Canvas login portals hacked in mass ShinyHunters extortion campaign

Source: Bleeping Computer

Incident Overview

The ShinyHunters extortion gang breached education‑technology giant Instructure again, exploiting a vulnerability to deface Canvas login portals for hundreds of colleges and universities. The defacements were visible for roughly 30 minutes before being taken offline. The displayed message claimed responsibility for the earlier Instructure breach and threatened to leak stolen data if a ransom was not paid.

The message warned that Instructure and the affected schools had until May 12, 2026 to contact the gang and negotiate a ransom, or students’ data would be leaked.

“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’,” reads the defacement.
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked.”

Defacement Details

Defaced University of Texas San Antonio Canvas login page

BleepingComputer learned that threat actors defaced the Canvas login portals for approximately 330 educational institutions, replacing the standard login pages with the extortion message. The same message also appeared in the Canvas mobile app.

The defacement was allegedly caused by a vulnerability in Instructure’s systems that allowed the threat actor to modify the login portals. Instructure has since taken Canvas offline while responding to the cyberattack.

Scope of the Attack

• ~330 institutions affected (colleges, universities, K‑12 schools).
• The defacement lasted about 30 minutes before being removed.
• The compromised data reportedly includes user records, private messages, enrollment data, and other information accessed through Canvas data export features and APIs.

Instructure’s Response

• Last week, Instructure disclosed that it was investigating a cyberattack after threat actors claimed to have stolen 280 million student and staff records tied to 8,809 schools.

  • Investigating a cyberattack (BleepingComputer)
  • Stolen 280 million records claim (BleepingComputer)

• Instructure confirmed that data was stolen during the attack and continues to investigate.

  • Data breach confirmation (BleepingComputer)

• BleepingComputer has repeatedly contacted Instructure for comment on notification plans for students and staff; no response has been received to date.

Data Stolen

According to the ShinyHunters gang, the stolen data includes:

• User records (names, email addresses, IDs)
• Private messages between users
• Enrollment information (course registrations, grades)
• Additional data accessed via Canvas export features and APIs

About Canvas

Canvas is one of the most widely used learning‑management systems (LMS) in higher education and K‑12 environments. It enables schools to manage coursework, assignments, grading, and communication between students and faculty.