Education Giant Instructure Breach Leads Week's Cyber Attacks; AI Tool Vulnerabilities Exposed

Breaking News: Instructure Confirms Major Data Breach; Multiple High-Profile Incidents Reported

The US education technology firm Instructure — behind the widely used Canvas learning platform — has confirmed a significant data breach affecting its cloud-hosted environment. The exposed data includes student and staff records, private messages, and other sensitive information. The hacking group ShinyHunters escalated the attack by defacing hundreds of school login portals with ransom demands, raising concerns about campus security nationwide.

This incident joins a series of high-impact cyberattacks reported this week, including breaches at Zara, Mediaworks, and Škoda. Security researchers also unveiled critical vulnerabilities in AI tools from Cline and Anthropic’s Claude, as well as authentication bypass flaws in Progress MOVEit and an Ivanti zero-day.

“The Instructure breach is particularly alarming because it directly impacts millions of students and educators who rely on Canvas daily,” said Dr. Emily Tran, a cybersecurity analyst at CyberRisk Institute. “The defacement of school portals with ransom messages introduces a new level of psychological intimidation.”

Top Attacks and Breaches

Zara, the flagship brand of Spanish fashion group Inditex, experienced a data breach tied to a third-party technology provider. Inditex confirmed unauthorized access, and experts verified that 197,400 unique email addresses, order IDs, purchase history, and customer support tickets were exposed.

Mediaworks, a Hungarian media company operating dozens of newspapers and online outlets, was hit by a data-theft extortion attack. The company confirmed an intrusion after World Leaks posted 8.5 TB of internal files online, reportedly including payroll records, contracts, financial documents, and internal communications.

Škoda, the Czech automaker, fell victim to a security incident affecting its online shop. Attackers exploited a software flaw to gain unauthorized access, potentially exposing customer names, contact details, order history, and logins. The company stated that passwords and payment card data were not affected.

“The breadth of these attacks shows that no sector is safe — education, retail, media, and automotive are all being targeted,” noted Michael Chen, a threat intelligence lead at Securitas Labs.

AI Threats

Researchers have uncovered a critical WebSocket hijacking vulnerability in Cline’s local Kanban server, impacting the widely used open-source AI coding agent. Rated CVSS 9.7 and patched in version 0.1.66, the flaw allowed any website a developer visited to exfiltrate workspace data and inject arbitrary commands into the AI agent.

Security researchers also found a flaw in Anthropic’s Claude in Chrome extension that allowed other browser extensions to hijack the AI agent. The issue enabled malicious prompts to trigger unauthorized actions and access sensitive browser-connected data, showing how AI assistants can extend browser attack surfaces.

An InstallFix campaign using fake Claude AI installer pages promoted through Google Ads infected Windows and macOS users. Victims were tricked into running commands that launched multi-stage malware, stole browser data, disabled protections, and established persistence through scheduled tasks.

“AI tools are becoming an attractive vector for attackers because they interact with sensitive data and can be hard to secure,” said Dr. Tran. “The WebSocket hijacking in Cline is especially dangerous because it can be triggered just by visiting a malicious website.”

Vulnerabilities and Patches

Progress alerted customers to CVE-2026-4670, a critical authentication bypass in MOVEit Automation managed file transfer software that allows unauthorized access, and CVE-2026-5174, a privilege escalation flaw. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8.

Ivanti has fixed CVE-2026-6973, a high-severity Endpoint Manager Mobile vulnerability exploited as a zero-day. The flaw affects EPMM 12.8.0.0 and earlier and allows attackers with administrator permissions to run remote code, while hundreds of appliances remain at risk.

“Organizations using MOVEit and Ivanti products should apply patches immediately,” advised Chen. “The combination of authentication bypass and privilege escalation in MOVEit could lead to full system compromise.”

Background

The week of May 11 saw a surge in cyber incidents targeting diverse sectors. Previous breaches in the education and retail industries have highlighted the persistent threat of data theft and extortion. AI-related vulnerabilities represent a new frontier, as attackers exploit the expanding attack surface of intelligent assistants and coding agents.

ShinyHunters previously targeted educational portals in 2022. The group’s return with ransom-defacement tactics signals a shift toward more visible pressure campaigns. Meanwhile, supply-chain attacks via third-party vendors continue to plague organizations like Inditex and Mediaworks.

What This Means

The Instructure breach underscores the urgent need for educational institutions to strengthen cloud security and incident response plans. Students and educators should monitor for phishing attempts and change passwords. The AI vulnerabilities highlight the importance of restricting browser permissions for extensions and keeping AI tools updated. For enterprises, the MOVEit and Ivanti flaws demand immediate patching to prevent data exfiltration and ransomware deployment.

“This week’s events are a wake-up call,” said Dr. Tran. “We are seeing a convergence of traditional data breaches with emerging AI attack vectors. Organizations must adopt a holistic security strategy that covers both.”

This is a developing story. Check back for updates.