Major Data Breaches
Canvas (Instructure) Data Breach Disrupts Education Sector
The education technology giant Instructure, operator of the Canvas learning management system, suffered a significant data breach on May 7, 2026. The ShinyHunters cybercrime group claimed responsibility, gaining unauthorized access and causing widespread outages during the critical final exam period for schools and universities across the United States and internationally. The breach affected nearly 9,000 educational institutions, with the attackers claiming to have compromised data on up to 275 million users, including students, teachers, and staff. Exposed information includes names, email addresses, student ID numbers, and private messages between students and teachers. While Instructure reported that no additional data was accessed in the May 7 incident beyond what was compromised in a previous breach on April 29, the attackers were able to deface login pages and post extortion messages, demanding negotiations by May 12. The incident forced some institutions, such as Pennsylvania State University, to cancel exams and extend assignment deadlines, highlighting the operational impact of the attack. Experts have called this breach a wake-up call for the education sector, emphasizing the need for stronger data protection and incident response capabilities [1][2][3].
Cushman & Wakefield Salesforce Data Breach
Global real estate services firm Cushman & Wakefield confirmed a vishing-related security breach after both the ShinyHunters and Qilin ransomware groups listed the company on their dark web leak sites. ShinyHunters claimed to have stolen over 500,000 Salesforce records containing personally identifiable information (PII) and internal corporate data. The company responded by activating incident response protocols and engaging third-party experts, but has not confirmed the full extent of the data theft. The attackers issued a ransom demand with a deadline of May 6, threatening to leak the data if not paid. This incident is part of a broader campaign by ShinyHunters targeting Salesforce and other cloud-based platforms [4].
Significant Cyberattacks
Trellix Source Code Breach
Cybersecurity company Trellix reported a breach of its source code repository. While there is no immediate evidence that the code has been exploited or released, the attackers’ access to the source code could potentially allow them to identify weaknesses in Trellix’s security solutions. The company has engaged its incident response protocols and is investigating the full extent of the breach [5][2].
Port of Fujairah Cyberattack
A hacker group claimed responsibility for a major cyberattack targeting the Port of Fujairah in the United Arab Emirates, allegedly obtaining hundreds of thousands of records. Details on the attack vector and the impact on port operations remain limited, and the claim is still under investigation [6].
Critical Vulnerabilities
cPanel & WHM Authentication Bypass (CVE-2026-41940)
A critical authentication bypass vulnerability (CVSS 9.8) in cPanel & WHM, tracked as CVE-2026-41940, has been actively exploited since at least February 2026. The flaw allows attackers to inject arbitrary credentials and gain root access, leading to mass deployment of the “SORRY” ransomware and Mirai botnet malware. Over 1.5 million internet-accessible cPanel instances are potentially exposed, with at least 44,000 compromised IPs reported. Administrators are urged to patch immediately, rotate all credentials, and audit for persistence mechanisms [7][8].
MOVEit Automation Vulnerabilities (CVE-2026-4670, CVE-2026-5174)
Progress Software released patches for two critical vulnerabilities in MOVEit Automation, a widely used managed file transfer solution. CVE-2026-4670 (CVSS 9.8) allows authentication bypass, while CVE-2026-5174 (CVSS 7.7) enables privilege escalation. Exploitation could result in unauthorized access, administrative control, and data exposure. No workarounds are available; immediate patching is required [9].
Windows Shell Zero-Click NTLM Hash Leak (CVE-2026-32202)
A high-severity vulnerability in Windows Shell, CVE-2026-32202, is being actively exploited by the Russian APT28 group. The flaw allows attackers to coerce NTLM authentication and steal credential hashes without user interaction, enabling pass-the-hash attacks. Microsoft has released patches, and organizations are advised to disable NTLM where possible and monitor for anomalous authentication attempts [7][8].
Other Notable Vulnerabilities
- Apache HTTP Server (CVE-2026-23918): Double-free and possible remote code execution bug in the HTTP/2 protocol, patched in version 2.4.67 [10].
- Node.js vm2 Sandbox (CVE-2026-26956): Critical sandbox escape vulnerability allowing arbitrary code execution on hosts [11].
Government Responses
CISA Adds New Vulnerabilities to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added several new vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog, including the cPanel authentication bypass and Windows Shell NTLM hash leak. Federal agencies were given strict remediation deadlines, and CISA issued multiple alerts throughout the week, emphasizing the urgency of patching these actively exploited flaws [12].
Miscellaneous
Cybersecurity Conferences
The week saw a series of international cybersecurity conferences, including the World Conference on Cyber Security and Ethical Hacking (WCCSEH) in Da Nang, Vietnam, and Larissa, Greece, as well as the International Conference on Cyber Security and Cloud Computing (ICCSCC) in multiple locations worldwide on May 9, 2026. These events focused on emerging threats, cloud security, and the integration of AI in cybersecurity defense [13].
Industry Trends
The RSA Conference 2026 continued to be a focal point for industry leaders, with discussions centering on AI-driven security, agentic risk, and the convergence of compliance, resilience, and digital trust. Executives highlighted the need for practical, scalable approaches to securing AI systems and managing regulatory complexity [14].
Sources:
- Cybersecurity Dive
- SharkStriker May 2026 Data Breaches
- Cybernews: Cushman & Wakefield Breach
- TechCrunch: Instructure Breach
- The Hacker News: MOVEit Automation
- Carthage Electronics: Zero-Day Threat Report
- SecurityWeek: Apache HTTP Server
- BleepingComputer: vm2 Sandbox Bug
- CISA Cybersecurity Alerts
- AllConferenceAlert: May 2026 Conferences
- Cybersecurity Ventures: RSAC 2026
This week’s events underscore the persistent and evolving nature of cyber threats, the critical importance of timely patching, and the need for robust incident response and cross-sector collaboration. Stay vigilant and ensure your organization is up to date with the latest advisories and best practices.
