ShinyHunters escalates Canvas attacks with school login defacements

Days after confirming a major data breach, Instructure is now facing a second blow.

Earlier this week, Instructure confirmed a major data breach affecting its cloud‑hosted Canvas environment, with the ShinyHunters group claiming it stole hundreds of millions of records tied to thousands of schools and universities worldwide. As discussed in our earlier blog, that incident involved data such as student and staff records, enrollment details, and private messages allegedly accessed through Canvas export features and APIs. At that stage, the focus was on large‑scale data theft and the long‑term risks for affected students and families, including identity fraud and highly targeted phishing.

According to new reporting, ShinyHunters has now hit Instructure again, this time moving from quiet data theft to very visible extortion. Using another vulnerability in Instructure’s systems, the attackers were able to modify Canvas login portals for hundreds of educational institutions, defacing both web logins and the Canvas app with an on‑screen ransom message.

Image credit: vx-underground

The message both claimed responsibility for the earlier breach and set a deadline of May 12 for Instructure and affected schools to contact the gang or risk the public release of stolen data.

ShinyHunters escalates Canvas attacks with school login defacements

Other newsrooms on this story

Related reading

ShinyHunters demands ransom after Canvas hack

Instructure strikes deal with ShinyHunters before ransom deadline

Canvas owner secures student data in deal with hacking group

Instructure reaches 'agreement' with ShinyHunters to stop data leak

What we learned from the Canvas hack

Instructure strikes deal with hackers who breached it twice | TechCrunch