Welcome to my weekly cybersecurity roundup! Here, I share updates on the projects I’m currently working on, along with the most insightful cybersecurity videos I watched, articles I found valuable, and podcasts I tuned into this week.
Featured Analysis
Featured article analysis: Researcher reveals evidence of private Instagram profiles leaking photos
Security researcher Jatin Banga reported a privacy flaw that, by his account, allowed unauthenticated visitors to retrieve content from private Instagram accounts. The problem sat in Instagram’s server-side authorization: when certain private profiles were requested with specific mobile user-agents, the returned HTML embedded JSON objects containing direct CDN links to private photos together with their captions. The User-Agent header is entirely under the requester’s control, so a response whose authorization outcome varies with it is not enforcing the account’s visibility at all; the “private account” setting has to be checked where the media list is assembled, independent of which client asked. Banga’s testing suggested that roughly 28% of the accounts he analysed were susceptible, which effectively bypassed the platform’s primary “private account” protection.
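The practical way to separate an authorization failure from a cache artefact is to request the same private profile, unauthenticated, under several user-agents and compare what the origin embeds in each page. The script below is an added example written for this roundup, not the researcher’s tooling or anything from Instagram: it pulls every inline `application/json` block out of an HTML body, walks the parsed JSON for media URLs, and flags a response that both declares the account private and still carries CDN links. The two HTML bodies are constructed stand-ins, and the key names (`is_private`, `edge_owner_to_timeline_media`, `display_url`) and the CDN host are assumptions, so the only thing it demonstrates is the check itself.

```python
import json
import re
from typing import Dict, Iterator, List, Tuple

# Inline JSON carried in <script type="application/json"> blocks. A page could
# embed data through other carriers (a JS variable assignment, for instance);
# those are not covered here.
SCRIPT_JSON_RE = re.compile(
    r'<script[^>]*type="application/json"[^>]*>(.*?)</script>', re.S
)

# What counts as a media URL for this check: an https URL ending in an image or
# video extension, optionally followed by a query string (assumed pattern).
MEDIA_URL_RE = re.compile(
    r"https://[^\s\"']+\.(?:jpg|jpeg|png|webp|mp4)(?:\?[^\s\"']*)?"
)


def extract_json_blobs(html: str) -> List[object]:
    """Parse every application/json script block; skip blocks that are not valid JSON."""
    blobs = []
    for match in SCRIPT_JSON_RE.finditer(html):
        try:
            blobs.append(json.loads(match.group(1)))
        except json.JSONDecodeError:
            continue
    return blobs


def walk(obj: object, path: str = "") -> Iterator[Tuple[str, object]]:
    """Yield (dotted key path, leaf value) for every leaf of a nested JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from walk(value, f"{path}[{index}]")
    else:
        yield path, obj


def leaked_media(html: str) -> List[Dict[str, str]]:
    """Every media URL found in the embedded JSON, with the key path it sits under."""
    hits = []
    for blob in extract_json_blobs(html):
        for path, value in walk(blob):
            if isinstance(value, str) and MEDIA_URL_RE.fullmatch(value):
                hits.append({"path": path, "url": value})
    return hits


def claims_private(html: str) -> bool:
    """True if any embedded JSON carries an is_private: true flag (key name assumed)."""
    return any(
        path.endswith("is_private") and value is True
        for blob in extract_json_blobs(html)
        for path, value in walk(blob)
    )


def assess(responses: Dict[str, str]) -> Dict[str, object]:
    """responses maps a User-Agent string to the HTML body the origin returned for
    an UNAUTHENTICATED request of the same private profile.

    A body that declares the account private and still embeds media URLs is a leak.
    If only some user-agents leak, the server is varying an authorization outcome
    on a requester-controlled header, which points at the origin rather than a cache."""
    leaking = sorted(
        ua for ua, body in responses.items()
        if claims_private(body) and leaked_media(body)
    )
    urls = sorted({h["url"] for body in responses.values() for h in leaked_media(body)})
    return {
        "leaking_user_agents": leaking,
        "inconsistent_across_clients": 0 < len(leaking) < len(responses),
        "urls": urls,
    }


# ---- Constructed sample responses (stand-ins, not real Instagram output) ----
def _page(payload: dict) -> str:
    return ('<html><body><script type="application/json">'
            + json.dumps(payload) + "</script></body></html>")

DESKTOP_UA = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
MOBILE_UA = "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Mobile/15E148"

# Expected behaviour: private flag set, media edges empty.
DESKTOP_RESPONSE = _page({"user": {
    "username": "example", "is_private": True,
    "edge_owner_to_timeline_media": {"count": 12, "edges": []},
}})

# Leaking behaviour: same flag, but the media edges carry a CDN link and a caption.
MOBILE_RESPONSE = _page({"user": {
    "username": "example", "is_private": True,
    "edge_owner_to_timeline_media": {"count": 12, "edges": [{"node": {
        "display_url": "https://cdn.example.net/v/t51/photo_1.jpg?_nc_ht=x",
        "edge_media_to_caption": {"edges": [{"node": {"text": "not for the public"}}]},
    }}]},
}})


def assess_constructed_samples() -> Dict[str, object]:
    """Run the comparison over the two constructed bodies above."""
    return assess({DESKTOP_UA: DESKTOP_RESPONSE, MOBILE_UA: MOBILE_RESPONSE})


if __name__ == "__main__":
    print(json.dumps(assess_constructed_samples(), indent=2))
```

Against a live target you would feed `assess` the bodies of real unauthenticated requests, one per user-agent, and keep the `inconsistent_across_clients` flag as the evidence that matters: a cache serving stale content would not change its answer based on which client asked.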
The story also highlights a dispute between the researcher and Meta over the disclosure and remediation process. Banga reported the issue in October 2025, but Meta initially characterised the findings as a CDN caching issue rather than a server-side authorization failure. The distinction matters for scope: a caching problem would only re-serve content that had at some point been served legitimately, whereas an authorization failure at the origin hands out whatever the origin is asked for. Meta eventually closed the report as “not applicable” and “not reproducible,” yet Banga observed that the exploit stopped working shortly after he submitted it. This led to accusations of a “silent fix”: that the company patched the vulnerability while publicly maintaining that no actionable bug existed, thereby avoiding both a bounty payout and an admission of a serious security lapse.
Ultimately, the analysis serves as a cautionary tale about the complexities of coordinated disclosure and the transparency of large platforms. By going public after the standard 90-day disclosure window, Banga gave up any potential bounty in favour of public awareness, arguing that Meta’s refusal to acknowledge the root cause leaves users with no way of knowing how long their data was exposed. The situation underscores a persistent tension in the industry: a company’s desire to protect its reputation set against a researcher’s aim of ensuring that systemic vulnerabilities are fully understood and verified.
Projects
Articles
- Nike Probing Potential Security Incident as Hackers Threaten to Leak Data – The WorldLeaks cybercrime group claims to have stolen information from the footwear and apparel giant’s systems.
- Sandworm hackers linked to failed wiper attack on Poland’s energy systems – A cyberattack targeting Poland’s power grid in late December 2025 has been linked to the Russian state-sponsored hacking group Sandworm, which attempted to deploy a new destructive data-wiping malware dubbed DynoWiper during the attack.
- Crunchbase Confirms Data Breach After Hacking Claims – Crunchbase was targeted alongside SoundCloud and Betterment in a ShinyHunters campaign.
- Microsoft gave FBI a set of BitLocker encryption keys to unlock suspects’ laptops: Reports – Microsoft provided the FBI with the recovery keys to unlock encrypted data on the hard drives of three laptops as part of a federal investigation, Forbes reported on Friday.
- Have I Been Pwned: SoundCloud data breach impacts 29.8 million accounts – Hackers have stolen the personal and contact information belonging to over 29.8 million SoundCloud user accounts after breaching the audio streaming platform’s systems.
- 149M Logins from Roblox, TikTok, Netflix, Crypto Wallets Found Online – Another day, another trove of login credentials in plain text found online.
- US Charges 31 More Defendants in Massive ATM Hacking Probe – A total of 87 individuals, mostly Venezuelan nationals, have been charged for their role in the ATM jackpotting scheme.
- Slovakian man pleads guilty to operating darknet marketplace – A Slovakian national admitted on Tuesday to helping operate a darknet marketplace that sold narcotics, cybercrime tools and services, fake government IDs, and stolen personal information for more than two years.
- Trump’s acting cybersecurity chief uploaded sensitive government docs to ChatGPT – The acting head of U.S. cybersecurity agency CISA uploaded sensitive contracting documents marked “for official use only” to ChatGPT, according to Politico.
- Operation Switch Off dismantles major pirate TV streaming services – The latest phase of the global law enforcement action resulted in seizing three industrial-scale illegal IPTV services.
- U.S. convicts ex-Google engineer for sending AI tech data to China – A U.S. federal jury has convicted Linwei Ding, a former software engineer at Google, for stealing AI supercomputer data from his employer and secretly sharing it with Chinese tech firms.
- Researcher reveals evidence of private Instagram profiles leaking photos – A security researcher has published detailed evidence showing that some Instagram private profiles returned links to user photos to unauthenticated visitors.

