Here’s your weekly #databreach news roundup:
Vimeo, NVIDIA, Braintrust, Trellix, and Instructure.
Vimeo
Vimeo said hackers from the ShinyHunters cybercrime group stole data from more than 119,000 users after breaking into one of its partner systems in April. The stolen information mainly included email addresses, names, video titles, and technical details, but Vimeo said passwords, payment details, and actual video content were not affected. After the company refused to pay, the hackers leaked 106GB of stolen files online. ShinyHunters is known for attacking many companies by targeting employee login systems and connected cloud apps.
NVIDIA
NVIDIA confirmed that some GeForce NOW user data was exposed due to a cyberattack on GFN.am, a regional partner that manages the service in Armenia and nearby countries. The company said NVIDIA’s own systems were not hacked, and the issue only affected the partner’s infrastructure. Exposed data may include names, email addresses, usernames, phone numbers, and dates of birth, but passwords were not leaked. A hacker using the name ShinyHunters claimed responsibility and tried to sell the stolen database online for $100,000, though reports suggest the attacker may have been an impersonator.
Braintrust
AI startup Braintrust warned customers to replace their API keys after hackers gained unauthorized access to one of its AWS cloud accounts that stored customer secrets. The company said the breach has been contained and there is currently no evidence of a wider attack, but it still advised all customers to rotate their keys as a precaution. Braintrust, which helps companies monitor and manage AI systems, is investigating the cause of the incident. Security experts warned that stolen API keys can allow hackers to access customer systems by pretending to be legitimate users.
Trellix
Cybersecurity company Trellix revealed that hackers gained unauthorized access to part of its source code repository. The company said it quickly started an investigation with forensic experts and informed law enforcement. So far, Trellix has found no signs that the stolen source code was changed, misused, or affected its software release process. The company has not yet shared details about when the attack happened or whether customer data was stolen, but it said more information may be released after the investigation is complete.
Instructure
Education technology company Instructure confirmed that hackers stole user data in a cyberattack, with the ShinyHunters extortion group claiming responsibility. The breach affected users of Canvas, a popular online learning platform used by schools and universities worldwide. Exposed information may include names, email addresses, student IDs, enrolled courses, and private messages between students and teachers, but the company said passwords, financial details, and government IDs were not affected. ShinyHunters claims the attack impacted thousands of schools and hundreds of millions of records, though these numbers have not been independently verified.
