Cramming for finals is bad enough without the platform you use to do your schoolwork suddenly shutting down. Unfortunately for countless students across the US, that’s exactly what they faced on Thursday after Canvas went into “maintenance mode” following a ransomware attack on education tech firm Instructure. Hackers using the name ShinyHunters claimed responsibility for the breach, and experts say the chaos they caused shows how far these actors will go to extort their victims.
Did you know that Google Chrome includes an automatic download of the Gemini Nano AI model? If not, you wouldn’t be alone. People who use Google’s wildly popular browser realized this week that Gemini Nano has been taking up 4 GB of space on their desktops since 2024, sparking annoyance and concerns over privacy. Fortunately, you can disable the AI model—but not without losing some helpful security features. Obviously, you can also just download a different browser for free.
Researchers this week revealed that thousands of vibe coded apps were left exposed on the open internet, revealing sensitive corporate and personal data. The security failings are a reminder: Just because you can vibe code something doesn’t necessarily mean you should.
The Department of Homeland Security subpoenaed Google in an attempt to obtain the location data and account activity of a Canadian man who criticized US immigration enforcement tactics following the killings of Renee Good and Alex Pretti in Minneapolis early this year. The American Civil Liberties Union this week filed a complaint against DHS on behalf of the man, who has not visited the US in more than 10 years.
Scammers, low-level hackers, and other cybercriminals have joined the ranks of humanity yearning to be free of AI slop, according to new research. Meta, meanwhile, is sprucing up its age-verification tech after a study found that kids are tricking online age checks using simple techniques—including one child hero who circumvented online age verification by drawing on a fake mustache. Finally, we detailed Russia’s effort to create a local competitor to Starlink satellite internet service—with all the privacy and security concerns that entails.
And there’s more. Each week, we round up the security and privacy news we didn’t cover in depth ourselves. Click the headlines to read the full stories. And stay safe out there.
Robot Lawn Mower Is a Security Nightmare
Most people hope that the 200-pound robot with blades in their backyard cannot be easily hacked. Unfortunately for the owners of Yarbo, a $5,000 lawn mower robot that can also work as a leaf blower, snowblower, and edger, that was not the case. The Verge reports that a security researcher found numerous vulnerabilities in the lawn bots that could allow hackers to remotely take over the machines (including their camera feeds), as well as extract owners' email addresses, Wi-Fi passwords, and home locations.
After a Yarbo spokesperson told The Verge that the robots' “diagnostic environment is not publicly accessible,” the reporter and researcher demonstrated the security flaws and their potential consequences by nearly running over the reporter with a hijacked robot. The company has since reported that they are developing a fix to at least one of the flaws the researcher identified.
Meta Strips Encryption From Instagram DMs
Mark Zuckerberg’s Meta has pulled support for end-to-end encrypted messages on Instagram, backtracking on its plans to protect people’s privacy by providing messaging the company could not snoop on. The company stopped offering encryption on Instagram on May 8, making it easier than before for the firm to technically access DMs.
After spending years building out the encryption systems needed to secure its chat apps, Meta said in 2023 that it had rolled out default encryption for Messenger. It also said it was introducing an opt-in version for Instagram, which it had planned would eventually become the default setting. However, that day never arrived, with Meta deciding in March this year that not enough people had opted in and that it would remove the option to encrypt Instagram chats. The U-turn has infuriated privacy and security experts who fear the rollback could damage end-to-end encryption efforts around the world.
Trump’s New Counterterrorism Strategy Targets “Antifa,” “Radically Pro-Transgender” Ideology
The Trump administration unveiled a new counterterrorism strategy, which President Donald Trump describes as a “return to common sense and Peace through Strength” in a foreword included in the document. The three biggest types of terror groups, according to the document, are cartels, Islamist terror groups, and “violent left wing extremists,” which the memo says include anarchists and anti-fascists and have ideologies that are “anti-American” and “radically pro-transgender.”
The memo promises, "We will use all the tools constitutionally available to us to map them at home, identify their membership, map their ties to international organizations like Antifa, and use law enforcement tools to cripple them operationally before they can maim or kill the innocent."
Notably, during a congressional hearing last year, the operations director of the FBI's National Security Branch was unable to answer questions about how many people were in “Antifa,” where it was located, or other specifics.
Elite Russian Hacking School Unmasked by Leaked Documents
Russia’s GRU military intelligence agency has launched some of the most brazen and destructive cyberattacks in history. While some of its operatives have been publicly named and hit with international sanctions, a consortium of journalists revealed this week how a special unit inside Bauman Moscow State Technical University, named Department 4, allegedly provides training and a suspected pipeline into GRU units, including those involved in hacking and disinformation.
Documents obtained by the consortium—which includes Le Monde, the Guardian, Der Spiegel, and other outlets—allegedly show how GRU intelligence officers, including those linked to the hacking group known as Fancy Bear, teach at Department 4. Students learn a range of hacking skills and must conduct penetration tests, according to the reporting. Some have graduated and joined both Fancy Bear and the notorious Sandworm group, which has been linked to attacks on Ukraine’s power grid, the Winter Olympics, and the NotPetya malware that caused billions of damage around the world.
Hackers Breached Poland’s Water Utilities, Its Intelligence Agency Says
While Ukraine has, for more than a decade, served as Russia’s number one testing ground for cyberwar techniques, Poland has come to represent its second favorite target. So it’s notable that this week Poland’s domestic intelligence agency, the ABW, warned that hackers infiltrated the networks of water utilities in five Polish towns last year. In some cases, the attackers penetrated deeply enough to access industrial control systems that could have affected the physical operations of those facilities—“a direct risk” to the continuity of the towns’ water supply, according to the ABW.
The report didn’t attribute the breaches to any country’s state-sponsored hackers, but noted more generally that Poland had faced escalating hacking operations “with particular emphasis on the special services of the Russian Federation.” The report also described Russia as carrying out a broader campaign of reconnaissance in preparation for cyber-sabotage operations that appeared to target the Polish military and the country’s critical infrastructure.
Facts Only
Canvas, an education platform, went into maintenance mode on Thursday due to a ransomware attack on Instructure.
The hacking group ShinyHunters claimed responsibility for the breach.
Google Chrome automatically downloaded the Gemini Nano AI model, occupying 4 GB of storage since 2024.
Meta removed end-to-end encryption for Instagram DMs on May 8, reversing previous plans to expand encryption.
Security researchers found vulnerabilities in Yarbo robot lawn mowers, allowing remote hijacking and data extraction.
Poland’s domestic intelligence agency (ABW) reported hackers breached water utilities in five towns, potentially accessing industrial control systems.
Leaked documents revealed Russia’s GRU allegedly trains hackers at Bauman Moscow State Technical University’s Department 4.
The Trump administration’s counterterrorism strategy targets "Antifa" and "radically pro-transgender" ideologies as threats.
The FBI could not provide details on Antifa’s membership or structure during a congressional hearing.
Russia is developing a local competitor to Starlink, raising privacy and security concerns.
The Department of Homeland Security subpoenaed Google for data on a Canadian critic of U.S. immigration enforcement.
Scammers and low-level hackers are increasingly avoiding AI-generated content, according to new research.
Meta is improving age-verification tech after studies showed children bypassing checks with simple methods.
Executive Summary
This week saw a series of cybersecurity and privacy incidents with significant implications. A ransomware attack on Instructure disrupted Canvas, a widely used education platform, affecting students during finals. The hacking group ShinyHunters claimed responsibility, highlighting the growing threat of extortion-driven cyberattacks. Meanwhile, Google Chrome users discovered that the Gemini Nano AI model had been automatically downloaded, consuming 4 GB of storage, raising privacy concerns. Meta reversed its stance on end-to-end encryption for Instagram DMs, removing the option entirely, which has drawn criticism from privacy advocates. Additionally, security researchers exposed vulnerabilities in Yarbo robot lawn mowers, allowing remote hijacking and data extraction. Poland's intelligence agency reported breaches in water utilities, suspected to be part of broader Russian cyber reconnaissance efforts. Other notable events included leaked documents revealing a Russian GRU-linked hacking school and a Trump administration counterterrorism strategy targeting "Antifa" and "radically pro-transgender" ideologies.
The incidents underscore ongoing tensions between privacy, security, and state surveillance, as well as the escalating sophistication of cyber threats. While some vulnerabilities have been acknowledged by affected companies, others—like Meta's encryption rollback—reflect deliberate policy shifts with broader implications for digital rights.
Full Take
The pattern of cybersecurity failures and privacy rollbacks this week reveals a broader tension between technological convenience, corporate control, and state surveillance. The Canvas outage and Yarbo vulnerabilities demonstrate how critical infrastructure—whether educational or physical—remains exposed to both criminal and state-sponsored threats. Meanwhile, Meta’s reversal on Instagram encryption and Google’s opaque AI deployment highlight how corporations prioritize data access over user privacy, often under the guise of security or innovation. The Trump administration’s counterterrorism strategy, framing "Antifa" and transgender advocacy as threats, echoes historical patterns of politicizing security to target ideological opponents, a tactic that risks normalizing state overreach.
The Russian GRU’s alleged hacking school and Poland’s water utility breaches underscore the persistent use of cyber warfare as a tool of geopolitical pressure. These incidents fit a long-standing pattern of hybrid warfare, where digital sabotage precedes or accompanies physical conflict. The DHS subpoena against a Canadian critic further illustrates how surveillance powers, initially justified for counterterrorism, expand to target dissent—even from non-citizens with no direct ties to violence.
**Bridge Questions:**
How might the normalization of corporate data access (e.g., Meta’s encryption rollback) shape public expectations of privacy in the long term?
What safeguards could prevent counterterrorism strategies from being weaponized against political or social movements?
If cyberattacks on critical infrastructure become routine, how should societies balance resilience with the risks of over-militarized digital defenses?
**Patterns detected:** ARC-0024 Ambiguity (vague framing of "Antifa" as a structured threat), ARC-0043 Motte-and-Bailey (privacy vs. security trade-offs presented as binary choices).
**Counterstrike Scan:** If this were a coordinated influence campaign, the playbook would amplify corporate and state overreach while downplaying systemic vulnerabilities. The actual content aligns with this pattern in parts (e.g., Meta’s encryption reversal framed as inevitable), but the inclusion of critical perspectives (e.g., privacy advocates’ pushback) mitigates full alignment. No clear evidence of malicious coordination.
Sentinel — Human
The text exhibits strong signs of human journalistic curation and narrative construction, focusing on synthesizing diverse, high-stakes topics into a coherent, albeit sensational, overview.
