infosec in short Meta has fixed a flaw in its Instagram service that allowed third parties to generate password reset emails, but denied that the issue led to the theft of users’ personal data.
Last Friday, security software provider Malwarebytes claimed that “cybercriminals have stolen the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses and more.” The vendor included a screenshot of a password reset email sent to Instagram users.
On Saturday, Instagram posted: “We fixed an issue where a third party could request password reset emails for some people. There was no breach of our systems and your Instagram accounts are safe. You can ignore these emails – sorry for any confusion.”
The registry understands that Malwarebytes was likely referring to a dataset posted on the infamous data breach site BreachForums, where a user posted a dump of the personal data of more than 17 million Instagram users and claimed it was the result of an API leak discovered in 2024.
Veeam vexes vulnerabilities
Data management and backup vendor Veeam patched four vulnerabilities last week, allowing privileged accounts to perform RCE attacks or write files as the root user. The worst of the four, CVE-2025-59470, scored a 9.0 on the CVSS scale.
Veeam did not reveal many details, only indicating that CVE-2025-59470 would allow a Backup or Tape Operator account to perform RCE by sending a malicious interval or order parameter to the system.
According to Sagy Kratu, senior product manager at automated recovery company Vicarius, the CVSS 9.0 vulnerability would allow ransomware attackers or other threat actors to cause maximum chaos.
“The critical Veeam flaw matters less because it is ‘critical’ on paper and more because of where it sits in the attack chain,” Kratu says. “The role of a backup or tape operator… is exactly the level of access that ransomware actors typically gain after an initial attack. At that point, an internal RCE is not a constraint, but an accelerator.”
Veeam has been a popular target in recent years, with old vulnerabilities emerging and new bugs being discovered regularly.
“Veeam continues to appear in attacks for a simple reason: backup servers check to see if clean data is still present and recoverable,” says Kratu. “Once attackers gain control of Veeam, they can delete backups, block recovery and turn a breach into a crisis, making the backup infrastructure a primary target and not a secondary target.”
Gas station chain Handi reveals leak of customer data
Gulshan Management Services, which operates about 150 gas stations in the U.S. under the Handi Plus and Handi Stop brands, suffered what sounds very much like a ransomware attack last September, but customers are only now being told.
Gulshan reported that 377,082 sets of customer data were exposed, including names, social security numbers, contact details and driver’s license numbers, after a successful phishing attack managed to breach borders, gain access to IT systems and deploy software that encrypted parts of the company’s IT assets.
The company offers the standard year of identity monitoring services to those affected, but according to law firm Schubert Jonckheer and Kolbe, the company likely violated state and federal law by waiting so long to notify affected customers. The law firm is preparing a class action lawsuit against Gulshan and encourages anyone who has received an infringement notice to sign up.
Why hack when you can bribe?
Threat exposure management platform Nord Stellar reports that it has found dozens of dark web posts from cybercriminals looking to gain easy access to the companies they want to penetrate by paying insiders.
This is evident from a press release shared with The registryOver the past 12 months, Nord Stellar researchers found 25 unique dark web posts seeking to recruit employees at companies like LinkedIn, Meta, Google, Coinbase, and other leading companies, hoping insiders would reveal secrets.
Nord Stellar security expert Vakaris Noreika said the messages reflect the fact that organizations’ cyber defenses often focus on external threats.
“Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers,” Noreika said.
ownCloud tells users to enable MFA and FFS
Last week The registry reported on a series of breaches at 50 different global companies, all of which were hit by a single thief who gained access because customers had not enabled multi-factor authentication on their corporate file syncing and sharing platforms.
One of the platforms targeted by the attacker, ownCloud, is now urging its customers to enable MFA.
“The ownCloud platform has not been hacked or breached,” the company explained in a security advisory. “Threat actors obtained user credentials via infostealer malware (which) was then used to log into ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled.”
In short, this is a rare example of justified ‘victim blaming’.
“If you have not enabled Multi-Factor Authentication on your ownCloud instance, please do so immediately,” ownCloud urged.
That, and resetting all user passwords, checking logs for suspicious activity, and invalidating all active sessions to force users to log back in with MFA to their accounts.
Students get a week off after cyber attack
The British Higham Lane School closed its doors last week after a cyber attack that disabled almost everything.
It is understood that pupils at Higham Lane School were delighted to learn last Thursday that their school would remain closed for a week after closing on Monday following the incident, which the school initially reported on January 3.
It appears the attack destroyed the school’s electronic gates, took the fire alarm offline and made the student registration systems inaccessible. The school therefore decided that it could not guarantee the safety of students and staff and closed its doors.
“The advice from the police cyber specialists and the Department of Education cyber security experts was very clear: it was not safe to open the school,” headteacher Michael Gannon said last Thursday. ®
