New Congressional Email Breach may be Salt Typhoon; Spanish Energy Data Breach; Healthcare LLMs Raise Privacy & Accuracy Concerns

Cyber threat actors with ties to China's government have once again infiltrated email systems, compromising US congressional staff members' communications. The intrusion was detected in December 2025 and was first reported by the Financial Times, which said the perpetrators are Salt Typhoon, a threat actor group that gained notoriety for breaching telecommunications systems around the world in 2024. Officials are investigating the breach, which reportedly affects "email systems used by congressional staff working on House national security committees."

Energía XXI are notifying customers that account information was compromised in a cybersecurity incident. Endesa is one of Spain's largest energy utilities providing gas and electricity services to more than 10 million customers in Spain and Portugal. In a letter to customers, Endesa writes that it "detected a security incident that has allowed unauthorized and illegitimate access to its commercial platform. This incident has compromised the confidentiality of certain data for which Endesa Energía is responsible." The compromised information includes "basic identification data, contact information, national identity card numbers, and data related to [customer] contract[s] with Endesa Energía, and possibly ... payment details." Endesa has notified Spain's Data Protection Agency and other relevant authorities.

On January 8, 2026, OpenAI announced implementations of ChatGPT models and the OpenAI API for use in healthcare, followed three days later by Anthropic's announcement of a healthcare-focused implementation of the Claude LLM. OpenAI's stated aim is to provide specific versions of tools that are already in use in the healthcare sector, "giving organizations a secure, enterprise-grade foundation ... while supporting HIPAA compliance." Notably, sharing medical data with ChatGPT Health "remove[s] the HIPPA protection from those records," according to Sara Geoghegan, senior counsel at the Electronic Privacy Information Center. The healthcare models of ChatGPT will be trained with "healthcare workflows," and promise "transparent citations" as well as integration with institutional software policies, access controls and "user management through SAML SSO and SCIM," and support for HIPAA compliance: "Patient data and PHI remain under an organization’s control, with options for data residency, audit logs, customer-managed encryption keys, and a Business Associate Agreement (BAA) with OpenAI to support HIPAA-compliant use.” The final paragraph of ChatGPT's terms of service states, "Our Services are not intended for use in the diagnosis or treatment of any health condition." Anthropic characterizes Claude for Healthcare as "HIPAA-ready," and says it is set up to connect to the Centers for Medicare & Medicaid Services (CMS) Coverage Database, the International Classification of Diseases, 10th Revision (ICD-10), and the National Provider Identifier Registry. Certain subscription plans allow Claude "secure access to patient lab results and health records." Meanwhile, Google has removed AI Overview results from a few specific search queries after investigation by The Guardian revealed the site offering false and dangerously decontextualized medical advice. Examples include harmful diet recommendations for pancreatic cancer and misinformation about test results for liver function and cancer.

Threat research from a Greynoise honeypot shows two recent campaigns probing the security of LLM APIs by way of misconfigured proxy servers. The first campaign spanned from October 2025 to January 2026, exploiting server-side request forgery vulnerabilities to target Ollama model pull functionality and Twilio SMS webhook integrations. The attackers "used ProjectDiscovery's OAST (Out-of-band Application Security Testing) infrastructure to confirm successful SSRF exploitation," leading Greynoise to believe the attackers were likely researchers or bug bounty hunters. The second campaign, however, was most likely a "professional threat actor conducting reconnaissance" by methodically probing at least 73 LLM model endpoints over eleven days, starting December 28, 2025. The attackers generated over 80 thousand sessions in that time, "hunting for misconfigured proxy servers that might leak access to commercial APIs. [...] Every major model family appeared in the probe list." Data associates the attacker's IPs with extensive previous CVE exploitation, and the researchers posit that the threat actor is building target lists as part of a larger pipeline. Greynoise recommends users configure Ollama to only accept models from trusted registries, set up alerts for rapid-fire requests and fingerprinting queries, block OAST at DNS, rate-limit suspicious ASNs, and monitor JA4 fingerprints. The blog post contains network fingerprints, OAST callback domains, and IP addresses to block as part of defending LLM infrastructure.

On January 9, 2026, Malwarebytes warned that "cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more," and posted a screenshot showing an Instagram password reset email. However, the data in question and recent reports of unsolicited Instagram password reset requests are not related, despite surfacing online simultaneously. Instagram announced via social media on January 10 that while "there was no breach of [their] systems," the company has now fixed a vulnerability that had allowed a third party to trigger password reset emails, and directs users to disregard the emails. No recent data breach has been confirmed by Meta, but Malwarebytes was likely referring to a dataset recently published in a hacking forum and listed on Troy Hunt's site, “Have I Been Pwned?” (HIBP). The data allegedly contain user information obtained via API scraping; some cybersecurity researchers speculate that the breach happened in 2022, but the data's provenance, authenticity, and age have not yet been publicly corroborated. BleepingComputer posits that "the data may be a compilation of previously scraped information from multiple sources over several years."

Resecurity has analyzed a database of 323,986 forum member records alleged to identify administrators, moderators, and users of the latest incarnation of a cybercrime forum called BreachForums. The company's threat intelligence team believes the database and associated leaked data contain information that may be useful to law enforcement pursuing cybercriminals. "Some of the records identified in the database are definitely authentic and can be cross-checked with other sources regarding specific actors. However, some records have been edited, removed, or contain non-existent information (for example, replaced on IP 127.0.0.9), which is likely an OPSEC measure taken by the actors administering it. The last registration date in the newly leaked user database is from August 11, 2025, which is the same day that the previous BreachForums at breachforums[.]hn was closed." Resecurity contrasts this breach with previous examples of disinformation released by threat actors, asserting that "the events involving the compromised BreachForums database are different from this activity and contain the meta-data of many notable bad actors."

California's Privacy Protection Agency is fining Rickenbacher Data, d/b/a Datamasters, for failing to register as a data broker in the state of California. The decision asserts that Datamasters bought, repackaged, and resold contact data of people with a variety of medical conditions so the information could be used for targeted advertising. The action from CPPA fines Datamasters $45,000 and orders the company to stop selling data belonging to California residents. Datamasters was also ordered to delete all Californians' personal information it holds by the end of December 2025. In a separate action, CPPA fined S&P Global $62,000 for failing to register with the state as a data broker; the issue was due to an administrative error.

Authorities in Spain have arrested 34 individuals in connection with cyber fraud conducted by an international criminal group. According to investigators, the group is responsible for fraud losses of more than €5,93 million. Law enforcement recovered a small portion of that amount by freezing bank accounts and seizing cash. The group engaged in business email compromise attacks, illegal vehicle trafficking through shell companies, and other fraudulent activities. The law enforcement action was conducted by the Spanish National Police (Policía Nacional) in cooperation with the Bavarian State Criminal Police Office (Bayerisches Landeskriminalamt) and support from Europol. Europol writes that "The cross-border collaboration between Germany and Spain included Spanish investigators receiving analytical support, the exchange of intelligence, and the deployment of two German officers on-site during the action day." Europol supported the action "through a range of services, including information analysis, a data sprint held in Madrid, and on-the-spot support."

A software update appears to have caused Irish passports issued between December 23rd, 2025, and January 6th, 2026 to be printed incorrectly, rendering them invalid. Ireland's Passport Service says that "In order to mitigate against any possible travel issues, [they have] notified border authorities worldwide through the International Civil Aviation Organisation (ICAO), as well as Irish Border Management." The documents in question are missing the letters "IRL," which means they are not compliant with Border Control and eGates requirements. The Passport Service has contacted all 12,904 affected customers asking them to return their incorrectly printed passport books and cards, informing them that they will be issued new documents with new numbers.

On Thursday, January 8, 2026, the US Cybersecurity and Infrastructure Security Agency (CISA) retired 10 Emergency Directives issued between 2019 and 2024. In a press release, CISA writes that "a comprehensive review of all active directives ... determined that required actions have been successfully implemented or are now encompassed through Binding Operational Directive (BOD) 22-01, Reducing the Significant Risk of Known Exploited Vulnerabilities." The retired Emergency Directives include one directive from 2019 instructing FCEBs to mitigate DNS infrastructure tampering; three directives from 2020 regarding a variety of Windows vulnerabilities; four directives from 2021, including the SolarWinds Orion Code compromise, Pulse Connect, Microsoft Exchange On-Premises, and Windows Print Spooler; one from 2022 regarding VMware vulnerabilities; and one from 2024 regarding the nation-state compromise of Microsoft corporate email systems.