Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: follow-up (15 articles)Clear

Hackers tell schools to pay by Tuesday or 275 million students' messages and IDs go public - Canvas operator Instructure confirms breach

Update on the Instructure breach we covered May 2: Instructure confirmed Saturday that names, email addresses, student ID numbers, and private messages between students and teachers were exposed. ShinyHunters now claims 275 million individuals across 9,000 schools worldwide are in the dataset, totaling 3.65+ TB of data including billions of private messages. The group set a pay-or-leak deadline of May 6 - this Tuesday. The Salesforce instance was also breached. This is Instructure's second breach in eight months. PowerSchool's January 2025 breach with similar scope produced a $17.25 million settlement.

Check
If your school or organization uses Canvas, prepare your student/parent breach notification template this week - Instructure data is likely to be public by Tuesday.
Affected
Schools, universities, and corporate training organizations using Canvas - 9,000 institutions globally, 275 million individuals. Acute risk for K-12 districts where data on under-13 students falls under COPPA and state student privacy laws (NY Education Law 2-d, California SOPIPA, ~130 similar state statutes). Salesforce-integrated Canvas tenants face additional exposure.
Fix
Rotate every Canvas API key and re-authorize integrations as Instructure has now mandated. Pull your district's Canvas data-sharing inventory and identify which downstream tools held copies. For K-12: prepare COPPA and state-AG notification templates now - PowerSchool's breach triggered class actions in 11 states. Brief students, parents, and faculty that any 'Canvas account verification' email this week is potentially hostile.

Hackers are mass-encrypting websites by exploiting last week's cPanel flaw - 44,000 servers compromised so far in 'Sorry' ransomware attacks

Update on the cPanel flaw covered April 30: attackers are now mass-exploiting CVE-2026-41940 to deploy a Linux ransomware called 'Sorry' that encrypts websites and demands payment to unlock them. Shadowserver confirms at least 44,000 cPanel hosts have been compromised, with hundreds of victim sites already showing up in Google search results. The Sorry encryptor is written in Go, uses ChaCha20 with an embedded RSA-2048 public key (so victims cannot recover files without the attacker's private key), and appends '.sorry' to filenames. KnownHost reports the cPanel flaw was being exploited as a zero-day since at least February 23.

Check
If you run any cPanel or WHM server and have not yet patched, treat the server as already compromised - patch immediately, then start incident response rather than just resuming operations.
Affected
All cPanel and WHM versions before the April 28 emergency patch. ~1.5 million internet-exposed cPanel instances per Shodan, with 44,000 confirmed compromised. Hosting providers, web agencies, e-commerce sites on shared hosting, and any small business website on cPanel are in scope. Anyone whose cPanel was internet-reachable between February 23 and April 28 should assume compromise even if they patched promptly.
Fix
Patch cPanel to a fixed version. After patching, hunt for indicators of compromise (Sorry's '.sorry' file extension, unfamiliar admin sessions, cron entries pointing to /tmp/, modified /var/cpanel/sessions/raw/ files). Restore from clean backups predating February 23 if possible. Block cPanel ports (2082-2087, 2095-2096) at the firewall to non-trusted IPs. Rotate every credential the cPanel host had access to.

France arrested a 15-year-old as the suspected hacker behind the French government ID agency breach - 11.7 million records confirmed stolen

Update on the ANTS breach we covered April 22: French police detained a 15-year-old on April 25, suspected of running the breach3d alias and stealing data from France Titres (ANTS), the agency that issues French ID cards, passports, and driver's licenses. The Paris Prosecutor's Office charged the minor on April 29 with three offenses carrying up to seven years in prison. ANTS now confirms 11.7 million accounts affected - lower than the original 19 million claim but still one of the largest leaks of French citizen identity data ever. Exposed data includes full names, email addresses, dates of birth, postal addresses, and phone numbers.

Check
If you live or operate in France, watch for highly-targeted phishing referencing real ID details over the next 90 days - the breach data is now confirmed in attacker hands.
Affected
11.7 million French residents whose ID data, contact details, and dates of birth are in the breach3d dataset. Acute risk for individuals who used these details to create accounts at French government services or banks. Organizations operating in France that use government-issued ID for KYC checks need to assume their data sources are tainted.
Fix
ANTS recommends affected users reset passwords on government and banking accounts and watch for impersonation messages claiming to be ANTS or La Poste. Treat any inbound email referencing your real ANTS data as hostile. KYC checks based on French government ID numbers should be backed by additional verification (face match, document liveness check) for the next 12 months.

The same supply-chain worm that hit SAP packages on Wednesday spread to PyTorch Lightning and Intercom's npm SDK on Thursday

Update on the Mini Shai-Hulud campaign covered April 30: The same supply-chain worm that hit four SAP npm packages on Wednesday spread to two more major packages on Thursday. PyTorch Lightning, an AI training framework with 31,100 GitHub stars and hundreds of thousands of daily downloads, had malicious versions 2.6.2 and 2.6.3 published on PyPI for 42 minutes before being quarantined. Intercom-client, the official Node.js SDK for Intercom (361,510 weekly downloads), was compromised at 14:41 UTC. Intercom traced its compromise to pyannote-audio pulling Lightning as a dependency - showing the worm propagating through stolen credentials from the SAP victims.

Check
Audit any developer machine or CI runner that ran 'pip install' on PyTorch Lightning or 'npm install' on intercom-client between April 30 and May 1, and rotate every credential on those machines.
Affected
Lightning (PyPI) versions 2.6.2 and 2.6.3 - safe version is 2.6.1. Intercom-client (npm) version 7.0.4 (per Socket) and 7.0.5 (per Wiz). AI/ML environments running Lightning routinely hold GPU cluster credentials, cloud IAM tokens, Hugging Face API keys, and Weights & Biases tokens. Backend services and CI/CD pipelines integrating with Intercom's API are exposed even if they don't use Lightning.
Fix
Pin Lightning to 2.6.1 or earlier; reject 2.6.2 and 2.6.3. Update intercom-client per Intercom's advisory. Rotate all credentials potentially exposed: GitHub tokens, npm tokens, AWS/GCP/Azure keys, environment-variable secrets. Gate npm publish behind environment review (the same pattern that compromised SAP).

ADT customer breach details now public on Have I Been Pwned - 5.5 million records confirmed, more than the 10 million ShinyHunters originally claimed but with worse data

Update on the ADT breach we covered April 25: Have I Been Pwned added the leaked dataset yesterday with 5,488,888 unique email addresses confirmed - lower than ShinyHunters' original 10 million claim but still the largest US home-security customer leak on record. Beyond the email, name, phone, and address fields ADT originally disclosed, the leak includes details ADT downplayed: account creation dates, premise types, internal account flags, ADT installer IDs, and prospect/customer status. None catastrophic alone, but combined gives attackers enough context to run convincing 'security audit' phone scams against named customers with real install dates and installer names.

Check
If you're an ADT customer, treat any inbound call referencing your real install date or installer name as hostile - those details are now public.
Affected
All 5,488,888 ADT customers and prospects - now indexable on HIBP. Acute risk for customers whose installer IDs are in the leak: scammers can call referencing 'Mike from your install on March 14, 2022' and sound legitimate enough to social-engineer security code resets. Elderly customers and high-value households are the highest-risk segment for follow-on physical security scams.
Fix
ADT customers should set a verbal codeword with ADT's real customer service line and refuse to verify identity to any inbound caller without it. Treat any 'free security upgrade' as a scam unless you initiated the call. Brief elderly family members specifically - they're the prime target for follow-on scams using leaked install details. Pressure ADT for credit monitoring if the SSN/Tax ID subset includes you.