Industry Category

Primary/Secondary Education

Breach intelligence, attack campaigns, and threat reports targeting the Primary/Secondary Education sector.

39 threat reports
Page 1 of 4

Primary/Secondary Education Threat Reports

Showing 1-12 / 39 reports
ShinyHunters Breach Infinite Campus: 137,000 School Staff Accounts Exposed
Impact: MEDIUM

In March 2026, the ShinyHunters extortion group infiltrated Infinite Campus's Salesforce instance, compromising personal information of over 137,000 school staff members. The stolen data included names, email addresses, phone numbers, physical addresses, and support tickets. Infinite Campus, a leading EdTech provider serving over 3,200 school districts across the United States, confirmed the breach but stated that the majority of the exposed information was publicly available directory data. This incident underscores the escalating trend of cybercriminals targeting educational institutions and their service providers. The breach highlights the critical need for robust security measures and vigilant monitoring of third-party platforms to safeguard sensitive information in the education sector.

1 week ago

Kill Chain

IC: Initial Compromise (medium)
PE: Privilege Escalation (medium)
LM: Lateral Movement (medium)
C&C: Command & Control (medium)
E: Exfiltration (medium)
I: Impact (medium)

Former IT Employee Sentenced for Prolonged Cyberattacks on School District
Impact: HIGH

In June 2026, Ezekiel Dean Potter, a former senior IT support specialist at Saydel Community School District in Des Moines, Iowa, was sentenced to 21 months in prison for conducting a series of unauthorized cyberattacks against his former employer. After his termination in April 2023, Potter retained access credentials and, over the next 21 months, deleted the district's Facebook page, disrupted access to educational platforms, and reset employee usernames and passwords, causing significant operational disruptions and financial losses estimated at tens of thousands of dollars. This incident underscores the critical importance of promptly revoking access credentials of departing employees and implementing robust monitoring systems to detect unauthorized access. The case highlights the potential risks posed by insider threats and the necessity for organizations to enforce strict access control policies to safeguard their digital assets.

1 week ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (high)
LM: Lateral Movement (high)
C&C: Command & Control (medium)
E: Exfiltration (low)
I: Impact (high)

French Government's Tchap Messaging Service Compromised in Account Hijacking Incident
Impact: MEDIUM

In June 2026, the French government's encrypted messaging platform, Tchap, suffered a security breach due to the hijacking of a legitimate user account. The attacker accessed public chat rooms, which are not end-to-end encrypted, and exfiltrated over 643,000 messages and more than 59,000 media files from approximately 73,000 public servants. The compromised account was promptly identified and blocked to prevent further unauthorized access. This incident underscores the critical importance of securing user accounts and the potential risks associated with unencrypted public communication channels. Organizations must reassess their security protocols to ensure that sensitive information is adequately protected, even in public forums.

2 weeks ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (high)
LM: Lateral Movement (medium)
C&C: Command & Control (medium)
E: Exfiltration (high)
I: Impact (high)

WeedHack Malware Campaign Compromises Over 116,000 Minecraft Systems
Impact: HIGH

In early 2026, a large-scale malware campaign named WeedHack targeted Minecraft players, infecting over 116,000 systems by June. The malware was disseminated through malicious Minecraft mods, clients, cheats, and utilities promoted via YouTube videos and SEO poisoning techniques. Once installed, WeedHack functioned as a malware-as-a-service (MaaS) infostealer, providing attackers with dashboards to view stolen credentials and system information. The campaign averaged between 2,000 and 3,000 new infections daily, with most victims located in the United States, Germany, India, and the UK. ([mcafee.com](https://www.mcafee.com/blogs/security-news/minecraft-malware-campaign-research-teen-hacker-cyberbullying/?utm_source=openai)) This incident underscores the evolving threat landscape where cybercriminals exploit popular gaming platforms to distribute malware. The accessibility of WeedHack's MaaS model, with free and low-cost premium tiers, has lowered the barrier for entry, enabling even inexperienced individuals to launch attacks. The campaign's success highlights the need for heightened vigilance and robust security measures within the gaming community. ([mcafee.com](https://www.mcafee.com/blogs/other-blogs/mcafee-labs/weedhack-minecraft-malware-as-a-service-campaign-research/?utm_source=openai))

3 weeks ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (medium)
LM: Lateral Movement (medium)
C&C: Command & Control (high)
E: Exfiltration (high)
I: Impact (high)

Tennessee Man Indicted for Child Exploitation Linked to Extremist Group '764'
Impact: NONE

In May 2026, Zachary Sweeney, a 30-year-old from Columbia, Tennessee, was indicted on multiple counts of child sexual exploitation. Sweeney allegedly groomed and coerced minors into producing child sexual abuse material (CSAM), which he distributed and, in some cases, sold. His activities, dating back to at least 2022, included traveling across several states to meet victims in person, where he reportedly drugged, raped, and filmed sexual acts with minors. Sweeney's involvement with the nihilistic violent extremist group '764' underscores the group's exploitation of vulnerable individuals to further their agenda of societal destabilization. ([justice.gov](https://www.justice.gov/usao-mdtn/pr/nashville-man-connected-nihilistic-violent-extremist-nve-group-indicted-sexual?utm_source=openai)) This case highlights the persistent and evolving threat posed by online extremist networks that exploit digital platforms to perpetrate and disseminate CSAM. The intersection of violent extremism and child exploitation necessitates heightened vigilance and coordinated efforts among law enforcement agencies to combat these multifaceted crimes.

3 weeks ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (medium)
LM: Lateral Movement (medium)
C&C: Command & Control (medium)
E: Exfiltration (high)
I: Impact (high)

Critical Vulnerability in KnowledgeDeliver LMS Exploited to Deploy Malicious Payloads
Impact: HIGH

In early 2026, a critical vulnerability (CVE-2026-5426) in Digital Knowledge's KnowledgeDeliver Learning Management System (LMS) was exploited by threat actors to deploy the Godzilla web shell and Cobalt Strike Beacon. The flaw, stemming from hard-coded ASP.NET machine keys, allowed unauthenticated remote code execution via malicious ViewState deserialization. This exploitation led to unauthorized access and potential data breaches in affected systems. The incident underscores the risks associated with default configurations and hard-coded cryptographic keys in software deployments. Organizations are urged to review and update their security practices to mitigate similar vulnerabilities, especially in widely used platforms like LMSs.

1 month ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (high)
LM: Lateral Movement (high)
C&C: Command & Control (high)
E: Exfiltration (medium)
I: Impact (medium)

Red-Teaming Reveals Critical Vulnerabilities in Government Education AI Assistant
Impact: MEDIUM

In early 2026, a government-deployed AI assistant designed to handle education-related inquiries was subjected to a comprehensive red-teaming assessment. The evaluation revealed that, despite robust defenses against direct prompt injections and social engineering tactics, the AI system was vulnerable to structural manipulation techniques. Specifically, attackers successfully bypassed semantic filters by embedding malicious commands within JSON structures and utilizing Base64 encoding, leading the AI to generate unauthorized outputs, including phishing payloads and the disclosure of its own system prompts. These findings underscore the critical need for AI systems to implement multi-layered security measures that address both semantic and structural vulnerabilities to prevent exploitation through prompt injection attacks. The incident highlights the evolving nature of AI security threats, particularly the sophistication of prompt injection techniques that can circumvent traditional safeguards. As AI systems become increasingly integrated into sensitive sectors like education, it is imperative for organizations to adopt comprehensive security frameworks that encompass regular red-teaming exercises, advanced input validation, and continuous monitoring to detect and mitigate emerging threats effectively.

1 month ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (high)
LM: Lateral Movement (medium)
C&C: Command & Control (high)
E: Exfiltration (high)
I: Impact (high)

Instructure's Canvas Platform Breached Twice by ShinyHunters in May 2026
Impact: HIGH

In early May 2026, Instructure's Canvas learning management system suffered two significant cyberattacks by the ShinyHunters group. The initial breach on April 29 exposed sensitive data of approximately 275 million users across nearly 9,000 educational institutions, including names, email addresses, student ID numbers, and private messages. Despite Instructure's efforts to secure the system, ShinyHunters re-compromised Canvas on May 7, defacing login pages and issuing ransom demands. The attacks disrupted operations during critical exam periods, leading to delays and cancellations of final exams at numerous colleges and universities. In response, Instructure reached an agreement with the attackers, reportedly paying a ransom to secure the return and destruction of the stolen data, though the exact terms were not disclosed. This incident underscores the escalating threat of cyberattacks targeting educational institutions and the challenges in safeguarding sensitive student and staff information. ([techradar.com](https://www.techradar.com/pro/security/us-congress-calls-instructure-ceo-as-it-investigates-canvas-breach?utm_source=openai))

1 month ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (high)
LM: Lateral Movement (medium)
C&C: Command & Control (high)
E: Exfiltration (high)
I: Impact (high)

Instructure Canvas Breach: A Wake-Up Call for Educational Cybersecurity
Impact: HIGH

In May 2026, Instructure, the company behind the Canvas learning management system, suffered a significant data breach orchestrated by the hacking group ShinyHunters. The attackers exploited vulnerabilities to access and exfiltrate approximately 3.65 terabytes of data, affecting nearly 275 million individuals across 8,809 educational institutions worldwide. The compromised information included names, email addresses, student ID numbers, and private messages between students and staff. Following the initial breach, ShinyHunters escalated their attack by defacing Canvas login portals, disrupting access during critical academic periods and demanding a ransom to prevent the public release of the stolen data. This incident underscores the escalating threat posed by cybercriminal groups targeting educational institutions, highlighting the critical need for robust cybersecurity measures and incident response strategies. The breach also raises concerns about the effectiveness of paying ransoms, as Instructure's decision to negotiate with the attackers has sparked debate over best practices in handling such extortion attempts.

1 month ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (medium)
LM: Lateral Movement (medium)
C&C: Command & Control (high)
E: Exfiltration (high)
I: Impact (high)

Instructure's 2026 Data Breach: A Wake-Up Call for Educational Cybersecurity
Impact: HIGH

In May 2026, Instructure, the company behind the Canvas learning management system, experienced a significant data breach orchestrated by the ShinyHunters extortion group. The attackers exploited vulnerabilities in the Free-for-Teacher environment, gaining access to over 3.6 terabytes of data, including usernames, email addresses, course names, enrollment information, and private messages from nearly 9,000 educational institutions worldwide. Following the initial breach, ShinyHunters defaced Canvas login portals, demanding a ransom to prevent the public release of the stolen data. Instructure reached an agreement with the attackers, who provided evidence of data destruction and assured that no extortion would occur against Instructure's customers. However, the FBI warns that paying ransoms does not guarantee that stolen data won't be sold or used in future attacks. This incident underscores the critical need for robust cybersecurity measures in educational platforms, especially as cybercriminal groups like ShinyHunters continue to target sensitive data for financial gain. Educational institutions must prioritize securing their digital infrastructures to protect against such threats.

1 month ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (high)
LM: Lateral Movement (medium)
C&C: Command & Control (high)
E: Exfiltration (high)
I: Impact (high)

Instructure Canvas 2026 Cyberattacks: A Wake-Up Call for Educational Cybersecurity
Impact: HIGH

In April and May 2026, Instructure's Canvas learning management system suffered two significant cyberattacks orchestrated by the ShinyHunters extortion group. The initial breach on April 29 led to the theft of personal information—including names, email addresses, student ID numbers, and user communications—from approximately 275 million individuals across nearly 9,000 educational institutions. Shortly after, on May 7, ShinyHunters executed a second attack, defacing Canvas login portals with ransom messages, disrupting access during critical final exams. Instructure responded by revoking compromised credentials, implementing security patches, and engaging forensic experts to investigate the incidents. ([apnews.com](https://apnews.com/article/3d55b9399ae87d49276f354e1c34c180?utm_source=openai)) These breaches underscore the escalating threats faced by educational institutions, particularly during pivotal academic periods. The incidents highlight the necessity for robust cybersecurity measures, proactive threat detection, and comprehensive incident response plans to safeguard sensitive student and staff data against increasingly sophisticated cybercriminal activities. ([apnews.com](https://apnews.com/article/209a51692f043a959459dbe37fb34e4b?utm_source=openai))

1 month ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (high)
LM: Lateral Movement (medium)
C&C: Command & Control (medium)
E: Exfiltration (high)
I: Impact (high)

Instructure's 2026 Data Breach: A Wake-Up Call for Educational Cybersecurity
Impact: HIGH

In early May 2026, Instructure, the parent company of the Canvas learning management system, experienced a significant data breach executed by the cybercriminal group ShinyHunters. The attackers accessed 3.65 terabytes of data, affecting nearly 9,000 educational institutions and compromising personal information of approximately 275 million individuals, including names, email addresses, student ID numbers, and private messages. Although passwords and financial data were reportedly not compromised, the breach led to widespread disruptions, particularly during the critical final exam period. In response, Instructure reached an agreement with ShinyHunters to prevent the public release of the stolen data, receiving assurances of its destruction. The company has since implemented enhanced security measures and is conducting a comprehensive forensic analysis to prevent future incidents. ([apnews.com](https://apnews.com/article/3d55b9399ae87d49276f354e1c34c180?utm_source=openai)) This incident underscores the escalating threat posed by sophisticated cybercriminal groups targeting educational institutions. The breach highlights the critical need for robust cybersecurity frameworks, proactive threat detection, and comprehensive incident response plans to safeguard sensitive data and maintain operational continuity in the education sector.

1 month ago

Kill Chain

IC: Initial Compromise (high)
PE: Privilege Escalation (medium)
LM: Lateral Movement (high)
C&C: Command & Control (high)
E: Exfiltration (high)
I: Impact (medium)