By security practitioners, for security practitioners

Top 10 Cybersecurity News (May 04 2026): Vimeo Confirms User and Customer Data Breach, Trellix Discloses Unauthorized Access, Instructure Confirms Data Breach, and More

WEEKLY TOP TEN: May 04, 2026, 16:00 GMT

  1. Vimeo Confirms User and Customer Data Breach via Third-Party Vendor

    Video hosting platform Vimeo confirmed that hackers stole user and customer data following an attack on its analytics provider Anodot. The ShinyHunters group leveraged compromised access to Anodot’s Salesforce integration to reach Vimeo’s data, exposing metadata, video titles, and some user email addresses. ShinyHunters gave Vimeo until April 30 to respond before threatening to release the stolen files. The incident is part of a broader wave of data theft attacks targeting organizations through Anodot, a SaaS analytics platform, with other victims reportedly including Rockstar Games and fashion retailer Zara.
  2. CISA Orders Federal Agencies to Patch Windows Zero-Day Exploited by APT28

    The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-32202, a zero-click NTLM hash leak vulnerability, to its Known Exploited Vulnerabilities catalog and ordered Federal Civilian Executive Branch agencies to patch all Windows endpoints and servers by May 12, 2026. Akamai, which reported the flaw, describes it as the result of an incomplete patch for CVE-2026-21510, a remote code execution vulnerability previously exploited by Russian APT28 (Fancy Bear) in attacks against Ukraine and European Union countries; hosts that received only the earlier fix therefore remain exposed. Remote attackers can exploit CVE-2026-32202 in low-complexity attacks by inducing a victim to open a malicious file, which leaks the victim's NTLM authentication hash to an attacker-controlled host for relay or offline cracking. CISA urged all organizations, not only federal agencies, to deploy the fix immediately.
  3. Critical GitHub RCE Vulnerability CVE-2026-3854 Exploitable with a Single Git Push

    Wiz Research disclosed a critical remote code execution vulnerability in GitHub’s internal git infrastructure, tracked as CVE-2026-3854 with a CVSS score of 8.7, affecting both GitHub.com and GitHub Enterprise Server. Any authenticated user with push access to a repository could execute arbitrary commands on GitHub’s backend servers using a standard git client and a single crafted push command. The flaw stems from improper sanitization of user-supplied push options in the babeld proxy: a semicolon in an option value is treated as a command delimiter, allowing injection. GitHub patched the issue on GitHub.com within two hours of disclosure and confirmed no exploitation in the wild. However, Wiz reported that 88 percent of self-hosted GitHub Enterprise Server instances remain unpatched; because GitHub Enterprise Server is fixed only when its operators install the updated release, self-hosted administrators should treat the upgrade as urgent.
  4. Robinhood Account Creation Flaw Abused to Send Phishing Emails

    Online trading platform Robinhood confirmed that cybercriminals exploited a vulnerability in its account creation process to send legitimate-looking phishing emails to users. The phishing messages were delivered from the official noreply@robinhood.com address with the subject line “Your recent login to Robinhood,” directing recipients to credential-harvesting websites. The attack leveraged Robinhood’s account creation flow rather than a direct system breach, so the messages were generated and sent by Robinhood’s own mail infrastructure; sender-authentication checks such as SPF, DKIM, and DMARC would pass, and the reliable indicator is where the embedded links point rather than who sent the mail. Robinhood has since patched the account creation vulnerability and noted that the attack may have used email addresses from its 2021 data breach, externally sourced lists, or guessed Gmail addresses.
  5. Trellix Discloses Unauthorized Access to Source Code Repository

    Cybersecurity vendor Trellix disclosed a breach in which an unauthorized party accessed a portion of its source code repository. The company launched an immediate investigation with leading forensic experts and notified law enforcement. Trellix stated there is no evidence that the compromised source code was altered, misused, or weaponized following the intrusion, and said it found no sign of subsequent unauthorized activity after containment. The exact data accessed and the method of initial access were not disclosed. The incident raises broader concerns about threat actors targeting security vendors and the supply chain risks that can emerge when adversaries gain visibility into defensive tooling and detection logic.
  6. cPanel Authentication Bypass Flaw CVE-2026-41940 Mass-Exploited in “Sorry” Ransomware Attacks

    A critical authentication bypass vulnerability in cPanel, WHM, and WP Squared, tracked as CVE-2026-41940, is being actively mass-exploited to compromise websites and deploy “Sorry” ransomware. The flaw allows attackers to gain administrative access to vulnerable hosting servers without valid credentials. Exploitation attempts have been observed in the wild since at least late February 2026, and cPanel released security updates addressing the vulnerability. Organizations running unpatched versions of cPanel, WHM, or WP Squared are urged to apply the fixes immediately, as the widespread nature of the exploitation campaign puts a large number of hosted websites and their underlying data at significant risk.
  7. Medtronic Hack Confirmed After ShinyHunters Threatens Data Leak

    Medical device giant Medtronic confirmed that an unauthorized party accessed data in certain corporate IT systems following claims by the ShinyHunters extortion group. The group alleged it stole over nine million records containing personally identifiable information along with terabytes of internal corporate data, listing Medtronic on its leak site in mid-April with a ransom deadline. Medtronic subsequently disappeared from the leak site, suggesting possible negotiations or payment. The company stated its medical device networks, manufacturing systems, and financial reporting remain unaffected and separate from the compromised corporate IT environment. Medtronic filed an 8-K disclosure with the U.S. Securities and Exchange Commission on April 24, 2026.
  8. Instructure Confirms Data Breach; ShinyHunters Claims Attack on 275 Million Records

    Educational technology giant Instructure, the company behind the Canvas learning management system, confirmed that personal information of users was exposed in a cyberattack. ShinyHunters listed the company on its data leak site claiming to have stolen data tied to nearly 9,000 schools worldwide and covering 275 million individuals, including students, teachers, and staff. The compromised information includes names, email addresses, student ID numbers, and messages exchanged between users. ShinyHunters alleged the data was taken via a vulnerability in Instructure’s systems that has since been patched. The company engaged third-party cybersecurity experts and law enforcement and continues to investigate the full scope of the incident.
  9. Palo Alto Networks Patches GlobalProtect DoS Vulnerability with Public Proof of Concept

    Palo Alto Networks addressed a high-severity vulnerability, tracked as CVE-2026-0227 with a CVSS score of 7.7, affecting GlobalProtect Gateway and Portal in PAN-OS. The flaw allows an unauthenticated remote attacker to cause a denial of service condition, potentially forcing the firewall into maintenance mode through repeated exploitation attempts. A proof-of-concept exploit is publicly available, heightening the urgency of patching. The vulnerability affects only PAN-OS and Prisma Access configurations where the GlobalProtect gateway or portal is enabled and does not impact Cloud Next-Generation Firewall deployments. Palo Alto Networks stated it is not aware of active exploitation in the wild at the time of disclosure.
  10. FBI Warns of Surge in Hacker-Enabled Cargo Theft Targeting Logistics Industry

    The FBI issued a new alert warning the transportation and logistics sector of a sharp increase in cyber-enabled cargo theft operations, with criminal enterprises hacking freight brokers and carriers to steal goods for resale. Attackers are compromising broker and carrier systems to intercept shipment data, then fraudulently diverting cargo valued at millions of dollars. Estimated losses across the United States and Canada have risen significantly, with the FBI noting the attacks exploit gaps in identity verification and access controls within freight management platforms. The alert urged logistics companies to implement stronger multi-factor authentication, vet carrier identity more rigorously, and report incidents to law enforcement as part of a coordinated response.
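For item 2 above (the CVE-2026-32202 NTLM hash leak), the interim control a practitioner wants while patches roll out is to block and alert on outbound SMB, since hash-leak bugs of this class coerce the victim machine into authenticating to an attacker-controlled host over tcp/445 or tcp/139. The following is an added example, not code from CISA, Akamai, or Microsoft: a small detector that parses firewall logs and flags SMB flows from internal hosts to external addresses. The key=value log format and the sample lines are constructed for the example and are not any vendor's real export.

```python
"""Detect outbound SMB from internal hosts in firewall logs.

Added example, not from CISA or Akamai. NTLM hash-leak bugs of the kind in
CVE-2026-32202 coerce the victim's machine into authenticating to an
attacker-controlled host, typically over SMB (tcp/445 or tcp/139). Blocking
outbound SMB at the edge and alerting on attempts is the standard mitigation
while patches roll out. The key=value log format below is constructed for this
example and is not any vendor's real export.
"""
import ipaddress
import re

# Constructed sample: one benign internal SMB flow, one allowed outbound SMB flow
# (the leak), one denied outbound SMB attempt, and unrelated traffic.
SAMPLE_LOGS = """\
ts=2026-05-01T10:02:11Z action=allow proto=tcp src=10.4.7.22 dst=10.4.1.5 dport=445
ts=2026-05-01T10:02:19Z action=allow proto=tcp src=10.4.7.22 dst=203.0.113.57 dport=445
ts=2026-05-01T10:02:20Z action=allow proto=tcp src=10.4.7.22 dst=203.0.113.57 dport=443
ts=2026-05-01T10:03:02Z action=deny proto=tcp src=10.4.9.8 dst=198.51.100.9 dport=139
ts=2026-05-01T10:04:40Z action=allow proto=udp src=10.4.7.22 dst=10.4.0.2 dport=53
"""

SMB_PORTS = {139, 445}

# Address space treated as "inside". Extend this list if internal services sit
# on routable addresses; the check is deliberately explicit rather than relying
# on ipaddress.is_global, which also excludes documentation ranges.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
)]

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict (empty dict for blank or garbage lines)."""
    return dict(_KV.findall(line))


def is_internal(ip: str) -> bool:
    """True if the address falls in one of INTERNAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def outbound_smb_events(log_text: str) -> list[dict]:
    """Return SMB flows from an internal source to an external destination.

    Allowed flows are tagged possible_hash_leak (the host most likely sent its
    NTLM response); denied flows are tagged coercion_blocked, which still means
    the host tried and the file that triggered it should be examined.
    """
    hits = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        try:
            if ev["proto"] != "tcp" or int(ev["dport"]) not in SMB_PORTS:
                continue
            if not (is_internal(ev["src"]) and not is_internal(ev["dst"])):
                continue
        except (KeyError, ValueError):
            continue  # malformed line or unparsable address: skip, don't crash
        ev["verdict"] = "possible_hash_leak" if ev.get("action") == "allow" else "coercion_blocked"
        hits.append(ev)
    return hits


if __name__ == "__main__":
    for hit in outbound_smb_events(SAMPLE_LOGS):
        print(f'{hit["ts"]} {hit["src"]} -> {hit["dst"]}:{hit["dport"]} {hit["verdict"]}')
```

On the sample the detector reports the allowed 10.4.7.22 -> 203.0.113.57:445 flow as a possible leak and the denied 10.4.9.8 -> 198.51.100.9:139 attempt as blocked coercion; the internal-to-internal SMB flow and the HTTPS and DNS traffic are ignored. The denied case matters: an egress rule that blocks port 445 stops the leak, but the attempt itself tells you which host opened the malicious file.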
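For item 3 above (CVE-2026-3854, push-option injection in GitHub's babeld proxy), the bug class is worth seeing side by side with its fix. Git forwards `git push -o <value>` to server-side hooks as the environment variables GIT_PUSH_OPTION_COUNT and GIT_PUSH_OPTION_<n>. The following is an added example and is not GitHub's code: a receive-hook helper in which the vulnerable path splices a push option into a shell command string (so a semicolon ends the intended command and starts the attacker's), and the hardened path allow-lists the option's shape and keys and passes the value as a single argv element. The ALLOWED_KEYS set and the "notify" command are hypothetical, and `echo` stands in for the real binary so the demonstration is harmless.

```python
"""Push-option handling in a receive hook: vulnerable vs hardened.

Added example; this is not GitHub's babeld code. Git forwards `git push -o <value>`
to server-side hooks as GIT_PUSH_OPTION_COUNT and GIT_PUSH_OPTION_<n>. The
vulnerable path reproduces the bug class described for CVE-2026-3854: a push
option interpolated into a shell command string, so a semicolon terminates the
intended command and starts the attacker's. The hardened path validates the
option against an allow-list and never routes the value through a shell.
ALLOWED_KEYS and the "notify" command are hypothetical; "echo" stands in for a
real binary so running this is harmless.
"""
import re
import subprocess
from typing import Mapping, Optional, Tuple

NOTIFY = "echo"                       # stand-in for a real notifier binary
ALLOWED_KEYS = {"ci-skip", "notify"}  # hypothetical push-option keys this hook honours
# Strict key[=value] shape: no whitespace, quotes or shell metacharacters anywhere.
_SAFE_OPTION = re.compile(
    r"^(?P<key>[a-z][a-z0-9-]{0,31})(?:=(?P<val>[A-Za-z0-9_.:/@-]{1,128}))?$"
)


def read_push_options(env: Mapping[str, str]) -> list:
    """Collect push options exactly as a pre-receive or post-receive hook sees them."""
    count = int(env.get("GIT_PUSH_OPTION_COUNT", "0"))
    return [env[f"GIT_PUSH_OPTION_{i}"] for i in range(count)]


def validate_push_option(option: str) -> Tuple[str, Optional[str]]:
    """Accept only allow-listed keys in the strict key[=value] shape; raise otherwise."""
    m = _SAFE_OPTION.match(option)
    if not m or m.group("key") not in ALLOWED_KEYS:
        raise ValueError(f"rejected push option: {option!r}")
    return m.group("key"), m.group("val")


def is_accepted(option: str) -> bool:
    """Convenience predicate around validate_push_option."""
    try:
        validate_push_option(option)
        return True
    except ValueError:
        return False


def run_vulnerable(option: str) -> str:
    """BUG (deliberate): the option is interpolated into a string executed by /bin/sh."""
    cmd = f"{NOTIFY} notify --option {option}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_hardened(option: str) -> str:
    """Validate first, then pass an argv list so the value is one argument, never parsed."""
    validate_push_option(option)
    argv = [NOTIFY, "notify", "--option", option]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    # Simulated hook environment for: git push -o "ci-skip; echo INJECTED"
    env = {"GIT_PUSH_OPTION_COUNT": "1", "GIT_PUSH_OPTION_0": "ci-skip; echo INJECTED"}
    for opt in read_push_options(env):
        print("vulnerable:", repr(run_vulnerable(opt)))   # second command ran
        try:
            run_hardened(opt)
        except ValueError as e:
            print("hardened:", e)                          # never reached a shell
    print("hardened, benign:", repr(run_hardened("ci-skip")))
```

With the option `ci-skip; echo INJECTED`, the vulnerable path prints `notify --option ci-skip` followed by `INJECTED`, proving the second command executed; the hardened path rejects the option before anything runs, and for a benign `ci-skip` it produces only the intended line. The argv list alone would already stop the shell from splitting on the semicolon; the allow-list is the second layer, so that a value the downstream tool might itself misinterpret never reaches it.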
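For item 4 above (phishing sent through Robinhood's own account creation flow), sender-based filtering is the wrong tool: the mail genuinely comes from the provider, so SPF, DKIM, and DMARC pass. What a mail-security team can check instead is whether the links in the body stay on the sender's domain. The following is an added example, not Robinhood's code: it parses a raw message, extracts URLs from every text part, and flags those whose registrable domain differs from the From: address domain. The two .eml samples are constructed, and the registrable-domain logic is a last-two-labels heuristic that would need the Public Suffix List to handle TLDs such as co.uk correctly.

```python
"""Flag messages whose sender domain is legitimate but whose links point elsewhere.

Added example, not Robinhood's code. When a phish is generated by a provider's
own account flow, sender authentication (SPF, DKIM, DMARC) passes, so the useful
signal is a mismatch between the From: domain and the registrable domain of the
embedded links. The .eml samples are constructed; registrable_domain() is a
last-two-labels heuristic and needs the Public Suffix List for TLDs like co.uk.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed phishing sample: real-looking sender, link to a lookalike host.
PHISH_EML = b"""\
From: Robinhood <noreply@robinhood.com>
To: user@example.net
Subject: Your recent login to Robinhood
Content-Type: text/plain; charset=utf-8

We noticed a login from a new device. If this wasn't you, secure your account:
https://robinhood-security-check.example/verify?u=user%40example.net

Thanks,
Robinhood
"""

# Constructed benign sample: same sender, links stay on the sender's domain.
BENIGN_EML = b"""\
From: Robinhood <noreply@robinhood.com>
To: user@example.net
Subject: Your recent login to Robinhood
Content-Type: text/plain; charset=utf-8

New login from Chrome on Windows. Review devices at https://robinhood.com/account/devices
or read more at https://help.robinhood.com/security
"""

_URL = re.compile(r"https?://[^\s<>\"')\]]+")


def registrable_domain(host: str) -> str:
    """Heuristic eTLD+1: the last two labels of the host name."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_urls(msg) -> list:
    """Collect http(s) URLs from every text/* part, including nested multipart bodies."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            urls.extend(_URL.findall(part.get_content()))
    return urls


def link_domain_mismatches(raw: bytes) -> list:
    """Return URLs whose registrable domain differs from the From: address domain."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    _, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = registrable_domain(addr.rpartition("@")[2])
    flagged = []
    for url in extract_urls(msg):
        host = urlparse(url).hostname or ""
        if registrable_domain(host) != sender_domain:
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for name, sample in (("phish", PHISH_EML), ("benign", BENIGN_EML)):
        print(name, link_domain_mismatches(sample))
```

The phishing sample yields the lookalike verification URL; the benign sample yields nothing, because help.robinhood.com reduces to the same registrable domain as the sender. In production this check belongs alongside, not instead of, authentication results: a passing DMARC verdict plus an off-domain link is exactly the pattern this incident produced.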

Our Threat Operations and Intelligence team compiles a daily digest of the most recent online cybersecurity risks. The 10 stories above were judged the most significant of the week, ranked by highest risk, and compiled from multiple sources where available.

