Microsoft reveals actively exploited Office zero-day, provides emergency fix (CVE-2026-21509)
Microsoft released emergency Office security updates to fix a security feature bypass vulnerability (CVE-2026-21509) that its threat intelligence and security teams spotted being exploited in the wild in zero-day attacks. The flaw stems from reliance on untrusted inputs in a security decision in Microsoft Office, allowing unauthorized attackers to bypass OLE mitigations locally. Successful exploitation requires user interaction – an attacker must send a user a malicious Office file and convince them to open it. The vulnerability affects Microsoft Office 2016, 2019, Office LTSC 2021, LTSC 2024, and Microsoft 365 Apps for Enterprise. CISA added CVE-2026-21509 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to address the flaw by February 16, 2026.
Nike investigating potential data breach after WorldLeaks claims 1.4TB stolen
Nike is investigating a possible data breach after extortion crew WorldLeaks claimed to have stolen 1.4TB of internal data from the sportswear giant. In a listing on its leak site, WorldLeaks alleges it has stolen 188,347 files from Nike’s systems, with filenames pointing toward design and manufacturing workflows rather than customer databases. Examples include directories labeled “Women’s Sportswear,” “Men’s Sportswear,” “Training Resource – Factory,” and “Garment Making Process.” WorldLeaks, believed to be a rebrand of Hunters International, no longer encrypts data but focuses on stealing files and extorting victims with leak threats. The Nike claim comes weeks after Under Armour was forced into cleanup mode following its own breach.
Under Armour investigating data breach after 72M customer records posted online
Clothing retailer Under Armour is investigating a data breach that exposed customers’ email addresses and other personal information. According to Have I Been Pwned, the breach affected 72 million email addresses, with some records also including names, genders, birthdates, and ZIP codes. The breach is believed to have occurred in November 2025, with the Everest ransomware gang claiming responsibility. Under Armour stated it has no evidence the issue affected UA.com or systems used to process payments, and called implications about sensitive personal information being compromised “unfounded.” Have I Been Pwned CEO Troy Hunt noted he was surprised by the lack of an official disclosure statement from the company given the scale of the breach.
Windows 11 January update causing boot failures with UNMOUNTABLE_BOOT_VOLUME errors
Microsoft is investigating reports that the January 2026 Patch Tuesday security updates are leaving some Windows 11 machines unable to boot. The issue affects Windows 11 versions 24H2 and 25H2 after installing the KB5074109 cumulative update. Affected systems crash during startup with an “UNMOUNTABLE_BOOT_VOLUME” stop error, displaying a Black Screen of Death message. Microsoft says the issue affects a “limited number” of physical devices, with no server editions or virtual machines affected. This adds to a rough month for the update, which has also caused issues with Nvidia GPUs displaying black screens, broken Microsoft Outlook functionality, and unresponsive File Explorer components.
National Cybersecurity Alliance launches Data Privacy Week 2026
The National Cybersecurity Alliance (NCA) announced the launch of Data Privacy Week 2026, taking place January 26-30, 2026. Centered on the theme “Take Control of Your Data,” the initiative underscores the growing need for individuals and organizations to better understand how their personal information is collected, shared, and used. The week-long initiative will feature live and pre-recorded webinars, interactive panels, and educational sessions covering artificial intelligence, children’s online privacy, age verification, privacy law, dynamic pricing, data deletion rights, and biometric data. Today’s session focuses on “Children’s Privacy in a Digital World,” exploring evolving privacy challenges facing children, teens, parents, and educators, including topics like age verification, educational technology, and the Children’s Online Safety Act (COSA).