
🔐 This Week’s Securityish Brief
Instagram private profiles exposed photo links to visitors who were not logged in.
Extortion group WorldLeaks claims 1.4TB of internal Nike files in data theft.
Former Google engineer convicted for stealing AI trade secrets for companies in China.
Instagram private profiles leaked photo links to people not logged in
Privacy Vulnerability

🔐 The Securityish Brief: A security researcher found that some private Instagram profiles were returning direct links to user photos in the page code, even when viewed by visitors who were not logged in.
🔍 The Breakdown:
Researcher Jatin Banga noticed that private profiles still exposed image URLs in the HTML response sent to people who were not authenticated.
In his testing, about 28 percent of private accounts he checked leaked at least some image links that should have been restricted to approved followers.
Meta was notified in October 2025, the behavior stopped a few days later, and the case was eventually marked as “not applicable” in its bug program.
Banga said this was a server-side authorization issue, not just a caching quirk, which means the access control logic itself was failing.
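To make the distinction concrete, here is an added illustration (not Instagram's code) of the bug class described above: a profile-media endpoint that treats "private" as a UI flag while still embedding media URLs in the response, beside a version where the same server-side authorization decision gates both the lock state and the URLs. Handles, follower lists and URLs are constructed sample data.

```python
# Added illustration, not Instagram's code: a simplified profile-media
# endpoint with the class of bug described above beside a hardened form.
# Handles, follower lists and media URLs are constructed sample data.
from dataclasses import dataclass, field

@dataclass
class Profile:
    handle: str
    is_private: bool
    media_urls: list
    approved_followers: set = field(default_factory=set)

# Constructed data; the URLs are placeholders, not real CDN paths.
PROFILES = {
    "alice": Profile("alice", True, ["https://cdn.example/alice/1.jpg"], {"bob"}),
    "carol": Profile("carol", False, ["https://cdn.example/carol/1.jpg"]),
}

def can_view_media(profile, viewer):
    """Server-side authorization decision; viewer is None when not logged in."""
    if not profile.is_private:
        return True
    if viewer is None:
        return False
    return viewer == profile.handle or viewer in profile.approved_followers

def render_profile_vulnerable(handle, viewer):
    """Buggy shape: the private flag only drives the lock shown in the UI,
    while media URLs are embedded in the response for every viewer."""
    p = PROFILES[handle]
    return {"handle": p.handle, "locked": p.is_private and viewer != p.handle,
            "media": p.media_urls}  # leaked regardless of authorization

def render_profile_fixed(handle, viewer):
    """Hardened shape: media URLs reach the response only when the
    authorization check passes, and the lock state comes from that same check."""
    p = PROFILES[handle]
    allowed = can_view_media(p, viewer)
    return {"handle": p.handle, "locked": not allowed,
            "media": p.media_urls if allowed else []}
```

The useful regression test for this class of bug is the one the researcher effectively ran: fetch a private profile with no session and assert the raw response contains no media URLs.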
📢 Why it matters: Private accounts are supposed to give people confidence that only approved followers can see their photos. If the underlying systems are sloppy about access checks, sensitive content like family images, travel photos, or workplace shots can quietly leak in ways that users never see in the app.
🛡️ What You Should Do: Treat “private” as a helpful layer, not a guarantee, and avoid posting anything truly sensitive to social platforms at all. Review your Instagram privacy settings, prune older posts you no longer want online, and make separate, more locked-down spaces for the most personal content you share.
WorldLeaks claims 1.4TB data theft from Nike’s internal systems
Data Extortion Breach

🔐 The Securityish Brief: Nike is investigating after the extortion group WorldLeaks said it stole 1.4TB of internal data, including nearly 190,000 files tied to sportswear design and manufacturing workflows. The group is believed to be a rebrand of the Hunters International ransomware gang and is focusing on stealing and leaking internal documents rather than encrypting systems.
🔍 The Breakdown:
WorldLeaks says it accessed Nike’s internal systems and copied 1.4TB of data, including folders named for women’s and men’s sportswear and garment making processes.
Nike has confirmed it is looking into the incident and says it takes consumer privacy and data security seriously but has not validated the attackers’ claims.
Early signs suggest the focus is on intellectual property and internal process documents, not customer databases or payment card data.
WorldLeaks is thought to be a successor to Hunters International, part of a trend toward simple data theft and extortion rather than full ransomware.
📢 Why it matters: Even when customer data is untouched, large thefts of internal documents can hurt a company’s ability to compete and can expose supplier details and design roadmaps. For employees and partners, that information can also be used in targeted phishing and fraud that looks more convincing because it references real projects and internal language.
🛡️ What You Should Do: If you work with sensitive internal documents, assume that anything stored in shared drives or cloud folders could someday leak, and label, encrypt, and restrict access accordingly. Security teams should treat design and operations data as high value, apply least privilege, and run regular tabletop exercises that assume attackers steal data without ever running ransomware.
Former Google engineer convicted of economic espionage and AI trade secret theft
Insider Threat

🔐 The Securityish Brief: A former Google software engineer, Linwei “Leon” Ding, was convicted on seven counts of economic espionage and seven counts of trade secret theft for stealing thousands of pages of confidential AI infrastructure designs. Prosecutors said he copied documents about Google’s custom AI chips and networking systems while secretly working with companies in China.
🔍 The Breakdown:
Between May 2022 and April 2023, Ding allegedly accessed and removed more than 2,000 pages of confidential technical material about Google’s AI supercomputing systems.
The stolen data included designs for Tensor Processing Unit chips and software used to manage large AI clusters and high-speed networking.
Investigators say he uploaded the files to a personal Google Cloud account, then downloaded them to a home computer shortly before resigning.
During this period, Ding was also in contact with two tech companies in the People’s Republic of China that were interested in AI infrastructure.
The FBI framed the case as a national security issue because the theft could help foreign firms accelerate their own AI development.
📢 Why it matters: This case shows how much damage a single trusted engineer can do when they quietly copy out core design documents, especially around emerging AI infrastructure.
🛡️ What You Should Do: Organizations should treat access to AI models, training data, and infrastructure diagrams as tightly as customer data and financial records and restrict who can export or sync them to personal accounts. Put monitoring in place for large downloads, bulk file transfers, and unusual access outside normal working patterns, and make sure offboarding processes immediately remove access to sensitive systems.
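As an added example of the monitoring recommended above (not Google's or any vendor's tooling), the following flags three of the named behaviours in a file-access log: many downloads by one user in a day, a large total volume, and downloads outside normal working hours. The log format, the thresholds and the working-hours window are assumptions, and the log lines are constructed.

```python
# Added example, not Google's or any vendor's tooling: flags bulk downloads,
# large transfers and off-hours access in a simple file-access log. The log
# format and thresholds are assumptions; the log lines are constructed.
from collections import defaultdict
from datetime import datetime

# Constructed sample log: ISO timestamp, user, action, bytes, path
SAMPLE_LOG = """\
2025-01-15T10:12:00 dana download 204800 /designs/spec-a.pdf
2025-01-15T10:13:30 dana download 102400 /designs/spec-b.pdf
2025-01-15T23:41:10 evan download 52428800 /infra/cluster-design-01.pdf
2025-01-15T23:42:05 evan download 52428800 /infra/cluster-design-02.pdf
2025-01-15T23:43:50 evan download 52428800 /infra/cluster-design-03.pdf
2025-01-15T23:45:12 evan download 52428800 /infra/cluster-design-04.pdf
2025-01-15T23:46:00 evan download 52428800 /infra/cluster-design-05.pdf
"""

BULK_FILES = 5             # downloads per user per day (assumed threshold)
BULK_BYTES = 200 * 2**20   # bytes per user per day (assumed threshold)
WORK_HOURS = range(8, 19)  # 08:00-18:59 is "normal" here (assumption)

def parse(log_text):
    """Turn raw lines into (timestamp, user, action, bytes, path) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, action, nbytes, path = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts), user, action, int(nbytes), path))
    return events

def detect(events):
    """Aggregate downloads per user per day and return {user: [alert, ...]}."""
    per_day = defaultdict(lambda: {"files": 0, "bytes": 0, "off_hours": 0})
    for ts, user, action, nbytes, _path in events:
        if action != "download":
            continue
        stats = per_day[(user, ts.date())]
        stats["files"] += 1
        stats["bytes"] += nbytes
        if ts.hour not in WORK_HOURS:
            stats["off_hours"] += 1
    alerts = defaultdict(set)
    for (user, _day), stats in per_day.items():
        if stats["files"] >= BULK_FILES:
            alerts[user].add("bulk_download_count")
        if stats["bytes"] >= BULK_BYTES:
            alerts[user].add("bulk_download_bytes")
        if stats["off_hours"]:
            alerts[user].add("off_hours_access")
    return {user: sorted(a) for user, a in alerts.items()}
```

In practice the thresholds should be tuned per role and the per-day window replaced with a rolling one, but the shape stays the same: aggregate per identity, compare against a baseline, alert on the combination rather than any single download.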
💡 Tip Of The Week
Set a recurring reminder to rotate passwords on your most important accounts every few months, starting with email, cloud storage, and social platforms like Instagram. This helps because fresh, unique passwords limit the damage when one site is breached or a forgotten game account leaks old login data.
Use a password manager to generate and store strong passwords, then update a small handful of accounts at a time so the task feels manageable instead of overwhelming.
🧠 Key Terms & Concepts
Private profile leak: When a platform shows pieces of “private” content, such as photo links, to people who are not approved followers, for example leaking image URLs from a private Instagram account in the page code.
Data extortion: An attack where criminals steal internal data and threaten to publish it unless they are paid, such as WorldLeaks claiming to hold Nike design and manufacturing documents.
Insider threat: Risk that comes from a trusted person inside an organization, like an employee who copies AI infrastructure designs or quietly exports large amounts of sensitive data.
Password hash: A scrambled, one-way version of a password that a website stores instead of the raw text, though older hashes like MD5 can often be cracked back into readable passwords.
Remote code execution (RCE): A flaw that lets an attacker run their own commands on a server from afar, as happened with the NationStates Dispatch Search feature.
📣 Did You Know?
“123456” is still one of the world’s most used passwords
Reports on common passwords show that simple sequences like “123456,” “password,” and “qwerty” remain at the top of global lists, despite years of warnings that they are extremely easy to guess.
