NEWS
ShinyHunters Defaces Canvas Login Pages, Sets May 12 Leak Deadline
Just before 4 p.m. Eastern on Thursday, students at Harvard, Princeton, Columbia and Georgetown opened their Canvas dashboards and saw the same thing: a black screen, a winking emoji, and a ransom note signed ShinyHunters. “Rooting your systems since ’19,” it read. Instructure had been breached again.
The defacement landed during finals week. By 4:30 p.m., Instructure’s status page showed Canvas, Canvas Beta and Canvas Test all in maintenance mode. By 9:17 p.m. Mountain Time, the company said the platform was “available for most users.” The crew behind the takedown gave Instructure and every affected school until end of day on May 12, 2026, to pay or watch 3.65 terabytes of student data go public.
The Second Hit In Eight Months Is The Story
One breach is bad luck. Two breaches against the same vendor by the same group, using a near-identical extortion script, is a pattern. Instructure was first compromised by ShinyHunters in September 2025 as part of the wider Google Threat Intelligence Group analysis of ShinyHunters-branded SaaS data theft, which traced the original campaign to vishing calls that tricked staff into approving a malicious Salesforce Data Loader app.
This time the attacker says it wanted Instructure to talk and Instructure didn’t. The defacement note read, in part: “Instead of contacting us to resolve it they ignored us and did some ‘security patches.'” The line is a direct shot at the vendor’s response posture. It’s also the part edtech procurement teams will remember when Canvas contracts come up for renewal next quarter.
Instructure CISO Steve Proud said in the company’s May 1 disclosure that outside forensics experts had been engaged and the incident was being investigated. By May 6, the company said the matter was “contained.” Less than 24 hours later, ShinyHunters defaced login portals at thousands of schools.

What ShinyHunters Says It Took
The numbers are what make this a top-three education breach of the decade.
- 275 million records of students, teachers and staff, according to the group’s leak-site posting.
- 3.65 terabytes of data exfiltrated from Instructure’s environment.
- 8,809 schools and districts named on the affected list, spanning K-12 and higher education.
- 41% of North American higher-education institutions use Canvas to deliver coursework, putting Instructure among the most concentrated single points of failure in U.S. edtech.
Instructure’s own disclosure narrows the data set. The company says names, institutional email addresses, student ID numbers and Canvas inbox messages were taken. Passwords, dates of birth, government identifiers and financial fields are, so far, not in the dump. That is meaningful but it is not protective. Names plus .edu addresses plus inbox content is enough to build the most convincing phishing run of any student’s life.
The Schools Already Named
The Harvard Crimson reporting on the Canvas outage at Harvard confirmed that university IT spokesperson Tim Bailey acknowledged the incident and said HUIT was “actively investigating.” Harvard appeared on the leaked list. So did Stanford, MIT, Yale, Princeton, Columbia, Penn State, Duke, Georgetown, Oxford and the University of California system.
At Penn, the Daily Pennsylvanian’s count of Penn users affected reached 306,000. UC Berkeley’s student paper put its number at roughly 600,000 records. K-12 districts on the list include Clark County in Las Vegas, Broward County, Houston ISD and Charlotte-Mecklenburg, plus the entire North Carolina public school system.
How The Attack Chain Actually Worked
This isn’t a Canvas zero-day. The whole ShinyHunters operation is social engineering plus OAuth abuse, and Mandiant has documented every step.
- The phone call. A caller posing as IT support reaches a finance, support or admin employee at the target. English-speaking branches of multinational customers are the preferred targets.
- The fake app. The victim is walked through approving a connected app that looks like a legitimate Salesforce or LMS data loader. The OAuth Device Flow generates an 8-character code; the caller reads it out and the employee enters it.
- The token. Once approved, the attacker’s instance gets an access token that mirrors the employee’s permissions. Subsequent reads look like that employee’s traffic.
- The slow drain. Data is pulled in small chunks over hours or days, often via TOR exit nodes hosted in the Netherlands or Poland.
- The wait. Months can pass between exfiltration and extortion. Then a 72-hour deadline lands in the inbox of a victim CISO.
That last step is what makes ShinyHunters distinctive. Most ransom crews lock systems first and demand fast. ShinyHunters works on patience. The extortion email arrives months after the data is gone, and by then nobody can revoke the access that was approved during the call.
Why Finals Week Was Not An Accident
The defacement timing is leverage. Canvas hosts grade books, exam submissions, assignment timelines and instructor messaging at University of California system schools and thousands of other institutions running their finals window. Faculty across multiple campuses reported being unable to enter grades on Thursday afternoon. Some schools shifted exam deadlines on the fly.
That is not a coincidence. Hitting an LMS during finals raises the cost of “don’t pay” for every administrator on the affected list, because the operational damage compounds the data damage. Brett Callow, threat analyst at Emsisoft, has described ShinyHunters as a loose collective of teenagers and young adults in the U.S. and U.K. They time leverage well. They also lie when it suits them.
“Make the right decision, don’t be the next headline.”
That message, sent by ShinyHunters to school negotiators according to TechCrunch’s coverage of the defaced login pages, is a direct reference to what happened to Harvard and Penn in 2025. Both institutions were hit, both refused to pay, and more than 1 million alumni and development records leaked anyway. The crew is using its own track record as a sales pitch.
First Breach Versus Second Breach
The two Instructure incidents look almost identical on the surface. They are not. The differences explain why the second one is more dangerous for the company.
| Attribute | September 2025 Breach | May 2026 Breach |
|---|---|---|
| Initial vector | Vishing into Salesforce Data Loader | Vulnerability exploited; Canvas Data 2 and Beta shut down |
| Disclosed scope | Subset of CRM-style records | 275 million users, 9,000 schools, 3.65 TB |
| Public attribution | Bundled into wider Salesforce campaign | Standalone Instructure listing on dark-web leak site |
| Negotiation status | Instructure declined to engage | Active extortion, May 12 deadline |
| Operational impact | Limited customer-facing disruption | Canvas downtime during finals week |
The escalation matters. ShinyHunters isn’t just running the same play twice; it has moved from harvesting CRM data quietly to defacing customer-facing portals loudly. That is a tactic borrowed from Scattered Spider, the affiliated crew named in SOCRadar’s threat profile of the Instructure breach.
What Instructure Has Actually Said
The company’s public timeline is short and clinical.
- April 30, 2026: Canvas tooling begins to show disruption.
- May 1, 2026: Instructure confirms a criminal cybersecurity incident.
- May 6, 2026, 15:15 MDT: Status page declares the incident “contained” and Canvas “fully operational,” with a recommendation that customers enforce MFA on privileged accounts and rotate API tokens.
- May 7, 2026, 17:37 MDT: Canvas, Canvas Beta and Canvas Test placed back into maintenance mode after defacement appears.
- May 7, 2026, 21:17 MDT: Canvas declared available for most users.
Notice what’s missing. The status page says nothing about how long ShinyHunters had access, when exfiltration ended, or whether the May 6 “contained” statement was based on telemetry or assumption. Customers are being told to rotate API tokens. That instruction implies the company believes integration credentials may have been exposed and never says so directly.
What Schools And Students Should Actually Do
The first 72 hours after a breach like this are when phishing volume against the affected population spikes. Students get fake “reset your Canvas password” emails. Faculty get fake “verify your account” prompts that look identical to the real ones. The stolen inbox content lets attackers reference real assignments, real instructor names and real course numbers, which makes the lure roughly an order of magnitude more convincing than a generic edu-themed phish.
Treat any unsolicited message that mentions Canvas, Instructure or your school’s IT department as suspicious until you verify it through a known-good channel. Don’t click password-reset links from email; navigate directly to your school’s SSO portal and reset there. If you reused your Canvas inbox password anywhere else, change those other accounts now.
Schools that maintain their own threat intelligence should also watch for credential-stuffing waves over the next 30 to 60 days. Even though Instructure says no passwords were exposed in the platform breach, the .edu address lists pair with leaked credentials from older breaches to feed automated login attempts at financial aid portals, library proxies and university single sign-on. We covered a similar downstream pattern after the DAEMON Tools installer backdoor that planted persistence on PCs across more than 100 countries, where the leaked email lists fueled secondary phishing for months.
The Vendor-Risk Question Boards Will Ask Next
Higher-ed CISOs are about to face a board-level question they have spent two years deferring: should one vendor host coursework, messaging and grade data for tens of millions of students at the same time? Canvas’s market position made it the default. The market position also made it the highest-value target in the segment.
Instructure’s revenue base, roughly $530 million in fiscal 2023 with low double-digit growth, is built almost entirely on multi-year institutional contracts. Procurement officers don’t switch LMS providers casually because the migration cost is enormous. That gives Instructure pricing power and it also gives the company time to absorb a reputational hit. The question is whether boards now demand contractual security warranties with real teeth: SLA-backed breach notification timelines, third-party penetration testing reports shared annually, and indemnification language for downstream phishing damage.
The Five Eyes intelligence alliance issued joint guidance earlier this year warning that the rapid rollout of agentic AI and connected SaaS systems has outpaced organizational defenses. That guidance reads differently after Canvas. Instructure was not breached because of an exotic AI exploit. It was breached because somebody got tricked on the phone, and then it was breached again because the patch didn’t address the human layer that allowed the first breach. The same general failure mode appears across SaaS providers and even in OS-level vulnerabilities like the FreeBSD dhclient bug that hands root to anyone on a Wi-Fi network: the technical layer is fixable, the operational layer is the problem.
If schools pay, the May 12 deadline passes quietly and the data stays off the leak site. If enough don’t pay, ShinyHunters publishes, downstream phishing rolls for months, and Instructure spends the rest of 2026 negotiating notification settlements with attorneys general in every state where a Canvas customer operates.
Frequently Asked Questions
Is My Canvas Password Compromised?
No, based on Instructure’s current disclosure. The company says passwords, dates of birth, government identifiers and financial information were not part of the stolen dataset. What was taken: your name, institutional email, student ID number and the contents of Canvas inbox messages. Change your password anyway if you reused it on other accounts, and turn on multi-factor authentication through your school’s SSO portal today.
How Do I Tell If My School Is On The Affected List?
Check your school’s IT or information security webpage directly, not links sent by email. Most affected institutions including Harvard, Penn, Duke, UC Berkeley, Stanford, MIT, the UC system, Rutgers and the entire North Carolina public school system have posted official advisories. If your institution uses Canvas and has not posted a statement, contact your IT helpdesk by phone using a number listed on the school’s main website.
What Should I Do If I Get A Suspicious Canvas Email?
Do not click links. Forward the email to your school’s abuse or phishing reporting address (usually phishing@yourschool.edu or reportphish@yourschool.edu) and delete it. Real Canvas password-reset flows always start at your school’s single sign-on page, never at a Canvas-branded link inside an email. If a message references a real assignment or instructor, that is not proof it is real, because the attackers stole inbox content.
Will Schools Pay The Ransom?
Most won’t and most can’t legally. Federal guidance from CISA and the FBI consistently advises against paying, and many state laws now restrict public institutions from using public funds for ransom. Harvard and Penn refused in 2025 and saw alumni records leaked anyway. Expect a small number of K-12 districts with cyber-insurance coverage to negotiate quietly while flagship universities decline publicly.
Are My Old Canvas Messages Really Leaked?
If your school is on the affected list and the May 12 deadline passes without a settlement, yes. ShinyHunters has explicitly threatened to publish “several billions of private messages” between students and teachers. Treat anything you sent over Canvas inbox as potentially public starting May 12, 2026, and assume that information may surface in targeted social-engineering attempts later this year.
Can I Sue Instructure?
Class actions are almost certain and several plaintiffs’ firms began soliciting affected users within 48 hours of the May 1 disclosure. Standing and damages will turn on whether identity-theft monitoring is offered and whether downstream harms can be linked to this specific breach. If you receive a notification letter from your school or Instructure, save it; the document is the evidentiary anchor for any future claim and usually includes a deadline for opting into a settlement class.
The May 12 deadline lands on a Tuesday, the day Instructure’s communications team usually pushes routine updates. Whatever the company posts that morning will be the most carefully lawyered paragraph in edtech this year. Schools, students and the people who trusted Canvas with their messages will be reading every word for what isn’t in it.
Disclaimer: This article describes a publicly disclosed cybersecurity incident and general guidance for users of an affected platform. The information is for general awareness only and does not replace formal incident response procedures, institutional advisories, or legal advice. Affected users should follow guidance issued by their own school’s information security office and consult a licensed professional for personal legal or financial questions. All facts and figures cited reflect publicly available reporting and primary statements as of May 8, 2026, and may change as the investigation continues.
-
GAMING4 weeks agoMicrosoft Xbox Layoffs Start in July as Sharma Slams 3% Margin
-
NEWS1 month agoGoogle Search Profiles Build a Follow Graph Inside Discover
-
AI2 weeks agoGoogle DeepMind and A24 Sign $75 Million AI Partnership Deal
-
APPS4 weeks agoDGO App Brings Rs 549 Mobile Pass for FIFA World Cup 2026 in Nepal
-
AI2 weeks agoOracle Cuts 21,000 Jobs in a Year, Cites AI in 10-K Filing
-
NEWS1 month agoOppo’s ColorOS 17 Eligibility List Leaves A-Series Buyers Behind
-
AI2 weeks agoAnthropic Tells Senators Alibaba Ran the Largest Claude Distillation Attack
-
NEWS2 months agoApple Strikes Preliminary Deal For Intel To Make iPhone And Mac Chips
