Threat Matrix: January 2026

Welcome to the January edition of Upfort’s Threat Matrix! Cyber threats kicked off 2026 with no signs of slowing down. This month saw a surge in phishing campaigns, critical zero-days, and data breaches across industries—from education and retail to cloud platforms and password managers. Attackers are increasingly exploiting third-party integrations, open-source software, and even browser extensions to gain access to sensitive systems.

For small businesses, the takeaway is clear: you don’t have to be a Fortune 500 company to be a target. This month’s Threat Matrix breaks down the latest cyber incidents and offers practical steps your business can take to stay protected.

Want to know how protected your company really is? Take two minutes to complete our interactive cybersecurity checklist or get a free cybersecurity risk assessment to uncover exploitable vulnerabilities in your network.

Nike investigates data breach after extortion gang leaks files

Nike is investigating claims of a data breach after the Cactus ransomware group leaked internal documents on its dark web extortion site. The leaked files reportedly include invoices, store data, and product presentations. Nike has not confirmed a breach, but the material appears to be genuine internal documents, which has raised concerns about unauthorized access to sensitive corporate information.

This incident fits a broader trend: extortion groups increasingly steal and leak corporate data without ever deploying ransomware, relying on the threat of publication alone to pressure victims into paying.

How to protect your business: Monitor for signs of data exfiltration (large outbound transfers, unusual cloud storage or file-sharing activity) even when no ransomware is detected. Audit user access controls regularly and enforce least-privilege principles. Prepare an incident response plan that includes scenarios where attackers leak stolen data as leverage, including how you will verify what was taken and whom you are obligated to notify.

Newly surfaced SoundCloud breach affects 298 million accounts

Breach-notification service Have I Been Pwned has added a massive SoundCloud data breach to its database, affecting nearly 298 million user accounts. The exposed data includes email addresses, usernames, and salted password hashes, making it one of the largest breaches disclosed in recent months.

The breach appears to stem from an earlier incident in which internal credentials were compromised, with the stolen data later leaked publicly. SoundCloud has not issued an official statement about the larger breach, but its inclusion in Have I Been Pwned indicates widespread exposure.

How to protect your business: Salting slows offline cracking but does not protect weak or reused passwords, so treat any password that was used on SoundCloud and anywhere else as compromised. Encourage employees to check whether their credentials were exposed using trusted tools like Have I Been Pwned. If company emails were involved, reset those passwords immediately. Use a password manager so every account gets a unique password, and enable multi-factor authentication (MFA) wherever possible.
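To make the "check whether credentials were exposed" step concrete, here is an added example (not Upfort's code and not a client published by Have I Been Pwned) of the k-anonymity password check that the Pwned Passwords service offers: only the first five hex characters of the password's SHA-1 hash leave your machine, and the match against the returned suffixes is computed locally. The sample API response below is constructed for offline use; the live lookup uses the documented range endpoint at api.pwnedpasswords.com, and the Add-Padding header is a documented option that pads responses so their size does not reveal which range was queried.

```python
"""k-anonymity lookup against the Pwned Passwords range API.

Added example for this post, not code from Upfort or from Have I Been Pwned.
Only the first 5 hex characters of the SHA-1 hash are sent to the service; the
full hash never leaves the machine, and the match is computed locally against
the list of suffixes the service returns for that prefix.
"""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"

# Constructed stand-in for the response to GET /range/5BAA6 (the prefix for the
# password "password"). Real responses list every suffix seen with that prefix,
# one "SUFFIX:COUNT" per line; the counts here are made up for the example.
SAMPLE_RANGE_RESPONSE = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD760:0\r\n"   # count 0 is a padding entry
)


def hash_parts(password: str) -> tuple[str, str]:
    """Split SHA-1(password) into the 5-char prefix that is sent and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding entries carry count 0."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_body: str) -> int:
    """Times the password appears in the corpus, given the range response for its prefix (0 if absent)."""
    _, suffix = hash_parts(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix: str, timeout: float = 10.0) -> str:
    """Live lookup (network). Add-Padding asks the server to pad the response so its size
    does not reveal which range was requested."""
    req = urllib.request.Request(
        RANGE_URL.format(prefix=prefix),
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str) -> int:
    """Full online check: returns the breach count (0 means not found in the corpus)."""
    prefix, _ = hash_parts(password)
    return breach_count(password, fetch_range(prefix))


if __name__ == "__main__":
    # Offline demonstration against the constructed response above.
    prefix, suffix = hash_parts("password")
    print("sent to service:", prefix, "| kept local:", suffix)
    print("breach count for 'password':", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

Run the offline part as-is; call is_pwned() for a live lookup. Because only the prefix is transmitted, this can safely be wired into a password-change flow or run against a list of employee passwords during a reset campaign without sending the passwords, or even their full hashes, to a third party.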

Cyberattacks surge in Latin America, now the riskiest region globally

A new report shows that Latin America has overtaken all other regions in cyberattack activity, with threats ranging from ransomware and data breaches to business email compromise (BEC) and nation-state operations. Countries like Brazil, Mexico, and Colombia are seeing especially high volumes of attacks, many of which target weak cybersecurity infrastructure in critical sectors like finance, healthcare, and government.

The rise is being fueled by both regional cybercriminal groups and international actors exploiting digital transformation gaps. Small businesses operating or doing business in Latin America are particularly vulnerable, especially if they rely on cloud platforms or shared vendors without strong security controls.

How to protect your business: Review cybersecurity policies for any cross-border operations or vendor relationships in Latin America. Require MFA and device checks for cloud access rather than trusting network location, and alert on logins from countries where you have no staff or customers. If outsourcing services abroad, validate your partners' security maturity with evidence such as a recent independent assessment, not a questionnaire alone.

New malware service guarantees phishing extensions on Chrome Web Store

Researchers have uncovered a malicious “phishing-as-a-service” platform that helps attackers publish harmful Chrome extensions directly to the official Web Store. The service guarantees that these extensions—designed to steal credentials or track browsing—will pass Google’s review process and remain live for at least a week.

This criminal operation highlights a growing threat: attackers no longer need to write malware or get it past store review themselves; they can buy guaranteed delivery from specialized providers. Once installed, the malicious extensions silently exfiltrate sensitive data or redirect users to phishing sites.

How to protect your business: Block unapproved browser extensions with browser management policies (Chrome, for example, lets administrators block all extensions and allow only a vetted list by extension ID). Review the permissions each approved extension requests, since one that can read and change data on all sites can capture credentials from any page. Use endpoint protection that flags suspicious behavior from browser add-ons. An extension that passed review once can still turn malicious in a later update, so re-check the allowed list periodically.

New phishing campaign targets LastPass customers with fake alerts

Security researchers have uncovered a phishing campaign aimed at LastPass users, in which attackers impersonate the password manager to trick victims into clicking on malicious links. The phishing emails warn users of “unauthorized login attempts” and urge them to verify their accounts—redirecting them to a convincing spoofed site that steals master passwords.

This campaign underscores the lasting fallout from LastPass’s past breaches, which attackers are now using as social engineering bait. Small businesses relying on password managers are especially vulnerable if team members reuse credentials or fall for fake security notices.

How to protect your business: Remind employees never to click links in unsolicited account alerts; instead, open the vendor's site or app directly to check account status. Enable multi-factor authentication (MFA) for all password manager accounts, preferring phishing-resistant options such as hardware security keys or passkeys where the vendor supports them, because a spoofed site can relay one-time codes in real time. Audit employee usage regularly.

Microsoft patches actively exploited Office zero-day vulnerability

Microsoft has released a security update to fix a zero-day vulnerability in Office that was actively exploited in the wild. The flaw allowed attackers to craft malicious documents that bypassed Office's standard security warnings, tricking users into opening harmful files disguised as trusted Office documents.

Attackers leveraged the bug to deliver malware, steal credentials, or gain remote access to systems. While Microsoft has issued a fix, users who delay updates remain at risk, especially in environments where Office macros or older file types are still in use.

How to protect your business: Apply Microsoft's latest security updates immediately. Keep the Office default that blocks macros in files downloaded from the internet, restrict macros further by policy where your business does not need them, and use Office's File Block settings to stop legacy file formats from opening where they are not required. Train employees to avoid opening unexpected email attachments, even from known contacts.

Sandworm hackers linked to failed wiper attack on Poland’s energy systems

Poland’s cybersecurity agency has confirmed that a recent cyberattack on its energy infrastructure was the work of Sandworm—a Russian state-sponsored hacking group known for previous high-profile attacks. The attackers attempted to deploy wiper malware designed to destroy systems, but the attack was reportedly thwarted before it could cause operational damage.

Wiper attacks are particularly dangerous because they aim not to steal data, but to permanently delete it—crippling infrastructure and disrupting services. While this specific incident targeted critical infrastructure, similar tactics have been used against private companies in the past, often with devastating consequences.

How to protect your business: Maintain regular backups that are offline or immutable, so a wiper with admin rights cannot reach them, and test your recovery plans frequently. Segment your network to contain damage from attacks, and monitor for early signs of intrusion. Consider threat intelligence services to stay ahead of nation-state tactics targeting your industry.

ShinyHunters claim responsibility for SSO account data theft attacks

A hacking group known as ShinyHunters is claiming credit for a series of attacks targeting single sign-on (SSO) systems, stealing data from enterprise accounts across multiple organizations. SSO allows users to log into many services with one set of credentials—making it a valuable but risky target if those credentials are compromised.

The attackers reportedly obtained authentication tokens and account data, enabling them to access internal systems and cloud services. This kind of breach can have widespread impact, especially when companies rely heavily on SSO for workforce access and collaboration.

How to protect your business: Use strong, preferably phishing-resistant, multi-factor authentication (MFA) on all SSO accounts. Monitor for unusual login locations or device activity, and consider keeping especially sensitive systems behind a separate authentication step rather than the single SSO session. Review and revoke active sessions and access tokens after any suspicious activity; resetting a password does not necessarily invalidate sessions or tokens that were already issued.
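The "unusual login location or device" monitoring recommended here, and above for cross-border operations, can be a few dozen lines over your identity provider's audit export. The following is an added example, not Upfort's tooling and not tied to any particular SSO vendor's log format: it replays constructed login records and flags a first login from a new country, a first login from a new device, two successes from different countries too close together, and any attempt from a watchlist of countries the team has chosen (the list here is assumed for the example).

```python
"""Flag anomalous SSO logins from a JSON-lines audit export.

Added example for this post; not Upfort's tooling and not any vendor's log
schema. The records below are constructed, and WATCHLIST is an assumed set of
countries a team has chosen to watch (pick your own).
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one login event per line (order does not matter; we sort).
SAMPLE_LOG = """\
{"ts":"2026-01-12T08:01:10Z","user":"dana","result":"success","country":"US","device":"laptop-17","ip":"203.0.113.5"}
{"ts":"2026-01-12T08:40:55Z","user":"dana","result":"success","country":"US","device":"laptop-17","ip":"203.0.113.5"}
{"ts":"2026-01-12T09:02:13Z","user":"dana","result":"success","country":"BR","device":"unknown-android","ip":"198.51.100.7"}
{"ts":"2026-01-12T09:05:00Z","user":"sam","result":"failure","country":"US","device":"laptop-22","ip":"203.0.113.9"}
{"ts":"2026-01-12T09:05:30Z","user":"sam","result":"success","country":"US","device":"laptop-22","ip":"203.0.113.9"}
{"ts":"2026-01-13T10:15:00Z","user":"sam","result":"success","country":"MX","device":"laptop-22","ip":"192.0.2.44"}
"""

WATCHLIST = frozenset({"BR", "MX", "CO"})   # assumed for the example
TRAVEL_WINDOW = timedelta(hours=2)          # two countries within this window is suspicious


def parse_log(text: str) -> list[dict]:
    """Parse JSON lines into events sorted by timestamp (timezone-aware UTC)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_anomalies(events: list[dict], watchlist=WATCHLIST, travel_window=TRAVEL_WINDOW) -> list[dict]:
    """Return one alert per triggered rule. The baseline (known countries and devices)
    is learned from each user's earlier successful logins in the same export; in
    production you would seed it from history so the first event is not blind."""
    seen_countries: dict[str, set] = defaultdict(set)
    seen_devices: dict[str, set] = defaultdict(set)
    last_success: dict[str, tuple] = {}   # user -> (ts, country)
    alerts: list[dict] = []

    def alert(rule: str, ev: dict, detail: str) -> None:
        alerts.append({"rule": rule, "user": ev["user"], "ts": ev["ts"].isoformat(), "detail": detail})

    for ev in events:
        user, country, device = ev["user"], ev["country"], ev["device"]

        # Rule 1: any attempt, successful or not, from a watched geography.
        if country in watchlist:
            alert("watchlist_country", ev, f"{ev['result']} login from {country} via {ev['ip']}")

        if ev["result"] != "success":
            continue  # failures do not update the baseline

        if user in last_success:   # only judge against an established baseline
            # Rules 2 and 3: first success from a country or device not seen before.
            if country not in seen_countries[user]:
                alert("new_country", ev, f"first successful login from {country}")
            if device not in seen_devices[user]:
                alert("new_device", ev, f"first successful login from device {device}")
            # Rule 4: impossible travel between consecutive successes.
            prev_ts, prev_country = last_success[user]
            if prev_country != country and ev["ts"] - prev_ts <= travel_window:
                alert("impossible_travel", ev, f"{prev_country} -> {country} in {ev['ts'] - prev_ts}")

        seen_countries[user].add(country)
        seen_devices[user].add(device)
        last_success[user] = (ev["ts"], country)

    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{a['ts']} {a['user']:6} {a['rule']:18} {a['detail']}")
```

On the sample data, dana's third login trips all four rules at once (a watched country, a never-seen country and device, and a country change 21 minutes after the previous success), which is the profile of a stolen session or credential being replayed; sam's Mexico login a day later trips only the new-country and watchlist rules, which is worth a quick confirmation with the user rather than an automatic lockout. Tune the travel window and seed the baseline from 30 to 90 days of history before relying on the output.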

New Android malware uses AI to click on hidden browser ads

Security researchers have discovered a new Android malware strain that uses artificial intelligence to simulate user behavior—specifically, clicking on hidden ads in web browsers. This click fraud technique allows attackers to generate ad revenue while draining device resources and potentially exposing users to further malicious content.

The malware, disguised as a legitimate app, runs silently in the background and uses AI to mimic human interaction patterns, making it harder for security systems to detect. While primarily a revenue scam, this type of malware can also be used to gather user data or act as a gateway for more harmful attacks.

How to protect your business: Block app installs from unofficial sources on company devices. Use mobile endpoint security to detect hidden processes, and regularly audit apps installed across your team’s phones and tablets. Educate employees to avoid sideloading apps or clicking suspicious links.
