Substack breach exposure, Clop ransomware expansion, Apple Pay 2FA bypass, Hong Kong privacy law
Daily Threat Intel Digest - 2026-02-08
🔴 Critical Threats & Active Exploitation
[NEW] Substack breach reveals 4-month dwell time, exposing millions to targeted attacks

A major breach of the Substack platform allowed unauthorized access to user systems for four months, from October 2025 to February 2026, putting the data of its 50 million subscribers at risk. While the platform states that only “limited user data” such as email addresses and phone numbers was taken, a cybercrime forum post alleges that a threat actor is selling 700,000 detailed records including names and profile images. The prolonged dwell time points to a significant failure of detection controls, and the stolen data gives attackers the material for highly personalized social engineering attacks that exploit the trust users place in the writers they follow on the platform [SOCFortress analysis via Medium].
[UPDATE] Ivanti Endpoint Manager bug confirmed as cause of data breach at Dutch government agencies

Personal data of employees of the Dutch Data Protection Authority (AP) and the Council for Justice was accessed following exploitation of a vulnerability in Ivanti Endpoint Manager. The incident confirms real-world impact from the ongoing Ivanti vulnerability theme reported previously and shows how a flaw in enterprise software can lead to the compromise of the very bodies tasked with overseeing data privacy [Malware.News].
🎯 Threat Actor Activity & Campaigns
[NEW] Clop ransomware adds US law firm and Canadian industrial firm to victim list

The Clop ransomware group has publicly claimed two new victims, continuing its cross-sector campaign. On February 7, the group announced attacks on NG Attorneys, a US-based law firm, and IDEALWELDERS.COM, a Canadian industrial company. In both cases, Clop has threatened to leak sensitive stolen data unless the organizations negotiate, showing the group’s relentless pressure tactics across the legal and manufacturing sectors [DeXpose on NG Attorneys; DeXpose on IDEALWELDERS.COM].
[NEW] Sophisticated hybrid phishing attack bypasses Apple Pay 2FA

A new, highly convincing phishing campaign targets Apple users to steal Apple ID credentials and payment information by combining realistic emails with a live “vishing” (voice phishing) call center. The lure is a fake receipt for a high-value Apple Pay transaction that urges the victim to call a fraudulent support number. During the call, the scammer triggers a real login attempt on the victim’s account and socially engineers them into reading out the two-factor authentication code, which grants the attacker full account access [Cyberpress; GBHackers].
[NEW] Hong Kong to revive mandatory data breach reporting law

Hong Kong’s Privacy Commissioner for Personal Data plans to consult lawmakers this year on introducing mandatory data breach notification requirements and associated penalties. Reviving this stalled legislative proposal would significantly change the landscape for businesses operating in the region, increasing compliance pressure and potentially forcing attackers to alter their tactics to avoid earlier detection [Malware.News].