okta Vendor Cyber Rating & Cyber Score

okta.com.de

okta is a company that specializes in New Urbanism and urban research. Existing urban structures are analyzed and applied in planning.


okta A.I CyberSecurity Scoring

Company Information
Website: http://okta.com.de
Employees number: 3
Number of followers: 459
NAICS:
Industry Type: Architecture and Planning
Homepage: okta.com.de
okta Risk Score (AI oriented)
Between 0 and 549
Updated: 18/03/2026
100/1000
Critical
C
Powered by our proprietary A.I cyber incident model
Insurance prefers TPRM score to calculate premium
okta: Critical
Current Score: 100 C (CRITICAL)
9 incidents
-127 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
100 Before Incident
MAY 2026
100 Before Incident
APRIL 2026
100 Before Incident
MARCH 2026
100 Before Incident
Breach
18 Mar 2026 okta
Okta, Nordstrom and Salesforce: Nordstrom's email system abused to send crypto scams to customers

Nordstrom Customers Targeted in Cryptocurrency Scam via Compromised Email System

100 After Incident
CRITICAL 0
NOROKTSAL1773854168
Nordstrom customers recently received fraudulent emails from the company’s legitimate marketing address ([email protected]), promoting a cryptocurrency scam disguised as a St. Patrick’s Day promotion. The messages promised to double any cryptocurrency sent to a specified wallet within two hours, creating a false sense of urgency to pressure recipients into acting quickly. The scam emails contained red flags, including a misspelled company name ("Normstorm") in the subject line, though the official sender address likely led some victims to overlook the deception. Nordstrom later confirmed the messages were unauthorized and warned customers that the company would never request cryptocurrency transactions. A follow-up email urged recipients to disregard the fraudulent offer. While it remains unclear how many customers were affected, some victims reportedly sent funds to the attacker’s wallet, which accumulated over $5,600 in cryptocurrency. According to sources, the breach stemmed from a compromise in Okta SSO and Salesforce Marketing Cloud, allowing threat actors to send the scam emails through Nordstrom’s official channels. This incident mirrors recent attacks on Betterment and GrubHub, which also exploited similar vulnerabilities to distribute crypto scams. Nordstrom, a major U.S. retailer with over $15 billion in annual revenue and millions of customers, has not publicly detailed the extent of the breach or its response beyond issuing customer warnings. The company is investigating the incident.
INCIDENT DETAILS -
TYPE
Phishing / Scam
MOTIVATION
Financial gain
IMPACT
Financial Loss: $5,600 (reportedly accumulated in attacker's wallet)
Systems Affected: Email marketing system (Salesforce Marketing Cloud), Okta SSO
Operational Impact: Unauthorized use of official email channels for fraudulent activity
Brand Reputation Impact: Potential erosion of customer trust due to fraudulent emails from official channels
FEBRUARY 2026
413 Before Incident
JANUARY 2026
506 Before Incident
Ransomware
23 Jan 2026 okta
Nike: Nike Allegedly Breached by WorldLeaks Ransomware Group in Major Cyberattack

Nike Targeted in Alleged Ransomware Attack by WorldLeaks Group

408 After Incident
CRITICAL -98
NIK1769167310
Global sportswear giant Nike is facing an alleged cyberattack by the ransomware group WorldLeaks, which has publicly claimed responsibility for the breach. The group announced on its leak site that stolen data will be released this Saturday at 6 p.m., escalating pressure on the company as part of an aggressive extortion campaign. WorldLeaks, known for its high-profile enterprise targeting, typically publishes victim announcements to coerce ransom payments. As of now, Nike has not issued a public confirmation of the intrusion, and independent verification from security researchers remains unavailable. The exact scope of the stolen data is unconfirmed, though WorldLeaks claims to have exfiltrated a substantial volume of internal information, potentially ranging from hundreds of gigabytes to multiple terabytes. Historically, ransomware groups like WorldLeaks gain initial access through compromised VPN credentials, exploited vulnerabilities in internet-facing applications, or spear-phishing campaigns. Once inside, attackers move laterally to identify and exfiltrate high-value data before deploying encryption. The stolen material may include corporate documents, employee records, customer databases, supplier communications, contracts, and HR data. If the data is published, the fallout could be significant. Exposed employee records may lead to phishing and identity fraud, while leaked customer and partner information could enable social engineering attacks and supply chain compromises. Strategic document disclosures may also undermine competitive positioning and reveal sensitive business operations. Security teams are expected to analyze any released data to verify authenticity, assess breach scope, and evaluate downstream risks for connected organizations. The incident underscores the growing threat of data-extortion ransomware attacks targeting major enterprises.
INCIDENT DETAILS -
TYPE
Ransomware
MOTIVATION
Extortion
IMPACT
Data Compromised: Substantial volume of internal information (hundreds of gigabytes to multiple terabytes)
Brand Reputation Impact: Potential undermining of competitive positioning and sensitive business operations disclosure
Identity Theft Risk: Possible phishing and identity fraud from exposed employee records
DATA BREACH
Corporate documents; Employee records; Customer databases; Supplier communications; Contracts; HR data
Sensitivity Of Data: High
JANUARY 2026
563 Before Incident
Breach
09 Jan 2026 okta
Betterment: Betterment Data Breach Exposes Customer Information In 2026

Betterment Data Breach Exposes Customer Information

504 After Incident
CRITICAL -59
BET1768259382
On January 9, 2026, Betterment, a leading automated investment and personal finance platform, disclosed a cybersecurity incident in which hackers exploited third-party marketing and operational tools to access customer data. The attackers employed social engineering tactics (deception and impersonation) to infiltrate systems, bypassing Betterment’s core security infrastructure. The breach exposed personal information, including names, email and postal addresses, phone numbers, and dates of birth for an undisclosed number of customers. While Betterment confirmed that no account credentials or financial data were compromised, the attackers used the stolen information to send fraudulent cryptocurrency scam messages to some users, promising to triple their holdings in exchange for a $10,000 payment to a hacker-controlled wallet. Betterment detected the breach the same day, revoking unauthorized access and launching an investigation with an unnamed cybersecurity firm. The company stated that no customer accounts were accessed, and login credentials remained secure. However, the incident has raised concerns about the risks posed by third-party integrations in financial services, as the attack did not target Betterment’s internal systems directly but rather exploited vulnerabilities in external platforms. Betterment’s response has drawn criticism for its lack of transparency, including the use of a "noindex" tag on its security incident webpage, preventing search engines from indexing the details. As of January 12, 2026, the company had not disclosed the number of affected customers or further specifics about the attack. The ongoing investigation, along with regulatory scrutiny, may provide additional clarity in the coming weeks.
Cybersecurity experts note that social engineering attacks on financial platforms are increasing, emphasizing the need for stronger oversight of third-party vendors and employee training. The breach underscores the broader challenge of securing interconnected digital ecosystems, where even robust internal defenses can be undermined by external vulnerabilities.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Financial gain (fraudulent crypto scam)
IMPACT
Data Compromised: Names, email and postal addresses, phone numbers, dates of birth
Systems Affected: Third-party marketing and operations platforms
Operational Impact: Unauthorized access revoked, ongoing investigation
Brand Reputation Impact: Rattled nerves among investors and privacy advocates
Identity Theft Risk: High (exposure of personal information)
DATA BREACH
Type Of Data Compromised: Personal Information
Sensitivity Of Data: High (PII including names, addresses, phone numbers, dates of birth)
Personally Identifiable Information: Names, email and postal addresses, phone numbers, dates of birth
DECEMBER 2025
560 Before Incident
NOVEMBER 2025
272 Before Incident
Breach
28 Nov 2025 okta
23andMe Nets Approval for Bankruptcy Plan With Data Breach Deals

23andMe Data Breach and Bankruptcy Settlement

109 After Incident
CRITICAL -163
23A1764346412
Fallen DNA testing firm 23andMe won court approval of a bankruptcy plan that includes settlements to provide up to $62 million to resolve thousands of data breach claims. Judge Brian C. Walsh of the US Bankruptcy Court for the Eastern District of Missouri approved the plan in a Wednesday order, overruling most creditor objections and challenges from data breach victims. Many of those former customers’ objections were deemed moot or premature, and several of them didn’t appear at a court hearing on the plan. Objections from the Justice Department’s bankruptcy watchdog and a coalition of state attorneys general were resolved ...
INCIDENT DETAILS -
TYPE
Data Breach
IMPACT
Financial Loss: $62 million (settlement amount)
DATA BREACH
Type Of Data Compromised: Customer Data (likely including genetic and personally identifiable information)
Sensitivity Of Data: High (genetic and personal data)
OCTOBER 2025
551 Before Incident
Ransomware
03 Oct 2025 okta
Salesforce

Scattered Lapsus$ Hunters Ransomware Attack on Salesforce Customer Data via Salesloft Drift Integration

255 After Incident
CRITICAL -296
SAL5592855100325
The ransomware group ShinyHunters (Scattered Lapsus$ Hunters) breached Salesforce by exploiting stolen OAuth tokens from Salesloft Drift’s AI chatbot integration, compromising 1.5 billion records across 760 companies (including Cisco, Disney, and Marriott). The leaked data includes PII (names, DOBs, passports, employment histories), shipping details, chat transcripts, flight records, and car ownership data—validated by cybersecurity researchers. Attackers first infiltrated Salesloft’s GitHub repository, extracting private source code and OAuth tokens, then laterally moved to Google Workspace, Microsoft 365, and Okta platforms of victims. The group demanded separate ransoms from Salesforce and listed 39 high-profile victims on a darkweb leak site, pressuring them to pay under threat of full data exposure. The attack leveraged social engineering (vishing, phishing, IT impersonation) to trick employees into granting access, highlighting vulnerabilities in third-party supply-chain integrations and weak 2FA/OAuth security controls.
INCIDENT DETAILS -
TYPE
Data Breach; Ransomware; Supply Chain Attack; Social Engineering
MOTIVATION
Financial Gain (Extortion/Ransom); Data Theft for Dark Web Sales; Reputation Damage
IMPACT
Personally Identifiable Information (PII); Shipping Information; Marketing Lead Data; Customer Support Case Records; Chat Transcripts; Flight Details; Car Ownership Records; Employment Histories; Passport Numbers; Full Contact Information; Salesforce CRM Instances; Salesloft Drift AI Chatbot; Google Workspace; Microsoft 365; Okta Platforms; GitHub Repository (Salesloft); Potential Disruption to CRM Operations; Customer Data Exposure Risks; Incident Response Activation; High (Public Data Leak Site); Loss of Customer Trust; Media Scrutiny; Potential GDPR/CCPA Violations; Regulatory Fines; Class-Action Lawsuits
Identity Theft Risk: High (Exposed PII Includes Passport Numbers, DOBs, Contact Details)
DATA BREACH
PII; Customer Support Records; Chat Transcripts; Marketing Data; Shipping Information; Flight Details; Employment Histories
Number Of Records Exposed: 1,500,000,000 (claimed)
Sensitivity Of Data: High (Includes Passport Numbers, Nationalities, Contact Details)
Data Exfiltration: Confirmed (Samples Validated by Researchers)
Data Encryption: No (Data Stolen in Plaintext)
Database Dumps; CSV/Excel Files; JSON/Log Files; Chat Transcripts; Full Names; Dates of Birth; Nationalities; Passport Numbers; Email Addresses; Phone Numbers; Physical Addresses; Employment Histories
SEPTEMBER 2025
550 Before Incident
AUGUST 2025
702 Before Incident
JULY 2025
542 Before Incident
JUNE 2025
555 Before Incident
Cyber Attack
16 Jun 2025 okta
Okta: Crims hit the easy button for IT helpdesk scams

Sophisticated Voice-Phishing Kits Fuel Surge in Identity Fraud Attacks

536 After Incident
CRITICAL -19
OKT1769131367
Cybercriminals are increasingly leveraging custom voice-phishing kits sold on dark web forums and messaging platforms to execute highly convincing social engineering scams. These kits, designed to mimic authentication flows from major identity providers like Google, Microsoft, and Okta, enable attackers to intercept credentials and multi-factor authentication (MFA) codes in real time. According to Okta Threat Intelligence VP Brett Winterford, at least two such kits have been identified, with capabilities that allow attackers to dynamically adjust phishing pages based on victim interactions. This creates a more persuasive pretext for tricking users into divulging login details or approving MFA challenges. The kits also include real-time assistance, with some ads recruiting native English-speaking callers to pose as IT support staff. The attacks, which have evolved significantly since late 2025, follow a structured approach. Attackers first gather reconnaissance on targets, such as names, app usage, and contact details, using publicly available sources like LinkedIn or company websites. They then deploy phishing kits to create fake login pages and call victims under the guise of resolving a support ticket or performing a mandatory update. Once a victim enters credentials, the attacker receives them via Telegram and attempts to log in to the legitimate account, monitoring MFA challenges in real time. The phishing page is updated to reflect the authentication request, making the scam more believable. For example, if a push notification is triggered, the attacker instructs the victim to expect it, while the phishing page displays a fake confirmation message. These kits can even bypass number-matching MFA by instructing victims to enter specific codes.
The result is full account compromise, with attackers gaining control over corporate systems including Salesforce instances, as seen in last year’s Scattered Spider-style breaches that led to large-scale data theft and extortion. The rise of "impersonation-as-a-service" models, where criminals subscribe to ready-made tools, training, and scripts, has further lowered the barrier for such attacks. These operations often combine social engineering with ransomware, driven by financial motives.
INCIDENT DETAILS -
TYPE
Phishing/Social Engineering
MOTIVATION
Financial gain, Data theft, Extortion
IMPACT
Data Compromised: Credentials, Multi-Factor Authentication (MFA) codes, Corporate system access
Salesforce instances; Corporate identity provider accounts (Google, Microsoft, Okta)
Operational Impact: Account takeovers, Unauthorized access to corporate systems
Brand Reputation Impact: Potential erosion of trust in authentication providers and affected companies
Identity Theft Risk: High
DATA BREACH
Credentials; MFA codes; Corporate system access
Sensitivity Of Data: High (corporate and personal authentication data)
Data Exfiltration: Yes (in some cases, e.g., Scattered Spider breaches)
Personally Identifiable Information: Yes (credentials, MFA codes)
JANUARY 2025
593 Before Incident
Breach
01 Jan 2025 okta
Figure Technology and Okta: Blockchain Lender Figure Confirms Customer Data Breach

Figure Technology Data Breach After Social Engineering Attack

534 After Incident
CRITICAL -59
FIGOKT1771086860
Figure Technology, a blockchain-based lending firm, has acknowledged a data breach following a social engineering attack that tricked an employee into granting hackers access. The company stated that a "limited number of files" were stolen, though it has not specified which types of sensitive data, such as names, addresses, Social Security numbers, or financial details, may have been exposed. Affected individuals and partners are being notified, with free credit monitoring offered to those impacted. The cybercrime group ShinyHunters claimed responsibility for the attack, releasing approximately 2.5GB of stolen data on the dark web after Figure refused to pay a ransom. A review of the leak by TechCrunch confirmed the exposure of customer names, home addresses, dates of birth, and phone numbers. ShinyHunters reportedly targeted companies using Okta, an identity management service, with other victims including Harvard University and the University of Pennsylvania. The group employs a "double extortion" tactic, stealing data before demanding payment and threatening public release if demands are not met. Security researchers note that such attacks often exploit weak passwords, third-party vulnerabilities, or unsecured storage systems. The breach adds to growing concerns over crypto fraud and identity theft, as financial institutions remain prime targets due to the sensitive data they hold. A Chainalysis report revealed that criminals stole over $17 billion in crypto last year, with scammers increasingly using AI to craft convincing impersonation schemes. Meanwhile, Privacy Rights Clearinghouse reported over 8,000 breach notifications in 2025, linked to more than 4,000 hacking incidents and exposing the personal information of at least 374 million people. Despite the breach, Figure’s stock rose 3.57% on Friday, closing at $35.29, though shares remain down 37% over the past month.
The company recently announced plans to sell up to 4.23 million additional shares and may repurchase up to $30 million of another stock class.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Financial gain (ransom), data extortion
IMPACT
Data Compromised: Customer names, home addresses, dates of birth, phone numbers, and potentially other sensitive data (e.g., Social Security numbers, financial details)
Brand Reputation Impact: Potential negative impact due to data exposure and ransomware tactics
Identity Theft Risk: High (exposure of PII)
Payment Information Risk: Potential (unspecified financial details)
DATA BREACH
Customer names; Home addresses; Dates of birth; Phone numbers; Potentially Social Security numbers; Potentially financial details
Sensitivity Of Data: High (Personally Identifiable Information - PII)
Data Exfiltration: Yes (2.5GB of data released on the dark web)
Personally Identifiable Information: Yes
MARCH 2024
708 Before Incident
Breach
30 Mar 2024 okta
Panera Bread

Panera Bread Data Breach (2024)

563 After Incident
CRITICAL -145
PAN3962339111225
Panera Bread suffered a major data breach exposing sensitive customer information, including Social Security numbers, addresses, birth dates, and passcodes, from 73 million accounts (current and former customers). The breach occurred in two phases: March 30, 2024, and July 12, 2024, with hackers downloading data from a third-party cloud platform and leaking it on the dark web. The incident led to consolidated state and federal lawsuits, alleging negligence in cybersecurity measures. Customers faced risks of identity theft, fraud, and financial losses, with compensation claims categorized into tiers: up to $500 for ordinary losses (e.g., credit monitoring), $2,500 for time spent resolving issues, and $6,500 for documented extraordinary losses. The breach severely damaged customer trust and exposed the company to legal and reputational consequences.
INCIDENT DETAILS -
TYPE
Data Breach
MOTIVATION
Likely financial (data sold on dark web)
IMPACT
Addresses; Social Security numbers; Birth dates; Passcodes; Customer account details; Customer database; Third-party cloud platform
Customer Complaints: Multiple (led to class action lawsuit)
Brand Reputation Impact: Significant (lawsuits, settlement, public disclosure)
Class action lawsuit; Consolidated state and federal lawsuits; Settlement payments (up to $6,500 per claimant)
Identity Theft Risk: High (SSNs, birth dates, and passcodes exposed)
DATA BREACH
Personally Identifiable Information (PII); Sensitive authentication data
Number Of Records Exposed: 73,000,000
Sensitivity Of Data: High (SSNs, birth dates, passcodes)
Data Exfiltration: Confirmed (data found on dark web)
Names; Addresses; Social Security numbers; Birth dates; Passcodes
DECEMBER 2022
752 Before Incident
Data Leak
01 Dec 2022 okta
okta

Okta GitHub Repositories Hack

693 After Incident
CRITICAL -59
OKT1916151023
American identity and access management behemoth Okta disclosed that a hacking attack targeted its private GitHub repositories. As soon as Okta became aware of the potentially suspicious access, the company suspended all GitHub integrations with third-party applications and immediately imposed temporary access limits on its GitHub repositories. When GitHub spotted unusual access to Okta's code repositories earlier this month, the firm became aware of a security vulnerability. The business declared that it had taken action to stop threat actors from accessing corporate or client environments using the stolen code.
INCIDENT DETAILS -
TYPE
Hacking/Unauthorized Access
IMPACT
Systems Affected: GitHub repositories
