Cyber News Bytes: What’s Happening in Cybersecurity This Week

This week's latest cybersecurity news and industry updates

Hey friends,

Welcome back to your weekly dose of all things cyber. This week was one of the loudest of the year so far.

ICYMI: I just dropped a new YouTube video answering a question I get asked constantly: is the Security+ still a good certification to get in 2026?

I break down whether it still holds up, who it actually makes sense for, and what your next move should be if you already have it.

Now, let's get into this week’s news headlines!

1. ShinyHunters Hits Instructure Canvas, 275 Million Student and Teacher Records Exposed

This week the fallout from the Canvas data breach went from bad to historic.

ShinyHunters claimed to have stolen more than 275 million records tied to students, teachers, and staff across roughly 9,000 schools, including Harvard, Stanford, UC Berkeley, and the National University of Singapore.

The stolen data is said to include names, email addresses, enrolled courses, and private messages totaling around 3.65 terabytes.

On May 11, parent company Instructure issued an apology for its lack of transparency and stated it had reached an agreement with the threat actor, with unconfirmed reports placing the ransom payment around 10 million dollars.

On May 13, the U.S. House Homeland Security Committee demanded answers from Instructure CEO Steve Daly, with CISA pulled in to support the investigation.

That same day, a proposed class action lawsuit was filed against Instructure in the Southern District of California.

Why it matters: This is one of the largest education sector breaches ever disclosed, and it hit during finals week for millions of students.

If you are a student, parent, or educator, your name, school email, and coursework details may already be circulating on the dark web.

Beyond the immediate identity theft and phishing risk, this is a wake-up call about how much sensitive data ed tech vendors hold and how thin the security wall protecting it actually is.

2. Texas Sues Netflix for Allegedly Spying on Users, Including Kids

On May 11, Texas Attorney General Ken Paxton filed a lawsuit against Netflix alleging the company built a quiet surveillance program targeting Texans, including children, without their knowledge or consent.

The complaint claims Netflix tracked every click, pause, and viewing session, even on kids' profiles, and even for subscribers on ad-free plans.

That behavioral data was allegedly sold to commercial data brokers like Experian and Acxiom, and to ad tech platforms including Google Display and Video 360, The Trade Desk, Yahoo DSP, Amazon DSP, and LiveRamp.

Texas describes Netflix in the filing as "a logging company that records and monetizes billions of behavioral events, and occasionally streams movies."

The suit also accuses Netflix of using "dark patterns" like autoplay to manipulate viewing behavior and keep users glued to the screen.

Netflix denies the allegations, calling the lawsuit "inaccurate and distorted" and saying it complies with privacy laws everywhere it operates.

Why it matters: Netflix has more than 280 million subscribers worldwide, and for years it leaned on a brand promise of "we are not the ad surveillance companies."

If Texas can prove its case, the implications go well beyond one streaming platform.

Every subscription service positioning itself as the privacy-friendly alternative is going to face the same questions, and consumers should start assuming their viewing history is a data product whether they pay for ads or not.

3. Microsoft Ships First Zero-Day-Free Patch Tuesday in 22 Months, Still 137 Bugs to Fix

On May 12, Microsoft released its monthly Patch Tuesday updates, and for the first time since June 2024, none of the vulnerabilities were being actively exploited in the wild or had been publicly disclosed before patching.

That ended a 22-month streak that averaged 3.5 zero days per month.

The good news ends there.

Microsoft still fixed 137 CVEs this month, with 30 rated as Critical severity.

Standouts include CVE-2026-41089, a Netlogon remote code execution flaw rated 9.8 out of 10 that could let an unauthenticated attacker take over a domain controller.

CVE-2026-41096, a Windows DNS Client flaw also rated 9.8, could let attackers run code by sending a malicious DNS response.

Microsoft also patched four critical Word vulnerabilities that can be triggered just by previewing a malicious document, with no clicking required.

Five months into 2026, Microsoft has already patched more than 500 CVEs and is on pace to break 2020's annual record of 1,245.

Why it matters: A zero-day-free month is rare and worth celebrating, but it does not mean the threat level dropped.

It means defenders finally have a window to actually patch without the usual emergency scramble.

If you run Windows at work or at home, push these updates this week, especially on anything tied to domain controllers, DNS, or daily document workflows.

4. Cisco Catalyst SD-WAN Hit With Max Severity Bug, Actively Exploited

On May 14, Cisco disclosed CVE-2026-20182, a critical authentication bypass affecting Cisco Catalyst SD-WAN Controller and Manager with a perfect CVSS score of 10.0.

The flaw lets an unauthenticated remote attacker bypass authentication and gain administrative access to enterprise SD-WAN networks.

CISA added the vulnerability to its Known Exploited Vulnerabilities catalog the same day, with a federal patching deadline of May 17.

Cisco Talos attributed the active exploitation with high confidence to UAT-8616, a sophisticated threat actor that has been targeting Cisco SD-WAN infrastructure since at least 2023.

Researchers reported the attackers are adding SSH keys, modifying NETCONF configurations, and escalating to root privileges on compromised systems.

The flaw was discovered by Rapid7 while researchers were studying an earlier authentication bypass in the same Cisco service.

Why it matters: SD-WAN controllers sit at the heart of enterprise networks, routing traffic between offices, branches, and cloud services.

When attackers own the controller, they effectively own the network, with the ability to reroute traffic, intercept data, and stage further attacks.

If your organization uses Cisco Catalyst SD-WAN, patch today.

This week made one pattern obvious.

The biggest stories all hinged on trust being abused at scale, whether that was a hacker quietly inside an ed tech vendor for hundreds of millions of users, a streaming service allegedly turning every viewer into a data point, a software company shipping patches for flaws that could compromise core identity infrastructure, or a network giant racing to plug a hole attackers were already walking through.

The companies and people who pay attention to vendor risk, patch hygiene, and the fine print of their data deals are going to come out of this much better than the ones who do not.

Stay secure out there!