Cybersecurity Q&A: Major Breaches, AI Threats, and Patches (May 2025)

Welcome to this week's threat intelligence roundup, where we break down the most significant cybersecurity events from early May 2025. From high-profile data breaches at major organizations to emerging AI-powered attack vectors and critical software updates, we've compiled the essential details in an easy-to-digest Q&A format. Dive into the questions below to stay informed about the latest risks and protective measures.

What happened in the Instructure Canvas data breach?

Instructure, the U.S. education technology company behind the widely used Canvas learning platform, confirmed a major breach affecting its cloud-hosted environment. Exposed data reportedly includes student and staff records, private messages, and other sensitive information. The threat group ShinyHunters escalated the attack by defacing hundreds of school login portals with ransom messages, demanding payment to prevent further disclosure. This incident underscores the growing risk to educational institutions and the importance of securing cloud-based learning management systems against unauthorized access and extortion campaigns.

Source: research.checkpoint.com

How did the Zara data breach occur?

Zara, the flagship brand of Spanish fashion conglomerate Inditex, experienced a data breach tied to a third-party technology provider. Inditex confirmed unauthorized access to systems, and security experts verified that 197,400 unique email addresses, order IDs, purchase history, and customer support tickets were exposed. The company has not disclosed the specific vendor involved or the root cause of the intrusion, but the incident highlights the cascading risks that arise from trusting external partners with sensitive customer data. Affected individuals should watch for phishing attempts and monitor their accounts for suspicious activity.

What was the impact of the Mediaworks extortion attack?

Hungarian media company Mediaworks, which operates dozens of newspapers and online outlets, was hit by a data-theft extortion attack. The company confirmed the intrusion after the threat actor World Leaks posted 8.5 TB of internal files online. The leaked data reportedly includes payroll records, contracts, financial documents, and internal communications. Such incidents demonstrate how media organizations can be targeted not only for financial gain but also to disrupt information flow or leak sensitive corporate information. Mediaworks has since initiated incident response procedures and is working with law enforcement.

What customer data was exposed in the Škoda online shop incident?

Czech automaker Škoda fell victim to a security incident affecting its online shop after attackers exploited a software flaw to gain unauthorized access. Exposed customer data may include names, contact details, order history, and login credentials. However, the company emphasized that passwords and payment card data were not affected. The breach serves as a reminder that e-commerce platforms remain a prime target for cybercriminals, and even if payment details are secure, personal information can still be leaked. Škoda is notifying affected customers and has patched the underlying vulnerability.

What are the most critical AI-related threats discovered this week?

Researchers uncovered several AI-related threats. First, a critical WebSocket hijacking vulnerability (CVSS 9.7) in Cline's local Kanban server—used by a popular open-source AI coding agent—allowed any website a developer visited to exfiltrate workspace data and inject commands. The flaw was patched in version 0.1.66. Second, a vulnerability in Anthropic's Claude in Chrome extension allowed other browser extensions to hijack the AI assistant, enabling malicious prompts to trigger unauthorized actions and access sensitive browser data. Third, an InstallFix campaign used fake Claude AI installer pages promoted via Google Ads to infect Windows and macOS users with multi-stage malware that stole browser data, disabled protections, and established persistence.


How did fake Claude AI installers compromise users?

The InstallFix campaign tricked users into visiting fraudulent Claude AI installer pages that appeared in Google Ads. Victims were instructed to run commands that launched a multi-stage malware process. Once executed, the malware stole browser-stored data (such as cookies and saved passwords), disabled security protections like Windows Defender, and created scheduled tasks to maintain persistence on the system. This attack chain highlights the effectiveness of social engineering through search engine advertisements and the need for users to verify software download sources, especially for popular AI tools that attackers frequently impersonate.

Which critical patches were released for MOVEit and Ivanti?

Progress Software alerted customers to two critical vulnerabilities in MOVEit Automation managed file transfer software: CVE-2026-4670, an authentication bypass that allows unauthorized access, and CVE-2026-5174, a privilege escalation flaw. Fixes are available in versions 2025.1.5, 2025.0.9, and 2024.1.8. Meanwhile, Ivanti fixed CVE-2026-6973, a high-severity vulnerability in its Endpoint Manager Mobile (EPMM) that was exploited as a zero-day. The flaw affects EPMM 12.8.0.0 and earlier and allows attackers with administrator permissions to run remote code. Organizations using these products are strongly urged to apply the patches immediately to mitigate active exploitation risks.
