Week 19

SecureFact – May 11, 2026

Education platforms, cybersecurity vendors, and global retailers face large-scale data breaches exposing millions of user records worldwide.

Instructure confirms data breach, ShinyHunters claims attack

Instructure confirmed that personal information of users was stolen in a cyberattack, with the ShinyHunters extortion gang claiming responsibility. The breach exposed identifying information including names, email addresses, and student ID numbers, as well as private messages among users. ShinyHunters claimed that nearly 9,000 schools worldwide were affected, with the data of approximately 275 million individuals compromised, including students, teachers, and other staff, and containing personally identifiable information (PII). The stolen data allegedly includes several billion private messages among students and teachers containing personal conversations and other PII. Instructure deployed patches, increased monitoring, and rotated application keys as precautionary steps. The company required customers to re-authorize access to Instructure’s API for new application keys to be issued. Law enforcement was notified of the incident. Instructure stated that no evidence had been found, at the time of disclosure, that passwords, dates of birth, government identifiers, or financial information were involved.

Instructure hacker claims data theft from 8,800 schools, universities

The hacker behind the Instructure breach claimed to have stolen 280 million records tied to students and staff from 8,809 colleges, school districts, and online education platforms. The ShinyHunters extortion gang published a list of affected institutions, with record counts ranging from tens of thousands to several million per organization. The threat actors claimed the data was stolen using Canvas data export features, including DAP queries, provisioning reports, and user APIs, harvesting hundreds of gigabytes of user records, messages, and enrollment data. The stolen data includes user records, private messages, enrollment data, and information gathered through Canvas data export features and APIs. Multiple universities, including the University of Colorado Boulder and Rutgers, issued statements acknowledging the nationwide breach affecting multiple institutions. The data breach represents one of the largest education sector incidents, impacting K-12 schools, universities, and online education platforms across multiple geographic regions. Instructure remained largely unresponsive to media inquiries regarding specific details of the incident and notification plans for affected students and staff.

Trellix source code breach claimed by RansomHouse hackers

The attack on Trellix’s source code repository was claimed by the RansomHouse threat group, which leaked a small set of images as proof of the intrusion. The threat actor published screenshots on their data leak site indicating access to Trellix’s appliance management system. According to the threat actor, the intrusion occurred on April 17 and resulted in data encryption, representing a ransomware attack with data exfiltration. Trellix is an international cybersecurity firm with global Fortune 100 customers, more than 53,000 customers in 185 countries, and 3,500 employees. The company confirmed the breach and stated it was investigating the incident with leading forensic experts and law enforcement. Trellix found no evidence that source code release or distribution processes were affected or that source code had been exploited. RansomHouse is a cybercrime group that operates as a data-extortion operation, listing victims on a dark web portal and leaking or selling stolen data. The group has advanced encryption utilities including ‘Mario’ (dual-encryption) and ‘MrAgent’ (VMware ESXi automation). Trellix’s investigation remained ongoing, with the company promising to share more details once available.

NVIDIA confirms GeForce NOW data breach affecting Armenian users

NVIDIA confirmed that GeForce NOW user information was exposed in a data breach limited to Armenia, caused by a compromise of infrastructure operated by a regional partner. The company clarified that NVIDIA-operated services were not impacted and the issue was limited to systems run by a third-party GeForce NOW Alliance partner based in Armenia. The breach occurred between March 20 and 26, 2026, and exposed full names (if using a Google account), email addresses, phone numbers (if registered through a mobile operator), dates of birth, and usernames. Critically, no account passwords were exposed in the incident, and users who registered after March 9 were not impacted. The threat actor claiming responsibility (believed to be a ShinyHunters imposter) offered the full database for $100,000 in Bitcoin or Monero. GFN.am is responsible for managing GeForce NOW operations in Armenia, Azerbaijan, Georgia, Kazakhstan, Moldova, Ukraine, and Uzbekistan, though no impact on those other countries has been confirmed. NVIDIA is working closely with the partner to support investigation and resolution, with impacted users to be notified by GFN.am.

Zara data breach exposed personal information of 197,000 people

Hackers who gained access to databases of Spanish fast-fashion retailer Zara stole data belonging to more than 197,000 customers, according to data breach notification service Have I Been Pwned. The compromised databases were hosted by a former tech provider and contained information about business relationships with customers in different markets. Inditex (Zara’s parent company) confirmed that attackers did not gain access to affected customers’ names, phone numbers, addresses, credentials, or payment information such as bank cards. The ShinyHunters extortion gang claimed responsibility for the breach and leaked a 140GB archive containing documents allegedly stolen from BigQuery instances using compromised Anodot authentication tokens. Have I Been Pwned analyzed the stolen data and confirmed it exposed 197,400 unique email addresses alongside product SKUs, order IDs, and the market the support ticket originated in. The breach demonstrates the ongoing threat to retail organizations and the attackers’ ability to compromise third-party service providers. Inditex applied security protocols and notified relevant authorities, though the company has yet to disclose the name of the hacked provider or provide additional incident details.
