Meta admits to Instagram password reset mess, denies data leak

January 11, 2026

Infosec in brief: Meta has fixed a flaw in its Instagram service that allowed third parties to generate password reset emails, but denied the problem led to theft of users’ personal information.

Last Friday, security software vendor Malwarebytes claimed “Cybercriminals stole the sensitive information of 17.5 million Instagram accounts, including usernames, physical addresses, phone numbers, email addresses, and more.” The vendor included a screenshot of a password reset email sent to Instagram users.

On Saturday, Instagram posted the following: “We fixed an issue that let an external party request password reset emails for some people. There was no breach of our systems and your Instagram accounts are secure. You can ignore those emails — sorry for any confusion.”

The Register understands that Malwarebytes was probably referring to a dataset on notorious data leak site BreachForums, where a user posted a dump of 17-million-plus Instagram users’ personal information and claimed it was the result of an API leak detected in 2024.

Veeam vexes vulns

Data management and backup vendor Veeam patched four vulnerabilities last week, all of which allowed privileged accounts to either perform RCE attacks or write files as a root user. The worst of the four, CVE-2025-59470, scored a 9.0 on the CVSS scale.

Veeam didn’t disclose many details, only indicating that CVE-2025-59470 would allow a Backup or Tape Operator account to perform RCE by sending a malicious interval or order parameter to the system.

According to Sagy Kratu, senior product manager at automated vulnerability remediation firm Vicarius, the CVSS 9.0 vulnerability would allow ransomware-slingers or other threat actors to cause maximum chaos.

“The critical Veeam flaw matters less because it’s ‘critical’ on paper and more because of where it sits in an attack chain,” Kratu told us. “A Backup or Tape Operator role … is exactly the level of access ransomware actors typically gain after initial compromise. At that point, an internal RCE is not a limitation, it’s an accelerant.”

Veeam has been a popular target in recent years, with old vulnerabilities rearing their heads and regular discovery of new bugs.

“Veeam keeps appearing in attacks for a simple reason, backup servers control whether clean data still exists and can be restored,” Kratu told us. “Once attackers control Veeam, they can delete backups, block restoration, and turn an intrusion into a crisis, making backup infrastructure a primary target, not a secondary one.”

Gas station chain Handi reveals leak – of customer data

Gulshan Management Services, which operates some 150 gas stations around the US under the Handi Plus and Handi Stop brands, experienced what looks an awful lot like a ransomware attack last September, but it’s just now telling customers.

Gulshan reported that 377,082 sets of customer data were exposed, including names, social security numbers, contact information, and driver’s license numbers, after a successful phishing attack managed to breach its perimeter, gain access to IT systems, and deploy software that encrypted portions of the company’s IT estate.

The company is providing the standard year of identity monitoring services for those affected, but according to law firm Schubert Jonckheer and Kolbe, the company likely violated state and federal law by waiting so long to notify impacted customers. The law firm is putting together a class action case against Gulshan and is encouraging anyone who received a breach notice to sign on.

Why hack when you can bribe?

Threat exposure management platform Nord Stellar is reporting that it has found dozens of dark web posts from cyber criminals looking for an easy way into the companies they want to breach by offering to pay insiders.

According to a press release shared with The Register, in the last 12 months Nord Stellar researchers found 25 unique dark web posts looking to recruit employees at companies like LinkedIn, Meta, Google, Coinbase, and other prominent firms, in the hope that insiders would deliver secrets.

Nord Stellar security expert Vakaris Noreika said the posts reflect the fact that organizations’ cyber-defenses often focus on external threats.

“Unlike external threats, insiders may not trigger typical security alerts, such as unusual login attempts or data transfers,” Noreika said.

ownCloud tells users to turn on MFA, FFS

Last week The Register reported on a series of breaches at 50 different global companies, all of which were hit by a single thief who gained access because customers didn’t have multifactor authentication enabled on their enterprise file sync and sharing platforms.

One of the platforms targeted by the attacker, ownCloud, is now urging its customers to enable MFA.

“The ownCloud platform was not hacked or breached,” the company explained in a security advisory. “Threat actors obtained user credentials via infostealer malware [that] were then used to log in to ownCloud accounts that did not have Multi-Factor Authentication (MFA) enabled.”

In short, this is a rare example of justifiable victim blaming.

“If you have not enabled Multi-Factor Authentication on your ownCloud instance, do so immediately,” ownCloud urged.

That, and reset all user passwords, review logs for any suspicious activity, and invalidate all active sessions to force users to log back in with MFA on their accounts.

Students given week off after cyberattack

The UK’s Higham Lane School closed its doors last week following a cyber attack that took out, well, pretty much everything.

Students at Higham Lane School, we presume, were thrilled to hear last Thursday that their school was staying closed for the week after closing on Monday following the incident, which the school initially reported on January 3.

The attack appears to have broken the school’s electronic gates, taken its fire alarms offline, and left its student record systems inaccessible. The school therefore decided it couldn’t guarantee student and staff safety, and closed its doors.

“The advice from the police cyber specialists and the Department for Education cyber security experts was very clear: it was not safe to open the school,” headteacher Michael Gannon said last Thursday. ®

 
