Days after confirming one of the largest data breaches in education technology history, Instructure is now facing a second, more aggressive blow: defaced school login pages and a public extortion deadline.
The cybercriminal group ShinyHunters, notorious for high-profile attacks on AT&T, Ticketmaster, ADT, and Vercel, has launched a two-stage assault on Instructure, the company behind the Canvas learning management system (LMS) used by thousands of schools and universities globally.
What began as a large-scale data theft operation has now escalated into a brazen public extortion campaign, with student and staff login portals visibly hijacked to broadcast a ransom demand.
Instructure first disclosed a cyber incident in late April 2026, confirming that a criminal threat actor had compromised its cloud-hosted Canvas environment. The company took services offline, including Canvas Data 2 and Canvas Beta, and brought in outside forensics experts to investigate.
ShinyHunters quickly claimed responsibility, asserting they had exfiltrated approximately 3.65 terabytes of data covering over 275 million students, educators, and staff across nearly 9,000 institutions worldwide.
ShinyHunters Hacks Canvas Again
The stolen data is reported to include student names, email addresses, identification numbers, enrollment details, private messages exchanged between students and teachers, and staff records accessed through Canvas export features and APIs.
High-profile institutions named as victims include MIT, Harvard, Oxford, and the University of Michigan, with 44 Dutch universities also confirmed as affected.
ShinyHunters published a list of 8,809 impacted school districts and universities on its data leak site, with per-institution record counts ranging from tens of thousands to several million. This scale places the incident among the largest education-sector data breaches ever recorded.
This was not ShinyHunters’ first encounter with Instructure. A separate September 2025 breach, executed through social engineering, had already exposed Salesforce data linked to Instructure, a warning sign that went insufficiently addressed. Rather than quietly negotiating in the shadows, ShinyHunters chose maximum visibility for their second attack.
Using what appears to be continued or renewed access to Instructure’s systems, the group modified Canvas login portals for hundreds of educational institutions, defacing both web-based login pages and the Canvas mobile app with a full-screen extortion message.
The message read: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some ‘security patches.’ A WARNING: If any of the schools in the affected list are interested in preventing the release of their data, please contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12, 2026, before everything is leaked.”
The defacement triggered widespread disruption. On May 7, Canvas experienced several hours of downtime, prompting universities, including Harvard and the University of Michigan, to send emergency alerts to students, many of whom were preparing for or taking final examinations.
This second wave carries two critical implications for the cybersecurity community. First, it confirms that ShinyHunters retains meaningful access to components of Instructure’s infrastructure or, at a minimum, to systems that control the behavior of school login pages, despite the “security patches” Instructure claimed to have implemented after the initial breach.
Second, it marks a deliberate tactical shift from covert data exfiltration to public-facing intimidation: the ransom note was displayed directly to students, parents, and faculty attempting to access coursework.
This tactic is increasingly common among sophisticated extortion groups. By bypassing dark web forums and going straight to the end user, threat actors amplify reputational pressure on the vendor, forcing faster compliance or payment. The education sector is an ideal target for this strategy.
Institutions face intense regulatory scrutiny around student data, tight operational deadlines (such as exam periods), and a broad base of technically unsophisticated users who may panic at an on-screen ransom message.
ShinyHunters is a well-documented cybercriminal organization with a history of large-scale data theft and extortion. The group employs a range of initial access techniques, including social engineering, API abuse, and the exploitation of cloud misconfigurations.
It has previously targeted telecom giants, gaming platforms, and financial services firms. Its targeting of an EdTech vendor managing 275 million user records reflects a calculated understanding of where the most valuable, least secured personal data sits in 2026.
Mitigation
For students and families, the following protective measures are strongly advised. Reset all Canvas-linked passwords immediately and avoid reusing them across other platforms.
Enable multi-factor authentication (MFA) wherever available. Malwarebytes research shows that approximately 86% of web application breaches in education begin with compromised credentials. Monitor financial accounts and credit reports as affected children age into financial adulthood, since stolen records remain exploitable for years.
Remain vigilant against personalized phishing attempts that reference real teachers, course names, or school communications, as threat actors commonly weaponize stolen educational data for social engineering.
For school IT and district administrators, this incident underscores the urgent need to audit third-party vendor access, review SSO integrations connected to Canvas, and deploy real-time monitoring tools capable of detecting unauthorized changes to login pages.
Institutions should coordinate directly with Instructure for breach-specific guidance, prepare transparent communications for staff and parents in anticipation of further leaks, and evaluate whether the vendor concentration risk of placing critical student data with a single EdTech provider aligns with their security posture.
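One way to implement the login-page change detection recommended above, shown as an added example that is not from the original article or from Instructure: it fingerprints a page by its external script origins, form targets and visible text, so per-request hidden tokens do not raise false alerts. The sample markup, hosts and function names are constructed assumptions.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class LoginPageParser(HTMLParser):
    """Collects what must change for a login page to be defaced or skimmed."""
    def __init__(self):
        super().__init__()
        self.scripts, self.forms, self.text = set(), set(), []
        self._skip = 0  # depth inside <script>/<style>; their bodies are not visible text
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" and a.get("src"):
            self.scripts.add(urlparse(a["src"]).netloc or "(same-origin)")
        if tag in ("script", "style"):
            self._skip += 1
        elif tag == "form":
            self.forms.add(a.get("action") or "")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(" ".join(data.split()))

def fingerprint(html):
    """Hidden-input values (per-request tokens) are attributes, so they are ignored."""
    p = LoginPageParser()
    p.feed(html)
    p.close()
    digest = hashlib.sha256("\n".join(p.text).encode()).hexdigest()
    return {"scripts": p.scripts, "forms": p.forms, "text_sha256": digest}

def compare(baseline, current):
    """Return alert strings for differences that matter; an empty list means no change."""
    alerts = [f"new script origin: {h}" for h in sorted(current["scripts"] - baseline["scripts"])]
    if current["forms"] != baseline["forms"]:
        alerts.append(f"form action changed: {sorted(current['forms'])}")
    if current["text_sha256"] != baseline["text_sha256"]:
        alerts.append("visible text changed")
    return alerts

# Constructed sample pages (not real Canvas markup); the hosts are placeholders.
PAGE = ('<html><body><h1>Log in</h1><form action="/login" method="post">'
        '<input type="hidden" name="token" value="{tok}"><input name="user"></form>'
        '<script src="/assets/login.js"></script>{extra}</body></html>')
BASELINE = fingerprint(PAGE.format(tok="a1", extra=""))
ROTATED = fingerprint(PAGE.format(tok="b2", extra=""))  # only the token differs
ALTERED = fingerprint(PAGE.format(
    tok="c3", extra='<div>NOTICE</div><script src="https://cdn.example.net/x.js"></script>'))
```

In practice the baseline would be stored out of band and the comparison run on a schedule against the institution's own login URL, with any non-empty result routed to the on-call channel.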
FAQ
Q: What data was stolen in the Instructure Canvas breach?
ShinyHunters claims to have stolen 275 million records, including student names, email addresses, ID numbers, private messages, enrollment details, and staff data from nearly 9,000 institutions.
Q: Is Canvas still down after the ShinyHunters attack?
Canvas experienced several hours of downtime on May 7, 2026, and has since been partially restored, though the platform’s full security posture remains under investigation.
Q: What is the May 12, 2026, deadline ShinyHunters set?
The group gave Instructure and affected schools until the end of the day on May 12, 2026, to privately negotiate a settlement or face the public release of all stolen data.
Q: Who are ShinyHunters, and why do they target education?
ShinyHunters is a sophisticated cybercriminal extortion group known for large-scale data theft targeting AT&T, Ticketmaster, and now Instructure, exploiting cloud misconfigurations and APIs where vast amounts of personal data are stored with insufficient security controls.
Site: thecybrdef.com