ShinyHunters — the cybercriminal group responsible for major breaches of Ticketmaster, AT&T, Santander, and Snowflake customers — has escalated its attack on Instructure's Canvas, the learning management system (LMS — software that hosts course materials, assignments, grades, and communications for educational institutions) used by more than 30 million students and educators globally. The group defaced school login portals with ransom messages on May 7, 2026, and is threatening to publicly release 275 million stolen records unless Instructure pays a ransom by May 12, 2026. The group claims nearly 9,000 educational institutions across six countries are affected.
What ShinyHunters Has Done
ShinyHunters replaced Canvas login pages at affected institutions with a message claiming it had breached Instructure "again" — a direct reference to a prior security incident — and accusing the company of issuing only "small security patches" in response to previous outreach. The defacement is specifically timed to coincide with end-of-semester finals, when platform availability is critical for millions of students submitting coursework and faculty uploading grades.
According to Malwarebytes reporting and posts on criminal data marketplaces, ShinyHunters claims to have stolen approximately 275 million records linked to students, teachers, and administrators. The ransom message demands payment before May 12, 2026, with the threat of full public dataset release if Instructure does not comply.
Instructure told customers it found no indication that passwords, dates of birth, government identification numbers, or financial information were compromised. The company confirmed that "certain identifying information" was exposed: names, email addresses, student ID numbers, and messages exchanged between users within the Canvas platform.
Canvas was taken offline for significant periods on May 7–8, disrupting academic operations at institutions worldwide.
Exploitation and Threat Landscape
ShinyHunters has not disclosed the initial access method for this Instructure breach. The group's historical playbook combines credential stuffing (using leaked username/password pairs from other breaches to log into accounts at scale), SaaS-level access escalation, and direct database extraction. In the 2024 Snowflake campaign, ShinyHunters obtained credentials through information-stealing malware distributed earlier in the year and used them to access Snowflake customer tenants without exploiting any Snowflake software vulnerability.
CyberScoop reported the group posted on criminal forums claiming it breached Instructure's infrastructure and extracted a database containing student and educator records across the entire cloud-hosted Canvas platform. Instructure has not confirmed the claim's scope or disclosed how initial access was obtained.
This breach is a follow-on to a prior ShinyHunters Instructure incident — the defacement message's "again" language and accusation of inadequate remediation indicate ShinyHunters had prior access and returned after the previous compromise was not fully eradicated.
Who Is Affected
ShinyHunters claims approximately 9,000 educational institutions worldwide have data in the stolen dataset. Countries with confirmed affected institutions as of May 8, 2026 include the United States, United Kingdom, New Zealand, Australia, Sweden, and the Netherlands.
Confirmed impacted major institutions include Harvard University, Duke University, and the University of Pennsylvania. The full scope has not been independently verified as of this writing.
Confirmed exposed data types:
- Student, teacher, and staff names
- Email addresses
- Student ID numbers
- Private messages sent within Canvas between users
Data for which Instructure reports no evidence of compromise: passwords, dates of birth, government identifiers (Social Security numbers, passport numbers), and financial information.
Any user with a Canvas account at an institution that uses Instructure's cloud-hosted platform should assume their name, email, student/staff ID, and Canvas messages are in the stolen dataset until Instructure provides per-institution confirmation otherwise.
What You Should Do Right Now
For IT administrators and institution security teams:
- Contact Instructure immediately for your institution's incident status. Your institution's Instructure account team can confirm whether your organization's data is in the compromised dataset and what Instructure's investigation has found to date.
- Enable multi-factor authentication (MFA — a login method requiring both a password and a second verification factor, such as an authenticator app) for all Canvas accounts now. Although passwords are reportedly not in the stolen dataset, the combination of harvested email addresses and student ID numbers could enable account takeover through password reset flows at institutions that use student ID as a recovery factor.
- Notify affected users via out-of-band channels. Do not use Canvas for breach notification while the platform is disrupted. Use institutional email systems or student portal announcements. Under FERPA (Family Educational Rights and Privacy Act — U.S. law protecting student educational records), and equivalent laws in the UK (GDPR), Australia (Privacy Act), and other jurisdictions, institutions may have breach notification obligations. Engage legal counsel promptly.
- Warn users about phishing. ShinyHunters and associated actors routinely follow data breaches with targeted phishing campaigns using harvested email addresses. Broadcast a warning — via email, SMS, or institutional portals — that students and staff should treat unexpected emails requesting credentials or personal information with elevated suspicion.
- Track the May 12 deadline. Regardless of Instructure's ransom decision, institutions should prepare contingency communications for the possibility that the full 275 million record dataset is released publicly. A public release would enable broad downstream fraud, account takeover attempts, and targeted social engineering of students and faculty.
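The MFA item above notes that harvested email addresses and student IDs could satisfy password-reset checks at some institutions. As an added example (not from the original article or from Instructure), this Python script reviews password-reset events and flags resets verified only by breach-exposed factors, plus sources requesting resets for many accounts. The JSON-lines format, field names, threshold, and sample events are constructed assumptions, not a Canvas log schema.

```python
import json
from collections import defaultdict

# Data types the article lists as exposed; a reset verified only by these
# proves nothing about who is asking.
EXPOSED_FACTORS = {"name", "email", "student_id"}

# Constructed sample events in a hypothetical JSON-lines format (assumption,
# not a real Canvas or identity-provider schema). One line is malformed.
SAMPLE_LOG = """\
{"ts": "2026-05-08T09:01:12Z", "account": "a.rivera", "src": "198.51.100.7", "factors": ["email", "student_id"], "result": "success"}
{"ts": "2026-05-08T09:01:40Z", "account": "b.chen", "src": "198.51.100.7", "factors": ["email", "student_id"], "result": "success"}
{"ts": "2026-05-08T09:02:05Z", "account": "c.okafor", "src": "198.51.100.7", "factors": ["email", "student_id"], "result": "failure"}
{"ts": "2026-05-08T10:15:00Z", "account": "d.novak", "src": "203.0.113.20", "factors": ["email", "totp"], "result": "success"}
not json
{"ts": "2026-05-08T11:30:00Z", "account": "e.silva", "src": "203.0.113.21", "factors": ["student_id"], "result": "success"}
"""

def parse_events(text):
    """Parse JSON-lines reset events, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # tolerate truncated or corrupt log lines
        if isinstance(ev, dict) and {"account", "src", "factors", "result"} <= ev.keys():
            events.append(ev)
    return events

def weak_resets(events):
    """Accounts whose successful reset used only exposed factors (or none)."""
    return [ev["account"] for ev in events
            if ev["result"] == "success" and set(ev["factors"]) <= EXPOSED_FACTORS]

def fanout_sources(events, threshold=3):
    """Sources that attempted resets for at least `threshold` distinct accounts."""
    accounts = defaultdict(set)
    for ev in events:
        accounts[ev["src"]].add(ev["account"])
    return {src: sorted(a) for src, a in accounts.items() if len(a) >= threshold}

if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("Resets verified only by exposed data:", weak_resets(events))
    print("Sources resetting many accounts:", fanout_sources(events))
```

Accounts returned by `weak_resets` are candidates for forced re-verification through a factor that is not in the exposed dataset.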
For students and educators:
- Change passwords on any account that shares credentials with Canvas. Even though Canvas passwords are reportedly not in the stolen set, credential reuse across services remains a significant risk. Use a password manager to generate unique passwords per service.
Background: Understanding the Risk
LMS platforms aggregate contact information for entire student bodies and faculty — tens of thousands of individuals at a large research university — along with private academic communications, assignment submissions, and course content. This makes them high-leverage targets: a single breach can expose the personal data of hundreds of thousands of individuals, create significant operational disruption at a critical academic period, and generate substantial ransom leverage.
ShinyHunters emerged in 2020 and has operated persistently across multiple personas and infrastructure, surviving arrests of individual members. The group demonstrated with the 2024 Snowflake campaign — which affected AT&T, Ticketmaster, Santander, and hundreds of other Snowflake customers from a single SaaS-layer breach — that it specifically targets platforms which aggregate customer data for many downstream organizations, maximizing the blast radius and ransom leverage of a single compromise.
The 275 million record claim, if verified, would represent one of the largest education sector breaches in history. For comparison, the 2023 MOVEit Transfer supply chain attack — which affected government agencies, universities, and healthcare organizations — exposed an estimated 95 million records across all victim organizations combined. The exposure of names, email addresses, and student ID numbers enables targeted phishing, social engineering, and, at some institutions, access to administrative systems that accept student IDs as authentication factors.
The timing — end-of-semester finals — is not coincidental. ShinyHunters maximized institutional pressure by disrupting a platform that students and faculty depend on for grade submissions, final exams, and course access, increasing the urgency of ransom payment.
Conclusion
ShinyHunters' Canvas breach has escalated from a data theft claim to active platform disruption, login-page defacement across thousands of institutions, and a May 12 ransom deadline. Institutions should activate incident response procedures immediately, notify affected populations through out-of-band channels, and prepare for public dataset release regardless of Instructure's ransom decision.

