Saturday 9 May 2026

275 Million Students, One Breach, Zero Good Timing: The Canvas Catastrophe

ShinyHunters brings down Canvas for 9,000 schools right before finals — and the data they're holding over Instructure's head is far more sensitive than a list of email addresses.

Lead story

The timing was almost surgical. ShinyHunters — the same crew behind the 2024 Snowflake-linked mega-breaches — hit education technology giant Instructure right as US colleges were entering finals week, taking down Canvas, the learning management system used by roughly 9,000 institutions. Students arriving to submit assignments or sit online exams found the login portal defaced with a ransom demand instead.

Instructure pulled the platform offline to contain the damage, which only made things worse for the students it was supposedly protecting. Dozens of universities scrambled to postpone year-end assessments. Instructure is calling it a "cyber incident" and hasn't confirmed the full scope of what was accessed — but ShinyHunters is claiming data on 275 million students and faculty members, and they've threatened to publish it if their demands aren't met.

Here's what makes this worse than a typical extortion play. Canvas isn't just a place to submit essays. It's where institutions manage medical accommodations, disability services, sexual assault disclosures, grade disputes, and private communications between students and counsellors. The 404 Media framing — "the biggest student data privacy disaster in history" — isn't hyperbole if the claim holds up. This is Sensitive with a capital S.

What we know: ShinyHunters reportedly exploited a second vulnerability at Instructure, having already attacked the company once before. The group defaced login portals, published a ransom demand publicly, and leaked sample data as proof. CISA has not yet issued a formal advisory, but federal attention seems inevitable given the scale.

What we don't know: Whether Instructure had backups that will allow a clean recovery, exactly what data categories were exfiltrated, and whether the 275 million figure is real or ShinyHunters' usual inflation for maximum leverage.

Why it matters beyond the US. Canvas is the dominant LMS in Australian higher education — used at dozens of universities including University of Sydney, Monash, UNSW, and many others. Australian institutions should already be treating this as a potential third-party data breach notification event under the Privacy Act and the Notifiable Data Breaches scheme. If Australian student records — including sensitive support communications — are in Instructure's systems (they almost certainly are), the OAIC will want answers. The SOCI Act may also be relevant for institutions classified under critical infrastructure.

What to watch. Instructure's timeline for restoration, whether any data actually gets published (ShinyHunters has a real track record of following through), and whether any regulatory bodies in the US, EU, or Australia move against Instructure for its apparent failure to patch known vulnerabilities — this is reportedly the group's second successful breach of the same company. If that holds up, it's not just a security failure, it's a governance one.

Also today

Dirty Frag: A Linux Root Exploit With No Patch and a Broken Embargo

A new local privilege escalation vulnerability in the Linux kernel — dubbed Dirty Frag — is giving security teams a headache because it arrived with a working public proof-of-concept exploit and no patch, after someone broke the responsible disclosure embargo early. The flaw is described as a successor to Copy Fail (CVE-2026-31431), which is already being exploited in the wild. Dirty Frag affects all major Linux distributions and can be triggered with a single command to gain root privileges. Linux underpins the vast majority of Australian government, cloud, and critical infrastructure environments, making this one to treat as urgent even without a CVE assigned yet.

The Register

Poland's Water Plants Were Hacked, and the Threat Is Spreading West

Poland's internal security agency has confirmed that hackers breached industrial control systems at five separate water treatment plants, gaining the ability to modify operational parameters — the kind of access that, if misused, could contaminate or cut off public water supplies. Poland's report pins the activity on Russia as part of a broader sabotage campaign targeting civilian infrastructure. The US is reportedly facing analogous threats to its water systems. For Australia, this is a direct signal: water utilities fall under the SOCI Act's critical infrastructure framework, and ICS security in that sector has been a known weak point flagged in ACSC advisories for years.

TechCrunch

CISA Orders Feds to Patch Ivanti EPMM Zero-Day in Four Days

CISA has added a high-severity zero-day in Ivanti Endpoint Manager Mobile (EPMM) to its Known Exploited Vulnerabilities catalogue and given US federal agencies a four-day deadline to patch. The flaw, CVE-2026-6973, lets an authenticated attacker with admin privileges execute arbitrary code remotely. Ivanti has published a patch. Ivanti products have been a recurring target for nation-state actors — particularly those tied to China and Iran — over the past two years, and Australian government agencies that deploy EPMM should treat this advisory as directly applicable, given ACSC typically mirrors CISA's KEV guidance.

Bleeping Computer

Meta Quietly Kills End-to-End Encryption on Instagram DMs

After years of publicly championing end-to-end encryption as the future of private messaging, Meta has reversed course on Instagram, stripping E2EE from direct messages and restoring full visibility into user chats for the company. The decision hands Meta's moderators — and potentially law enforcement or governments — a clear view of conversations that users may have assumed were private. The move comes as governments in multiple jurisdictions, including Australia's ongoing debate over the Online Safety Act's encryption provisions, continue to pressure platforms to provide lawful access to encrypted communications. Critics argue Meta has handed those governments a template.

The Register

TCLBanker: The Banking Trojan That Spreads Itself via WhatsApp and Outlook

Elastic Security Labs has documented a previously unknown Brazilian banking trojan called TCLBanker (tracked as REF3076) that targets 59 banking, fintech, and cryptocurrency platforms. What makes it notable is its propagation method: it hijacks the victim's WhatsApp and Outlook to send copies of itself to contacts, making it a self-spreading worm as well as an infostealer. Initial infection comes via a trojanised MSI installer disguised as Logitech's AI Prompt Builder software. The malware is assessed as a significant evolution of the older Maverick trojan family. Crypto platforms targeted include several with substantial Australian user bases.

The Hacker News

Cloudflare Cuts 1,100 Jobs, Blames AI Efficiency — While Posting Record Revenue

Cloudflare announced its first large-scale redundancy round, eliminating around 1,100 roles it says are no longer needed thanks to AI-driven productivity gains — even as the company posted record revenue. CEO Matthew Prince was direct: AI tooling has made support and operational roles obsolete faster than anticipated. It's the clearest corporate admission yet that AI's job displacement effect is arriving in the services layer of tech, not just manufacturing or data entry. Cloudflare's infrastructure underpins a significant portion of Australia's internet traffic, making its operational decisions — and the cultural shift they signal — worth watching.

TechCrunch

OpenAI Publishes How It Runs Codex Safely — and What That Reveals About Agentic AI Risk

OpenAI has released a detailed write-up on its internal security architecture for Codex, its cloud-based coding agent. The document covers sandboxing, network policy enforcement, agent-native telemetry, and a human-in-the-loop approval model for sensitive actions. It's notable less for being a finished solution and more for being a rare primary-source disclosure of how a frontier AI lab is actually operationalising agentic safety — and where the gaps remain. Given last week's Five Eyes warning about agentic AI outpacing enterprise security controls, OpenAI's transparency here is a useful reference point for defenders building their own guardrails.

OpenAI Blog

Mozilla Says AI Squashed 423 Firefox Security Bugs — But Is the Model Getting Credit?

Mozilla is claiming that its Mythos AI system — built on Anthropic's Claude — helped identify and remediate 423 security vulnerabilities in Firefox. The headline figure is impressive, but The Register notes a murkier detail: it's not entirely clear whether Claude itself is driving the improvement, or whether smarter middleware layered on top of the model is doing most of the heavy lifting. The distinction matters for anyone evaluating AI-assisted code review tooling. If the gains are in the orchestration layer rather than the model, that's a different procurement and deployment decision than buying a better LLM.

The Register

GM Hit With $12M Fine — Largest Ever Under California's Privacy Law

General Motors has agreed to pay over $12 million to settle a California privacy enforcement action, the largest penalty ever issued under the California Consumer Privacy Act since the law took effect in 2020. The case centred on GM's collection and sale of detailed driver behaviour data — including speed, braking, and location — without adequate disclosure or consent. California's Attorney General framed the outcome as a warning to the broader connected-vehicle industry. Australia's Privacy Act reforms, currently working through parliament, include provisions on automated data collection that may similarly apply to connected vehicles sold here.

The Record

Inside Department 4: Russia's Hacker Pipeline From University to APT

A detailed investigation has shed light on what researchers are calling Department 4 — an apparent pipeline at Bauman Moscow State Technical University that funnels elite students directly into Russia's most notorious state-sponsored hacking groups. Unlike a conventional recruitment process, the arrangement appears to operate through structured coursework and supervised projects that blur the line between academic research and offensive cyber operations. The investigation corroborates long-standing intelligence assessments that Russian APT groups maintain deep ties to academic institutions, using them as both a talent pool and a deniable layer of operational cover.

Graham Cluley / Bitdefender

DOGE Used ChatGPT to Cancel $100M in Grants — Court Says That Was Illegal

A US federal judge has ruled that the Department of Government Efficiency's cancellation of more than $100 million in humanities grants was unconstitutional, with a 143-page decision specifically citing DOGE's use of ChatGPT to determine whether grants related to diversity, equity, and inclusion. The judge found the process legally inadequate and the conclusions demonstrably unreliable. The ruling is a significant early precedent on the limits of AI-assisted government decision-making — and a useful data point for Australian agencies considering automated systems for funding, compliance, or regulatory decisions under the APS's AI ethics framework.

The Verge
