ShinyHunters Breaches EdTech Giant Instructure, Exposing 275M Records; Critical cPanel Zero-Day Exploited in Widespread Attacks

Educational Tech Giant Instructure Hit by Major Data Breach, ShinyHunters Threatens to Leak Data of 275 Million Users

Educational technology firm Instructure has confirmed a significant data breach affecting its widely used Canvas Learning Management System (LMS). The incident, which caused service disruptions starting May 1, 2026, has been claimed by the notorious extortion group ShinyHunters. The threat actor alleges the theft of 3.65 terabytes of data, including the personal information and private messages of 275 million students and educators from nearly 9,000 institutions globally. Instructure has acknowledged the exposure of names, email addresses, and user messages but stated that more sensitive data like passwords and financial information was not compromised. The company is working with law enforcement and has implemented remedial actions, including rotating API keys.

InstructureCanvasShinyHuntersData BreachEducation +2 more

Instructure Confirms Massive Breach; ShinyHunters Claims 275 Million User Records from Canvas LMS

Ameriprise Financial Hit by Data Breach, Exposing Data of Nearly 48,000 Customers

Ameriprise Financial Discloses Second Data Breach in Six Months, Affecting Nearly 48,000 Individuals

Ameriprise Financial, a major U.S. financial services firm, has reported a data breach that exposed the personal and financial information of approximately 48,000 customers. The incident, which began on March 2, 2026, involved unauthorized access to stored data and was not detected for 16 days. Exposed data includes names, addresses, and financial account details, with potential compromise of Social Security numbers. This is the company's second breach in under six months. While not officially confirmed by Ameriprise, the ShinyHunters hacking group was allegedly linked to the attack in now-dropped lawsuits, claiming to have exfiltrated over 200GB of data. Ameriprise is offering credit monitoring services to affected individuals.

Ameriprise FinancialData BreachShinyHuntersFinancial ServicesPII +1 more

Ameriprise Financial Hit by Data Breach, Exposing Data of Nearly 48,000 Customers

Sandhills Medical Foundation Faces Class Action Probe Over Ransomware Attack Affecting 169,000 Patients

Delayed Breach Notification by Sandhills Medical Foundation Prompts Class Action Investigation Following 2025 Ransomware Attack

A ransomware attack on Sandhills Medical Foundation in 2025 has triggered a class action investigation announced on May 3, 2026. The breach, claimed by the 'Inc Ransom' group, exposed the personal and protected health information (PHI) of 169,017 patients. The attack itself was discovered in May 2025, with data exfiltration occurring in November 2025. However, the healthcare provider did not begin notifying affected patients until April 2026, a significant delay that has drawn legal scrutiny and criticism for potentially violating data protection laws. The exposed data includes highly sensitive information such as Social Security numbers, financial details, and medical records.

Sandhills Medical FoundationRansomwareInc RansomHealthcareData Breach +2 more

Sandhills Medical Foundation Faces Class Action Probe Over Ransomware Attack Affecting 169,000 Patients

New Ransomware Group 'Mnt6' Surfaces, Claims Attack on New Zealand Contractor McKay

MEDIUM

Emerging Ransomware Group 'Mnt6' Claims Cyberattack on New Zealand Electrical Firm McKay

A new ransomware group, identifying itself as 'Mnt6', has claimed responsibility for a cyberattack against McKay, a major New Zealand-based electrical contractor. The attack occurred in January 2026, but the nascent threat group only listed McKay on its darknet leak site on April 30. McKay confirmed the incident, stating it detected and contained unauthorized access to a single internal device. In response to the threat of data disclosure, McKay has obtained a High Court injunction to block the publication of any stolen data. Little is known about Mnt6, which has only two other victims listed, suggesting it may be a new player in the ransomware ecosystem.

Mnt6RansomwareMcKayNew ZealandThreat Actor +1 more

3 min read

New Ransomware Group 'Mnt6' Surfaces, Claims Attack on New Zealand Contractor McKay

MoneyForward GitHub Breach Exposes Customer Data, Hardcoded Secrets

MEDIUM

Japanese FinTech MoneyForward Suffers GitHub Breach Exposing Source Code, Hardcoded Keys, and Customer Data

Japanese fintech leader MoneyForward Inc. has disclosed a data breach resulting from a compromise of its corporate GitHub account. The incident, which occurred between May 1 and May 3, 2026, led to the exposure of company source code and the personal data of 370 business card users. In a transparent disclosure, MoneyForward admitted to critical security failures, including hardcoding authentication keys directly in the source code and inadvertently committing a file containing sensitive production data to the GitHub repository during a service update. The company temporarily suspended connections to bank accounts as a precaution while it investigates and remediates the issue.

MoneyForwardGitHubData BreachFintechHardcoded Secrets +2 more

MoneyForward GitHub Breach Exposes Customer Data, Hardcoded Secrets

Cybersecurity Vendor Trellix Confirms Breach of Source Code Repository

Trellix Discloses Security Breach Involving Unauthorized Access to Internal Source Code Repository

Cybersecurity vendor Trellix, formed from the merger of McAfee Enterprise and FireEye, has confirmed a security breach involving unauthorized access to a portion of its internal source code repository. The company stated it has engaged forensic experts and notified law enforcement. While the investigation is ongoing, Trellix has found no evidence that its source code release process was compromised or that the code has been altered or exploited. This incident places Trellix in a growing list of security companies, including Okta and LastPass, that have suffered source code breaches, highlighting the significant threat of supply chain attacks targeting the security industry itself.

TrellixSource CodeData BreachSupply Chain AttackCybersecurity +2 more

Cybersecurity Vendor Trellix Confirms Breach of Source Code Repository

Florida Physician Specialists Breach Exposes Extensive Patient Data, Prompts Legal Probe

Florida Physician Specialists Discloses Data Breach Exposing Sensitive Patient PII and PHI, Faces Legal Investigation

Florida Physician Specialists, a medical practice based in Jacksonville, has disclosed a data breach that exposed a wide array of sensitive patient information. The incident, which took place between November 27 and 29, 2025, involved an unauthorized third party gaining access to the practice's network. A comprehensive review to determine the scope of the breach was not completed until April 2026, and notification letters were sent out late that month. The exposed data includes names, Social Security numbers, financial account details, medical information, and health insurance data. The significant delay between the breach and notification has prompted a class-action law firm to launch an investigation.

Data BreachHealthcareHIPAAPIIPHI +1 more

Florida Physician Specialists Breach Exposes Extensive Patient Data, Prompts Legal Probe

NSW Government Downgrades Treasury Cyber Incident, Cites Containment

MEDIUM

New South Wales Government Downgrades 'Significant Cyber Incident' at Treasury, Attributed to Insider Threat

The New South Wales (NSW) Government has officially downgraded the 'significant cyber incident' declared in April following an alleged internal data breach at NSW Treasury. On May 4, 2026, officials confirmed the incident is now contained and has moved to the recovery phase. The breach, believed to be an insider threat, involved a Treasury staff member who allegedly transferred a large number of confidential documents to an external server. The matter was reported to NSW Police, leading to criminal charges. The government stated that there was no external compromise of Treasury systems and believes all allegedly stolen data has been secured.

Insider ThreatNSW GovernmentData BreachGovernmentSecurity Operations

NSW Government Downgrades Treasury Cyber Incident, Cites Containment

IBM Executive Tom Parker Reportedly a Top Candidate for CISA Director

INFORMATIONAL

IBM's Tom Parker Emerges as Leading Contender to Head U.S. Cybersecurity Agency CISA

Tom Parker, a cybersecurity executive at IBM, is reportedly a leading candidate to be the next director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA). According to sources familiar with the matter, Parker's extensive private-sector background is a key attribute favored by the current administration and Homeland Security Secretary Markwayne Mullin. Parker, who has no prior government experience, founded the cyber solutions firm Hubble and is a regular speaker at the Black Hat conference. The CISA leadership position has been without a permanent director since the previous nominee withdrew, and while Parker is seen as a frontrunner, the selection process remains fluid.

CISAIBMTom ParkerGovernmentCybersecurity Leadership

3 min read

IBM Executive Tom Parker Reportedly a Top Candidate for CISA Director

Updated Articles (4)

AI-Enabled Cybercrime Fuels 389% Surge in Ransomware Victims, Fortinet Reports

Fortinet 2026 Threat Report: AI Tools Drive 389% Increase in Ransomware Victims and Shrink Exploit Time to Under 48 Hours

This update to Fortinet's 2026 Global Threat Landscape Report provides more granular technical insights into AI's impact on cybercrime. It explicitly identifies new MITRE ATT&CK techniques amplified by AI, including T1595.002 (Vulnerability Scanning), T1102 (Web Service), and T1027 (Obfuscated Files or Information). The report also specifies that infostealer logs now comprise 67% of all advertised stolen data, offering a more precise measure of this threat. Furthermore, it introduces Zero Trust Architecture as a crucial mitigation strategy, alongside an integrated security fabric. Derek Manky, Fortinet's Chief Security Strategist, is highlighted, reinforcing the need for AI-driven defense.

May 1, 2026

FortinetThreat IntelligenceAICybercrimeRansomware +2 more

AI-Enabled Cybercrime Fuels 389% Surge in Ransomware Victims, Fortinet Reports

Anodot Breach Leads to Supply Chain Attack on Snowflake Customers; ShinyHunters Claims Responsibility

SaaS Vendor Anodot Breached; ShinyHunters Gang Uses Stolen Tokens to Attack Snowflake Customers

Video hosting platform Vimeo has confirmed it was impacted by the Anodot supply-chain attack, with ShinyHunters accessing its Snowflake and BigQuery instances. The breach exposed technical information, video titles, metadata, and some customer email addresses. Vimeo clarified that no video content, login credentials, or payment information was compromised. This adds Vimeo as another significant victim to the ongoing Anodot compromise, which also affected Rockstar Games. Vimeo has since disabled the Anodot integration and associated credentials.

April 10, 2026

supply chain attackshinyhuntersanodotsnowflakedata breach +2 more

Anodot Breach Leads to Supply Chain Attack on Snowflake Customers; ShinyHunters Claims Responsibility

Critical Flaw in VECT 2.0 Ransomware Turns It Into a Destructive Wiper, Permanently Destroying Large Files

VECT 2.0 Ransomware Flaw Makes Data Recovery Impossible for Files Over 128KB, Functioning as a Wiper

New reports confirm that security firm Halcyon also contributed to the discovery of the critical VECT 2.0 ransomware flaw, alongside Check Point. The RaaS platform's promotion on BreachForums is highlighted, with affiliates reportedly receiving access keys in March 2026. Further technical analysis adds T1105 (Ingress Tool Transfer) to the observed Tactics, Techniques, and Procedures (TTPs), indicating the group hides malware within developer tools for initial access. This ongoing flaw, which renders VECT 2.0 an accidental data wiper, is expected to severely impact the ransomware operation's viability, as victims are advised against paying ransoms for unrecoverable data.

April 30, 2026

VECT 2.0WiperRansomwareCheck PointData Destruction +1 more

cPanel Zero-Day Auth Bypass (CVE-2026-41940) Actively Exploited for Months Before Patch

CRITICAL

Critical cPanel & WHM Zero-Day Vulnerability (CVE-2026-41940) Allowed Unauthenticated Admin Access, Exploited Since February

New intelligence from The Shadowserver Foundation confirms widespread exploitation of CVE-2026-41940, with over 40,000 unique IP addresses associated with compromised cPanel servers observed. Attackers are leveraging this vulnerability to deploy 'Sorry' ransomware, a Go-based Linux encryptor that appends a '.sorry' extension to encrypted files. This represents a significant escalation in the real-world impact of the vulnerability, moving beyond just administrative access to direct data encryption and extortion. New detection methods include monitoring for '.sorry' file extensions and specific process names. An updated list of patched versions is also provided, emphasizing immediate action.

May 1, 2026