Braintrust warned customers to rotate API keys after hackers breached an AWS account, exposing secrets tied to cloud-based AI models.
AI observability startup Braintrust warned customers to rotate API keys after attackers gained unauthorized access to one of the company’s AWS accounts, potentially exposing secrets used to connect to cloud-based AI models.
The company said it discovered suspicious activity on May 4 and immediately locked down the affected account, restricted access to related systems, and rotated internal credentials. The firm launched an investigation into the security incident.
“We’ve identified a security incident that involved unauthorized access to one of our AWS accounts. We are actively investigating, and we have engaged incident response experts.” reads the security breach notice published by the company. “We have contained the incident by locking down the compromised account, auditing and restricting access across related systems, rotating internal secrets, and engaging incident response experts to support our investigation. As a precaution, we recommend that all customers rotate any org-level AI provider keys used with Braintrust.”
Braintrust notified customers the following day and shared indicators of compromise and remediation guidance.
Although Braintrust says the impact appears limited, experts warn the breach highlights growing AI supply chain risks, as AI platforms increasingly store valuable API credentials targeted by attackers.
The potential exposure could affect organizations relying on Braintrust to manage AI provider keys across services and applications.
Researchers note that once threat actors obtain valid API keys, they can abuse AI services while appearing as legitimate users, often bypassing traditional security controls.
“To date, we’ve confirmed the issue affected one customer. Three additional customers reported suspicious spikes in AI provider usage, and we’re investigating those alongside them.” continues the notice. “We have not identified broader customer exposure based on our investigation to date, but as a precaution we informed all org admins with stored AI provider secrets in Braintrust. The investigation is ongoing.”
The incident also reflects a broader trend of attackers targeting cloud accounts and SaaS providers to gain indirect access to downstream customers and interconnected AI infrastructure.
The company plans to add new safeguards, including timestamps and user attribution for API key changes, while the investigation into the incident remains ongoing.
RansomHouse claimed responsibility for the Trellix breach, adding the security firm to its Tor data leak site and sharing screenshots of internal systems.
The RansomHouse ransomware group has claimed responsibility for the recent cyberattack on cybersecurity firm Trellix. To support its claims, the gang published screenshots allegedly showing access to internal Trellix services.
In early May, the company revealed a breach that allowed unauthorized access to part of its source code repository. The cybersecurity firm said it quickly launched an investigation with forensic experts and notified law enforcement. While the exact data accessed remains unclear, Trellix stated there is no evidence that its source code has been altered or exploited.
“Trellix recently identified unauthorized access to a portion of our source code repository. Upon learning of this matter, we immediately began working with leading forensic experts to resolve it. We have also notified law enforcement.” reads the update published by the security firm. “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited. As part of our commitment to our broader security community, we intend to share further details as appropriate once our investigation is complete.”
The company did not disclose who carried out the attack or how it was done. It is also unclear how long the attackers had access to the repository.
Unauthorized access to part of a source code repository can expose sensitive logic, APIs, or credentials. Attackers may study the code to find vulnerabilities, create exploits, or plan targeted attacks. It can also lead to intellectual property theft, reputational damage, and supply chain risks if tampered code is later distributed to customers or partners.
The cybersecurity firm confirmed that part of its source code repository was breached, but said there is currently no evidence that its code release process or products were compromised.
RansomHouse is a cyber extortion group that emerged in late 2021 and quickly gained attention for targeting large organizations worldwide. Unlike traditional ransomware gangs, it initially focused on stealing data and extorting victims rather than encrypting systems.
The group presents itself as a “professional mediator” exposing poor cybersecurity practices, although researchers classify it as a financially motivated criminal operation. RansomHouse has been linked to attacks on healthcare providers, retailers, government agencies, technology firms, and critical infrastructure operators, claiming breaches involving AMD, Shoprite, and European institutions. The gang typically exploits exposed services, weak credentials, phishing, and vulnerable remote access systems.
Nearly 200,000 Zara customers were exposed in a third-party breach linked to ShinyHunters, revealing emails, purchase history, and support data.
Personal data belonging to nearly 197,000 Zara customers has been compromised following a cyberattack on a former technology provider used by Inditex, the Spanish fashion giant behind some of the world’s most recognized retail brands including Bershka, Pull&Bear, and Massimo Dutti.
The breach came to light last month when Inditex confirmed unauthorized access to databases hosted by a third-party vendor. The company was careful to limit the alarm: the compromised databases did not contain names, passwords, payment details, addresses, or phone numbers.
“Inditex has immediately applied its security protocols and has started notifying the relevant authorities of this unauthorized access, that stems from a security incident that affected a former technology provider and has impacted several companies operating internationally,” reads a statement by Inditex.
“Operations and systems haven’t been affected and customers can continue to access and use its services safely.”
What was exposed, however, tells a different story about the scale of the incident.
The data breach notification service Have I Been Pwned analyzed the stolen dataset and confirmed that 197,400 unique email addresses were among the compromised records, alongside order IDs, product SKUs, geographic locations, purchase history, and customer support tickets, enough to paint a detailed picture of individual shopping habits and interactions with the brand.
The extortion group ShinyHunters claimed the attack and the theft of a 140GB archive from BigQuery instances by exploiting compromised Anodot authentication tokens, the same technique they have used against dozens of other companies.
“Your Bigquery instances data was compromised thanks to Anodot.com.” the cybercrime group wrote on its Tor data leak site. “The company failed to reach an agreement with us despite our incredible patience, all the chances”
The Anodot vector is significant. ShinyHunters has told journalists that stolen Anodot tokens gave them access to analytics infrastructure across multiple large organizations simultaneously, a single point of failure that cascaded into dozens of separate breaches. The gang has also run coordinated vishing campaigns targeting employees’ SSO accounts at Microsoft Entra, Okta, and Google to move laterally into connected SaaS environments.
Inditex has not yet named the compromised provider or attributed the attack to a specific threat actor, despite ShinyHunters having publicly claimed it and released data as proof.
Zara is the flagship fashion brand of Inditex, one of the world’s largest apparel groups. Inditex reported revenue of about €38.6 billion in fiscal 2025 and employs roughly 160,000 people worldwide. Zara operates in more than 90 countries through thousands of stores and online platforms, making it one of the most globally recognized fast-fashion retailers.
Rival retailer Mango disclosed its own data breach last October, after a marketing vendor was hacked and customer data used in promotional campaigns was exposed. In that case, no extortion group has come forward, and the attackers remain unidentified.
A data breach at GFN.AM, an authorized NVIDIA GeForce NOW cloud gaming service provider operating under “GFN CLOUD INTERNET SERVICES” LLC, has exposed personal information belonging to registered users.
The company disclosed the incident on May 5, 2026, revealing that unauthorized access to its database occurred as far back as March 9, 2026, nearly two months before discovery.
The breach was first detected on May 2, 2026, leaving a roughly 54-day window during which threat actors may have had access to user records.
GFN.AM confirmed that the unauthorized party gained access to its backend database, allowing sensitive user data to be exfiltrated or viewed by third parties.
Critically, only users registered on or before March 9, 2026, are affected. The incident did not impact accounts created after that date.
According to the notice, the exposed fields include:
Phone numbers, for users who registered via a mobile operator
Date of birth
Full name (first and last), for users who authenticated through Google Sign-In
GFN.AM platform username
The company emphasized that account passwords were not compromised in this incident, reducing the immediate risk of account takeover.
However, the exposed combination of email addresses, phone numbers, and full names poses a significant risk of phishing, SIM swapping, and social engineering targeting affected users.
Following the discovery of the breach, GFN.AM stated it took immediate steps to eliminate the root cause of the unauthorized access. The company has also implemented additional organizational and technical security controls to harden its information systems and reduce the likelihood of a similar incident.
No further technical specifics, such as whether the access involved a compromised credential, an unpatched vulnerability, or a misconfigured database, were disclosed in the public notice.
Security professionals warn that even without password exposure, the leaked data is highly valuable to cybercriminals. Personal identifiers such as full names, phone numbers, and email addresses are routinely used in targeted phishing and credential-stuffing campaigns.
Users who authenticated via Google should review their account activity, as their full names were among the exposed fields.
Users registered on or before March 9, 2026, should take the following precautions:
Monitor email accounts for unusual login attempts or phishing messages.
Be cautious of unsolicited calls or SMS messages referencing GFN.AM.
Enable multi-factor authentication on linked Google and email accounts.
Consider placing a fraud alert with relevant financial institutions if additional personal data is suspected to be involved.
GFN.AM has not publicly indicated whether affected users will be notified individually or whether regulatory authorities have been informed of the breach.
Škoda Auto has disclosed a significant IT security incident affecting its official online shop, revealing that unauthorized individuals exploited a vulnerability in the platform’s standard shop software to gain temporary unauthorized access to customer data.
During routine technical security monitoring, Škoda’s IT team identified that attackers had leveraged a flaw in the shop’s underlying software to infiltrate the system.
Upon discovery, Škoda immediately activated containment measures and took the online shop offline as a precautionary step.
The vulnerability has since been fully remediated, and an external IT forensics firm has been commissioned to conduct a thorough technical post-incident analysis.
The breach was also formally reported to the relevant data protection supervisory authority in compliance with regulatory obligations.
Škoda Security Incident
The Škoda online shop stores a range of personal customer data, including full names, postal addresses, email addresses, phone numbers, order history, and account login credentials.
Passwords were stored using cryptographic hashing rather than plaintext, which provides a meaningful layer of protection. The notice does not say which algorithm was used; the practical protection depends on a salted, deliberately slow password hash such as bcrypt or Argon2 rather than a single pass of a fast hash, so affected customers who reuse the password elsewhere should still change it.
Critically, credit card details are not retained in the shop system; payment data is handled exclusively by third-party payment service providers, ruling out direct financial data exposure based on current forensic findings.
Forensic analysis confirmed that access to stored data was theoretically possible during the intrusion window. However, due to limitations in existing server-side logging protocols, investigators cannot definitively confirm whether data was actively exfiltrated or merely accessed.
Škoda states that no concrete evidence of customer data misuse has been identified so far, but is notifying affected customers as a precautionary measure, given that unauthorized access cannot be entirely excluded.
Customers whose data may have been exposed face two primary threat scenarios. First, phishing attacks where threat actors use known order details or personal information to craft convincing fraudulent emails or messages designed to harvest additional credentials or prompt victims to click malicious links.
Second, credential stuffing attacks, in which adversaries attempt to use compromised email-and-password combinations to gain unauthorized access to other online accounts, particularly when users reuse the same password across multiple services.
This incident underscores the persistent risk of e-commerce platform vulnerabilities, particularly when standard third-party shop software is deployed without sufficient hardening and continuous security monitoring.
The modern enterprise is no longer breached in the traditional sense. Firewalls remain intact; endpoints appear compliant, and credentials are often never “stolen” in the usual way. Yet attackers still get in—and stay in. The difference lies in how trust is being weaponized.
Threat actors are executing what looks like a supply chain attack without ever touching the actual supply chain infrastructure. Instead, they exploit the implicit trust organizations place in browsers, third-party services, and user behavior.
This shift represents a quiet but dangerous evolution in supply chain cybersecurity. It’s less about breaking systems and more about bending them, using legitimate access paths to bypass defenses that were designed to stop intrusion, not misuse.
The Rise of “Invisible” Supply Chain Attacks
Traditional software supply chain attack scenarios often involve tampering with code libraries, compromising vendors, or injecting malicious updates. Those risks still exist, but attackers are now pursuing a lighter, faster approach: manipulating user-facing workflows that rely on trusted platforms.
In recent campaigns, phishing pages masquerade as routine services—identity verification tools, account recovery portals, or internal workflows. What makes these attacks stand out is not just the deception, but the permissions they request. Instead of asking for passwords, they request access to cameras, microphones, and device-level metadata.
This tactic transforms a simple phishing attempt into a sophisticated supply chain attack example—one where the “chain” is not software distribution, but user trust in familiar digital processes.
Once permissions are granted, the attack doesn’t need to escalate privileges. It already has them.
When Browsers Become Data Exfiltration Tools
Modern browsers are powerful. They support APIs for video capture, audio recording, geolocation, and device fingerprinting. These capabilities are designed for legitimate applications—but in the wrong hands, they become surveillance tools.
Attackers embed scripts within phishing pages that activate these features immediately after permission is granted. Within seconds, they can:
Capture images and short video clips from the user’s camera
Record audio through the microphone
Collect device details such as OS, browser version, and memory
Approximate location and network characteristics
This isn’t brute-force hacking. It’s precision harvesting.
The data is then quietly transmitted to attacker-controlled systems, often through simple channels such as messaging-bot APIs. Because that traffic goes to a legitimate, widely used service rather than to bespoke attacker infrastructure, it blends in with ordinary browsing, which makes detection even harder.
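As an added illustration of the detection side (editor-supplied example code, not Cyble’s or the original post’s), the following Python flags browser-side uploads to a messaging-bot API in forward-proxy logs. It assumes a simplified, constructed log format and uses the Telegram Bot API path shape (/bot<id>:<token>/<method>) as one concrete instance of the “messaging bot” channels the post refers to; the sample lines are constructed, not real traffic, and the bot token in them is made up.

```python
"""Flag browser-side exfiltration to messaging-bot APIs in proxy logs.

Added example, not part of the original post. Log format is a constructed,
simplified forward-proxy line: "timestamp client verb url status content-type".
Adjust LINE_RE to your proxy's real format.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample (not real traffic). Host 10.0.4.17 visits a login page,
# then fires two media uploads to a bot endpoint within one second; 10.0.4.22
# just opens a chat UI; 10.0.4.30 sends a single JSON message to the same bot.
SAMPLE_LOGS = """\
2026-05-05T10:01:02Z 10.0.4.17 GET https://login.example.com/oauth2/authorize 200 text/html
2026-05-05T10:01:40Z 10.0.4.17 POST https://api.telegram.org/bot7123456789:AAE1c2D3e4F5g6H7i8J9k0LmNoPqRsTuVwX/sendPhoto 200 multipart/form-data
2026-05-05T10:01:41Z 10.0.4.17 POST https://api.telegram.org/bot7123456789:AAE1c2D3e4F5g6H7i8J9k0LmNoPqRsTuVwX/sendDocument 200 multipart/form-data
2026-05-05T10:02:15Z 10.0.4.22 GET https://web.telegram.org/ 200 text/html
2026-05-05T10:03:00Z 10.0.4.30 POST https://api.telegram.org/bot7123456789:AAE1c2D3e4F5g6H7i8J9k0LmNoPqRsTuVwX/sendMessage 200 application/json
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<verb>[A-Z]+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)
# Telegram Bot API path: /bot<numeric id>:<secret>/<method>
BOT_PATH_RE = re.compile(r"^/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>[A-Za-z]+)$")
BOT_HOSTS = {"api.telegram.org"}          # extend with other bot-API hosts you see
MEDIA_METHODS = {"sendPhoto", "sendDocument", "sendVideo", "sendAudio",
                 "sendVoice", "sendVideoNote", "sendAnimation"}


@dataclass
class Finding:
    ts: str
    client: str
    bot_id: str
    secret_redacted: str   # never log the full bot token
    method: str
    severity: str


def redact(secret: str) -> str:
    return f"{secret[:4]}...{secret[-2:]}"


def analyze(log_text: str) -> list[Finding]:
    """Return one Finding per POST to a bot-API method; uploads are 'high'."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.hostname not in BOT_HOSTS:
            continue                      # e.g. the web.telegram.org chat UI
        p = BOT_PATH_RE.match(url.path)
        if not p or m["verb"] != "POST":
            continue
        upload = p["method"] in MEDIA_METHODS or m["ctype"].startswith("multipart/")
        findings.append(Finding(m["ts"], m["client"], p["bot_id"], redact(p["secret"]),
                                p["method"], "high" if upload else "medium"))
    return findings


def burst_clients(findings: list[Finding], window_s: int = 60, min_hits: int = 2) -> set[str]:
    """Clients that hit a bot API at least min_hits times within window_s seconds."""
    by_client: dict[str, list[datetime]] = {}
    for f in findings:
        by_client.setdefault(f.client, []).append(datetime.strptime(f.ts, "%Y-%m-%dT%H:%M:%SZ"))
    bursty: set[str] = set()
    for client, times in by_client.items():
        times.sort()
        for i in range(len(times) - min_hits + 1):
            if (times[i + min_hits - 1] - times[i]).total_seconds() <= window_s:
                bursty.add(client)
                break
    return bursty


if __name__ == "__main__":
    found = analyze(SAMPLE_LOGS)
    for f in found:
        print(f)
    print("burst clients:", burst_clients(found))
```

The burst check matters more than the single-request rule: one JSON message to a bot may be an internal alerting integration, whereas two media uploads from a workstation seconds after a credential page is loaded is the camera-and-microphone harvesting pattern described above. Feed the redacted bot ID to your threat-intel pivot rather than the token itself.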
From a supply chain cybersecurity perspective, this is particularly concerning. The browser—arguably one of the most trusted components in enterprise environments—becomes the weakest link.
QR Codes and the Expansion of the Attack Surface
Another variation of this evolving threat involves QR codes embedded in seemingly legitimate documents. This technique, often called “quishing,” shifts the attack from desktops to mobile devices.
An employee receives a polished PDF—perhaps an HR document or compliance guide. It looks authentic, reads well, and builds credibility. Then, at the end, it asks the user to scan a QR code for more information.
That scan leads to a phishing site.
Because the destination URL is encoded in an image rather than written as a link, it passes through many email filters that only inspect hyperlinks. On mobile devices, where users are less likely to scrutinize the address bar, the success rate increases dramatically.
This approach represents another subtle supply chain attack example: attackers are exploiting trusted communication formats—PDFs, QR codes, and mobile workflows—to deliver malicious payloads without triggering alarms.
Adversary-in-the-Middle: The New Credential Theft
Credential harvesting has also evolved. Instead of simply collecting usernames and passwords, attackers now position themselves between the user and the legitimate service.
This adversary-in-the-middle (AITM) technique allows them to intercept:
Login credentials
Multi-factor authentication (MFA) codes
Session tokens
In effect, they don’t just log in—they become the user.
This is particularly damaging in enterprise environments where MFA was once considered a strong defense. One-time codes and push approvals can be relayed by the proxy in real time; only phishing-resistant methods such as FIDO2/WebAuthn, whose assertions are bound to the origin the browser actually visited, hold up against this relay. It highlights a critical gap in how to prevent supply chain attacks: focusing solely on authentication is no longer enough. Continuous verification and behavioral monitoring are now essential.
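To make the origin-binding point concrete, here is an added example (editor-supplied, not from the original post) that simulates a relying party verifying a WebAuthn-style assertion and shows why an assertion produced through an AiTM proxy at a lookalike domain is rejected, and why a replayed assertion is rejected too, while a relayed one-time code would carry no such binding. It assumes hypothetical domains (login.example.com for the real site, login.example-com.evil for the proxy) and uses an HMAC as a stand-in for the authenticator’s real asymmetric signature so that it runs with the standard library alone; the origin, rpIdHash and single-use-challenge checks are the actual WebAuthn rules.

```python
"""Origin-bound assertions vs. an adversary-in-the-middle proxy.

Added example, not part of the original post. HMAC stands in for the
authenticator's private-key signature (a real relying party verifies with
the credential's registered public key). Domains are hypothetical.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                              # hypothetical relying party
ALLOWED_ORIGINS = {"https://login.example.com"}    # the only origin the RP trusts
AUTHENTICATOR_KEY = secrets.token_bytes(32)        # stand-in for the private key


def rp_id_hash(rp_id: str) -> bytes:
    # WebAuthn authenticatorData starts with SHA-256(rpId)
    return hashlib.sha256(rp_id.encode()).digest()


def authenticator_sign(challenge: str, origin: str) -> dict:
    """What browser + authenticator emit. The *browser* writes `origin` into
    clientDataJSON from the page's actual URL; page script cannot override it.
    (A real browser would also refuse rpId=example.com from an unrelated
    origin before ever touching the authenticator; the RP check below is the
    second line of defense.)"""
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        separators=(",", ":"),
    ).encode()
    auth_data = rp_id_hash(RP_ID) + b"\x01" + (0).to_bytes(4, "big")  # flags(UP) + signCount
    sig = hmac.new(AUTHENTICATOR_KEY, auth_data + hashlib.sha256(client_data).digest(),
                   hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}


class RelyingParty:
    def __init__(self) -> None:
        self.pending: set[str] = set()

    def new_challenge(self) -> str:
        c = secrets.token_urlsafe(32)
        self.pending.add(c)
        return c

    def verify(self, assertion: dict) -> tuple[bool, str]:
        cd = json.loads(assertion["client_data"])
        if cd.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if cd.get("challenge") not in self.pending:
            return False, "unknown or replayed challenge"
        if cd.get("origin") not in ALLOWED_ORIGINS:
            return False, f"origin mismatch: {cd.get('origin')}"
        if assertion["auth_data"][:32] != rp_id_hash(RP_ID):
            return False, "rpIdHash mismatch"
        expected = hmac.new(AUTHENTICATOR_KEY,
                            assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False, "bad signature"
        self.pending.discard(cd["challenge"])   # challenges are single use
        return True, "ok"


def legitimate_login(rp: RelyingParty) -> tuple[bool, str]:
    ch = rp.new_challenge()
    return rp.verify(authenticator_sign(ch, "https://login.example.com"))


def aitm_login(rp: RelyingParty) -> tuple[bool, str]:
    """Proxy fetches a real challenge, serves the victim a cloned page on its
    own domain, and forwards whatever the victim's browser produces."""
    ch = rp.new_challenge()
    captured = authenticator_sign(ch, "https://login.example-com.evil")  # hypothetical phishing origin
    return rp.verify(captured)   # signature is genuine, origin is not


def replay_login(rp: RelyingParty) -> tuple[bool, str]:
    """An assertion captured off the wire is dead after first use."""
    ch = rp.new_challenge()
    assertion = authenticator_sign(ch, "https://login.example.com")
    rp.verify(assertion)
    return rp.verify(assertion)


def relayed_otp(code_typed_by_victim: str, code_expected: str) -> bool:
    """Contrast: a one-time code has no origin or challenge bound into it, so
    the proxy simply types it into the real site."""
    return hmac.compare_digest(code_typed_by_victim, code_expected)


if __name__ == "__main__":
    rp = RelyingParty()
    print("legitimate:", legitimate_login(rp))
    print("via AiTM  :", aitm_login(rp))
    print("replayed  :", replay_login(rp))
    print("OTP relay :", relayed_otp("482913", "482913"))
```

The contrast is the whole lesson: the relayed OTP succeeds because nothing in a six-digit code says where it was typed, while the origin and challenge baked into the WebAuthn client data let the server refuse both the proxied and the replayed assertion without any behavioral heuristics.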
Why These Attacks Work
What makes these campaigns effective isn’t just technical sophistication—it’s psychological alignment. Every step mimics something users already trust:
Identity verification flows
Corporate documents
QR-based access to resources
Familiar login interfaces
Attackers are not introducing new behaviors; they are blending into existing ones.
This is why traditional defenses struggle. Security tools are designed to detect anomalies, but these attacks look normal—because they are built on legitimate features.
Rethinking Defense: From Perimeter to Context
Defending against this new class of software supply chain attack requires a shift in mindset. Organizations must move beyond perimeter-based security and adopt a context-driven approach.
Behavioral monitoring: Detect unusual patterns in device usage and data access
Zero Trust architecture: Continuously verify users, devices, and sessions
User awareness: Train employees to question permission requests, not just links
Understanding how to prevent supply chain attacks now means recognizing that the “supply chain” includes user interactions, browser capabilities, and third-party workflows—not just software dependencies.
Strengthening Endpoint Resilience with Cyble Titan
As attackers exploit trusted access points, endpoint visibility becomes critical. This is where platforms like Cyble Titan play a strategic role.
Cyble Titan is designed to go beyond traditional endpoint protection. It brings together real-time telemetry, threat intelligence, and automated response into a unified platform. Rather than relying on static rules, it continuously analyzes behavior across endpoints, detecting subtle anomalies that indicate misuse of legitimate tools.
Key strengths include:
Real-time visibility: Deep insights into processes, file activity, and user behavior
Intelligence-driven detection: Integration with threat intelligence for contextual awareness
Automated response: Rapid containment to reduce attacker dwell time
Cross-platform coverage: Windows, Linux, and macOS environments
In the context of supply chain cybersecurity, this level of visibility is essential. When attacks don’t “break in” but instead operate within trusted boundaries, detection depends on understanding what shouldn’t be happening, even if it looks normal on the surface.
Trust Is the New Attack Surface
The definition of a breach is changing. It’s no longer about unauthorized access—it’s about unauthorized use of authorized access.
These emerging supply chain attack examples demonstrate that attackers are adapting faster than traditional defenses. They are leveraging trust, not bypassing it. And that makes them harder to detect, harder to prevent, and potentially more damaging.
Organizations that want to stay ahead must rethink how to prevent supply chain attacks. That means focusing on context, behavior, and continuous verification—not just barriers.
Ready to see how modern endpoint security can close these gaps? Explore Cyble Titan and experience a more intelligent approach to defending against today’s most deceptive threats.
Request a demo and evaluate how real-time visibility and AI-driven detection can strengthen your security posture from the inside out.
Trellix, the global cybersecurity firm formed from the merger of McAfee Enterprise and FireEye, has confirmed unauthorized access to a portion of its source code repository, with the RansomHouse ransomware group formally claiming responsibility for the attack.
Trellix reported a data breach involving unauthorized access to a portion of its source code repository, which was disclosed publicly around May 2, 2026.
Upon discovering the intrusion, Trellix immediately engaged leading forensic experts to investigate and has notified law enforcement authorities.
In an official statement published on its website, the company said: “Based on our investigation to date, we have found no evidence that our source code release or distribution process was affected, or that our source code has been exploited”.
The RansomHouse ransomware group formally named Trellix on its dark web leak site, claiming the compromise occurred on April 17, 2026.
The group published multiple screenshots reportedly demonstrating access to Trellix’s internal services and management dashboards, though they have not specified the volume of data exfiltrated or its nature.
Notably, RansomHouse listed the breach status as “Evidence Depends on You,” a hallmark tactic used to pressure victims into negotiations before releasing stolen data publicly.
RansomHouse is a sophisticated ransomware-as-a-service (RaaS) group known for deploying a unique ransomware variant called Mario ESXi, whose code shares lineage with the leaked Babuk ransomware source code, alongside a tool called MrAgent to target both Windows and Linux-based virtualized environments.
The group typically targets VMware ESXi infrastructure and exploits weak domain credentials and monitoring systems to gain privileged access.
RansomHouse distinguishes itself by positioning itself as a “professional mediator community,” often seeking payment for data deletion rather than decryption.
The full extent of the data exposure remains unspecified, and Trellix has not confirmed whether corporate or customer data beyond source code was accessed.
Preliminary investigations indicate no evidence that the software distribution pipeline or customer-facing products were tampered with.
The incident highlights the growing trend of ransomware groups targeting cybersecurity vendors themselves, organizations whose proprietary source code, if weaponized, could have far-reaching consequences for enterprise defenses globally.
In this weekly roundup from The Cyber Express, the global cybersecurity landscape continues to show rapid and uneven change, shaped by both regulatory shifts and escalating cyber threats. Governments are tightening oversight of new technologies such as artificial intelligence, while threat actors are simultaneously refining their techniques to exploit businesses, infrastructure, and end users across multiple platforms.
This edition of cybersecurity news brings together some of the most important developments of the week, ranging from significant amendments to the European Union’s AI Act to the expansion of malware campaigns into macOS environments and the discovery of a critical vulnerability in widely used enterprise firewall software. It also covers major sentencing in a global ransomware case and a fresh warning from the FBI about the growing scale of cyber-enabled cargo theft targeting logistics and supply chain organizations.
The Cyber Express Weekly Roundup
EU Updates AI Act with Simpler Rules and New AI Content Bans
In a significant regulatory update, the European Union has agreed to revise parts of the EU AI Act. The updated framework aims to simplify compliance requirements for businesses while simultaneously introducing stricter restrictions on harmful AI-generated content. Read more...
ClickFix Malware Campaign Expands to macOS
Another key development is the expansion of the ClickFix malware campaign beyond Windows systems. Security researchers at Microsoft have confirmed that the operation is now targeting macOS users using deceptive troubleshooting content. Read more...
Critical Vulnerability Disclosed in Palo Alto Networks PAN-OS
A critical security flaw has been identified in Palo Alto Networks’ PAN-OS firewall software. Tracked as CVE-2026-0300, the vulnerability carries a CVSS score of 9.3, indicating severe risk. The issue originates from a buffer overflow vulnerability in the User-ID Authentication Portal. Read more...
Latvian Cybercriminal Sentenced in Global Ransomware Case
Latvian national Deniss Zolotarjovs has been sentenced to 102 months in prison for his role in a large-scale ransomware operation. According to the U.S. Department of Justice, the group operated under multiple ransomware brands, including Conti, Royal, Akira, and Karakurt. Between 2021 and 2023, the organization carried out attacks against more than 54 companies worldwide, using data theft and encryption-based extortion tactics to pressure victims into paying ransom demands. Read more...
FBI Warns of Rising Cyber-Enabled Cargo Theft
The FBI has issued an alert regarding a sharp rise in cyber-enabled cargo theft. Criminal actors are using impersonation techniques to pose as legitimate logistics providers, allowing them to intercept and redirect freight shipments. The agency noted that logistics, shipping, and insurance companies have been targeted since at least 2024. Read more...
Weekly Takeaway
This week’s The Cyber Express weekly roundup highlights the growing convergence of regulatory change, advanced malware threats, critical infrastructure vulnerabilities, ransomware enforcement actions, and supply chain fraud. As the global cybersecurity landscape continues to evolve, organizations across all sectors remain under increasing pressure to strengthen defenses and adapt to emerging risks.
A major QLearn cybersecurity incident has affected thousands of educational institutions globally, including Queensland state schools and universities, after a cyber breach involving third-party education technology provider Instructure exposed personal information linked to students and staff.
Queensland Education Minister John-Paul Langbroek confirmed the incident in an official statement, saying the Queensland Department of Education was briefed about the international cybersecurity breach involving Instructure, the provider behind the Department’s online learning platform, QLearn.
According to early assessments, the breach may affect more than 200 million people and over 9,000 institutions worldwide, making it one of the largest education-sector cybersecurity incidents disclosed this year.
The Department of Education said students and staff who have worked or studied at Education Queensland schools since 2020 may have been affected by the QLearn cybersecurity incident.
Authorities stated that compromised information currently appears limited to names, email addresses, and school locations. Officials added there is currently no evidence that passwords, dates of birth, or financial information were accessed during the breach.
The online learning platform QLearn was introduced in Queensland schools in 2020 under the previous government and has since become a widely used digital education system across the state.
Minister Langbroek said school principals have already begun contacting affected families and teachers to notify them about the breach and provide further guidance.
“This morning I have been briefed by the Department of Education about an international cybersecurity breach involving a third-party provider, Instructure, which delivers the Department’s online learning platform, QLearn,” Langbroek said in the statement.
Instructure Data Breach Raises Concerns Across Education Sector
The QLearn cybersecurity incident has once again highlighted the growing cybersecurity risks facing the global education sector, particularly as schools and universities continue relying heavily on third-party digital learning platforms.
Because the breach involves Instructure, a provider serving institutions across multiple countries, the incident extends far beyond Queensland. Authorities indicated that educational institutions across Australia and overseas are also impacted.
While officials stressed that no sensitive financial or authentication data has been identified as compromised so far, cybersecurity experts often warn that exposed personal information such as names and email addresses can still be valuable to cybercriminals.
Threat actors frequently use this type of information in phishing campaigns, identity-based scams, and social engineering attacks targeting students, parents, and school employees.
The Department of Education has not publicly disclosed how the cybersecurity breach occurred or whether any ransomware or unauthorized network access was involved. Investigations into the incident are ongoing.
Queensland Department Prioritizes Support for Vulnerable Families
In response to the QLearn cybersecurity incident, the Queensland Department of Education said it is prioritizing support for vulnerable individuals and families potentially affected by the breach.
According to the Minister’s statement, the Department is providing priority assistance to families and teachers with known family and domestic violence concerns, as well as individuals connected to Child Safety services.
The additional support measures appear aimed at reducing potential risks associated with the exposure of school-related location information and contact details.
Government agencies increasingly recognize that cybersecurity incidents affecting education systems can carry broader safety implications, especially for vulnerable groups whose personal or location-related information may require additional protection.
Global Education Sector Continues Facing Cybersecurity Threats
The QLearn cybersecurity incident adds to a growing list of cyberattacks and data breaches targeting educational institutions worldwide. Schools, universities, and online learning providers have become frequent targets due to the large amount of personal information they manage and the widespread use of interconnected digital platforms.
Education systems often rely on multiple third-party vendors for online learning, communications, and student management services, increasing the potential attack surface for cybercriminals.
The Queensland Department of Education said it will continue updating the public as more information becomes available from the ongoing investigation into the breach.
At this stage, authorities have not advised affected individuals to reset passwords or take additional security measures, though officials are continuing to assess the full scope and impact of the incident.
The investigation into the Instructure-related breach remains active as educational institutions worldwide work to determine the extent of the exposure and any potential long-term cybersecurity implications.
Hackers stole data of 119,000 Vimeo users in April. The breach, linked to a third‑party vendor, exposed personal details.
Vimeo confirmed a data breach after the ShinyHunters gang stole personal information of 119,000 users in April 2026. According to Have I Been Pwned, the attackers accessed user data through a compromise at Anodot, a third‑party analytics vendor.
“In April 2026, the ShinyHunters extortion group listed Vimeo on their extortion portal as part of their ‘pay or leak’ campaign. They subsequently published hundreds of gigabytes of data, predominantly consisting of video titles, technical data and metadata.” reported Have I Been Pwned. “The data also included 119k unique email addresses, sometimes accompanied by names. Vimeo attributed the exposure to a breach of Anodot, a third-party analytics vendor, and advised the incident does not include ‘Vimeo video content, valid user login credentials, or payment card information’.”
Vimeo confirmed that the security incident is linked to a breach at Anodot. An unauthorized actor accessed some Vimeo user and customer data, mainly technical information, video titles, metadata, and in some cases email addresses.
“Vimeo is aware of a security incident affecting Anodot, a third-party analytics vendor used by Vimeo and many other companies. The Google Threat Intelligence report associated with the unauthorized actor claiming responsibility for the Anodot incident can be found at this link.” reads the notice on the security incident published by the company. “We have identified that, as a result of the Anodot breach, an unauthorized actor accessed certain Vimeo user and customer data. Our initial findings suggest that the databases accessed primarily contain technical data, video titles and metadata, and, in some cases, customer email addresses.”
The company said no video content, login credentials, or payment data were exposed, and services were not disrupted. In response, Vimeo disabled Anodot access, removed the integration, engaged external security experts, and notified law enforcement.
The investigation is still ongoing, and updates will be shared as more details emerge.
After Vimeo’s disclosure, the ShinyHunters cybercrime group leaked a 106GB archive of stolen documents on its Tor data leak site.
ShinyHunters is a well-known name in the cybercriminal ecosystem. The group is associated with a broader loosely connected network often referred to as “the Com,” made up largely of young, English-speaking individuals. Their operations typically focus on stealing data from large organizations and using leak sites to pressure victims into paying ransoms in cryptocurrency.
ShinyHunters has recently targeted major companies and organizations, leaking data when ransom demands fail. Victims include the European Commission, Odido, Figure, Canada Goose, Rockstar, and SoundCloud. The group primarily uses social engineering, especially voice phishing, to steal credentials and access SaaS platforms like Salesforce, Okta, and Microsoft 365.
In a significant supply chain security incident, the popular video hosting platform Vimeo has confirmed a data breach that exposed user information.
Discovered in April 2026, the breach exposed 119,000 unique email addresses and other metadata.
The incident highlights the growing risks associated with third-party service providers, as the compromise did not occur directly on Vimeo’s infrastructure but rather through an analytics vendor.
The notorious extortion group known as ShinyHunters claimed responsibility for the attack.
ShinyHunters Breach Claim
They added Vimeo to their public extortion portal as part of an aggressive “pay or leak” campaign.
Following the initial threat, the threat actors published hundreds of gigabytes of stolen data online.
Google Threat Intelligence has also released a report detailing the expansion of ShinyHunters’ software-as-a-service data theft operations, directly associating the threat group with this specific vendor compromise.
Vimeo Data Breach
While the sheer volume of leaked data is massive, the contents primarily consist of technical records rather than highly sensitive financial information.
The exposed databases contained video titles, system metadata, and technical logs.
However, the most concerning aspect for users is the exposure of 119,000 unique email addresses, which were sometimes accompanied by user names.
Cybercriminals frequently use this type of personal information to launch targeted phishing campaigns or credential stuffing attacks across other platforms.
Vimeo has stepped forward to reassure its user base regarding the limitations of the breach.
According to their official security advisory, the unauthorized access did not compromise actual Vimeo video content.
Furthermore, the company confirmed that valid user login credentials, passwords, and payment card information remain entirely secure.
The incident also did not disrupt Vimeo’s core systems or daily hosting services, meaning platform operations continue to function normally without interruption.
The root cause of the data exposure stems from Anodot, a third-party analytics vendor used by Vimeo and several other organizations.
The threat actors breached Anodot’s systems, gaining unauthorized access to specific Vimeo customer data stored in the analytics environment.
This indirect compromise underscores the critical importance of monitoring vendor security and managing data access permissions within integrated enterprise supply chains.
Upon discovering the unauthorized access, Vimeo’s security team immediately initiated its incident response protocols.
The company promptly revoked all Anodot credentials and completely removed the vendor’s integration from Vimeo’s internal systems to prevent further data exfiltration.
Additionally, Vimeo engaged external third-party cybersecurity experts to assist with a comprehensive forensic investigation.
The company has also notified relevant law enforcement agencies and stated that it will continue to monitor the situation and update users as the ongoing investigation progresses.
Even though passwords were not exposed, individuals should remain highly vigilant against incoming communications.
Threat actors often leverage exposed names and email addresses to craft highly convincing phishing messages designed to steal passwords or deploy malware.
Users are encouraged to use a reputable password manager to generate and store strong, unique passwords for all their online accounts, ensuring that a breach on one platform does not compromise another.
Instructure, maker of the Canvas learning platform, is investigating a cyber incident that exposed users’ personal data.
Instructure is a U.S.-based educational technology company best known for developing Canvas, one of the world’s most widely used learning management systems (LMS).
The U.S. firm confirmed a cybersecurity incident that exposed users’ personal information. The company is working with external cybersecurity experts and law enforcement to investigate the breach. Canvas is widely used by schools and universities to manage courses, assignments, and online learning, raising concerns about student and staff data security.
The company says the security incident appears to be contained while investigations continue. Instructure revoked privileged credentials and access tokens, deployed security patches, rotated some keys as a precaution, and increased monitoring across systems.
“Out of an abundance of caution, we rotated certain keys, even though there is no evidence they were misused – Implemented increased monitoring across all platforms.” reads the Incident Report. “While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.”
So far, the exposed data likely includes user identifiers such as names, email addresses, student ID numbers, and some user messages. The company states that there is currently no evidence that passwords, dates of birth, government IDs, or financial data were affected.
The educational technology firm continues to monitor the situation and will notify institutions if new findings emerge, while updating its status page and working to strengthen system security.
Instructure did not share details about the attack; however, the ShinyHunters extortion group claimed responsibility for it and added the company to its Tor data leak site.
“Nearly 9,000 schools worldwide affected. 275 million individuals data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved. Pay or Leak.” the group wrote on its leak site. “This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.” reads the data leak site.
An anti-ICE website, GTFO ICE, linked to Miles Taylor, is accused of exposing the personal details of 17,662 activists, sparking concerns that the data may have reached government agencies.