Canvas login sites hacked in massive ShinyHunters scam

The ShinyHunters gang has breached education technology giant Instructure again, this time using a vulnerability to compromise the Canvas login portals of hundreds of colleges and universities.

The defacement, which was visible for about 30 minutes before being taken offline, featured a message from ShinyHunters claiming responsibility for previous Instructure breaches and threatening to leak the stolen data if the ransom was not paid.

The message warns that Instructure and the schools have until May 12 to contact them to discuss the ransom, otherwise the students’ information will be leaked.

“ShinyHunters broke Instructure (again). Instead of contacting us to fix it they ignored us and made ‘security patches’,” the defacement read.

“If any of the schools on the affected list are interested in preventing the release of their data, please contact an online consulting firm and contact us privately at TOX to negotiate an agreement. You have until the end of the day on May 12 2026 before everything is leaked,” the message continued.

Defaced University of Texas San Antonio Canvas login page

BleepingComputer has learned that threat actors have hijacked Canvas login sites at around 330 educational institutions, replacing the standard login pages with an extortion message. This message also appeared in the Canvas app.

The defacement is suspected to have been caused by a vulnerability in Instructure systems that allowed a threat actor to modify login portals. Instructure has since taken Canvas offline while responding to the latest cyberattack.

Last week, Instructure disclosed that it was investigating a cyberattack after threat actors claimed to have stolen the records of 280 million students and staff from 8,809 schools, universities and educational institutions using its Canvas learning system.

The ShinyHunters gang later told BleepingComputer that the stolen data included user records, private messages, registration data, and other information allegedly collected through Canvas’ data export features and APIs.

The Ministry confirmed that information was stolen during the attack but they are still investigating the incident.

BleepingComputer has repeatedly contacted Instructure with questions about the attacks, including today’s, and whether they plan to notify students and staff about the data breach. However, our emails have so far gone unanswered.

Canvas is one of the most widely used learning management systems in higher education and K-12 environments, helping schools manage coursework, assignments, grading, and communication between students and instructors.

Who is ShinyHunters?

The name ShinyHunters has been associated with many malicious actors who have committed data breaches since 2018.

This year, threat actors using the name ShinyHunters have been among the most active groups conducting data theft and corporate extortion attacks around the world.

Focused primarily on Salesforce and other cloud SaaS environments, the threat actors have been linked to a growing number of breaches involving companies such as Google, Cisco, PornHub, and online dating giant Match Group.

Hackers often breach third-party integration companies and use stolen authentication tokens to access connected SaaS environments and steal customer data.

Threat actors have also been known to launch phishing attacks targeting Okta, Microsoft, and Google single sign-on (SSO) accounts, impersonating IT support staff to trick employees into entering credentials and multi-factor authentication (MFA) codes on phishing sites.

As BleepingComputer first reported, the ShinyHunters team recently adopted a device code attack to obtain Microsoft Entra authentication tokens.

After stealing credentials and authentication codes, threat actors hijack SSO accounts to breach connected business services such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.

While members of the ShinyHunters gang are responsible for many of the attacks, they are also known to operate as a service fraud group, defrauding other threat actors in order to receive a share of the ransom payments.

There have been several arrests linked to the ShinyHunters name, including suspects linked to the Snowflake data theft attack, the PowerSchool breach, and the operation of the Breached v2 hacking forum.

Yet despite these arrests, companies continue to receive phishing emails signed with the message, “We are ShinyHunters.”
