48 million Gmail credentials exposed. In late January 2026, security researcher Jeremiah Fowler reported that an unprotected database containing roughly 48 million Gmail usernames and passwords (about 96 GB of data) had leaked online. The set appears to be a compilation of past breaches and infostealer logs rather than a new Google breach. The incident underscores the risk of credential stuffing and the need to use unique passwords and two-factor authentication for webmail.
LastPass phishing campaign (Jan 19–22). An active phishing campaign targeted LastPass users with emails claiming scheduled maintenance and urging recipients to back up their vault within 24 hours. After LastPass disrupted the first wave, a second wave appeared around 22 January with updated links. Anyone using a password manager should avoid following such links from email and should open the service only via the official site or app.
"Reprompt" attack on Microsoft Copilot. Researchers disclosed a method to steal data from Microsoft Copilot by hiding malicious prompts in URL parameters. A single click could hijack an authenticated session and exfiltrate chat history and other sensitive data. Microsoft addressed the issue in its January 2026 Patch Tuesday release; there was no confirmed in-the-wild exploitation. Users are advised to keep Windows and Office updated and to be cautious with Copilot links from untrusted sources.
RedVDS criminal infrastructure disrupted. Microsoft's Digital Crimes Unit took action against RedVDS, a virtual desktop provider used by threat actors for business email compromise (BEC), mass phishing, account takeovers, and financial fraud across sectors including legal, healthcare, and education. The takedown reduces capacity for large-scale mail-based and credential-abuse campaigns that affect the general public.
SharePoint-based AiTM and BEC campaign. Microsoft Defender documented a multi-stage adversary-in-the-middle (AiTM) phishing and BEC campaign targeting energy-sector organisations. Attackers abused SharePoint file-sharing to deliver phishing payloads and used inbox rules for persistence. The pattern highlights how legitimate collaboration and email services are abused for credential theft and underscores the importance of verifying shared links and sender identity.
Instagram 17.5 million user records leaked. On 7 January 2026, approximately 17.5 million Instagram user records (usernames, emails, phone numbers, partial addresses) appeared on BreachForums, stemming from a 2024 API exposure. The leak triggered a wave of unsolicited password-reset emails to users. Anyone who received unexpected reset or login alerts in January should assume their contact data may be in criminal hands, review their account security, and check whether the same email or password is reused elsewhere.
CIRO phishing incident. A phishing attack against the Canadian Investment Regulatory Organisation (CIRO) led to the exposure of income data for about 750,000 Canadian investors on 20 January 2026. The case is a reminder that high-value targets (regulators, financial services) are frequently attacked, both for direct theft and to enable follow-on phishing against individuals.
In short: January 2026 was marked by large credential leaks (Gmail, Instagram), targeted phishing (LastPass, CIRO), abuse of collaboration and AI tools (SharePoint, Copilot), and the disruption of a major criminal desktop provider (RedVDS). For the general public, the main takeaways are to avoid following password-manager and login links in emails, to use unique passwords and 2FA, to apply January 2026 patches, and to treat unexpected reset or "urgent" emails with scepticism.