January 2026: Instagram, BreachForums, SoundCloud Leaks, Trust Wallet Backdoor
January 2026 incident disclosures spanned consumer platforms, enterprise identity workflows, and the cybercrime ecosystem itself. Multiple stories centered on identity data exposure, whether through alleged scraping leaks (Instagram), third-party platform compromise, or an underground forum’s own user database getting dumped. The month also highlighted how attackers abused software distribution channels, and how botnets continued pushing DDoS volume to new highs against telecom and IT targets.
BreachForums Database Leak Exposed Users, Emails, IPs, and Metadata
BreachForums, a well-known marketplace for stolen data, was itself breached again after a database containing detailed user information was published on January 9, 2026.
The leaked dataset reportedly contained records for 323,986 users and included usernames, email addresses, IP addresses, registration dates, and other metadata that could help identify forum members. A security firm that reviewed the dump said it found the records authentic, noting that some email addresses appeared in clear text and that the information could support correlation and attribution efforts.
The leak was published by an individual using the name “James,” and the posting location was described as a site seemingly named after the ShinyHunters extortion group.
Image: Threat actor card of ShinyHunters
Trust Wallet Chrome Extension Backdoor Drained $8.5M From 2,520 Wallets
Trust Wallet disclosed that a supply chain incident tied to the Shai-Hulud outbreak in November 2025 likely enabled attackers to compromise its Chrome extension release process and steal about $8.5 million in crypto assets.
The company said its developer GitHub secrets were exposed, which gave the attacker access to the extension source code and a Chrome Web Store API key. With that access, the attacker uploaded a trojanized extension version (2.68) on December 24, 2025, bypassing Trust Wallet’s usual internal approval steps. The malicious code exfiltrated wallet mnemonic phrases; research cited by Trust Wallet indicated that the code triggered during wallet unlock events and could affect multiple wallets in the same account.
Trust Wallet said the theft affected 2,520 addresses, with the stolen funds flowing to at least 17 attacker-controlled addresses, and it began a reimbursement claim process for victims.
Instagram Denied Breach as 17 Million Profile Records Circulated on Forums
Instagram denied that its systems were breached after claims spread online that data from more than 17 million accounts had been scraped and leaked.
Meta acknowledged it fixed an issue that let an external party mass-request password reset emails for some Instagram users, but said accounts remained secure and users could disregard the reset emails. The circulated dataset was described as containing roughly 17.0 million account profiles, with fields that could include phone numbers, usernames, names, physical addresses, email addresses, and Instagram IDs, though not every record contained all fields.
The leaker claimed the data came from an unconfirmed 2024 Instagram API leak, while other researchers speculated it might relate to older scraping activity, without conclusive proof presented.
Image: Instagram data breach overview on Have I Been Pwned
Betterment Said Social Engineering Exposed Data of About 1.4 Million Customers
Betterment disclosed a data breach affecting approximately 1.4 million customers after a social engineering-driven compromise that began on January 9, 2026.
According to the company’s incident report, attackers used phishing lures to manipulate employees and gain unauthorized access to third-party operational platforms used for marketing and customer support. The intruders then ran a fraudulent cryptocurrency investment scam by sending deceptive campaign messages that attempted to steer users into transferring funds to attacker-controlled wallets.
During the incident, the attackers also exfiltrated customer data by leveraging platform permissions to query and export datasets. Investigators involved in the response stated that passwords, account balances, and transactional data were not impacted.
The report also described a DDoS attack on January 13, 2026, that was mitigated within hours and was suspected to be a diversion during the broader incident response.
Okta-Targeting Vishing Used Real-Time Phishing Kits, ShinyHunters Claimed Leaks
Okta Threat Intelligence disclosed a vishing-enabled campaign that used custom phishing kits designed to operate in real time.
In the described pattern, attackers posed as internal IT or security staff during phone calls and directed victims to convincing fake login pages that mimicked Okta, Microsoft, or Google. The approach aimed to defeat common authentication flows by coordinating the victim’s actions during the call with the phishing site’s prompts.
Separately, it was reported that ShinyHunters claimed responsibility for an Okta SSO vishing campaign and said the group published alleged victim data after extortion attempts failed. The claimed victims included Betterment, Crunchbase, and SoundCloud, with the actor asserting record counts in the tens of millions.
Image: ShinyHunters’ data breach claims: Betterment, Crunchbase, SoundCloud
SoundCloud Breach Exposed 29.8 Million Accounts After December 2025 Detection
SoundCloud suffered a breach affecting 29.8 million accounts that exposed email addresses alongside profile-related information. The incident was reportedly first detected in December 2025 and raised concerns about phishing because attackers could link private email addresses to public-facing profile details such as usernames and follower counts.
The exposure was framed as account data compromise rather than a service-wide takeover, and the reported dataset size placed it among the larger consumer-platform disclosures discussed in late 2025 and early 2026. While the specific intrusion method was not detailed in the source, the event reinforced the downstream risk of correlating identity attributes that users often assume remain separate, particularly when email addresses could be tied directly to visible social presence.
Aisuru Botnet Hit 31.4 Tbps and 200M RPS in December Telecom Attacks
The Aisuru botnet set a new DDoS record with an attack measured at 31.4 Tbps alongside HTTP floods exceeding 200 million requests per second.
Image: Details of Aisuru botnet on the SOCRadar platform
The activity occurred on December 19 as part of a campaign that targeted telecom companies, and it was detected and handled by Cloudflare. The botnet previously held a reported record of 29.7 Tbps, and Microsoft had also attributed a separate 15.72 Tbps event, which originated from about 500,000 IP addresses, to the same botnet.
Cloudflare described the broader activity as a campaign that targeted both Cloudflare customers and Cloudflare’s own dashboard and infrastructure using hyper-volumetric HTTP attacks plus Layer 4 floods. The timing led Cloudflare to label the campaign “The Night Before Christmas.”
Track Threats Across Underground Forums
Even underground platforms like BreachForums are not immune to compromise, exposing nearly 324,000 user records, including emails, IPs, and metadata. At the same time, scraped or disputed datasets tied to platforms like Instagram and SoundCloud continued circulating, complicating attribution and response.
For security teams, the challenge is not just responding to confirmed breaches, but tracking how identity data moves across forums, paste sites, and secondary markets after initial exposure.
Image: SOCRadar Dark Web Monitoring
SOCRadar’s Dark Web Monitoring helps teams monitor leaked credentials, underground forum activity, and identity-related threat signals in one place, enabling earlier detection, faster correlation, and more informed response when identity data begins to spread.