ShinyHunters claim hacks of Okta, Microsoft SSO accounts for data theft
- The ShinyHunters extortion gang confirmed responsibility for ongoing voice phishing attacks targeting single sign-on (SSO) accounts at major identity providers including Okta, Microsoft, and Google.
- These sophisticated attacks enable threat actors to breach corporate SaaS platforms and steal company data for extortion purposes.
- The attacks involve threat actors impersonating IT support staff and calling employees to trick them into entering credentials and multi-factor authentication codes on phishing sites.
- Once compromised, attackers gain access to victims’ SSO accounts, providing gateway access to connected enterprise applications and services.
- The group specifically targets Salesforce as their primary interest, with other platforms serving as secondary targets.
- Multiple companies have received extortion demands signed by ShinyHunters following successful breaches.
- The attacks primarily target companies in fintech, wealth management, financial, and advisory sectors.
- Confirmed breaches include SoundCloud, Betterment, and Crunchbase, with data stolen from corporate networks and email platforms.
Malicious AI extensions on VSCode Marketplace steal developer data
- Two malicious extensions in Microsoft’s Visual Studio Code Marketplace, collectively installed 1.5 million times, have been exfiltrating developer data to China-based servers.
- The extensions, “ChatGPT – 中文版” (1.34 million installs) and “ChatMoss” (150k installs), operate as AI-based coding assistants while secretly stealing sensitive developer information.
- The malware employs three distinct data-collection mechanisms: real-time monitoring of opened files with complete contents encoded in Base64 and transmitted to attackers’ servers, server-controlled file harvesting that transmits up to 50 files from victims’ workspaces, and zero-pixel iframe tracking using commercial analytics SDKs.
- The extensions expose private source code, configuration files, cloud service credentials, and environment files containing API keys and credentials.
- All file contents are captured the moment a file is opened, without requiring any further user interaction.
- The malware performs hardware, software, and user activity checks to avoid analysis environments before generating unique host identifiers.
- Microsoft has been contacted about the presence of these extensions and is investigating the report for appropriate action.
Okta SSO accounts targeted in vishing-based data theft attacks
- Okta has warned about sophisticated custom phishing kits specifically designed for voice-based social engineering attacks targeting single sign-on credentials for data theft.
- These adversary-in-the-middle platforms enable real-time interaction during voice calls, allowing attackers to dynamically change content and display dialogs as calls progress.
- Threat actors perform extensive reconnaissance on targeted employees, including identifying applications they use and phone numbers associated with company IT support.
- The attacks involve spoofed corporate or helpdesk numbers, with victims directed to customized phishing pages while attackers guide them through login and multi-factor authentication processes.
- The phishing kits include web-based control panels allowing real-time manipulation of authentication flows, with stolen credentials relayed to Telegram channels operated by threat actors.
- These platforms can bypass modern push-based MFA, including number matching, because attackers instruct victims which numbers to select while simultaneously displaying matching prompts in browsers.
- Once successful, attackers access Okta SSO dashboards to identify available platforms and proceed to steal data from connected services including Microsoft 365, Google Workspace, Dropbox, Salesforce, and other enterprise platforms.
US to deport Venezuelans who emptied bank ATMs using malware
- Two Venezuelan nationals have been convicted of stealing hundreds of thousands of dollars from US banks through ATM jackpotting schemes using malware and will face deportation after serving their sentences.
- Luz Granados (34) and Johan Gonzalez-Jimenez (40) pleaded guilty to conspiracy and computer crimes for targeting older ATM models throughout South Carolina, Georgia, North Carolina, and Virginia.
- The attackers connected laptops to targeted ATMs and installed malware that bypassed security protocols, forcing machines to dispense all available cash until funds were exhausted.
- All stolen funds came directly from bank reserves rather than individual customer accounts, with Gonzalez-Jimenez ordered to pay $285,100 in restitution and Granados ordered to pay $126,340.
- The investigation led to broader discoveries, with Nebraska authorities indicting 54 individuals in a related multi-million-dollar ATM jackpotting conspiracy.
- The defendants deployed Ploutus malware variants through multiple methods including removing hard drives for direct installation, using external devices like thumb drives, or replacing hard drives with pre-infected ones.
- The malware forced unauthorized cash withdrawals and deleted evidence to conceal attacks from bank employees, representing a sophisticated financial crime operation targeting banking infrastructure.
Act Now – 48 Million Gmail Usernames And Passwords Leaked Online
- A cybersecurity researcher, Jeremiah Fowler, uncovered a publicly accessible, unencrypted 96 GB database containing 149,404,754 unique login credentials from prior breaches and infostealer malware logs, including an estimated 48 million Gmail usernames and passwords as the largest affected group.
- Other major platforms impacted include 17 million Facebook accounts, 6.5 million Instagram accounts, and 3.4 million Netflix accounts, alongside Yahoo, Outlook, financial services, crypto wallets, and even some government domains.
- This is not a new Google breach but a compilation of historical data, prompting urgent recommendations to avoid password reuse, adopt passkeys where possible, enable two-factor authentication, and check personal accounts via tools like Have I Been Pwned.
Instagram, Gmail, Netflix, OnlyFans data breach: 149 million logins, passwords leaked, here’s what to do
- A massive data exposure affecting 149 million login credentials across platforms like Instagram, Gmail, Netflix, and OnlyFans was uncovered by cybersecurity researcher Jeremiah Fowler in a 96 GB unencrypted database left publicly accessible without safeguards.
- The breach, reported by ExpressVPN and covered in Financial Express, aggregates historical data from infostealer malware, including ~48 million Gmail accounts, 17 million Facebook, 6.5 million Instagram, 3.4 million Netflix, plus Yahoo, Outlook, financial services, crypto wallets, and government domains, enabling risks like credential stuffing, phishing, identity theft, and national security threats.
- Urgent recommendations include checking exposure via Have I Been Pwned, changing passwords (avoiding reuse), enabling 2FA or passkeys, and monitoring accounts, as affected companies have not yet issued statements.
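Both credential-leak items above recommend checking exposure with Have I Been Pwned. The following is an added example, not code from either article or from HIBP, showing how the Pwned Passwords range lookup works under the hood so that a user can test a password for prior exposure without ever sending it anywhere: only the first five hex characters of its SHA-1 hash leave the machine (k-anonymity), and the match against the returned suffix list happens locally. The `https://api.pwnedpasswords.com/range/` endpoint and the `Add-Padding` header are the real, documented HIBP interface; the `SAMPLE_RANGES` response body and its counts are constructed here so the check runs offline.

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range check.

Added example; not from the article. The endpoint and response format
match HIBP's public API, but SAMPLE_RANGES is a constructed stand-in
for a live response so this runs without network access.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

PREFIX_LEN = 5  # HIBP range lookups take the first 5 hex chars of the SHA-1
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_hex_upper(password: str) -> str:
    """Return the uppercase hex SHA-1 digest of the password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> Tuple[str, str]:
    """Split the SHA-1 into the 5-char prefix (sent) and 35-char suffix (kept local)."""
    digest = sha1_hex_upper(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into a dict; malformed lines are skipped."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue
        try:
            counts[suffix.strip().upper()] = int(count.strip())
        except ValueError:
            continue  # ignore a bad line rather than failing the whole check
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the range data (0 = not found).

    fetch_range maps a 5-char prefix to the raw response body; injecting it
    lets the same logic run against a live lookup or an offline sample.
    """
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup against HIBP; only the prefix is transmitted. Not called by the test."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true"},  # documented HIBP option: pads responses to hide range size
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed sample response for prefix 5BAA6 (SHA-1("password") begins 5BAA6).
# The neighbouring suffixes and all counts are made up for the example.
SAMPLE_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
        "",
        "not-a-valid-line",
    ]),
}


def offline_lookup(prefix: str) -> str:
    """Stand-in for fetch_range_live that serves the constructed sample."""
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, offline_lookup)
        verdict = f"seen {n} times in sample data" if n else "not in sample data"
        print(f"{pw!r}: {verdict}")
```

To run the check for real, pass `fetch_range_live` instead of `offline_lookup`; the password and its full hash still never leave the process. A count above zero means the password should be treated as burned regardless of which service it was used on, which is the point of the articles' advice against reuse.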
