00:06–01:48]
[01:49–03:04]
[03:05–04:00]
[04:01–04:36]
[04:45–05:39]
[05:40–06:21]
A. North Korea’s KimSuky Group: Quishing Escalates
[06:22–06:56]
B. Russian APT28 (GRU) Expands Credential Theft
[06:57–07:33]
The episode is brisk, news-driven, and authoritative, keeping technical details accessible for an audience of security professionals and informed non-experts. Steve Prentiss’s delivery is clear, calm, and practical, emphasizing key takeaways, concrete advice for affected users, and surfacing underlying policy controversies for industry debate.
For full stories and deeper details, listeners are directed to CISOseries.com.