Cybersecurity Headlines – January 13, 2026
Hosted by Sarah Lane (CISO Series)
Daily news roundup covering the latest events and trends in cybersecurity, with a focus on major breaches, evolving attack vectors, organizational responses, and emerging industry threats.
Episode Overview
This episode covers several major stories: Instagram’s response to claims of a massive data leak, Sweden’s detention of a suspected spy, a targeted supply chain attack against N8N, a ransomware incident at the University of Hawaii Cancer Center, active probing of AI large language model endpoints, a significant breach at Spain’s largest utility, and the sentencing of a hacker in Europe for aiding drug smuggling via port system compromise. Insights are shared on risk management maturity, supply chain vulnerabilities, and AI prompt security.
Key Stories and Insights
1. Instagram Denies Breach, Attributes Data Leak to a Bug
[00:12]
- Summary: Instagram responded to claims of over 17 million scraped and leaked account records, clarifying that the incident was due to a bug triggering mass password reset emails, not a full-scale breach.
- Details:
- Data leaked includes usernames, emails, phone numbers, names, and addresses, excluding passwords.
- Researchers believe data may be from old breaches or scraping, not a new API exploit.
- Meta (Instagram’s parent company) denies any past API leak.
- Security Recommendation: Users advised to stay vigilant for phishing and enable two-factor authentication.
- Notable Quote:
- "Instagram has weighed in on what it says is a bug, not a breach, that led attackers [to] mass trigger password reset emails..." – Sarah Lane [00:13]
2. Sweden Detains Consultant on Alleged Russian Espionage
[01:02]
- Summary: Swedish authorities arrested a 33-year-old former IT consultant suspected of spying for Russia.
- Details:
- Suspected espionage spanned from 2022 through early 2026.
- Suspect worked with the armed forces through an IT services company and ran an offensive cybersecurity company with “no recorded turnover.”
- Context: Intensified scrutiny across Europe regarding Russian intelligence operations.
- Notable Quote:
- "The case involves Sweden's Justice Ministry and comes amid a broader European crackdown on alleged Russian intelligence activity." – Sarah Lane [01:21]
3. N8N Workflow Supply Chain Attack: OAuth Credential Theft
[01:35]
- Summary: Threat actors uploaded eight malicious npm packages posing as N8N integrations, targeting OAuth tokens and other credentials.
- Details:
- Attackers aimed at N8N “community nodes,” which serve as central vaults for integrations (Google Ads, Stripe, Salesforce).
- Malicious packages, once installed, exfiltrated sensitive environment variables to attacker-controlled servers.
- N8N responded: Community nodes are not sandboxed and can read decrypted credentials; audits and disabling of these nodes recommended.
- Notable Quote:
- "Once installed, the fake integrations captured OAuth tokens and exfiltrated them to attacker servers." – Sarah Lane [02:03]
4. Block (formerly Square) Red Teams AI Agent – Finds Real World Infostealer Risk
[02:31]
- Summary: Block’s CISO discusses treating AI security with the rigor of self-driving vehicles, citing a red team exercise where an AI agent was tricked into leaking sensitive info.
- Details:
- AI agent “Goose” is deployed across nearly 12,000 staff.
- Red team used prompt injection hidden in Unicode to trick a developer into running an infostealer.
- Mitigations now include recipe warnings, Unicode detection, and adversarial AI checks.
- Notable Quote:
- "Block successfully used prompt injection hidden in Unicode to poison a workflow recipe, leading a developer to execute an info stealer on a laptop." – Sarah Lane [02:47]
- "Agents must be safer and better than humans." – James Netisham, Block CISO [02:36]
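The "Unicode detection" mitigation above can be implemented as a pre-review scan of a workflow recipe. The following is an added example, not Block's or Goose's own code: it flags invisible or text-reordering code points (Unicode tag characters, zero-width characters, bidi controls) in a recipe and recovers any ASCII smuggled through the Tags block so a reviewer can see what a human reader would not. The sample recipe is constructed for the example.

```python
import unicodedata
from dataclasses import dataclass

# Code point ranges that render as nothing (or silently reorder visible text)
# in most editors and chat UIs; these are the usual carriers of hidden prompt text.
HIDDEN_RANGES = {
    "tag-character": (0xE0000, 0xE007F),  # Tags block: ASCII mapped to invisible code points
    "zero-width": (0x200B, 0x200D),       # ZWSP, ZWNJ, ZWJ
    "word-joiner": (0x2060, 0x2064),      # WJ and invisible operators
    "bom": (0xFEFF, 0xFEFF),              # zero-width no-break space
    "bidi-control": (0x202A, 0x202E),     # LRE..RLO, can visually reorder text
    "bidi-isolate": (0x2066, 0x2069),     # LRI..PDI
}

@dataclass
class Finding:
    offset: int     # character index in the recipe text
    codepoint: int
    kind: str

def find_hidden_unicode(text):
    """Return one Finding per hidden or format-control character in text."""
    findings = []
    for i, ch in enumerate(text):
        cp = ord(ch)
        for kind, (lo, hi) in HIDDEN_RANGES.items():
            if lo <= cp <= hi:
                findings.append(Finding(i, cp, kind))
                break
        else:
            # Catch-all for any other Unicode "format" (Cf) character, e.g. soft hyphen.
            if unicodedata.category(ch) == "Cf":
                findings.append(Finding(i, cp, "other-format-char"))
    return findings

def decode_tag_characters(text):
    """Recover the ASCII that Tags-block characters encode (U+E0020..U+E007E -> 0x20..0x7E)."""
    return "".join(chr(ord(ch) - 0xE0000) for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)

def visible_text(text):
    """The recipe as a human reviewer actually sees it: format characters stripped."""
    return "".join(ch for ch in text if unicodedata.category(ch) != "Cf")

def check_recipe(text):
    """Summarise a scan: clean flag, finding count, and any smuggled ASCII for triage."""
    findings = find_hidden_unicode(text)
    return {"clean": not findings, "findings": len(findings),
            "smuggled_ascii": decode_tag_characters(text)}

# Constructed sample: a benign-looking recipe step followed by a zero-width space and
# the word "HIDE" encoded as invisible tag characters (written as escapes on purpose).
SAMPLE_RECIPE = "Run `npm test` before opening the PR.\u200b\U000E0048\U000E0049\U000E0044\U000E0045"
```

Run `check_recipe()` over every recipe before it is shared or executed; a non-empty `smuggled_ascii` is the clearest signal that the visible and machine-read text differ.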
5. University of Hawaii Cancer Center Hit by Ransomware
[03:38]
- Summary: Ransomware encrypted systems tied to a research project, with some participant data (including 1990s Social Security records) stolen.
- Details:
- University paid for decryption and the “purported” deletion of stolen files.
- Operations and patient care were not impacted.
- Security overhaul included new systems, reset credentials, endpoint protection, and third-party audits.
- Notable Quote:
- "UH paid for a decryptor and for the purported deletion of stolen data..." – Sarah Lane [04:00]
6. Mass Probing of Exposed LLM Services
[04:33]
- Summary: Nearly 100,000 probes hit exposed AI language model services in two major campaigns, hinting at future risks for enterprise AI deployments.
- Details:
- First campaign: Grey hat researchers abusing SSRF for outbound callbacks.
- Second campaign: Two attacker IPs mapped 73 major LLM endpoints.
- Recommendations: Block OAST domains, monitor enumeration patterns, tighten egress, watch JA4 fingerprints.
- Notable Quote:
- "The activity indicates growing interest in fingerprinting enterprise AI deployments to enable future attacks..." – Sarah Lane [05:05]
7. Endesa (Spain) Discloses Customer Data Breach
[05:21]
- Summary: Spain’s top electric utility reports attackers pulled customer identity and contract data from its commercial platform.
- Details:
- Exposed fields: Name, contact, national ID (DNI), contract data, IBANs—but no passwords.
- Endesa notified regulators, contacted users, and warned of phishing.
- Separately, a threat actor offers 1TB of alleged Endesa data (20 million records) matching details of the breach.
- Notable Quote:
- "Endesa notified regulators and is contacting affected users, adding that it sees no evidence of fraud but warns of phishing risks." – Sarah Lane [05:42]
8. Dutch Court Sentences Hacker for Cocaine Smuggling via Port Systems
[06:09]
- Summary: A hacker receives seven years in prison for using malware to aid traffickers in smuggling 210kg of cocaine through European ports.
- Details:
- Malware was delivered via USB, giving access to gate and container controls at Antwerp and Rotterdam.
- Hacker was also convicted of attempted extortion.
- Police intercepted encrypted messaging (Sky ECC) showing his involvement.
- Notable Quote:
- "Judges cited risks to port security and also convicted him of attempted extortion." – Sarah Lane [06:47]
9. Industry Challenge: Risk Management For GRC Tool Adoption
[07:07]
- Summary: Brief mention of organizational difficulty in starting risk management processes, a challenge for effective GRC tool adoption.
- Teaser:
- "Most GRC tools assume a degree of process maturity that many orgs just don't have. So how do you get the ball rolling?" – Sarah Lane [07:12]
Memorable Moments & Quotes
- “Agents must be safer and better than humans.” — James Netisham, Block CISO [02:36]
- “Instagram has weighed in on what it says is a bug, not a breach, that led attackers [to] mass trigger password reset emails…” — Sarah Lane [00:13]
- “UH paid for a decryptor and for the purported deletion of stolen data…” — Sarah Lane [04:00]
- “Judges cited risks to port security and also convicted him of attempted extortion.” — Sarah Lane [06:47]
Useful Timestamps
- Instagram Data Leak: 00:12–01:00
- Sweden Espionage Arrest: 01:02–01:31
- N8N OAuth Supply Chain Attack: 01:35–02:17
- Block AI Agent Red Team: 02:31–03:12
- University of Hawaii Ransomware: 03:38–04:16
- Exposed LLM Service Probing: 04:33–05:18
- Endesa Data Breach: 05:21–06:04
- Cocaine Smuggling via Port Hack: 06:09–06:59
- Risk Management/GRC Discussion: 07:07–07:28
Tone
Concise, factual, direct, and slightly urgent—reflecting the fast-paced world of daily cyber news. The host maintains professionalism, prioritizing clarity and actionable advice.
For full stories and deeper coverage, listeners are directed to CISOseries.com.
