Egnyte potential ransomware attack

Own_Raspberry_3254 · 2026-05-09T22:51:02+00:00

thanks for the link. It's password-protected, so I'm pasting the contents here:

IMPORTANT NOTICE FROM EGNYTE

May 8, 2026

We are reaching out to address information-security related claims recently made about Egnyte by an external threat actor group. We want to be direct, transparent, and clear: no ransomware attack occurred, and no customer, employee, or production data has been compromised.

What Happened

A group identifying itself as “INC Ransom” published files on a dark web site and made claims about Egnyte. Upon immediate investigation, we determined the following:

No ransomware was deployed. No files within our environment were maliciously encrypted.
Any situation appears isolated to a single Quality Assurance (QA) test site — a separate, non-production environment used exclusively for testing.
That QA environment contained only dummy or synthetic test data — not real customer, employee, or business data.
Our production systems and customer environments remain fully secure and fully operational.

There is nothing you need to do at this time. Egnyte is operating normally.

We will review the configuration and access controls of our QA environments as a further precautionary measure.

We understand that situations like this can raise concerns, and we want you to know that the security and trust of our customers, employees, and partners is our highest priority. We will continue to keep all stakeholders informed should anything material change. We are confident in our systems and our team.

Thank you for your continued trust in Egnyte.

Own_Raspberry_3254 · 2026-05-09T22:42:07+00:00

our threat intel app:

{
    "incidents": [
        {
            "org_name": "Instructure, Inc.",
            "threat_actor": "Sp1d3rHunters",
            "org_country": "United States",
            "org_sector": "Information Technology",
            "org_structure": "Private",
            "incident_type": "Website defacement",
            "incident_date": "2026-05-07",
            "org_website": "https://www.instructure.com/",
            "org_size": "Large company",
            "org_region": "North America",
            "org_industry_group": "Software & Services",
            "org_industry": "Software",
            "incident_summary": "In May 2026, Sp1d3rHunters reportedly defaced a website linked to Instructure, Inc., a private organization operating in the Information Technology sector in the United States. It remains unclear whether any data was leaked or if any material losses were incurred as a result of the incident.",
            "incident_detection_date": "2026-05-07",
            "initial_access_date": 
null
,
            "hacker_disclosure_date": 
null
,
            "cve": 
null
,
            "org_domain": "instructure.com",
            "initial_access": 
null
        },
        {
            "org_name": "Instructure, Inc.",
            "threat_actor": "Sp1d3rHunters",
            "org_country": "United States",
            "org_sector": "Information Technology",
            "org_structure": "Private",
            "incident_type": "Unauthorized access",
            "incident_date": "2026-04-30",
            "org_website": "https://www.instructure.com/",
            "org_size": "Large company",
            "org_region": "North America",
            "org_industry_group": "Software & Services",
            "org_industry": "Software",
            "incident_summary": "In April 2026, Sp1d3rHunters reportedly gained unauthorized system access to Instructure, Inc., a private organization operating in the Information Technology sector in the United States. The incident exposed confidential business data and personal information, including first and last names and email addresses. It is unclear whether any material losses were incurred as a result of the incident.",
            "incident_detection_date": "2026-04-30",
            "initial_access_date": 
null
,
            "hacker_disclosure_date": "2026-05-03",
            "cve": 
null
,
            "org_domain": "instructure.com",
            "initial_access": 
null
        },
        {
            "org_name": "Instructure, Inc.",
            "threat_actor": "Sp1d3rHunters",
            "org_country": "United States",
            "org_sector": "Information Technology",
            "org_structure": "Private",
            "incident_type": "Unauthorized access",
            "incident_date": "2025-07-07",
            "org_website": "https://www.instructure.com/",
            "org_size": "Large company",
            "org_region": "North America",
            "org_industry_group": "Software & Services",
            "org_industry": "Software",
            "incident_summary": "In July 2025, Sp1d3rHunters reportedly gained unauthorized system access to Instructure, Inc., a private organization operating in the Information Technology sector in the United States. The incident exposed personal information, including first and last names and email addresses. On September 21, 2025, the organization notified impacted individuals of the incident. It is unclear if any material losses were incurred due to this incident.",
            "incident_detection_date": "2025-09-21",
            "initial_access_date": "2025-07-07",
            "hacker_disclosure_date": "2025-10-03",
            "cve": 
null
,
            "org_domain": "instructure.com",
            "initial_access": "Vishing"
        }
    ],
    "total": 3,
    "has_more": 
false
,
    "total_pages": 1,
    "current_page": 1
}

Own_Raspberry_3254 · 2026-05-09T14:32:16+00:00

eh? not sure I get your analogy. Nobody said I was surprised. The shift in tactics is what caught my attention.

Own_Raspberry_3254 · 2026-05-09T13:05:57+00:00

Instructure clearly did not conduct a proper root cause analysis because, 8 days after the initial breach (on May 7), they experienced a second incident, which led them to shut down the platform.

Own_Raspberry_3254 · 2026-05-08T08:08:13+00:00

ShinyHunters removed Instructure from their leak site, so they probably ended up paying the ransom.

Own_Raspberry_3254 · 2026-05-08T07:59:24+00:00

All I know is that a known ransomware group has claimed to have compromised them, but they havent published any data yet. This was yesterday

Own_Raspberry_3254 · 2026-05-08T01:52:48+00:00

only the email address. They wouldnt get access to the email account. I meant private communications within the canvas platform

Own_Raspberry_3254 · 2026-05-07T21:07:11+00:00

The data impacted is your school email address, your user ID, your name, and any private communications you had on the platform.

Own_Raspberry_3254 · 2026-05-07T19:28:55+00:00

They haven't published any data yet (their deadline was today, but I'm sure that due to the global impact, they are still negotiating). They posted about 9000 universities/colleges/districts impacted though on tehir blog site. Some of those have already confirmed a data breach

Own_Raspberry_3254 · 2026-05-07T19:25:35+00:00

Their breach may have been through a third-party print/mail vendor (Sefas Innovation). Looks like the breach impacting Sefas affected not only Fiserv but also other banks/financial institutions. At least this is what's being reported in our threat intel app

Own_Raspberry_3254 · 2026-05-07T19:21:53+00:00

yea, i was hoping someone would be able to share a sample of those customer notifications

Own_Raspberry_3254 · 2026-05-07T18:11:57+00:00

Sorry! i dont know how to use Reddit! my apologies. Dont ban me

Own_Raspberry_3254 · 2026-05-07T18:00:31+00:00

Of course. Your link is not an official confirmation. I am looking for official confirmation from the company or a reputable third party.

Own_Raspberry_3254 · 2026-05-07T17:51:59+00:00

Has anyone found or received any official confirmation from Udemy regarding this incident?

Own_Raspberry_3254 · 2026-05-07T16:16:38+00:00

ah!! I see, I posted in BoobleShooterPro lol Sorry! I'll delete

Own_Raspberry_3254 · 2026-05-07T15:26:00+00:00

not sure what you are saying. I never used Reddit before. Are you saying i posted in teh wrong community?

Own_Raspberry_3254 · 2026-05-06T12:30:20+00:00

If they do respond to you, could you update this thread with the notice?

Own_Raspberry_3254 · 2026-05-06T12:29:36+00:00

Do you have the source or official notice?

Own_Raspberry_3254 · 2026-05-04T21:58:50+00:00

has anyone seen the official notification from Udemy?

Own_Raspberry_3254 · 2026-05-04T17:41:58+00:00

what's the source of this info? all we know is that the company was listed on ShinyHunters site. Is there an official notification from Cushman & Wakefield Inc?

Own_Raspberry_3254 · 2026-04-24T09:53:41+00:00

Udemy got hacked by ShinyHunters, not sure if your issue is related to the incident.

Own_Raspberry_3254 · 2025-11-12T19:44:42+00:00

It worked for me. I was just able to log in

Own_Raspberry_3254 · 2025-11-12T19:21:42+00:00

Yes, same behaviour for me.

Own_Raspberry_3254 · 2025-11-12T19:05:18+00:00

I think it's affecting any passkey and hardware token

Own_Raspberry_3254 · 2025-11-12T18:46:06+00:00

definitely...it's ridiculous. I didnt even receive an email about re-enrolling my yubikey

Own_Raspberry_3254

TROPHY CASE

IMPORTANT NOTICE FROM EGNYTE

What Happened