Insta, CrunchBase, ICE and others leak tens of millions of records, browser plugins caught spying

January 2026 saw massive data breaches across technology, retail, and government sectors. Over 45 million users had personal data exposed by apps like Chat & Ask AI, Instagram, and Match Group.

Hackers stole gigabytes of corporate secrets from Nike and Target. Malicious browser extensions secretly recorded AI chats, and new government advisories legitimized the scraping of public personal data.

The biggest data leaks and hacks in January 2026

Also read below how to find out if you are affected and what to do, which browser plugins with almost a million installs stole private data and conversations, and how Philippines just gave green light for mass scraping.

Chat & Ask AI app: 25,000,000 affected

The data leaked from the Chat & Ask AI app included complete chat histories between users and their chatbots. The data was not encrypted in the database. The leak exposed over 300 million private messages from 25 million users.

This leak poses a severe danger, as the messages contained highly sensitive searches.

The developer left the Firebase database completely misconfigured and open. The company fixed the issue within hours of disclosure, showing a fast response, but they failed to protect the data initially.

Bondu Web Console: 50,000 children affected

This AI toy company exposed 50,000 logs of conversations between children and their stuffed animals. The database contained children's names, birth dates, family member names, parental objectives for the child, and detailed chat transcripts. The data was completely unencrypted.

Security experts and parents consider this leak horrifying due to the young age of the victims.

A researcher discovered the company left its web console unprotected. Anyone with a standard Google account could log in and view the data. Bondu reacted quickly by taking the portal offline in minutes and relaunching it with proper authentication the next day.

Nike Internal Network: 190,000 affected

A cybercrime group stole 1.4 terabytes (that's 1,400 gigabytes) of company data from the Nike internal network. This dump includes nearly 190,000 files containing product development, manufacturing, and operational workflows. The hackers then posted the files on a leak site to extort the company.

Given the massive size, the leak impacts an estimated thousands of employees and corporate partners. Nike stated they are assessing the incident, appearing very slow to inform affected users.

In turn, customers filed a class action lawsuit against Nike. The lawsuit claims Nike failed to protect personal data during their massive data breach and waited too long to inform the public.

Instagram: 17,500,000 affected

A database leak exposed the personal information of 17.5 million Instagram users. The data included email addresses, phone numbers, usernames, real names, profile bio descriptions, and partial physical addresses. Passwords were not included in the leak.

A threat actor published the database on a dark web forum. Forensic analysis showed the actor scraped the data through software loopholes throughout 2024. Meta denied a system breach and stated the data came from publicly viewable fields, attempting to downplay the severity.

BreachForums: 324,000 affected

This incident exposed the records of over 324,000 individuals tied to a popular hacker forum. The leaked data included user details and communication logs. The information was not encrypted.

This leak comes with quite some satisfying irony, as it targets cybercriminals and hackers themselves. Rival threat actors likely breached the database and published it to discredit the forum operators.

Crunchbase: 2,000,000 affected

Hackers extracted over 2 million records containing personal and corporate data from Crunchbase. The files included full names, contact information, physical addresses, and internal business documents. The data was stored in an unencrypted format.

A cybercrime group breached the platform and demanded a ransom. When Crunchbase refused to pay, the hackers made the files available for download. The company eventually acknowledged the extraction.

U.S. Immigration and Customs Enforcement [US]: 2,150 affected

Attackers leaked online databases exposing the personal information of more than 150 supervisors and 2,000 agents. The unencrypted files contained sensitive staff details and operational identifiers.

This leak is a severe national security and personal safety threat.

Attackers accessed online databases and uploaded them to public forums. The department faced intense criticism for failing to protect its own agents.

Monroe University [US]: 320,000 affected

A massive data breach impacted over 320,000 individuals linked to the university. The exposed unencrypted records included driver licenses, passport numbers, medical and health insurance data, names, and birthdays.

This is a severe loss of highly sensitive identity documents.

The university discovered the breach internally. They sent mail notices to affected members. The administration acted transparently by notifying victims directly, though the damage was already done.

Are you affected?

Check your email addresses on the breach tracking website HaveIBeenPwned to see if your information was exposed.

You should immediately change your passwords if you find a match. Using a password manager helps you generate strong and unique passwords for every site. This prevents a breach at one company from compromising your other accounts.

A password manager that supports two-factor authentication adds a critical layer of defense. Even if hackers steal your password, they cannot log into your account without the secondary code generated by your device.

Read our immediate action guide here:

My data was leaked - what do I need to do now?

You must temporarily freeze your credit cards and wallets and migrate your compromised logins to use two-factor authentication and a secure, encrypted password manager, to stop cybercriminals from using your leaked data to drain your accounts or launch AI-powered phishing attacks. Use data removal services to regularly delete

Better Online PrivacyBOP Authors

Corporate Spying

Google Chrome extensions extracting highly personal data

Security researchers identified two specific malicious Google Chrome extensions posing as AI productivity tools. Together, they amassed over 900,000 downloads before Google removed them from the Chrome Web Store.

The two extensions were:

• Chat GPT for Chrome with GPT-5, Claude Sonnet & DeepSeek AI: This extension accounted for roughly 600,000 of the downloads. Google had previously awarded it a "Featured" badge, which falsely signaled trustworthiness to users.
• AI Sidebar with Deepseek, ChatGPT, Claude and more: This companion extension accounted for the remaining 300,000 downloads.

Both extensions impersonated a legitimate AI sidebar tool called AITOPIA. Once installed, they prompted users to grant permission for the collection of anonymous analytics data. This seemingly harmless request masked their true function.

In reality, the extensions actively monitored browser activity. When a user opened an AI platform like ChatGPT or DeepSeek, the extensions extracted the entire conversation history. This included the exact user prompts and the complete AI responses. The extensions also harvested session identifiers, URLs from open browser tabs, and internal application links.

The software then transmitted this stolen data to remote, attacker-controlled servers every thirty minutes. This exposed sensitive corporate code, business strategies, and personal information directly to cybercriminals

Read our article about this problem and how to secure your data better:

How to secure your browser from invasive extensions

Many seemingly helpful browser extensions are actually disguised data thieves that secretly record your browsing history, intercept session tokens, and even sell your internal network traffic. To lock down and secure your browser, you must manually audit your installed add-ons and permanently delete anything that you do not actively

Better Online PrivacyBOP Authors

Coinbase employee sold customer data to criminals

The police in India arrested a former Coinbase employee. The employee took large bribes from cybercriminal gangs in exchange for selling sensitive customer records, which led to targeted attacks on crypto investors.

If you have a Coinbase account be extra vigilant!

Governmental Privacy Rollbacks

The Philippine National Privacy Commission issued an advisory regarding data scraping. While the government framed it as a standard guideline, the advisory formally acknowledges and permits organizations to use data scraping technologies on publicly available personal data.

This decision weakens user privacy on a global scale. It allows private companies to harvest public social media profiles and online records in bulk without explicit individual consent.

This removes significant legal barriers for mass surveillance and data collection efforts.

Check out our guide on how to delete such data manually or automated:

The “Delete me from the Internet” guide - how to scrub your past from the internet and automate deletion of your data

To permanently purge your phone number, home address, and relative data from data brokers, you must stop manual deletion requests and towards continuous, automated data removal and data leakage suppression. Deleting your personal information from people-search sites manually is a losing battle because data brokers use automated web crawlers

Better Online PrivacyBOP Authors

That's it for January, stay protected and vigilant!

Your BetterOnlinePrivacy.com team