Cybersecurity Executive Brief: January 2026

Cybersecurity Insights for Decision-Makers | 2-Minute Executive Summary | Full Analysis: ~10 pages
Scope: Incidents disclosed or materially updated during January 2026. In cyber, “when it happened” and “when it hit the board” are rarely the same week.
Section 1 — Executive Brief #
The Month Data Became the Outage #
Attackers don’t need to encrypt your systems to trigger a material event. January proved that the leverage has shifted: data theft plus public pressure now delivers impact on par with, or greater than, encryption-based ransomware, without tripping the recovery playbooks built for it.
Three patterns defined the month:
- Leak-first extortion. Nike faced a 1.4TB data theft claim with no encryption involved. The threat was IP exposure, regulatory pressure, and media amplification — not downtime.
- Identity and support workflow compromise. Voice phishing, contractor access abuse, and single sign-on compromise made help desk and SaaS admin workflows the highest-priority attack surface of the month.
- Vendor cloud trust failure. Attackers exploited a flaw in Fortinet’s cloud-based single sign-on platform to remotely access customer firewalls — even fully patched ones. The vulnerability wasn’t in the device; it was in the authentication trust chain above it.
January also saw real disruption to cybercrime infrastructure: the RAMP forum seized, BreachForums leaked, a major proxy network dismantled. Helpful — temporarily. The underground will re-platform. Your exposure won’t wait.
One line to remember: Backups protect uptime. They do not protect you from a leak site.
Critical Actions Required #
🔴 IMMEDIATE — Lock down identity recovery and support paths. Require phishing-resistant authentication — hardware-based or device-bound methods that can’t be intercepted (your security team will know these as FIDO2/WebAuthn). Tighten help-desk resets. Add out-of-band verification for privileged changes.
🔴 THIS WEEK — Audit vendor-managed authentication and internet-facing controls. If any security appliance delegates admin login to a vendor’s cloud SSO, verify that configuration is intentional, patched, and monitored. Apply Fortinet’s remediation guidance — and treat the pattern as broadly applicable.
🟡 THIS MONTH — Run a data-extortion tabletop. Scenario: “A credible actor posts proof + countdown.” Test legal, comms, customer support, and executive decision rights — not just IT recovery.
🟢 MONITOR — Regulatory and supply-chain pressure is building. EU cybersecurity package, UK resilience bill, and post-quantum cryptography procurement guidance are moving from policy into contract language.
Key Metrics (January 2026) #
Counts reflect publicly disclosed datasets as reported in cited sources. Individuals appearing in multiple breaches are counted separately in each.
| Signal | Detail | Trend | Why It Matters |
|---|---|---|---|
| Leak-first extortion | Nike (1.4TB claimed) | Rising | IP + brand exposure without downtime |
| Consumer datasets surfaced | Under Armour (~72M), SoundCloud (~29.8M), Panera (~5.1M unique emails), Crunchbase (~2M) | Rising | Phishing amplification + trust erosion |
| Identity-led breach cluster | Betterment, dating platforms | Rising | Help desk / SSO = primary intrusion route |
| Vendor cloud SSO exploitation | Fortinet FortiCloud cross-tenant bypass (CVE-2026-24858) | Elevated | Vendor trust failure gave attackers admin access to customer firewalls |
| Crimeware disruption | RAMP seized, proxy network dismantled | Rising | Short-term friction; tactics will migrate |
What to Say When the Board Asks “Are We Exposed?” #
- Extortion is now ransomware without the inconvenience. If data is stolen quietly, backups don’t save you.
- Identity is an operational workflow problem. “Help desk” and “SSO admin” are breach primitives now.
- Vendor trust is attack surface. When we delegate admin authentication to a vendor’s cloud platform, their security posture becomes ours.
- Third-party platforms multiply blast radius. If a tool can message your customers, it’s a crown jewel.
- Patch speed is a risk decision. Define the SLA. Name who accepts residual risk when patching is delayed.
- Regulation is turning architecture into governance. Procurement and security are converging.
Section 2 — Full Analysis #
Why January Matters #
The signal isn’t that attackers got more sophisticated. It’s that they got more economically rational.
A decade ago, ransomware forced urgency through outages. Today, many threat actors achieve equal leverage by stealing sensitive data, proving possession, threatening publication, and letting the media and regulators apply the pressure.
That shifts enterprise risk from “Can we restore systems?” to three harder questions: Can we detect exfiltration fast enough to matter? Do we know where our most sensitive data lives and who can reach it? Can leadership operate a time-compressed crisis where facts arrive late but decisions are due early?
January also reinforced an operational reality: your perimeter is defined by identity and SaaS, not network boundaries. A compromised contractor account, help-desk workflow, or SSO admin session looks, to most controls, exactly like a legitimate user working inside your enterprise. The Fortinet incident went further: it showed that even the authentication layer itself, managed by a trusted vendor in the cloud, can become the entry point.
Critical Incidents: Top 5 #
1. Nike: Leak-First Extortion (1.4TB Claimed) #
What happened: An extortion group claimed to hold 1.4TB of Nike data related to business operations and threatened to leak it. Nike confirmed it was investigating. Reuters could not verify the dataset.
Why it matters: This is pure leverage economics. No encryption, no outage, no early warning signals from backup systems. If corporate repositories — design files, supply chain documents, partner contracts — are implicated, the risk shifts from downtime to IP loss, contractual disclosure triggers, litigation risk, and a PR timeline where the attacker goes public first and the enterprise responds second. Even before technical confirmation, the credibility of the claim drove media and partner reactions.
What to do:
- CEO/CFO: Pre-decide who owns the materiality call. Pre-approve a holding statement that doesn’t overcommit.
- CISO: Segment sensitive repositories (design/PLM, contracts). Enforce access logging. Validate egress monitoring on file repositories — not just databases.
- Legal/Procurement: Ensure vendor agreements define disclosure triggers when confidential business information is implicated.
Sources: Reuters, SecurityWeek
2. Large Dataset Disclosures: Consumer Platforms + B2B Data #
What happened: January surfaced a cluster of large consumer datasets. Under Armour (~72M emails) appeared in breach reporting; the company acknowledged investigating. SoundCloud (~29.8M accounts) was confirmed via HIBP and BleepingComputer. Smaller but operationally significant: Panera (~5.1M emails), Crunchbase (~2M records).
Why it matters: A recognizable brand plus a huge email dataset becomes a targeting engine. These aren’t just consumer problems — employees are consumers too. Leaked email datasets feed enterprise phishing, credential stuffing, and executive impersonation campaigns. The downstream amplification is immediate: expect scam waves within days of circulation, not weeks.
What to do:
- CEO/CFO: Treat mass phishing waves as operational risk events. Budget for customer support surges, fraud attempts, and brand impersonation response.
- CISO: Assume credential stuffing pressure rises after every major consumer leak. Strengthen bot mitigation, impossible-travel detection, and MFA enforcement for privileged accounts. Enforce DMARC and deploy brand-monitoring services.
- Risk/Legal: Align notification triggers with your jurisdictions. Prepare FAQs and support scripts before you need them.
Sources: HIBP, SecurityWeek, TechCrunch, BleepingComputer
3. Identity-Led Compromise: Betterment + Platform Breach Cluster #
What happened: Betterment disclosed a breach tied to social engineering and third-party platform access — attackers sent scam messages to customers through compromised channels. Separately, Bumble and Match disclosed breaches involving phishing-compromised contractor accounts and limited user data exposure — reinforcing how identity compromise and third-party access translate into data exposure and regulatory scrutiny, even when scope is contained. BankInfoSecurity reported on the broader voice phishing and SSO-targeting campaign linked to these claims.
Why it matters: Once single sign-on or admin credentials are compromised, attackers pivot into CRM, marketing platforms, support tooling, and data exports. The Betterment case demonstrated the critical escalation: attackers sending scam messages to customers through the compromised environment, making the fraud immediate and customer-facing. The Bumble/Match disclosures show that even limited-scope contractor compromises create trust and disclosure pressure. Social engineering defeats technical controls by exploiting process gaps — this is where human vulnerability meets platform architecture.
What to do:
- CEO/CFO: Treat customer-messaging platforms as critical infrastructure. Rehearse how you confirm authentic communications during an incident.
- CISO/CIO: Restrict admin privileges aggressively. Require phishing-resistant MFA for all SaaS admins. Monitor bulk export events and anomalous session behavior.
- COO/Customer Ops: Build a customer messaging integrity playbook — how you distinguish your real communications from attacker-sent ones, under pressure.
Sources: SecurityWeek, Betterment customer notification, The Record, BankInfoSecurity
4. Fortinet FortiCloud SSO: Vendor Trust Failure at Scale #
What happened: Attackers exploited a critical flaw (CVE-2026-24858, CVSS 9.8) in Fortinet’s FortiCloud single sign-on platform — the cloud-hosted authentication service that lets administrators log into FortiGate firewalls remotely. The vulnerability was a cross-tenant authentication bypass: an attacker with their own FortiCloud account and a registered device could authenticate as an administrator on other customers’ devices if those devices had FortiCloud SSO enabled. This wasn’t a device-level vulnerability — it was a flaw in the vendor’s cloud authentication path.
Arctic Wolf discovered the campaign, reporting automated intrusions beginning January 15. Once authenticated via the SSO bypass, attackers created rogue admin accounts, granted those accounts VPN access, and exfiltrated complete firewall configurations — all within seconds, indicating scripted automation rather than hands-on-keyboard activity. Critically, fully patched devices were compromised because the flaw existed in the cloud SSO layer, not in the device firmware. Fortinet had to temporarily shut down FortiCloud SSO entirely on January 26 as an emergency measure before restoring the service with additional protections the following day. CISA added CVE-2026-24858 to its Known Exploited Vulnerabilities catalog on January 27.
Why it matters: This is a vendor trust story, not just an edge device story. Organizations that registered their firewalls with Fortinet’s cloud management — a routine step during initial setup — unknowingly enabled a cloud authentication pathway that could be exploited across tenant boundaries. The resulting damage was the same as a direct device compromise: stolen configurations expose internal network architecture, credential data requiring rotation, and a blueprint for deeper follow-on intrusion. But the root cause was a flaw in a vendor-managed service that customers could not patch on their own: the initial fix had to come from Fortinet’s cloud side, with device-side updates following.
For boards, the lesson is architectural: when you delegate administrative authentication to a vendor’s cloud platform, their security posture becomes part of yours — and traditional patching can’t address a vulnerability you don’t control.
What to do:
- Board/C-suite: Ask which security appliances delegate admin authentication to vendor cloud services. Require an inventory and a risk assessment of those trust relationships.
- CISO/CIO: Verify FortiCloud SSO status on all Fortinet devices — many organizations enabled it unintentionally during device registration. Apply Fortinet’s remediation, rotate all credentials that may have been exposed, and audit admin accounts and configuration changes. Extend the principle to all vendor-managed authentication: if you didn’t deliberately enable it, disable it.
- Enterprise Architecture: Treat vendor cloud SSO as a trust dependency, not a convenience feature. Design monitoring to detect anomalous admin authentication patterns — regardless of whether the session originates from a “trusted” vendor platform.
Sources: Arctic Wolf, BleepingComputer, Fortinet PSIRT advisory FG-IR-26-060, CISA, Help Net Security
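The relying-party mistake behind a cross-tenant SSO bypass, shown as an added example. This is not code from the brief, Fortinet, or Arctic Wolf, and it is not a reconstruction of CVE-2026-24858: neither the brief nor the cited advisory describes that flaw’s internal mechanism. It illustrates the general class the incident belongs to, a device that honours any admin assertion the vendor cloud signed without confirming the assertion was issued for this device, this tenant, and an account this device actually authorized. The assertion format, claim names, serial numbers, tenant names and the HMAC “vendor signature” are all assumptions made for the example; a real service would use asymmetric signatures or a vendor PKI.

```python
"""Relying-party checks for a vendor-cloud SSO assertion: weak vs hardened.

Added example (not from the brief, Fortinet or Arctic Wolf). Claim names,
serials and the shared-key "vendor signature" are assumptions for the demo.
"""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set, Tuple

# Assumption: the vendor cloud signs assertions with a shared HMAC key.
VENDOR_KEY = b"constructed-vendor-cloud-signing-key"


def vendor_sign(claims: Dict[str, object]) -> str:
    """What the (assumed) vendor cloud hands back after a user logs in there."""
    body = json.dumps(claims, sort_keys=True, separators=(",", ":"))
    sig = hmac.new(VENDOR_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + sig


def verify_vendor_signature(assertion: str) -> Dict[str, object]:
    body, sig = assertion.rsplit(".", 1)
    expected = hmac.new(VENDOR_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad vendor signature")
    return json.loads(body)


class Device:
    """A managed appliance that lets admins log in through the vendor cloud."""

    def __init__(self, serial: str, tenant: str, authorized_accounts: Set[str]) -> None:
        self.serial = serial
        self.tenant = tenant
        self.authorized_accounts = authorized_accounts
        self.seen_nonces: Set[str] = set()

    def accept_weak(self, assertion: str, now: int) -> bool:
        """Vulnerable pattern: trusts anything the vendor cloud signed.
        Signature and expiry are checked, but not who the assertion is FOR,
        so an assertion issued to another tenant for another device passes."""
        try:
            c = verify_vendor_signature(assertion)
        except ValueError:
            return False
        return c["exp"] > now and c["role"] == "admin"

    def accept_hardened(self, assertion: str, now: int) -> Tuple[bool, str]:
        """Hardened pattern: only honour assertions that name this device,
        its tenant and an account it has authorized, and never twice."""
        try:
            c = verify_vendor_signature(assertion)
        except ValueError as e:
            return False, str(e)
        if c["exp"] <= now:
            return False, "expired"
        if c["aud_serial"] != self.serial:
            return False, "assertion not issued for this device"
        if c["tenant"] != self.tenant:
            return False, "cross-tenant assertion"
        if c["sub"] not in self.authorized_accounts:
            return False, "subject not authorized on this device"
        if c["nonce"] in self.seen_nonces:
            return False, "replayed assertion"
        self.seen_nonces.add(c["nonce"])
        return True, str(c["role"])


def make_assertion(sub: str, tenant: str, aud_serial: str, now: int, ttl: int = 300) -> str:
    return vendor_sign({"sub": sub, "tenant": tenant, "aud_serial": aud_serial,
                        "role": "admin", "exp": now + ttl, "nonce": secrets.token_hex(8)})


def demo(now: int = 1_768_000_000) -> Dict[str, object]:
    """An attacker with their own account and registered device presents the
    assertion the vendor cloud gave them to a device in someone else's tenant."""
    victim = Device("SN-VICTIM-0001", "tenant-victim", {"admin@victim.example"})
    attacker_assertion = make_assertion("attacker@evil.example", "tenant-attacker",
                                        "SN-ATTACKER-9999", now)
    legit_assertion = make_assertion("admin@victim.example", "tenant-victim",
                                     "SN-VICTIM-0001", now)
    return {
        "weak_accepts_attacker": victim.accept_weak(attacker_assertion, now),
        "hardened_attacker": victim.accept_hardened(attacker_assertion, now),
        "hardened_legit": victim.accept_hardened(legit_assertion, now),
        "hardened_legit_replay": victim.accept_hardened(legit_assertion, now),
        "hardened_tampered": victim.accept_hardened(legit_assertion[:-2] + "xx", now),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The weak acceptor is doing real cryptographic work and still fails, which is the point for an inventory exercise: when a security appliance delegates admin login to a vendor cloud, ask the vendor which of the audience, tenant, subject and replay checks the device performs locally, rather than assuming the signature check is enough.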
5. RAMP Forum Seizure: Cybercrime Infrastructure Disruption #
What happened: The FBI seized the RAMP (Russian Anonymous Marketplace) forum — a primary coordination hub for ransomware operators, initial access brokers, and stolen data trading. In parallel, the BreachForums database was leaked, exposing ~324K underground users, and Google disrupted IPIDEA, a large residential proxy network used for fraud and intrusion obfuscation.
Why it matters: This is the most significant cluster of cybercrime infrastructure disruption in a single month in recent memory. RAMP’s seizure removes a coordination layer — recruitment, credential sales, and negotiation between ransomware operators all ran through it. The BreachForums leak gives investigators a trove of actor identities. The IPIDEA takedown makes it harder and more expensive for attackers to disguise their traffic as legitimate.
But these are windows, not finish lines. History shows criminal ecosystems reconstitute within weeks to months. The strategic value is temporary friction — use it.
What to do:
- CEO/Board: Enforcement headlines create a false sense of progress. Criminal ecosystems reconstitute — typically within weeks. Don’t let disruption news become a reason to slow security investment.
- CISO: Treat the disruption as a short window to get ahead. Prioritize the remediation work that competes for attention when threat activity is high: access reviews, credential rotation, and configuration audits on internet-facing systems.
- CISO/Security Ops: If your organization uses threat intelligence services, ask whether RAMP or BreachForums data has surfaced any credentials, access listings, or mentions tied to your environment.
Sources: Ars Technica, Bitdefender, Reuters, Google Cloud, Dark Reading
Key Threat Actors (January Framing) #
Attribution in monthly intelligence should be conservative. This section focuses on operational patterns rather than definitive attribution, unless cited sources are explicit.
January’s incidents cluster around five actor patterns: extortion groups leveraging data theft over encryption (Nike), identity and social engineering crews exploiting help desk and SSO workflows (Betterment, dating platforms), initial access brokers feeding credential markets from consumer dataset leaks (Under Armour, SoundCloud), cybercrime infrastructure operators providing the platforms and proxies that enable all of the above (RAMP, IPIDEA), and state-linked destructive actors targeting critical infrastructure with wiper malware (Poland).
These patterns aren’t independent — they feed each other. IABs supply credentials that identity crews exploit, extortion groups monetize what both produce, and infrastructure operators provide the logistics layer that makes it all scalable. The Fortinet SSO exploitation didn’t fit neatly into one actor category but reinforced the throughline: identity and authentication trust are the dominant attack surface. For board conversations, the takeaway is: don’t over-focus on actor names. Focus on pathways — identity, vendor trust, SaaS admin, and third-party access.
Attack Methods: What Your Teams Should Brief Up #
This section is written for security and IT leaders to translate for their executive teams.
January’s intrusion-to-impact chain followed a consistent pattern: identity or support workflow compromise → SSO or SaaS admin access → bulk export or quiet exfiltration → leak site or public pressure → legal, PR, and regulatory clocks start simultaneously.
Six methods worth tracking:
- Pure extortion (no encryption): Faster monetization, fewer early warning signals.
- Voice phishing + help-desk abuse: Attackers call support staff, impersonate employees or vendors, and talk their way into password resets or access grants. This bypasses technical controls entirely by exploiting process gaps.
- Stolen credential and session replay: When login credentials or active session tokens leak in a breach, attackers reuse them to walk through the front door. A replayed session token never triggers a multi-factor prompt, because the MFA challenge was already satisfied when that session was issued; the attacker inherits the result rather than guessing a password.
- Vendor cloud SSO exploitation: Attackers exploited a cross-tenant flaw in Fortinet’s cloud SSO platform to authenticate as admins on other customers’ devices — then automated config theft and persistence account creation within seconds. The attack bypassed device-level patching entirely.
- Proxy infrastructure abuse: Residential proxy networks route attacker traffic through real consumer devices, making malicious activity look like normal browsing.
- Workflow automation exposure: Tools like n8n — used to automate business processes — become high-leverage targets when left exposed to the internet; Canada’s Cyber Centre issued advisories.
Sector Impact Analysis #
| Sector | January Pattern | Key Risk |
|---|---|---|
| Retail / Consumer | Large datasets + extortion | Brand damage + phishing amplification |
| Tech / SaaS | Identity-led compromise | One SaaS breach cascades across clients |
| Financial Services | Social engineering + scam enablement | Fraud risk + disclosure scrutiny |
| Critical Infrastructure | State-linked wiper attack on Poland’s energy grid | OT dependency risk; distributed assets are the new target |
Regulatory implications by sector:
- Consumer brands: Expect scrutiny on disclosure timing and customer notification clarity.
- Financial services: Customer scam enablement increases enforcement risk. Regulators will ask how compromised communication channels were possible.
- Critical infrastructure + suppliers: Supply-chain posture and operational resilience expectations are tightening under EU/UK frameworks.
Regulatory Timeline #
| Window | What Moved | Executive Action |
|---|---|---|
| Proposed (Jan 2026) | EU cybersecurity package / Cybersecurity Act revision proposal | Review supply-chain exposure and vendor risk controls. Expect this to show up in procurement and vendor questionnaires. |
| Active review | UK Cyber Security and Resilience Bill (Call for Evidence underway) | Validate incident reporting processes and internal readiness. |
| Guidance published | CISA PQC product-category guidance shaping procurement expectations | Inventory cryptography dependencies; update procurement requirements. |
Strategic Threat Signals (January) #
Two developments fell outside the brief’s primary data-extortion theme but carry strategic weight for enterprise risk planning:
Geopolitical sabotage is targeting distributed infrastructure. Russian state actors (Sandworm, attributed with medium confidence by ESET and Dragos) targeted Poland’s distributed energy grid — solar farms, wind facilities, and combined heat and power (CHP) plants — with DynoWiper wiper malware in late December. The attack was thwarted before causing a blackout, but Dragos confirmed attackers gained access to operational technology systems and disabled key equipment at some sites. For enterprises with physical operations or energy dependencies in NATO-adjacent regions, OT segmentation and resilience are now continuity requirements — not compliance exercises.
AI-authored advanced malware is no longer theoretical. Check Point Research documented VoidLink, a sophisticated Linux/cloud-first malware framework with 88,000+ lines of code and 37 plugins — including deep kernel-level and container-aware stealth capabilities that would typically require a skilled development team. It was built predominantly by AI under the direction of what appears to be a single developer, reaching functional status in under a week. VoidLink was identified at an early development stage and was not deployed against victims, but it represents one of the first widely documented cases of AI being used to generate a complex, modular malware framework — rather than repurposing existing tools. The implication for defenders: assume that development timelines for sophisticated threats are compressing, and that complexity alone is no longer a reliable signal of a well-resourced adversary.
Market & Industry Intelligence #
Six signals executives should track from January:
- M&A confirms identity is the battleground. CrowdStrike spent over $1.1B in a single week: SGNL ($740M, continuous identity authorization, Jan 8) and Seraphic (~$420M, browser runtime security, Jan 13). Both deals aim to extend real-time access control across SaaS, cloud, and browser layers — directly validating this brief’s core thesis that identity and access workflows are now the primary attack surface. Expect competitors to follow.
- Identity is the control plane. The highest-impact stories this month all trace back to compromised identity and admin workflows — not network exploitation. Budget and architecture should reflect this.
- Cybercrime infrastructure is a target now, not just a threat. FBI, Google, and platform operators are dismantling criminal logistics (forums, proxies, marketplaces). Useful, but not a substitute for internal controls.
- Platform operators are playing defense. Microsoft, Google, and major SaaS vendors are investing more in ecosystem disruption. Enterprises benefit — but can’t rely on it as a control layer.
- Regulation is shaping procurement. EU/UK direction and PQC guidance mean security architecture is drifting into board-level vendor strategy. CISOs and procurement leads need a shared playbook.
- Insurance implications are shifting. Leak-first extortion — where no systems go down but data is exposed — challenges traditional cyber insurance triggers built around business interruption. Confirm triggers and exclusions with your broker; policy language varies.
Investment Priorities #
These aren’t new recommendations — they’re established fundamentals. January’s incidents reinforced why each one matters and exposed where execution gaps persist.
| Priority | Urgency | January Trigger | 30/60/90-Day Move |
|---|---|---|---|
| Phishing-resistant MFA for Tier-0 roles | High | Betterment + platform breaches started with SSO/help desk compromise | Roll out to admins + help desk first |
| Identity telemetry + anomaly detection | High | Identity-led breaches were recognized only after customer-facing impact (scam messages, exposed data) | Alert on MFA resets, new admin accounts, impossible travel |
| Egress monitoring + bulk export detection | High | Nike’s 1.4TB claim, if genuine, implies large-scale exfiltration that was not caught in time | Cover CRM, file storage, SaaS platforms |
| Vendor-managed auth inventory + controls | High | Fortinet’s cloud SSO bypass gave attackers admin access to customer devices | Inventory vendor cloud SSO dependencies; disable where unintentional |
| Third-party access containment | High | Betterment attackers reached customers through third-party platform access | Least privilege + contractual controls |
| Crisis comms + legal playbooks | High | Nike’s PR timeline inversion — attacker went public first | Pre-approve statements, escalation paths, customer scripts |
Board Discussion Points #
- If an attacker steals data without encrypting anything, when would we know — and what would prove it?
- Which workflows allow account recovery or admin privilege changes, and how are they verified out-of-band?
- Which security appliances delegate admin authentication to a vendor’s cloud platform — and was that a deliberate architecture decision or a default we never revisited?
- Which vendors can touch customer communications or sensitive data, and how do we validate their controls?
- Do we have a tested extortion playbook that covers comms, legal, regulators, and customer support — not just IT recovery?
Next Month: What to Expect #
Will happen (high confidence): More leak-first extortion campaigns against recognizable brands. Continued identity-led compromise attempts targeting help desks and SSO admins.
Might happen: Further exploitation of vendor-managed authentication and cloud SSO features across security products — the pattern Fortinet exposed is unlikely to be unique to one vendor. Migration to new cybercrime forums and channels after January’s seizures.
Watch for (low probability, high impact): A breach where attackers weaponize customer communication channels at scale — support or marketing platforms sending attacker-controlled messages to an entire customer base. Separately: further state-linked probing of distributed energy infrastructure outside Ukraine, following the Poland precedent.
Key Conclusions #
January 2026 wasn’t about new malware or flashy exploits. It was about harsher economics:
- Data theft is now the outage. If you only measure resilience by system uptime, you’ll miss the business impact until it’s already public.
- Identity is now the breach. The perimeter moved to SSO, help desks, and SaaS admin consoles — and most organizations haven’t moved their defenses with it.
- Vendor trust is now attack surface. When you delegate authentication to a vendor’s cloud platform, you inherit their vulnerabilities — and you can’t patch what you don’t control.
- Patch velocity is now governance. The gap between “patch available” and “patch verified in production” is where risk lives. Someone in your organization should own that gap by name.
If your crisis playbook starts with “restore from backup,” what happens when there’s nothing to restore — just data already in someone else’s hands?
Appendix A — Technical Indicators (Summary) #
- Fortinet / FortiCloud SSO (CVE-2026-24858): Cross-tenant authentication bypass in FortiCloud SSO. All organizations running FortiGate, FortiManager, FortiAnalyzer, FortiProxy, or FortiWeb with FortiCloud SSO enabled are affected — even if previously patched for CVE-2025-59718/59719. Verify FortiCloud SSO status (it may have been enabled automatically during FortiCare registration). Apply Fortinet’s updated firmware, rotate all credentials including connected LDAP/AD accounts, and audit for unauthorized admin accounts and configuration changes. Monitor for the known malicious SSO login account and associated IP indicators published by Arctic Wolf and Fortinet.
- n8n: Workflow automation vulnerabilities — patch per Canadian Cyber Centre advisory AL26-001.
- Poland/DynoWiper (OT signal): Wiper malware targeting distributed energy infrastructure (wind, solar, CHP). Organizations with OT exposure should review segmentation between IT and OT environments, remote terminal unit (RTU) access controls, and default credential usage on industrial systems.
- VoidLink (AI signal): Cloud-first Linux malware framework with eBPF/LKM rootkits and container-aware modules. Defenders should monitor for anomalous Linux process behavior in cloud environments, review cloud metadata API access patterns, and ensure container escape detection is in place.
- General: Alert on bulk exports, suspicious SSO admin events, anomalous vendor-initiated authentication, and config export activity across all edge and SaaS platforms.
(Detailed IOCs, including hashes, IP addresses, and account names, are excluded from this version. Contact your threat intelligence provider for indicator-level detail.)
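Detection logic for the scripted admin chain described in the Fortinet incident (SSO login, rogue admin creation, VPN grant, configuration export, all within seconds) and for the alerting this appendix calls for on SSO admin events and config exports. This is an added example, not code from the brief, Arctic Wolf or Fortinet. The sample events are constructed for the demo in a generic key=value layout that is not any vendor’s real log schema; the action names, the `cloud-sso` method label, usernames, addresses and the 60-second window are all assumptions. On a real device you would map the equivalent fields from its audit log before running the detector.

```python
"""Flag a scripted admin takeover on an edge device from its audit events.

Added example, not vendor code. SAMPLE_LOGS is constructed for the demo and
uses an assumed key=value layout, not a real vendor log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

SAMPLE_LOGS = """\
ts=2026-01-15T03:12:01Z action=login user=svc_cloud_admin method=cloud-sso src=198.51.100.7 result=success
ts=2026-01-15T03:12:02Z action=admin-create user=svc_cloud_admin target=backup_admin profile=super_admin
ts=2026-01-15T03:12:03Z action=vpn-grant user=svc_cloud_admin target=backup_admin
ts=2026-01-15T03:12:04Z action=config-export user=svc_cloud_admin bytes=184320
ts=2026-01-15T08:40:11Z action=login user=jsmith method=local src=10.0.0.5 result=success
ts=2026-01-15T08:45:30Z action=admin-create user=jsmith target=oncall_ro profile=read_only
ts=2026-01-15T09:10:00Z action=config-export user=jsmith bytes=181000
ts=2026-01-16T22:05:00Z action=login user=svc_cloud_admin method=cloud-sso src=198.51.100.7 result=success
ts=2026-01-16T22:05:01Z action=config-export user=svc_cloud_admin bytes=184320
ts=2026-01-16T22:05:09Z action=login user=svc_cloud_admin method=cloud-sso src=198.51.100.7 result=failure
"""

# The three actions that, together and fast, mark the scripted takeover.
TAKEOVER_CHAIN = {"admin-create", "vpn-grant", "config-export"}
WINDOW_SECONDS = 60   # assumption: a human admin takes longer than this

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> Dict[str, object]:
    ev: Dict[str, object] = dict(KV.findall(line))
    stamp = datetime.strptime(str(ev["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    ev["_t"] = stamp.replace(tzinfo=timezone.utc).timestamp()
    return ev


def parse_logs(text: str) -> List[Dict[str, object]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(events: List[Dict[str, object]], window: int = WINDOW_SECONDS) -> List[Dict[str, object]]:
    """For every successful login, look at what the same actor did within
    `window` seconds. The full chain in that window is critical regardless of
    login method; any single chain action after a vendor-cloud SSO login is
    high, because that path is the one the brief says customers cannot patch."""
    findings: List[Dict[str, object]] = []
    by_user: Dict[object, List[Dict[str, object]]] = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["_t"])
        for i, login in enumerate(evs):
            if login["action"] != "login" or login.get("result") != "success":
                continue
            deadline = login["_t"] + window
            followers = [e for e in evs[i + 1:] if e["_t"] <= deadline and e["action"] != "login"]
            actions = {e["action"] for e in followers}
            via_vendor_sso = login.get("method") == "cloud-sso"
            if TAKEOVER_CHAIN <= actions:
                rule, severity = "scripted-admin-takeover", "critical"
            elif via_vendor_sso and actions & TAKEOVER_CHAIN:
                rule, severity = "vendor-sso-privileged-action", "high"
            else:
                continue
            hits = [e for e in followers if e["action"] in TAKEOVER_CHAIN]
            findings.append({
                "rule": rule, "severity": severity, "user": user, "src": login.get("src"),
                "login_ts": login["ts"], "via_vendor_sso": via_vendor_sso,
                "actions": sorted(str(e["action"]) for e in hits),
                "elapsed_s": int(max(e["_t"] for e in hits) - login["_t"]),
            })
    return findings


if __name__ == "__main__":
    for f in detect(parse_logs(SAMPLE_LOGS)):
        print(f"[{f['severity']}] {f['rule']} user={f['user']} src={f['src']} "
              f"login={f['login_ts']} actions={f['actions']} elapsed={f['elapsed_s']}s")
```

The local administrator in the sample creates an account and exports a config too, but over half an hour and without the VPN grant, so nothing fires; the point of the window is to separate a scripted chain from routine change work rather than to alert on configuration exports as such. Widen the window and the local case still stays quiet, because the full chain is what carries the critical verdict.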
Appendix B — Sources #
- Reuters — Nike investigating possible data breach (Jan 26, 2026): https://www.reuters.com/sustainability/boards-policy-regulation/nike-says-it-is-investigating-possible-data-breach-2026-01-26/
- SecurityWeek — Nike probing potential security incident: https://www.securityweek.com/nike-probing-potential-security-incident-as-hackers-threaten-to-leak-data/
- Have I Been Pwned — Under Armour: https://haveibeenpwned.com/breach/UnderArmour
- SecurityWeek — Under Armour data breach: https://www.securityweek.com/under-armour-looking-into-data-breach-affecting-customers-email-addresses/
- TechCrunch — Under Armour aware of data breach claims (Jan 2026): https://techcrunch.com/2026/01/22/under-armour-says-its-aware-of-data-breach-claims-after-72m-customer-records-were-posted-online/
- Have I Been Pwned — SoundCloud: https://haveibeenpwned.com/Breach/SoundCloud
- BleepingComputer — SoundCloud breach impacts 29.8M accounts: https://www.bleepingcomputer.com/news/security/have-i-been-pwned-soundcloud-data-breach-impacts-298-million-accounts/
- SecurityWeek — Crunchbase confirms data breach: https://www.securityweek.com/crunchbase-confirms-data-breach-after-hacking-claims/
- Have I Been Pwned — Panera Bread: https://haveibeenpwned.com/breach/PaneraBread
- SecurityWeek — Betterment discloses data breach: https://www.securityweek.com/robo-advisor-betterment-discloses-data-breach/
- Betterment — Customer Update regarding security incident (Jan 2026): https://www.betterment.com/customer-update
- The Record — Bumble, Match dating apps disclose breaches: https://therecord.media/bumble-match-dating-apps-data-breaches
- BankInfoSecurity — Voice phishing / Okta-related coverage: https://www.bankinfosecurity.com/voice-phishing-okta-customers-shinyhunters-claims-credit-a-30590
- Fortinet PSIRT — Advisory FG-IR-26-060: https://www.fortiguard.com/psirt/FG-IR-26-060
- BleepingComputer — Fortinet blocks exploited FortiCloud SSO zero-day: https://www.bleepingcomputer.com/news/security/fortinet-blocks-exploited-forticloud-sso-zero-day-until-patch-is-ready/
- CISA Alert — Fortinet CVE-2026-24858 (Jan 28, 2026): https://www.cisa.gov/news-events/alerts/2026/01/28/fortinet-releases-guidance-address-ongoing-exploitation-authentication-bypass-vulnerability-cve-2026
- Arctic Wolf — Malicious configuration changes on FortiGate devices (Jan 22, 2026): https://arcticwolf.com/resources/blog/arctic-wolf-observes-malicious-configuration-changes-fortinet-fortigate-devices-via-sso-accounts/
- Help Net Security — Fortinet FortiCloud SSO zero-day (CVE-2026-24858): https://www.helpnetsecurity.com/2026/01/28/fortinet-forticloud-sso-zero-day-vulnerability-cve-2026-24858/
- Canadian Centre for Cyber Security — n8n vulnerabilities (AL26-001): https://www.cyber.gc.ca/en/alerts-advisories/al26-001-vulnerabilities-affecting-n8n-cve-2026-21858-cve-2026-21877-cve-2025-68613
- Ars Technica — RAMP forum seized by FBI (Jan 2026): https://arstechnica.com/security/2026/01/site-catering-to-online-criminals-has-been-seized-by-the-fbi/
- Bitdefender — FBI takes RAMP ransomware forum offline: https://www.bitdefender.com/en-us/blog/hotforsecurity/fbi-takes-notorious-ramp-ransomware-forum-offline
- Reuters — Google disrupts residential proxy network (IPIDEA) (Jan 28, 2026): https://www.reuters.com/technology/google-disrupts-large-residential-proxy-network-reducing-devices-used-by-2026-01-28/
- Google Cloud — Disrupting residential proxy network (IPIDEA): https://cloud.google.com/blog/topics/threat-intelligence/disrupting-largest-residential-proxy-network
- Dark Reading — BreachForums breached, ~324K users exposed: https://www.darkreading.com/threat-intelligence/breachforums-breached-exposing-324k-cybercriminals
- Bitdefender — BreachForums database leaked: https://www.bitdefender.com/en-us/blog/hotforsecurity/hackers-get-hacked-as-breachforums-database-is-leaked
- European Commission — Cybersecurity package (Jan 2026): https://ec.europa.eu/commission/presscorner/detail/en/ip_26_105
- UK Parliament — Cyber Security and Resilience Bill (Jan 2026): https://www.parliament.uk/business/news/2026/jan-2026/cyber-security-and-resilience-network-and-information-systems-bill-call-for-evidence/
- CISA — Post-quantum cryptography product categories: https://www.cisa.gov/resources-tools/resources/product-categories-technologies-use-post-quantum-cryptography-standards
- The Record — Poland electrical grid cyberattack hit ~30 facilities: https://therecord.media/poland-electrical-grid-cyberattack-30-facilities-affected
- SecurityWeek — Russian Sandworm hackers blamed for cyberattack on Polish power grid: https://www.securityweek.com/russian-sandworm-hackers-blamed-for-cyberattack-on-polish-power-grid/
- ESET Research — Sandworm behind cyberattack on Poland’s power grid (DynoWiper): https://www.welivesecurity.com/en/eset-research/eset-research-sandworm-cyberattack-poland-power-grid-late-2025/
- Check Point Research — VoidLink: AI-generated malware framework: https://research.checkpoint.com/2026/voidlink-early-ai-generated-malware-framework/
- BleepingComputer — VoidLink cloud malware shows signs of being AI-generated: https://www.bleepingcomputer.com/news/security/voidlink-cloud-malware-shows-clear-signs-of-being-ai-generated/
- Dark Reading — Complex VoidLink Linux malware created by AI: https://www.darkreading.com/threat-intelligence/voidlink-linux-malware-ai
- CNBC — CrowdStrike buys SGNL for $740M (Jan 8, 2026): https://www.cnbc.com/2026/01/08/crowdstrike-ai-cybersecurity-sgnl-acquisition.html
- SecurityWeek — CrowdStrike to buy SGNL for $740M: https://www.securityweek.com/crowdstrike-to-buy-identity-security-firm-sgnl-for-740-million-in-cash/
- SecurityWeek — CrowdStrike to acquire Seraphic for $420M (Jan 13, 2026): https://www.securityweek.com/crowdstrike-to-acquire-browser-security-firm-seraphic-for-420-million/