Update on the Instructure breach we covered May 2: Instructure confirmed Saturday that names, email addresses, student ID numbers, and private messages between students and teachers were exposed. ShinyHunters now claims 275 million individuals across 9,000 schools worldwide are in the dataset, totaling 3.65+ TB of data including billions of private messages. The group set a pay-or-leak deadline of May 6 - this Tuesday. The Salesforce instance was also breached. This is Instructure's second breach in eight months. PowerSchool's January 2025 breach with similar scope produced a $17.25 million settlement.
Update on the cPanel flaw covered April 30: attackers are now mass-exploiting CVE-2026-41940 to deploy a Linux ransomware called 'Sorry' that encrypts websites and demands payment to unlock them. Shadowserver confirms at least 44,000 cPanel hosts have been compromised, with hundreds of victim sites already showing up in Google search results. The Sorry encryptor is written in Go, uses ChaCha20 with an embedded RSA-2048 public key (so victims cannot recover files without the attacker's private key), and appends '.sorry' to filenames. KnownHost reports the cPanel flaw was being exploited as a zero-day since at least February 23.
Update on the ANTS breach we covered April 22: French police detained a 15-year-old on April 25, suspected of running the breach3d alias and stealing data from France Titres (ANTS), the agency that issues French ID cards, passports, and driver's licenses. The Paris Prosecutor's Office charged the minor on April 29 with three offenses carrying up to seven years in prison. ANTS now confirms 11.7 million accounts affected - lower than the original 19 million claim but still one of the largest leaks of French citizen identity data ever. Exposed data includes full names, email addresses, dates of birth, postal addresses, and phone numbers.
Update on the Mini Shai-Hulud campaign covered April 30: The same supply-chain worm that hit four SAP npm packages on Wednesday spread to two more major packages on Thursday. PyTorch Lightning, an AI training framework with 31,100 GitHub stars and hundreds of thousands of daily downloads, had malicious versions 2.6.2 and 2.6.3 published on PyPI for 42 minutes before being quarantined. Intercom-client, the official Node.js SDK for Intercom (361,510 weekly downloads), was compromised at 14:41 UTC. Intercom traced its compromise to pyannote-audio pulling Lightning as a dependency - showing the worm propagating through stolen credentials from the SAP victims.
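For defenders checking exposure to the Lightning versions named above, here is a small scanner for requirements, lock, and `pip freeze` style files. It is an added example, not code from this post or from any project mentioned in it. The PyPI distribution names `lightning` and `pytorch-lightning` and the sample input are assumptions; the version numbers 2.6.2 and 2.6.3 come from the text.

```python
import re

# Versions the article names as malicious. The PyPI distribution names are an
# assumption (the article says only "PyTorch Lightning"); edit as needed.
BAD = {"lightning": ("2.6.2", "2.6.3"), "pytorch-lightning": ("2.6.2", "2.6.3")}
REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?([^;#]*)")
CLAUSE = re.compile(r"(===|==|~=|!=|<=|>=|<|>)\s*([0-9][\w.*+!-]*)")

def _t(version):
    """Numeric release tuple; enough for plain X.Y.Z versions like those above."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def _ok(op, want, bad):
    """True if version `bad` satisfies the single specifier clause `op want`."""
    b, w = _t(bad), _t(want)
    if want.endswith(".*"):      # ==2.6.* / !=2.6.* compare on the prefix only
        b = b[:len(w)]
    if op == "~=":               # compatible release: same prefix, not older
        return b >= w and b[:len(w) - 1] == w[:-1]
    return {"==": b == w, "===": b == w, "!=": b != w, "<": b < w,
            "<=": b <= w, ">": b > w, ">=": b >= w}[op]

def scan(text):
    """Return (line_no, package, bad_version, verdict) for each affected line."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        m = REQ.match(line.strip())   # skips comments, -r includes, --hash lines
        if not m:
            continue
        name = re.sub(r"[-_.]+", "-", m.group(1)).lower()  # PEP 503 normalisation
        clauses = CLAUSE.findall(m.group(2))               # markers after ';' ignored
        for bad in BAD.get(name, ()):
            if all(_ok(op, want, bad) for op, want in clauses):
                exact = (len(clauses) == 1 and clauses[0][0] in ("==", "===")
                         and "*" not in clauses[0][1])
                findings.append((no, name, bad, "pinned" if exact else "admits"))
    return findings

# Constructed sample input, not taken from any real project.
SAMPLE = """\
torch>=2.0
Pytorch_Lightning[extra]==2.6.3 ; python_version >= "3.9"
lightning>=2.5,<2.6.2
lightning~=2.6.0
lightning==2.6.1
"""

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A "pinned" verdict means a lock file or freeze output records one of the bad versions; "admits" means a range or bare name that could have resolved to one while it was live, so confirm what was actually installed.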
Update on the ADT breach we covered April 25: Have I Been Pwned added the leaked dataset yesterday with 5,488,888 unique email addresses confirmed - lower than ShinyHunters' original 10 million claim but still the largest US home-security customer leak on record. Beyond the email, name, phone, and address fields ADT originally disclosed, the leak includes details ADT downplayed: account creation dates, premise types, internal account flags, ADT installer IDs, and prospect/customer status. None is catastrophic alone, but combined they give attackers enough context to run convincing 'security audit' phone scams against named customers with real install dates and installer names.