Schools Held Hostage, AI ID Checks Rise & Cyber Threats Escalate.

11 May 2026
BREACHAWARE HQ

A total of 18 breach events were found and analysed, resulting in 35,558,431 exposed accounts containing a total of 38 different types of personal data. The breaches found publicly and freely available included ULP Alien Txt File - Episode 37, Stealer Log 0559, 7-Eleven, Aman Resorts and Black Sex Finder. Sign in to view the full library of breach events which includes, where available, reference articles relating to each breach.

Categories of Personal Data Discovered

Finance, Contact, Sociodemographic, Technology, Career, Commerce, Unstructured, Audio and Visual, Geolocation, Relationships, Digital Behaviour, National Identifiers, Academic.

Data Breach Impact

From convenience retail giants to luxury hospitality and the ever-present stealer log circus, the spread once again proves attackers aren’t picky: if the data’s there, it’s fair game. For third-party organisations, it’s a reminder that employee exposure can happen far beyond your own infrastructure, quietly increasing the risk of account compromise and targeted attacks. And for individuals, every new breach adds another layer to an already messy digital footprint, making phishing, fraud, and identity abuse that bit easier for the wrong crowd. Another week, another pile of exposed data with nowhere good to end up.

Cyber Update

ShinyHunters have reportedly breached Canvas, the hugely popular digital learning platform used by schools and universities worldwide. For anyone lucky enough to avoid it during their academic life, Canvas powers:
- Online coursework
- Assignments
- Exams
- Presentations
- Parent portals
- Teacher dashboards

In other words: educational civilisation itself. Last Thursday, institutions including Harvard University, the University of Liverpool, and reportedly thousands of schools temporarily lost access to their accounts. Users attempting to log in were allegedly greeted with the now-familiar ransom banner “PAY OR LEAK.”

Subtle as ever. Several hours later, Canvas appeared to partially restore services using backups. So far, no data has surfaced on the ShinyHunters leak site, suggesting one of three things:
- Negotiations are ongoing
- The attack was contained
- Or someone quietly convinced them this was a very bad idea politically

The timing couldn’t be worse. Across much of the United States, the first weeks of May are final exam season, meaning coursework, grading, submissions, and revision materials all sit squarely inside the blast radius.

Current indications suggest the intrusion may have stemmed from phishing and social engineering, which remains depressingly effective in 2026. Because no matter how advanced the infrastructure gets, sometimes the attack vector is still just “Hi, IT support here…”

Meanwhile, the US government is accelerating legislation that could introduce age verification requirements for AI systems. The proposal has already passed initial review without opposition, backed by both political parties, which in modern politics is usually the equivalent of spotting a unicorn.

Now, combine that with the fact that:
- Microsoft is embedding Copilot into Windows,
- Apple is rolling out Apple Intelligence,
- Canonical is integrating AI deeper into Ubuntu.

…and a bigger picture starts to emerge.

Critics argue this increasingly resembles the groundwork for operating-system-level identity verification, introduced gradually under the banners of AI safety, child protection and online regulation. The concern isn’t just about AI chatbots asking your age. It’s about a future where:
- Your OS knows who you are,
- Your AI assistant verifies your identity,
- And anonymity becomes increasingly optional rather than default.

The phrase “licence for the internet” keeps resurfacing for a reason.

And finally, a story that sits awkwardly in the growing grey zone between researcher, criminal, and very annoyed internet user. A threat actor who compromised one of Asia’s largest gambling platforms has released alleged chat logs showing interactions with the company before the breach became public. According to the attacker:
- They initially discovered eight critical vulnerabilities.
- Claimed they were originally approached to compromise the company.
- Decided instead to report the issues directly.

Apparently, things did not go smoothly. The attacker says they were:
- Dismissed,
- Treated rudely,
- And eventually blocked after asking whether the company operated a bug bounty programme.

So naturally, the next step was “Fine, I’ll publish everything.” The threat actor has now released a detailed report outlining all eight vulnerabilities, including technical explanations of how the systems could allegedly be exploited. It’s another reminder that vulnerability disclosure is still a messy, inconsistent space:
- Some companies engage constructively.
- Others ignore reports entirely.
- And occasionally, frustrated researchers decide to go nuclear.

Not ideal when online gambling infrastructure is involved.

Software Vulnerabilities

SAP NetWeaver flaw actively exploited before many patched.
Attackers wasted absolutely no time exploiting a newly disclosed SAP NetWeaver vulnerability, with reports of active compromise surfacing almost immediately after technical details emerged. And because it’s SAP:
- It’s deeply embedded.
- Rarely touched unless necessary.
- Often maintained with the enthusiasm of a forgotten basement server.

ERP compromise isn’t just “access”; it’s finance, HR, supply chain, and sensitive business logic all in one place.

OAuth abuse attacks surge against Microsoft 365 tenants.
Threat actors increasingly shifted from password theft to malicious OAuth app abuse. Instead of stealing credentials, attackers simply convinced users to approve dodgy applications with broad permissions. No malware. No exploit. Just “This app would like full access to everything you own.”

Traditional detections struggle because technically… the login is legitimate.
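
One way to triage consent grants like those described above, as an added example that is not from the original article. The record fields, app IDs, allowlist and scoring weights are hypothetical and the sample events are constructed; the scope names are real Microsoft Graph delegated permissions.

```python
from collections import defaultdict

# Real Microsoft Graph delegated scopes that expose mail, files or the directory.
HIGH_RISK_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.Send", "Files.ReadWrite.All",
                    "Sites.ReadWrite.All", "Directory.ReadWrite.All"}
APPROVED_APP_IDS = {"app-0001"}  # hypothetical allowlist of apps already reviewed
# Constructed consent events; field names are hypothetical, not a vendor log schema.
_ROWS = [("alice@example.com", "app-0001", True, "User.Read Calendars.Read"),
         ("bob@example.com", "app-0002", False, "Mail.ReadWrite Files.ReadWrite.All offline_access"),
         ("carol@example.com", "app-0002", False, "Mail.ReadWrite Files.ReadWrite.All offline_access"),
         ("dave@example.com", "app-0003", True, "User.Read offline_access")]
SAMPLE_GRANTS = [dict(zip(("user", "app_id", "verified", "scopes"), r)) for r in _ROWS]

def score_grant(grant):
    """Score one consent event; returns (score, reasons). Weights are illustrative."""
    scopes = set(grant["scopes"].split())
    risky = sorted(scopes & HIGH_RISK_SCOPES)
    score, reasons = 0, []
    if risky:
        score += 2 * len(risky)
        reasons.append("broad scopes: " + ", ".join(risky))
        if "offline_access" in scopes:  # refresh tokens: access without the user present
            score += 2
            reasons.append("offline_access alongside broad scopes")
    if not grant["verified"]:
        score += 3
        reasons.append("unverified publisher")
    if grant["app_id"] not in APPROVED_APP_IDS:
        score += 1
        reasons.append("app not on allowlist")
    return score, reasons

def triage(grants, threshold=5):
    """Return flagged (user, app_id, score, reasons) tuples, highest score first."""
    users_per_app = defaultdict(set)
    for g in grants:
        users_per_app[g["app_id"]].add(g["user"])
    findings = []
    for g in grants:
        score, reasons = score_grant(g)
        if len(users_per_app[g["app_id"]]) > 1 and g["app_id"] not in APPROVED_APP_IDS:
            score += 2  # one unreviewed app collecting consent from several users
            reasons.append("several users consented to the same app")
        if score >= threshold:
            findings.append((g["user"], g["app_id"], score, reasons))
    return sorted(findings, key=lambda f: -f[2])

if __name__ == "__main__":
    print(*triage(SAMPLE_GRANTS), sep="\n")
```

The signal here is the grant itself (who consented to what, from which publisher) rather than the sign-in, which is why it still fires when the login looks legitimate.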

PyPI malware campaign targets developers with fake AI tooling.
A fresh batch of malicious Python packages impersonated:
- AI assistants
- Automation frameworks
- Productivity tooling

Because apparently every cybercriminal also wants an “AI strategy”. Several packages contained:
- Credential stealers
- Clipboard hijackers
- Persistence mechanisms

The software supply chain continues to resemble a buffet where nobody checks the labels.

Edge networking devices continue getting hammered.
Multiple security firms warned that internet-facing:
- Firewalls
- Routers
- SSL VPN appliances

…remain under sustained automated scanning and exploitation attempts. This week’s flavour included:
- Credential stuffing
- Config extraction
- Session hijacking

If your edge appliance hasn’t been patched since “we’ll do it next quarter”, assume someone’s already rattled the handle.

Android spyware campaigns evolve beyond nation-state tooling.
Researchers identified increasingly commercialised mobile spyware operations using:
- Fake updates
- Messaging app overlays
- Accessibility-service abuse

The worrying bit? A lot of these capabilities are drifting from elite intelligence tooling into the broader criminal ecosystem. Spyware is getting democratised. Which is not a sentence anyone wanted to write.

Data & Privacy Headlines

Genetic testing data concerns resurface.
Privacy advocates raised fresh concerns around how consumer DNA platforms handle:
- Long-term storage,
- Third-party sharing,
- Law enforcement requests.

Your ancestry results are fascinating right up until they become a searchable investigative database. Biometric and genetic data are effectively permanent identifiers. You can’t rotate your DNA like a password.

Connected vehicles quietly collecting enormous amounts of behavioural data.
Investigations highlighted how modern vehicles are harvesting:
- Driving habits
- Location history
- Cabin telemetry
- Voice interactions

Your car increasingly knows:
- Where you go
- How aggressively you brake
- Probably your taste in terrible podcasts

Most users have no meaningful understanding of the scale of collection happening behind the dashboard.

Retail loyalty programmes under renewed scrutiny.
Researchers found some retailers continuing to combine:
- Purchase histories
- Mobile identifiers
- Online browsing behaviour

…into deeply detailed customer profiles.

That “free birthday candle” suddenly feels slightly more transactional. Data aggregation creates highly monetisable behavioural intelligence — often with very murky consent boundaries.

Employee monitoring software crosses further into surveillance territory.
More organisations were criticised for deploying aggressive workplace monitoring tools tracking:
- Keystrokes
- Screenshots
- Activity levels
- Presence metrics

The line between “productivity tooling” and “digital panopticon” continues to blur beautifully. Remote work didn’t kill office surveillance. It upgraded it.

AI-generated phishing gets alarmingly convincing.
Security teams warned of phishing campaigns using:
- Better grammar
- Accurate contextual references
- Personalisation scraped from public profiles

The era of spotting scams because they said “Dear valued sir kindly” …is rapidly disappearing. Publicly available personal data is now fuelling highly tailored fraud at scale.

Smarter Protection Starts with Awareness

Third-party exposure is now a first-order risk. You can’t patch what you can’t see.
Free Data Breach Exposure Scan: Check any domain in seconds: https://breachaware.com/scan