ShinyHunters Defaces 330 Canvas Portals in Instructure Extortion Escalation

The ShinyHunters criminal extortion group escalated its campaign against educational technology giant Instructure on May 7, 2026, defacing Canvas learning management system login portals at approximately 330 colleges and universities. The defacement — which replaced standard Canvas login pages with a ransom demand for roughly 30 minutes before removal — is the latest escalation in an extortion operation tied to a claimed breach of 275 million student, faculty, and staff records, and sets a May 12, 2026 deadline for institutions to pay or face public data release.

What Happened: Timeline

May 3, 2026: ShinyHunters publicly claimed responsibility for a breach of Instructure, the company behind Canvas — an LMS (Learning Management System) used by approximately 9,000 educational institutions worldwide, from community colleges to Ivy League universities. The group alleged it had stolen roughly 275 million records containing PII (Personally Identifiable Information — names, email addresses, student ID numbers, private messages, and course enrollment data) gathered through Canvas data export APIs.

May 7, 2026: ShinyHunters exploited what BleepingComputer reports as a separate vulnerability in Instructure's systems — distinct from the one used in the initial breach — to modify Canvas login portals across approximately 330 institutions. The defacement was visible for approximately 30 minutes before Instructure took Canvas offline and began incident response.

Confirmed affected institutions include the University of Pennsylvania (Penn), Harvard University, and multiple North Carolina state university system campuses, among hundreds of others.

The Extortion Message

The text displayed on defaced Canvas portals read:

> "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches'… If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked."

The phrase "breached Instructure (again)" directly references the prior breach and frames the defacement as a consequence of Instructure's failure to engage with the group's initial extortion demand. The reference to "some 'security patches'" indicates that ShinyHunters retained sufficient access to Instructure's environment to evaluate the remediation attempts — a serious signal that the initial compromise was not fully contained.

The May 12, 2026 deadline means affected institutions and students have approximately four days from the defacement date before — if ShinyHunters follows through — the dataset is published on criminal forums or distributed to journalists.

Data at Risk

The 275 million records ShinyHunters claims to possess from the initial breach include:

• Student, faculty, and staff PII: names and institutional email addresses
• Student ID numbers: government-adjacent identifiers used for financial aid and official records
• Private messages: direct messages exchanged between users within the Canvas platform
• Course enrollment data: which students are enrolled in which courses, with timestamps
• Other data extracted through Canvas APIs: potentially including submission content, grade data, and institutional configuration details

The exposure of private messages is particularly sensitive. Canvas is used for academic advising, disability services communications, and institutional medical communications in some deployments — categories of information with significant privacy implications beyond standard breach notification requirements.

Instructure's Response

Instructure took Canvas offline during the incident response window following the defacement. As of May 8, 2026, the company has not publicly confirmed:

• The specific vulnerability used in the portal defacement
• The scope of data actually exfiltrated
• When breach notifications will be issued to affected students and staff
• Whether the group's claim of 275 million records is accurate

Instructure has not responded to repeated media inquiries from BleepingComputer, TechCrunch, or The Harvard Crimson.

Who ShinyHunters Is

ShinyHunters is a financially motivated criminal group with a documented history of large-scale data theft and extortion. Their confirmed prior breaches include:

• AT&T: 70 million records (2024)
• Ticketmaster: 560 million records (2024), sold on BreachForums
• Santander Bank: customer and employee data (2024)
• ADT and Medtronic: breached in early 2026

The group's operational pattern is consistent: breach a large platform, extract data via APIs or credentials, demand payment, and publish or sell the data if payment is not received. The portal defacement tactic is a calculated escalation that demonstrates continued access and creates maximum institutional reputational pressure without yet releasing the underlying data.

Who Is Affected

The 330 institutions whose Canvas portals were visibly defaced are confirmed to be within ShinyHunters' operational scope. However, Canvas serves approximately 9,000 institutions globally, and if the 275-million-record claim is accurate, the affected population extends well beyond the 330 institutions whose portals were modified.

Students, faculty, and staff at all Canvas-using institutions should assume their data may have been included in the exfiltrated dataset, even if their institution's login page was not visibly altered. The breach allegedly harvested data through Canvas data export APIs, which means any user whose institution was connected to Instructure's platform during the data collection window is potentially affected.

What You Should Do Right Now

• Institutions: act now on notification, independent of Instructure. Do not wait for Instructure to confirm breach scope before notifying affected students and staff. Under FERPA (Family Educational Rights and Privacy Act) and applicable state breach notification laws, timely user notification may be legally required independently of the vendor's disclosure timeline.

• Students and staff: monitor for targeted phishing. Stolen Canvas data includes institutional email addresses tied to real enrollment records. Expect highly targeted phishing attempts that reference real course names, professors, or institutional details to add credibility.

• Change all Canvas-reused passwords. If you used the same password for Canvas as for any other service — personal email, banking, government portals — change those passwords now and enable multi-factor authentication where available.

• Consider a fraud alert or credit freeze. If student ID numbers and full names are confirmed in the breach, individuals should place a fraud alert with Equifax, Experian, and TransUnion to prevent new-account identity fraud.

• IT and security teams: audit Canvas API access logs. Review API token issuance and data export activity in your Canvas admin console for the 30 days prior to May 3, 2026. Look for API calls to bulk export endpoints originating from unfamiliar IP addresses or service accounts.

• Track the May 12 deadline. Monitor Have I Been Pwned and similar services for notification when and if the dataset is published. Establish an institutional response plan for the scenario where publication occurs.

Background: Understanding the Risk

The Instructure/Canvas breach follows a now-familiar pattern of attacks against large educational technology vendors that serve as consolidated repositories of student data. A single breach of a platform serving 9,000 institutions is structurally more damaging than attacking individual institutions because the data is centralized — and a platform-level compromise bypasses the security controls that individual institutions might otherwise deploy.

ShinyHunters has previously demonstrated expertise in exploiting API-level access to exfiltrate datasets at scale from cloud-hosted SaaS platforms — as with the Snowflake customer data theft campaign in 2024, which affected Ticketmaster, Santander, and dozens of other Snowflake customers. The Canvas breach mechanism — alleged exploitation of data export APIs — is consistent with this approach. APIs designed for legitimate bulk data export are inherently high-risk if access controls fail or credentials are compromised, because they provide exactly the same capability to an attacker that they provide to a legitimate administrator.

The defacement technique borrows from hacktivist playbooks but is deployed here for financial extortion. It is a calculated pressure tactic: unlike data dumps on dark web forums, a defacement of student-facing educational systems generates immediate mainstream media coverage, institutional panic, and regulatory attention — all of which increase pressure to pay.

The "again" in the defacement message is operationally significant. It communicates to institutions and Instructure that ShinyHunters maintained or re-established access after the initial breach and Instructure's remediation attempts. This should be treated as a signal that the full scope of compromise has not yet been identified or contained.

Conclusion

ShinyHunters has defaced Canvas login portals at approximately 330 educational institutions as an escalation of its Instructure extortion campaign, with a May 12, 2026 deadline for payment before the alleged release of 275 million records. Affected institutions should issue user notifications now, rotate credentials, audit Canvas API access logs, and monitor the deadline — without waiting for Instructure's own disclosure timeline. Students and staff should assume their data is compromised and take immediate protective steps.