
Cybersecurity Today

Jim Love

423 episodes

  • Cybersecurity Today

    Canvas Breach 'Deal' With ShinyHunters, AI Zero-Day Warning, Checkmarx Hit Again

    2026/05/13 | 16 mins.
    Cybersecurity Today examines a troubling set of new security developments affecting schools, software supply chains, and account security.
    Instructure says it reached an "agreement" with the ShinyHunters threat group after the massive Canvas breach that may have affected up to 275 million users across 9,000 educational institutions. Reports indicate attackers exploited multiple cross-site scripting (XSS) vulnerabilities to hijack administrator sessions and post extortion demands.
    Checkmarx has been breached again. This time, attackers reportedly inserted a malicious Jenkins Application Security Testing (AST) plugin designed to steal credentials. The same threat actor, believed to be Team46/TeamTNT-linked infrastructure or Team PCP depending on reporting attribution, appears to have reused secrets allegedly stolen in the earlier Trivy supply-chain compromise.
    Microsoft and Google are warning organizations not to treat passkeys as a complete security solution. If weaker recovery methods or legacy credentials remain active, attackers can still bypass them.
    Google's Threat Intelligence Group also reports what it describes as the first observed evidence of hostile actors using AI to assist in zero-day vulnerability research and exploit development, signalling a new phase in attacker industrialization.
    Also in today's show: Santa Clara County sues Meta over alleged scam-ad profits.
    Chapters
    00:00 Headlines Overview
    00:28 Canvas Breach Deal Fallout
    01:59 How the XSS Attack Worked
    03:15 Checkmarx Supply Chain Attack
    05:01 Credential Rotation Lessons
    05:37 Why Passkeys Aren't Enough
    07:19 Layered Defence Takeaways
    08:35 AI-Assisted Zero-Day Development
    10:10 Industrialized AI Threats
    13:08 Meta Scam Ads Lawsuit
    15:19 Wrap Up
  • Cybersecurity Today

    Canvas Breach Exposes 275M Accounts | AI Targets Water Systems | GM OnStar Settlement

    2026/05/11 | 16 mins.
    A massive cybersecurity week.
    On this episode of Cybersecurity Today, David Shipley breaks down the reported breach of Instructure's Canvas learning platform, where attacks linked to the ShinyHunters extortion group may have exposed data tied to up to 275 million user accounts across more than 9,000 educational institutions. The incident disrupted access, delayed exams, and forced Instructure to disable its "Free for Teacher" program after attackers allegedly used it to post extortion messages.
    Also in this episode: the Gentlemen ransomware group suffers a major internal leak, exposing affiliate chats, tooling, victim data, and operational details — a rare look inside a live ransomware operation.
    Then, General Motors agrees to a $12.75 million California settlement over allegations involving OnStar-linked driver data collection and sharing, raising fresh questions about privacy in connected vehicles.
    And finally: security researchers report what appears to be the first documented AI-assisted operational technology (OT) cyberattack attempt targeting a water utility in Monterrey, Mexico. The attempt failed to reach industrial control systems, but combined with confirmed attacks on water infrastructure in Poland, it signals a worrying shift in critical infrastructure threats.
    If you work in cybersecurity, IT, infrastructure, education, or privacy, this episode matters.
    Chapters
    00:00 Top Headlines Rundown
    00:41 Canvas Mega Breach
    02:44 ShinyHunters Background
    03:26 Ransom Pressure Fallout
    04:25 Gentlemen Ransomware Leak
    05:18 Inside the Data Dump
    06:18 GM OnStar Privacy Settlement
    08:17 What Drivers Should Know
    09:39 AI Meets OT Attacks
    11:52 Monterrey Water Near Miss
    13:29 Poland Water Systems Hit
    15:07 Defending Critical Infrastructure
    16:29 Wrap Up And Thanks
    #Cybersecurity #Canvas #ShinyHunters #Ransomware #OnStar #GeneralMotors #DataBreach #CriticalInfrastructure #WaterUtility #OperationalTechnology #ICS #CyberAttack #Privacy #DavidShipley #CybersecurityToday
  • Cybersecurity Today

    Cybersecurity Today Month in Review: AI Coding Risks, Canvas Breach, QR Phishing Surge

    2026/05/09 | 57 mins.
    This week's panel dives into the cybersecurity stories that matter most for security leaders, IT teams, and anyone watching how AI is changing risk.
    Jim Love is joined by David Shipley (Beauceron Security), Laura Payne (White Tuque), and Jeff Williams (Contrast Security).
    Cybersecurity Today would like to thank Material Security for supporting this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. Contact them at material[dot]security

    Topics include:
    Anthropic's Mythos AI security research and whether large language models can realistically replace traditional vulnerability testing
    Why "vibe coding" may be creating a wave of insecure software
    The growing risk of autonomous AI agents making damaging decisions
    The massive Instructure Canvas data breach affecting schools, students, and educators
    Alberta's voter list privacy failure and what it says about public sector data protection
    Microsoft's warning about the rapid surge in QR code phishing attacks bypassing traditional email security
    AI is accelerating software development. It may also be accelerating software insecurity.
    If your organisation is experimenting with AI coding tools, AI agents, or automated application development, this conversation is worth your time.
    #Cybersecurity #AI #DataBreach #QRPhishing #ApplicationSecurity #VibeCoding #Canvas #CyberSecurityToday #JimLove
    00:00 Sponsor Message
    00:22 Meet the Panel
    00:55 Jeff Williams Introduction
    02:21 AI Bug Hunting with Mythos
    05:40 Cost and Limits of AI Security Testing
    10:16 The Vibe Coding Security Problem
    13:24 Context Window and Data Flow Limits
    16:59 Spec-Driven AI Development
    18:29 Software Liability and EU Regulation
    24:47 When AI Agents Go Rogue
    27:05 Trust in the AI Era
    28:24 Enterprise Reality Check
    29:03 Critical Thinking vs AI
    30:31 Testing AI Agents Safely
    31:30 Canvas Data Breach Fallout
    34:45 Real-World Data Harm
    38:00 Liability and Attack Methods
    41:39 Alberta Voter List Privacy Failure
    48:56 Government Breach Lessons
    51:26 QR Code Phishing Surge
    55:00 Wrap Up and Sponsor
  • Cybersecurity Today

    Meta allegedly made billions from scam advertising while online fraud explodes worldwide.

    2026/05/08 | 25 mins.
    In this special edition of Cybersecurity Today, David Shipley speaks with scam-fighting expert Erin West about the global fraud crisis, the rise of AI-powered scams, and why traditional law enforcement may be falling behind.
    Cybersecurity Today would like to thank Material Security for supporting this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. Contact them at material[dot]security
    From David's discussion with Erin West:
    The numbers are staggering.
    The FBI's Internet Crime Complaint Center reported more than $21 billion in cybercrime losses, but experts say actual losses could be dramatically higher because most victims never report fraud.
    Other key points of their discussion:
    Why pig butchering scams continue to grow globally
    How criminal operations are moving from Cambodia to Myanmar, Laos, Sri Lanka and beyond
    Why AI is making scam operations faster, cheaper and harder to detect
    The controversy around Meta and scam advertising revenue
    Why crypto ATMs remain a major fraud tool
    How cloned celebrity voices are being used in romance and impersonation scams
    Why banks, law enforcement, governments and tech platforms must act together
    How Operation Shamrock is trying to fight back through public education
    This is not just a story about money.
    It's about organized crime, industrial-scale fraud, and ordinary people being manipulated through trust, loneliness, and increasingly sophisticated technology. The episode features scam-fighting prosecutor and Operation Shamrock founder Erin West.
    #Cybersecurity #Scams #Meta #OnlineFraud #AI #Cybercrime #PigButchering #CryptoScams #FacebookScams #CybersecurityToday
  • Cybersecurity Today

    QR Phishing Explodes, Ubuntu Under Attack, CISA Warns Critical Infrastructure Prepare for Isolation

    2026/05/06 | 19 mins.
    QR-code phishing is no longer a niche attack. Microsoft says QR phishing attacks jumped from 7.6 million in January to 18.7 million in March 2026 — a 146% increase in just three months. In this episode of Cybersecurity Today, David Shipley explains why QR-based attacks are bypassing traditional corporate defences and why security teams need to rethink phishing awareness immediately.
    We also cover a critical new Apache HTTP Server vulnerability with both denial-of-service and potential remote code execution impacts, a sustained DDoS and extortion campaign targeting Ubuntu developer Canonical, and a remarkable case in Taiwan where a university student allegedly used software-defined radio gear to trigger emergency braking on four high-speed trains.
    Finally, CISA's new "CI Fortify" guidance urges critical infrastructure operators to prepare for scenarios where they may need to disconnect from the internet and continue operating manually during a geopolitical cyber crisis.
    Cybersecurity Today would like to thank Material Security for supporting this podcast. Material Security provides faster, more complete detection and response for email, identity, and data threats inside Google Workspace and Microsoft 365. Contact them at material[dot]security
    Stories include:
    • Microsoft reports QR phishing attacks surged 146% in Q1 2026
    • Apache HTTP Server CVE-2026-23918 urgent patch warning
    • Ubuntu developer Canonical hit by ongoing DDoS and extortion campaign
    • Taiwanese student allegedly halts high-speed trains with fake emergency radio signal
    • CISA tells critical infrastructure operators to prepare for isolation and manual operations
    Chapters:
    00:00 Intro
    01:02 QR phishing explodes in Q1 2026
    06:15 Critical Apache HTTP Server flaw patched
    09:15 Ubuntu maintainer Canonical hit by extortion DDoS attack
    14:25 Taiwanese student wirelessly halts high-speed trains
    20:32 CISA warns critical infrastructure to prepare for isolation
    26:10 Closing thoughts
About Cybersecurity Today
Updates on the latest cybersecurity threats to businesses, data breach disclosures, and how you can secure your firm in an increasingly risky time.