Lead Story | CRITICAL — CONFIRMED BREACH | Enterprise · IT Ops
ShinyHunters Breach 275 Million Instructure Canvas Records — Eight Canadian Universities Confirmed in Scope
ShinyHunters exfiltrated 3.65TB from Instructure’s Canvas LMS, with eight confirmed Canadian post-secondary institutions among the 8,800 affected globally. Mandatory breach notification obligations under applicable provincial privacy legislation are now triggered for each. Ransom agreements offer no data deletion guarantee — treat affected records as compromised.
ShinyHunters breached Instructure’s Canvas learning management platform, exfiltrating 275 million records from roughly 8,800 institutions globally — student email addresses, usernames, student numbers, course enrolments, and internal messages. Eight Canadian post-secondary institutions are confirmed in scope: the University of Toronto, UBC, SFU, the University of Alberta, Western University (Ivey), OCAD, Mohawk College, and Ontario Tech. Mandatory breach notification obligations apply to each under applicable provincial privacy legislation — FIPPA in Ontario and BC, FOIP in Alberta.
Instructure reached an agreement with ShinyHunters before a May 12 extortion deadline, claiming the data was returned with deletion logs provided. Confirmation that the data was not copied or shared downstream is impossible. A second defacement wave hit 330 institutions on May 7 in the lead-up to the deadline. Any organization affiliated with Canvas — as a direct institution, consortium member, or contracted training provider — should confirm with Instructure whether their data was in scope and activate breach response protocols. Bleeping Computer → CBC (Ontario) → CBC (BC) → CBC (Alberta) →
Key Takeaway: If your organization is affiliated with Instructure Canvas — including partner institutions, workforce training programmes, or shared-services contracts — confirm with your privacy or legal team whether your data was in scope. For the eight named Canadian institutions, contact your applicable provincial Information and Privacy Commissioner as soon as your real-risk-of-significant-harm assessment is complete — provincial breach notification obligations are triggered once that threshold is crossed.
Quick Hits
01
MuddyWater Deploys Chaos Ransomware as Cover While the Real Attack Is Credential Theft
Rapid7 attributes a Microsoft Teams vishing campaign to Iran’s MuddyWater (Mango Sandstorm): targets are flooded with email, then called by attackers posing as IT help desk staff who use screen-sharing sessions to harvest credentials and disable MFA — with Chaos ransomware deployed afterward to make the intrusion look like opportunistic RaaS rather than state espionage. Government, defence, telecoms, and critical infrastructure teams should treat any unsolicited Teams call from “IT support” as a social engineering attempt and require out-of-band identity verification before sharing any screen or credentials. The Hacker News → SecurityWeek →
High — Confirmed Active Campaign | Enterprise
02
Exim “Dead.Letter” Flaw Opens GnuTLS Mail Servers to Unauthenticated RCE — Upgrade to 4.99.3
CVE-2026-45185 is a use-after-free in Exim’s BDAT message handling on GnuTLS-compiled builds (versions 4.97 through 4.99.2): an attacker sending a TLS close_notify alert mid-transfer can corrupt heap memory, enabling unauthenticated remote code execution on the mail server process. Discovered by XBOW Security Lab and reported May 1, 2026. A patch is available in Exim 4.99.3; OpenSSL builds are not affected. If your organization runs Exim with GnuTLS — common on Debian-family Linux distributions — confirm with your infrastructure team that the upgrade is scheduled. The Hacker News → XBOW Research →
High — Patch Available | IT Ops · Cloud+DevOps
CVE Watch
Patch of the Day
CVE-2026-2256 | HIGH — No Patch Available
MS-Agent AI Framework Shell Injection — Two Months Since Disclosure, No Vendor Response, No Fix
CVE-2026-2256 is an unpatched shell injection in MS-Agent, an enterprise AI agent framework used in development environments. Crafted content fed through any data source the agent processes — a prompt, document, or log file — triggers arbitrary OS command execution with the framework’s full process privileges. The root cause is a regex-based blacklist used to filter dangerous commands — a known-unsafe pattern that is trivially bypassed. More than two months after disclosure, no patch exists and CERT/CC has received no vendor response. Teams deploying MS-Agent should isolate it from production credentials and systems until a fix is available. SecurityWeek →
Vendor: ModelScope — MS-Agent framework · Disclosed: March 2, 2026 · CVSS: 9.8 (researcher) / 6.5 CISA-ADP — NVD pending · CISA KEV: Not listed · Exploited: No active exploitation confirmed — full host compromise path documented, PoC described
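The root-cause pattern named above, a regex blacklist standing between untrusted content and a shell, contrasted with the design a defender would want instead: a closed allowlist of programs and flags, validated as an argv list and executed with no shell at all. This is an added illustrative example, not MS-Agent's or ModelScope's code; the tool names, the argument policy, and the helper functions (`build_argv`, `is_safe`, `run_tool`) are assumptions chosen for the illustration.

```python
import re
import shlex
import subprocess

# Weak design (hypothetical, modelled on the class of defect described): a regex
# blacklist of "dangerous" words in front of shell=True. Anything the regex author
# did not think of still reaches the shell, and metacharacters are not addressed.
BLACKLIST = re.compile(r"\b(rm|curl|wget|nc|bash|sh)\b")


def blacklist_allows(command: str) -> bool:
    """Returns True when the blacklist does not object. Shown only for contrast."""
    return BLACKLIST.search(command) is None


# Hardened design: a closed allowlist of programs, each with the flags it may take,
# and execution as an argv list with shell=False so no shell ever parses the input.
ALLOWED_TOOLS = {
    "ls": {"-l", "-a"},
    "cat": set(),
    "wc": {"-l", "-c"},
}
# Positional arguments may only be plain relative paths: no leading "/", no metacharacters.
SAFE_PATH = re.compile(r"[A-Za-z0-9._-]+(?:/[A-Za-z0-9._-]+)*")


def build_argv(command: str) -> list[str]:
    """Validate an agent-proposed command and return it as an argv list, or raise ValueError."""
    try:
        argv = shlex.split(command)
    except ValueError as exc:  # unbalanced quotes and similar parse failures
        raise ValueError(f"unparseable command: {exc}") from exc
    if not argv:
        raise ValueError("empty command")
    prog, args = argv[0], argv[1:]
    if prog not in ALLOWED_TOOLS:
        raise ValueError(f"program not allowlisted: {prog!r}")
    for arg in args:
        if arg.startswith("-"):
            if arg not in ALLOWED_TOOLS[prog]:
                raise ValueError(f"flag not allowed for {prog}: {arg!r}")
        elif not SAFE_PATH.fullmatch(arg) or ".." in arg.split("/"):
            raise ValueError(f"unsafe positional argument: {arg!r}")
    return argv


def is_safe(command: str) -> bool:
    """Boolean wrapper around build_argv for quick policy checks."""
    try:
        build_argv(command)
        return True
    except ValueError:
        return False


def run_tool(command: str, workdir: str) -> subprocess.CompletedProcess:
    """Execute only after validation; shell=False passes argv straight to the program."""
    return subprocess.run(build_argv(command), cwd=workdir, shell=False,
                          capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    # Constructed sample inputs: the first is a legitimate tool call, the rest are
    # the kinds of content a blacklist does not catch but an allowlist rejects.
    for c in ["ls -l docs", "ls -l docs; echo injected", "cat $(id)", "wc -l ../secrets"]:
        print(f"{c!r:32} blacklist={blacklist_allows(c)!s:5} allowlist={is_safe(c)}")
```

The design point is that `build_argv` never decides what is dangerous; it only decides what is permitted, and `subprocess.run(..., shell=False)` guarantees that the validated list is what actually executes. A regex blacklist has to anticipate every way the shell could be reached, which is exactly the part that failed here.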
Compliance Tip of the Day
NIST CSF 2.0 — Govern (GV) — GV.RM-05 — Risk Management: Supplier Risk Communication
Your SaaS Vendors Hold the Data. Your Risk Register Should Reflect That.
The Canvas breach reached 8,800 institutions through a single vendor — exposing personal data none of those institutions directly controlled. NIST CSF 2.0 GV.RM-05 calls for cybersecurity risk communication channels that reach beyond internal teams to suppliers and third parties, with escalation paths and notification thresholds defined before an incident makes them necessary. Leadership ask: Confirm that your top-five SaaS platforms holding personal data — HR systems, learning management platforms, and any shared-services contracts — are mapped in your risk register with defined breach notification expectations and a documented escalation path to your privacy officer and legal team. NIST CSF 2.0 →