Grubhub Confirms Internal Data Breach Amid Extortion Threat
2d
Developing
Grubhub has confirmed that "unauthorized individuals" accessed and downloaded data from some of its internal systems, and says it has hired a third‑party cybersecurity firm and notified law enforcement after detecting and stopping the activity. The company told BleepingComputer that payment data and order history were not affected but declined to say when the breach occurred, what customer information was accessed, or whether it is being extorted. Sources quoted in the report attribute the intrusion to the ShinyHunters hacking group, which is allegedly demanding Bitcoin to avoid leaking data said to include older Salesforce records from a February 2025 incident and newer Zendesk customer‑support records from the latest breach. Investigators believe attackers may have reused credentials and tokens stolen in last year’s Salesloft/Salesforce 'Drift' campaign, which Mandiant has tied to widespread theft of cloud access keys from hundreds of companies. Security experts note that even support‑system data such as names, emails and account notes can fuel targeted phishing and identity scams, and the case is feeding social‑media criticism that corporate breach disclosures often understate risk when upstream SaaS providers are compromised.
Cybersecurity and Data Breaches
U.S. Consumer Platforms
Ransomware Breach at Texas Gas‑Station Operator Exposes 377,000 Social Security Numbers
6d
Developing
Gulshan Management Services, Inc., tied to Gulshan Enterprises’ roughly 150 Handi Plus and Handi Stop gas stations and convenience stores in Texas, has disclosed a ransomware attack that exposed personal data for more than 377,000 people, according to a filing with the Maine Attorney General’s Office. The company says attackers gained access to its IT systems via a phishing email in late September and remained inside for about 10 days before deploying ransomware that encrypted files across its network. During that time, the intruders stole names, contact information, Social Security numbers and driver’s license numbers, a combination security experts say can fuel identity theft and account‑takeover fraud for years. Gulshan reports it restored operations from known‑good backups and has not seen a ransomware group publicly claim responsibility, but once data is copied out, it cannot be recovered, leaving affected customers and employees at ongoing risk. The incident underscores how retail and fuel businesses with legacy systems and frontline staff are increasingly targeted in U.S. ransomware campaigns, even though they are not traditional tech firms.
Cybersecurity and Data Breaches
Retail and Payment Systems
Illinois Human Services Data Breach Exposes Records of About 700,000 Residents
Jan 20
Developing
The Illinois Department of Human Services has confirmed that an unauthorized party accessed one of its systems, exposing personal and program records for roughly 700,000 residents tied to state benefits and disability services. The breach affected more than 672,000 Medicaid and Medicare Savings Program recipients, whose exposed data includes addresses, case numbers, demographic details and medical assistance plan names, and about 32,000 Division of Rehabilitation Services customers whose names, addresses, case details and referral information were accessed over multiple years. Officials say the incident involved personally identifiable information and have begun notifying impacted individuals, though they have not yet disclosed full technical details or whether Social Security numbers were involved. Cybersecurity experts note that because this data stems from government systems, it cannot easily be changed and could fuel long‑term identity theft, fraudulent benefits claims and highly targeted phishing attacks, especially when combined with information from other breaches. DHS says it is working to secure its systems and prevent similar incidents as the investigation continues, but for now the burden of monitoring and protection falls heavily on affected residents.
Cybersecurity and Data Breaches
Medicaid and Public Benefits Security
Apple Urges iPhone, iPad Users to Install iOS 26.2 Patch for Active WebKit Exploit
Jan 19
Developing
Apple has warned that two critical WebKit flaws used in "extremely sophisticated" attacks could let malicious websites run arbitrary code on iPhones and iPads, enabling device takeover, password theft and access to payment data simply by visiting the wrong page. The company says the bugs affect iPhone 11 and later models plus recent iPad Pro, iPad Air, iPad and iPad mini generations, and that the only effective fix is upgrading to iOS 26.2 or iPadOS 26.2 because it is no longer offering a security‑only update for users who want to stay on iOS 18. Usage data cited in the piece suggest a large patch gap: roughly half of eligible users, and possibly as many as 80% worldwide, have yet to update, leaving an estimated hundreds of millions of devices exposed, including a huge share of U.S. phones. Security experts quoted say there is no user‑behavior workaround, since the vulnerability resides deep in Safari’s browser engine and in every browser that runs on iOS, and that risk rises once technical details are public because attackers can reliably weaponize them. The article walks users through how to check and update their software via Settings > General > Software Update, underscoring that timely patching is now the only real protection against this active exploit.
Cybersecurity and Data Breaches
Consumer Technology
Brightspeed Probes Claimed Hack of Data on 1 Million U.S. Fiber Customers
Jan 18
Developing
Brightspeed, a major U.S. fiber broadband provider serving rural and suburban areas in 20 states, says it is investigating what it calls a potential cybersecurity event after a hacking group known as Crimson Collective claimed on Telegram to have stolen sensitive data tied to more than one million residential customers. The group alleges it accessed customer names, emails, phone numbers, home and billing addresses, account identifiers, payment histories with partial card details, and appointment and order records, and has threatened to release samples if the company does not respond. Brightspeed has not confirmed a breach but told BleepingComputer it is rigorously monitoring threats, trying to understand what happened, and will inform customers, employees and authorities as more facts are known, though it has not yet posted a public notice on its own channels. Crimson Collective has a recent track record, including a 2025 GitLab breach at Red Hat that cascaded into a Nissan customer-data exposure, which makes the new claims harder to dismiss even as they remain unverified. If accurate, the combination of personally identifiable and partial financial data would create serious risks of identity theft, phishing and account fraud for affected subscribers in some of the country’s most broadband‑dependent communities.
Cybersecurity and Data Breaches
Telecom & Internet Infrastructure
Meta Fixes Instagram Flaw Behind Surge in Legit Password‑Reset Emails
Jan 15
Developing
Fox’s tech column reports a January surge of unexpected Instagram "Reset your password" emails, many of them legitimate messages triggered when unknown parties run usernames or emails through Instagram’s real password‑reset form. A Meta spokesperson confirms the company "fixed an issue that allowed an external party to request password reset emails for some Instagram users," while insisting there was no breach of its core systems and that accounts remain secure. The article notes that a BreachForums post in early January 2026 allegedly exposed data tied to about 17.5 million Instagram accounts, timing that coincides with the reset‑email wave and could have given attackers a large list of targets, though a direct link is not proven. Security experts quoted in the piece describe the campaign as social engineering that relies on panicked users clicking through reset links, choosing weak or reused passwords or falling for follow‑on phishing pages, and urge people to treat surprise resets as a warning to harden logins with strong, unique passwords and two‑factor authentication. For U.S. users, the episode highlights how even unbreached platforms can become vectors for account takeovers when attackers exploit normal recovery tools at scale.
Cybersecurity and Data Breaches
Social Media Platforms