ShinyHunters hacks Canvas login portals in mass extortion campaign

Summary
– ShinyHunters defaced Canvas login portals for roughly 330 educational institutions, displaying an extortion message that threatens to leak stolen data unless a ransom is paid by May 12, 2026.
– The defacement lasted about 30 minutes and was allegedly caused by a vulnerability in Instructure’s systems; Instructure has since taken Canvas offline as it responds.
– This attack follows a prior breach where ShinyHunters claimed to have stolen 280 million student and staff records from 8,809 schools using Canvas.
– Instructure confirmed data was stolen in the earlier attack but has not responded to questions about notifying affected students and staff.
– ShinyHunters is a prolific extortion group that targets cloud SaaS environments, often using stolen authentication tokens and vishing attacks to breach companies.

The ShinyHunters extortion gang has struck education technology provider Instructure once again, this time exploiting a vulnerability to deface Canvas login portals across hundreds of colleges and universities.
The defacements, visible for roughly half an hour before being taken offline, displayed a message from ShinyHunters taking credit for the earlier Instructure breach. The group threatened to release stolen data unless a ransom is paid, giving Instructure and affected schools until May 12 to negotiate.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’,” the defacement read. “If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked.”
BleepingComputer has learned that approximately 330 educational institutions had their Canvas login portals defaced, with the extortion message also appearing within the Canvas app itself. The breach reportedly stemmed from a vulnerability in Instructure’s systems that allowed the threat actor to alter login pages. Instructure has since taken Canvas offline as it responds to the latest cyberattack.
Just last week, Instructure disclosed it was investigating a cyberattack after threat actors claimed to have stolen 280 million student and staff records tied to 8,809 schools, universities, and education platforms using its Canvas learning management system. ShinyHunters later told BleepingComputer the stolen data included user records, private messages, enrollment data, and other information allegedly gathered through Canvas data export features and APIs. Instructure confirmed data was stolen but continues its investigation.
BleepingComputer has repeatedly contacted Instructure with questions about the attack, including today’s defacement, and whether it plans to notify students and staff about the breach. Those emails have gone unanswered.
Canvas remains one of the most widely used learning management systems in higher education and K-12 environments, helping schools manage coursework, assignments, grading, and communication.
Who is ShinyHunters?
The name ShinyHunters has been linked to numerous threat actors conducting data breaches since 2018. This year, those using the ShinyHunters moniker have become some of the most prolific groups carrying out data theft and extortion attacks against companies worldwide. They primarily target Salesforce and other cloud SaaS environments, with breaches tied to companies like Google, Cisco, PornHub, and Match Group.
The extortion gang commonly breaches third-party integration firms and uses stolen authentication tokens to access connected SaaS environments and steal customer data. They are also known for voice phishing (vishing) attacks targeting Okta, Microsoft, and Google single sign-on (SSO) accounts, impersonating IT support staff to trick employees into entering credentials and multi-factor authentication (MFA) codes on phishing sites.
As BleepingComputer first reported, the group has recently adopted device code vishing attacks to obtain Microsoft Entra authentication tokens. After stealing credentials and codes, the threat actors hijack SSO accounts to breach connected services such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.
While members of the ShinyHunters gang are responsible for numerous attacks, they also operate as an extortion-as-a-service group, conducting extortion on behalf of other threat actors in exchange for a share of ransom payments. There have been multiple arrests linked to the ShinyHunters name, including suspects connected to the Snowflake data-theft attacks, breaches at PowerSchool, and the operation of the Breached v2 hacking forum. Yet despite these arrests, companies continue receiving extortion emails signed with the message, “We are ShinyHunters.”
(Source: BleepingComputer)




