Is My Data Safe in February 2026? Substack, Flickr, and WhatsApp Security Updates You Missed

Why Are Encrypted Apps Like WhatsApp and Instagram Leaking Private Data in 2026?

The digital security landscape remains volatile this month. We see a clear pattern: even established platforms struggle with basic vulnerability management. Below is an advisory summary of the critical incidents reported through February 6, 2026.

Substack Confirms Data Leak of 700,000 Accounts

Substack, a major platform for newsletters and podcasts, suffered a significant security breach. The company revealed that unauthorized parties accessed user data beginning in October 2025.

Impact Analysis:

• Scope: Attackers compromised approximately 700,000 accounts.
• Data Exposed: The leak includes email addresses, phone numbers, and internal metadata.
• Resolution: Substack discovered the breach on February 3, 2026. They have patched the vulnerability and currently report no known misuse of the stolen data.

Rofu Kinderland: Insolvency Meets Cyberattack

German toy retailer Rofu is battling a dual crisis. The company filed for self-administered insolvency and simultaneously reported a cyberattack on its online shop in early February 2026.

Incident Details:

• Attack Vector: Criminals targeted the online shop infrastructure, causing temporary technical failures.
• Data Compromised: Names, addresses, email addresses, and encrypted passwords were accessed.
• Financial Data: Payment details (credit cards, bank data) remain secure.
• Response: Rofu deactivated all customer passwords and notified law enforcement. An external IT security firm is currently securing their systems.

Flickr Third-Party Breach Exposes User Details

A service provider for the image hosting platform Flickr reported a vulnerability on February 5, 2026. This flaw allowed unauthorized access to member information.

What You Should Know:

• Exposed Data: Names, email addresses, usernames, IP addresses, and account activity.
• Secure Data: Passwords and payment card numbers were not affected.
• Action Taken: Flickr disabled the compromised system and is reviewing its third-party security protocols. Users should remain vigilant against phishing emails that reference their Flickr account details.

WhatsApp and Instagram Privacy Failures

Meta’s platforms have faced serious scrutiny regarding their encryption and privacy promises in early 2026.

WhatsApp Vulnerabilities:

• Group Exploit: A flaw allowed attackers to forcibly add users to groups and send malicious media files. These files could execute actions within the device’s MediaStore database.
• Delayed Fix: Meta missed Google’s 90-day disclosure deadline, leaving users vulnerable before a patch was released.
• Legal Action: A US lawsuit currently accuses Meta of undermining its own end-to-end encryption, though the company denies these claims.

Instagram “Private” Post Leak:

• The Flaw: A server-side error allowed unauthenticated users to view private posts via specific GET requests.
• Exposure: Approximately 28% of tested accounts were vulnerable. Direct links to private media and captions were accessible.
• Status: Meta initially dismissed the report in late 2025 but has since quietly patched the issue.

Hardware and Software Vulnerabilities

Several widely used tools have disclosed critical security flaws that require immediate attention.

• Dormakaba Smart Locks: Researchers at SEC Consult found 20 vulnerabilities in Dormakaba’s electronic lock systems. Some flaws are critical and could render the locks useless.
• TeamViewer Remote Access: New vulnerabilities allow attackers to bypass access controls. This enables remote connection to target systems without owner confirmation. Users must update immediately.
• Microsoft “CrashFix” Attacks: Microsoft identified a new social engineering tactic called “CrashFix.” Similar to “ClickFix,” this method tricks users into pasting malicious code to “fix” a fake crash. Attackers use Large Language Models (LLMs) to generate prompt injections that execute these attacks.

Critical Data Loss: AOK Bayern and AI Errors

Data recovery is impossible in several recent incidents, highlighting the need for robust backups.

• AOK Bayern Deletes Patient Records: The German health insurer accidentally deleted electronic patient record (ePA) files for numerous applicants. The data is irretrievable.
• ChatGPT Deletes Professor’s Work: A professor lost two years of research after disabling the “Data Consent” option in ChatGPT. The AI system deleted his history immediately upon the setting change.
• Nitrogen Ransomware & “Vibe Coding”: A new ransomware strain, likely written with AI assistance (“Vibe coding”), contains a fatal flaw. It deletes the decryption keys during the encryption process. Victims cannot recover their data even if they pay the ransom.

Recurring Negligence: CDU Nextcloud Servers

The Christian Democratic Union (CDU) continues to operate insecure infrastructure. Security scans from February 6, 2026, show their Nextcloud instance (version 29.0.11.1) is outdated and unsupported. Despite repeated warnings and previous breaches, the party has failed to implement a consistent patching strategy.

Brief Security Updates

• Spain: The Ministry of Science shut down IT systems following a cyber incident.
• Conpet (Romania): The pipeline operator halted operations due to a suspected Qilin ransomware attack.
• Betterment/Okta: Attackers compromised 1.4 million user accounts in a breach linked to the ShinyHunters group.
• n8n Automation: The platform patched multiple critical vulnerabilities (CVE-2026-21877, etc.) in January.
• Ivanti EPMM: The Shadowserver Foundation reports active exploitation of CVE-2026-1281. Germany currently hosts the highest number of exposed instances.