Canvas Parent Company Confirms Massive Breach, Education Data Exposed

Breaking: Instructure Data Breach Compromises Student Records

Instructure, the U.S. education technology firm behind the Canvas learning platform, has confirmed a major data breach affecting its cloud-hosted environment. Exposed data includes student and staff records, private messages, and login portals were defaced with ransom messages by the threat group ShinyHunters.

“This is one of the most significant breaches in the education sector this year,” said Dr. Elena Rossi, cybersecurity analyst at CyberSafe Insights. “The combination of stolen PII and portal defacement signals a targeted extortion campaign.”

Other Major Breaches This Week

Zara, the flagship brand of Inditex, reported a breach tied to a third-party technology provider. Inditex confirmed unauthorized access, exposing 197,400 unique email addresses, order IDs, purchase history, and customer support tickets.

Hungarian media company Mediaworks suffered a data-theft extortion attack, with World Leaks posting 8.5TB of internal files online, including payroll records, contracts, and internal communications.

Czech automaker Škoda disclosed a security incident affecting its online shop after attackers exploited a software flaw. Exposed customer data may include names, contact details, order history, and logins, though passwords and payment card data were unaffected.

AI Threats on the Rise

Critical WebSocket Hijacking in Cline's AI Agent

Researchers uncovered a CVSS 9.7 WebSocket hijacking vulnerability in Cline's local Kanban server, impacting the open-source AI coding agent. Patched in version 0.1.66, the flaw allowed any website a developer visited to exfiltrate workspace data and inject arbitrary commands.

Claude Extension Flaw Exposes Browser Data

A flaw in Anthropic's Claude in Chrome extension allowed other browser extensions to hijack the AI agent, enabling unauthorized actions and access to sensitive browser-connected data. “AI assistants are expanding the browser attack surface,” noted Dr. Marcus Chen, threat researcher at VulnWatch.

InstallFix Campaign Targets Claude Users

Researchers detailed an InstallFix campaign using fake Claude AI installer pages promoted through Google Ads. The multi-stage malware steals browser data, disables protections, and establishes persistence via scheduled tasks.

Critical Patches Released for MOVEit and Ivanti

Progress alerted customers to CVE-2026-4670, an authentication bypass in MOVEit Automation, and CVE-2026-5174, a privilege escalation flaw. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8.

Ivanti fixed CVE-2026-6973, a high-severity Endpoint Manager Mobile vulnerability exploited as a zero-day. The flaw affects EPMM 12.8.0.0 and earlier, allowing attackers with admin permissions to run remote code. Hundreds of appliances remain unpatched.

Background

The week of May 11 saw a surge in cyber attacks targeting education, retail, media, and automotive sectors. Breaches at Instructure and Zara highlight the vulnerability of cloud-hosted platforms and third-party ecosystems. Meanwhile, AI-related threats continue to evolve, with vulnerabilities in popular coding agents and deceptive installer campaigns.

What This Means

Organizations must prioritize patching critical vulnerabilities such as those in MOVEit and Ivanti, and review third-party security postures. The Canvas breach underscores the need for stronger access controls and incident response plans in educational institutions. AI tool users should verify installation sources and restrict browser extension permissions to mitigate hijacking risks.