ShinyHunters Hits Instructure Canvas Again: 9,000 Schools Face May 12 Data Leak Deadline

ShinyHunters, the prolific cybercrime group behind breaches at AT&T, Ticketmaster, and dozens of other major organizations, defaced Canvas LMS (Learning Management System — software used by schools and universities to deliver coursework, manage grades, and host student communications) login pages on May 7, 2026, claiming a second breach of Instructure, the company that develops and operates Canvas. The group has set a ransom deadline of May 12, 2026 — three days from publication — threatening to publicly release data covering an estimated 275 million students and teachers across approximately 9,000 schools worldwide. Instructure has confirmed an ongoing cybersecurity incident involving user names, email addresses, student ID numbers, and internal messages.

ShinyHunters Instructure Canvas Breach: What Happened

The May 7 defacement is framed by ShinyHunters as a direct response to Instructure's handling of the initial breach. "ShinyHunters has breached Instructure (again)," the message read on affected Canvas dashboards. "Instead of contacting us to resolve it they ignored us and did some 'security patches.'" The attackers assert that Instructure's remediation was insufficient and that they retained or re-established access sufficient to exfiltrate a second dataset and deface the platform.

TechCrunch confirmed the defacement on May 7 and reported that the extortion message instructed affected schools and Instructure to consult with a "cyber advisory firm" and contact the hackers to negotiate a settlement before the deadline.

The Wikipedia article on the 2026 Canvas security incident documents the initial breach's claimed scope: 275 million records comprising names, email addresses, student ID numbers, and messages exchanged between users within Canvas. Instructure disclosed it found "no indication" that passwords, dates of birth, government identifiers (such as Social Security numbers), or financial information were accessed in either incident.

Instructure has not publicly confirmed the attack vector for either breach. The scale of data claimed — 275 million records — suggests the initial compromise involved a privileged administrative credential, API token, or misconfigured access control with broad data scope, rather than exploitation of a specific user-facing vulnerability.

Exploitation Status and Threat Landscape

ShinyHunters — tracked by some researchers as UNC2727 and associated with the broader ecosystem that includes Scattered Spider — is a financially motivated extortion group with a documented methodology of targeting large-scale SaaS (Software as a Service) platforms and data aggregators. Their 2024 campaign against Snowflake customer environments compromised AT&T, Ticketmaster, LendingTree, and dozens of others by leveraging stolen or purchased credentials rather than novel technical exploits.

There is no publicly confirmed PoC (Proof-of-Concept) code associated with this breach. The attack is data-exfiltration and extortion, not a software vulnerability that end-user institutions can patch. The risk to individual schools is downstream: phishing, credential stuffing, and social engineering using the exposed PII (Personally Identifiable Information — data that can identify a specific individual, including names, email addresses, and ID numbers).

The "second attack" framing is tactically significant. It signals that ShinyHunters maintained or recovered access after Instructure's remediation attempt, demonstrating operational persistence — a capability they are explicitly advertising to maximize negotiating leverage before the May 12 deadline.

Who Is Affected

Approximately 9,000 schools across at least six countries are implicated:

  • United States: Harvard, MIT, UC Berkeley, Penn, Duke, University of Oklahoma, and thousands more K-12 and higher-education institutions
  • United Kingdom: Oxford and others
  • New Zealand
  • Australia
  • Sweden
  • Netherlands

Reporting from individual institution newspapers documents the scale at specific schools: UC Berkeley reportedly has 600,000 student and staff records at risk; Penn has over 300,000 affected users. TechRadar confirmed that MIT, Oxford, and other top-tier research universities are among those named by the attackers.

The confirmed data types exposed — names, email addresses, student ID numbers, and Canvas messages — do not include passwords, financial records, or government identifiers per Instructure's disclosure. However, this class of PII is sufficient for:

  • Targeted spear-phishing campaigns impersonating Canvas or the victim's institution
  • Credential stuffing attacks against other services where the victim reused passwords
  • Social engineering attacks against students, parents, or institution IT staff

What You Should Do Right Now

  • Prepare for a phishing surge before and after May 12. If ShinyHunters releases data, it will be weaponized for credential phishing within 24–72 hours. Alert security operations teams now to watch for phishing themes impersonating Canvas, Instructure, or the institution's IT helpdesk.
  • Force a Canvas password reset for all users as a precautionary measure. Even though passwords were not confirmed stolen, exposed email addresses are sufficient to launch credential-stuffing attacks against Canvas accounts that share passwords with other services.
  • Verify or enforce MFA (Multi-Factor Authentication — a login control requiring a second verification step beyond a password) on Canvas and all SSO (Single Sign-On) portals federated to it. MFA prevents attackers who obtain passwords from achieving account access.
  • Notify affected users under applicable law. In the US, FERPA (Family Educational Rights and Privacy Act) governs student educational record disclosures; individual state breach notification laws may impose additional 30–72 hour notification requirements. EU institutions may face GDPR (General Data Protection Regulation) reporting obligations. Legal counsel should assess notification timelines now — before May 12.
  • Prepare incident communications for students, parents, and faculty. Clearly state what data was exposed, what it was not, what the institution is doing, and what users should do (reset passwords on any service sharing their Canvas email address, watch for phishing).
  • Contact Instructure directly to obtain institution-specific scope data. Instructure's security status page and their incident response team can clarify which data sets from your institution were included in the breach.
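
For the first item above (watching for phishing themed on Canvas, Instructure, or the IT helpdesk), a mail-triage check is one way to put the watch into practice. This is an added example, not code from Instructure or any institution; the allow-list, the `university.example` domain, the reason labels, and the sample messages are all assumptions constructed for illustration.

```python
import re
from email.utils import parseaddr

# Assumption: this site's allow-list of legitimate Canvas senders (hypothetical).
TRUSTED = {"instructure.com", "university.example"}
# Themes named in the checklist: Canvas, Instructure, the IT helpdesk.
BRAND = re.compile(r"canvas|instructure|help\s?desk", re.I)
LURE = re.compile(r"password|verify|suspend|breach|action required", re.I)


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def triage(from_header, subject):
    """Return reasons a message looks like Canvas-themed phishing ([] if none)."""
    # Assumes SPF/DKIM/DMARC is enforced upstream, so From is not forged outright.
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED):
        return []
    reasons = []
    if BRAND.search(display) or BRAND.search(subject):
        reasons.append("brand-theme-from-untrusted-domain")
    if "canvas" in domain or "instructure" in domain:
        reasons.append("brand-in-sender-domain")
    if any(0 < edit_distance(domain, t) <= 2 for t in TRUSTED):
        reasons.append("lookalike-domain")
    if reasons and LURE.search(subject):
        reasons.append("credential-lure-wording")
    return reasons


SAMPLES = [  # constructed messages, not real traffic
    ('"Canvas Notifications" <notifications@instructure.com>', "New assignment posted"),
    ('"Canvas Support" <alerts@instructure-support.example>', "Action required: verify your Canvas password"),
    ('"IT Helpdesk" <helpdesk@universlty.example>', "Password reset required after breach"),
    ('"Alice" <alice@mail.example>', "Lunch on Friday?"),
]

if __name__ == "__main__":
    for sender, subject in SAMPLES:
        print(triage(sender, subject) or "ok", "|", sender)
```

The trust decision rests on the From domain alone, so the check belongs behind a gateway that already rejects mail failing sender authentication.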

Background: Understanding the Risk

Instructure's situation illustrates a well-documented pattern in large-scale SaaS breaches: the first breach sets the extortion clock, and how the victim responds determines whether there is a second. ShinyHunters' public statement that Instructure "ignored" them and applied patches without negotiating is consistent with the group's documented behavior in prior campaigns — they treat non-engagement as justification for escalation.

Educational platforms represent high-value targets for this class of attack. Canvas aggregates identity, communication, and academic records from millions of users in a single platform, making a single compromise of Instructure's infrastructure exceptionally high-yield. Security budgets at educational institutions are typically far below those at financial services or healthcare organizations, and access control policies are often more permissive to accommodate the open academic environment.

The 275 million record claim, if accurate, would rank the Instructure breach among the largest education sector data incidents on record, comparable in scale to the 2023 MOVEit transfer breach that affected millions of students through the National Student Clearinghouse. Unlike the MOVEit breach, which involved a known CVE, the technical method here has not been disclosed by ShinyHunters — leaving Instructure and the research community to reverse-engineer the attack from artifacts.

Malwarebytes' analysis notes that the exposed message content — direct messages between students and teachers — could be used for targeted social engineering well beyond simple credential phishing, including attempts to impersonate teachers or administrators in follow-on attacks.

Conclusion

With three days until ShinyHunters' May 12 deadline, educational institutions using Canvas should treat this as an active, time-sensitive incident regardless of whether they have been individually contacted. The most urgent actions are MFA verification and phishing-preparedness — two defensive measures that reduce harm regardless of whether Instructure negotiates a settlement or the data is publicly released.
