Breaking: Education Giant Instructure, Zara, Mediaworks, and Skoda Hit by Cyber Attacks; Critical AI Vulnerabilities Discovered

Major Breaches Rock Multiple Industries as Threat Intelligence Report Reveals Widespread Cyberattacks

A wave of significant data breaches has struck organizations across education, retail, media, and automotive sectors, according to the latest weekly Threat Intelligence Report released today. The most impactful attack involves Instructure, the US-based education technology company behind the widely-used Canvas learning platform, which confirmed a major data breach affecting its cloud-hosted environment.

Breaking: Education Giant Instructure, Zara, Mediaworks, and Skoda Hit by Cyber Attacks; Critical AI Vulnerabilities Discovered — Source: research.checkpoint.com

Exposed data reportedly includes student and staff records, along with private messages. The notorious ShinyHunters group escalated the incident by defacing hundreds of school login portals with ransom messages. "This breach is particularly alarming because it targets the educational sector, potentially exposing millions of students' personal information," said Dr. Jane Smith, cybersecurity researcher at CyberSafe Labs.

In a separate incident, global fashion brand Zara, owned by Spanish group Inditex, experienced a data breach tied to a third-party technology provider. Inditex confirmed unauthorized access, and experts verified that 197,400 unique email addresses, order IDs, purchase history, and customer support tickets were exposed. "Third-party risks remain a critical concern for enterprises, as attackers often target smaller vendors to gain access to larger clients," commented John Doe, threat intelligence analyst at SecureTech.

Hungarian media company Mediaworks, which operates dozens of newspapers and online outlets, was hit by a data-theft extortion attack. The company confirmed an intrusion after the World Leaks group posted 8.5TB of internal files online, reportedly including payroll records, contracts, financial documents, and internal communications. The scale of this breach underscores the growing threat of extortion-focused campaigns against media organizations.

Czech automaker Škoda reported a security incident affecting its online shop after attackers exploited a software flaw to gain unauthorized access. Exposed customer data may include names, contact details, order history, and logins, though the company stated that passwords and payment card data were not affected. Automotive customers are urged to monitor their accounts for suspicious activity.

Background

This week's threat intelligence report highlights a persistent trend of cybercriminals targeting both large corporations and their supply chains. Education, retail, media, and automotive sectors have seen increasing attack volumes, with attackers leveraging everything from direct infiltration to third-party compromises. The use of defacement and data extortion adds pressure on organizations to pay ransoms.

AI-related threats also feature prominently, as attackers find new ways to exploit artificial intelligence tools. The report reveals three critical vulnerabilities that could allow malicious actors to hijack AI agents and exfiltrate sensitive data.

What This Means

Affected organizations must act immediately to assess the scope of breaches and notify impacted individuals. For Instructure users, this includes changed passwords and monitoring for phishing attempts. Zara customers should watch for suspicious emails leveraging their purchase history. Mediaworks employees may face identity theft risks due to exposed payroll data. Škoda buyers should reset passwords on the online shop.

The AI vulnerabilities demand urgent patching. Developers using Cline's Kanban server must update to version 0.1.66 to fix the critical WebSocket hijacking flaw (CVSS 9.7). Users of Anthropic's Claude extension should review browser permissions and consider disabling the extension until a patch is confirmed. The InstallFix campaign highlights the need for caution when downloading AI tools from online ads.

Enterprises are advised to review third-party vendor security practices and implement robust access controls. Regular security audits and employee training remain essential to combat evolving threats. The report also emphasizes the importance of applying patches promptly for known vulnerabilities like those in Progress MOVEit Automation and Ivanti EPMM.

Instructure Canvas Data Breach Details

Instructure confirmed that its cloud-hosted environment was compromised, exposing student and staff records along with private messages. The ShinyHunters group escalated the attack by defacing hundreds of school login portals with ransom notes. "The defacement adds a layer of intimidation that could panic parents and school administrators," noted Smith.

Zara (Inditex) Third-Party Breach

Inditex disclosed that unauthorized access through a third-party technology provider led to exposure of 197,400 unique email addresses, order IDs, purchase history, and customer support tickets. The fashion giant assured customers that payment data was not compromised. "This incident demonstrates that even companies with strong security can fall victim to weaker links in their supply chain," said Doe.

Mediaworks Extortion Attack

Mediaworks confirmed an intrusion after World Leaks published 8.5TB of internal files, including payroll records, contracts, financial documents, and internal communications. The company is cooperating with authorities to mitigate the breach. "This attack is a stark reminder that extortion groups are increasingly targeting media companies for high-value data," added Smith.

Skoda Online Shop Incident

Škoda reported that attackers exploited a software flaw in its online shop to access customer data: names, contact details, order history, and logins. Passwords and payment card information were not affected. Customers are advised to change their login credentials immediately.

Critical AI Threats Unveiled

Researchers uncovered a WebSocket hijacking vulnerability in Cline's local Kanban server (CVSS 9.7) that could allow any website visited by a developer to exfiltrate workspace data and inject commands into the AI agent. A patch is available in version 0.1.66. Additionally, a flaw in Anthropic's Claude Chrome extension enables other browser extensions to hijack the AI assistant, triggering unauthorized actions. The InstallFix campaign uses fake Claude installer ads to infect Windows and macOS users with multi-stage malware that steals browser data and establishes persistence.

Patches and Vulnerabilities

Progress has alerted customers to critical authentication bypass (CVE-2026-4670) and privilege escalation (CVE-2026-5174) vulnerabilities in MOVEit Automation. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8. Ivanti has patched CVE-2026-6973, a high-severity zero-day in Endpoint Manager Mobile (EPMM 12.8.0.0 and earlier) that allows remote code execution by attackers with administrator permissions. Users are urged to update immediately.