A $5,000 robot lawn mower, Meta’s reversal on encrypted Instagram messages, and a ransomware attack on a major education platform headlined a busy week in security and privacy news in May 2026.
Security researchers found multiple vulnerabilities in the Yarbo robot lawn mower — a device that also functions as a leaf blower, snowblower, and edger — that could allow hackers to remotely take control of the machines, access their camera feeds, and extract owners’ email addresses, Wi-Fi passwords, and home locations. After Yarbo initially told The Verge that its “diagnostic environment is not publicly accessible,” a reporter and researcher demonstrated the flaws by nearly running over the reporter with a hijacked robot. Yarbo has since said it is developing a fix for at least one of the identified vulnerabilities.
Meta removed support for end-to-end encrypted direct messages on Instagram on May 8, 2026, reversing course on privacy protections the company had previously committed to expanding. Meta had rolled out default encryption for Messenger in 2023 and introduced an opt-in version for Instagram, with plans to eventually make it the default. In March 2026, the company said too few users had opted in and announced it would remove the option entirely. Privacy and security experts have warned the rollback could damage end-to-end encryption efforts more broadly.
Students across the US faced disruption when Canvas entered “maintenance mode” following a ransomware attack on education technology firm Instructure. A group using the name ShinyHunters claimed responsibility for the breach.
The Department of Homeland Security subpoenaed Google seeking location data and account activity of a Canadian man who had criticized US immigration enforcement. The man has not visited the US in more than 10 years. The ACLU filed a complaint against DHS on his behalf.
Separately, thousands of “vibe coded” apps were found exposed on the open internet, leaking sensitive corporate and personal data, while Google Chrome users discovered the browser had been silently downloading the Gemini Nano AI model — consuming 4 GB of storage since 2024 — without their awareness.
Source: WIRED