The notorious ShinyHunters hacking group has launched yet another cyberattack on education technology leader Instructure. By exploiting a security flaw, they took control of Canvas login pages across hundreds of colleges and universities, displaying threatening messages.
The unauthorized messages were visible for about half an hour before being removed. In them, ShinyHunters claimed credit for a previous attack on Instructure and demanded payment to prevent stolen data from being made public.
The attackers gave a clear deadline, stating that both Instructure and educational institutions have until May 12 to reach out for ransom discussions, or they will release students’ personal details.
The hijacked pages read: “ShinyHunters has Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’.”
The message continued: “If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked.”
According to BleepingComputer, hackers replaced the login screens of around 330 educational institutions with their ransom demand. It also appeared within the mobile Canvas app.
Sources indicate this attack was made possible due to a weakness in Instructure’s infrastructure that let hackers alter login portals. Instructure has now temporarily shut down Canvas while they address this latest security incident.
Previously, Instructure announced they were looking into a cyberattack after hackers said they had stolen 280 million student and staff records from 8,809 schools and education platforms that use Canvas.
ShinyHunters informed BleepingComputer that taking information included user profiles, private conversations, enrollment details, and other data they said was collected through Canvas data export tools and APIs.
Instructure verified that a data theft occurred, but stated the full scope of the incident is still under investigation.
BleepingComputer has contacted Instructure multiple times for comment on the attack and to ask whether affected students and staff will be notified, but has received no response so far.
Canvas ranks among the most popular learning management systems in higher education and K-12 schools, handling assignments, grading, and communication between students and teachers.
Who is ShinyHunters
The ShinyHunters name has been linked to various cybercriminals who have carried out data breaches since 2018.
In recent months, hackers using this alias have become some of the most active groups stealing data and demanding ransoms from organizations worldwide.
Mostly targeting Salesforce and other cloud-based platforms, they have been connected to breaches at major companies including Google, Cisco, PornHub, and dating site Match Group.
These attackers often break into third-party companies and use stolen login credentials to access connected cloud services and take customer data.
They are also known for using voice phishing techniques to trick employees at Okta, Microsoft, and Google into entering passwords and verification codes on fake websites by pretending to be IT support.
BleepingComputer was the first to report that the group has recently started using device code phishing methods to steal Microsoft Entra access tokens.
Once they obtain login details and security codes, the hackers take over single-sign-on accounts to break into business platforms like Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.
While ShinyHunters members carry out many attacks themselves, they also operate a service where they conduct data extortion for other hackers in exchange for part of the ransom money.
Several people connected to ShinyHunters have been arrested, including suspects involved in the Snowflake data breaches, PowerSchool hacks, and running the Breached v2 hacking forum.
Despite these arrests, businesses still receive extortion emails ending with the signature “We are ShinyHunters.”
AI chained four zero-days into one exploit that bypassed both renderer and OS sandboxes. A wave of new exploits is coming.
At the Autonomous Validation Summit (May 12 & 14), see how autonomous, context-rich validation finds what’s exploitable, proves controls hold, and closes the remediation loop.
Claim Your Spot
