What happened
ShinyHunters escalated its ongoing extortion campaign against Instructure on May 7, 2026, defacing Canvas login portals at approximately 330 colleges and universities for roughly 30 minutes before Instructure took the platform offline. The defacement message claimed responsibility for the earlier Instructure breach, accused the company of ignoring contact attempts and implementing superficial security patches, and set a May 12 deadline for affected schools to initiate ransom negotiations or face public release of stolen student data.
The defacement was caused by a vulnerability in Instructure’s systems that allowed the threat actor to modify login pages. The message appeared both in browsers and in the Canvas mobile app. Instructure took Canvas offline in response to the incident. The defacement follows last week’s disclosure that ShinyHunters claimed to have stolen 280 million student and staff records from 8,809 educational institutions using the Canvas platform, with the data allegedly extracted through Canvas data export features and APIs.
Instructure has confirmed that data was stolen in the initial breach but has not responded to media inquiries about notification plans for affected students and staff. The May 12 deadline leaves affected institutions and Instructure limited time to assess their options before ShinyHunters' threatened publication of the alleged dataset.
Who is affected
Approximately 330 educational institutions whose Canvas login portals were defaced are the most visibly affected in this latest escalation. The broader breach claim, if accurate, encompasses up to 8,809 schools and universities. Students, teachers, and staff at those institutions face potential exposure of records, private messages, and enrollment data. The May 12 deadline creates immediate pressure on security and legal teams at affected organizations.
Why CISOs should care
ShinyHunters has now breached Instructure twice within a short window, defaced hundreds of institutional login portals, and set a public ransom deadline against a company that appears to have been communicating privately about the incident rather than engaging with the attacker’s demands. The defacement via an unpatched vulnerability in a platform Instructure had already acknowledged was compromised suggests that the initial breach response did not adequately close all attack vectors.
For security leaders at educational institutions using Canvas, the situation is moving faster than institutional decision-making typically allows. The May 12 deadline, Instructure’s lack of communication, and the public defacement of login portals are all designed to force action before a thorough assessment is possible.
3 practical actions
- Do not wait for Instructure to initiate breach notification before beginning your own impact assessment: Instructure has not responded to media inquiries about notification plans. Educational institutions should independently assess whether their institution appears on the affected list, what data may have been exposed through their Canvas instance, and what state, federal, and international notification obligations apply to their specific situation.
- Engage legal counsel immediately to assess notification obligations under FERPA and applicable state laws: The 280 million record claim, if it holds for your institution, likely triggers FERPA obligations and potentially state breach notification requirements. Do not defer this assessment to Instructure or assume that a third-party vendor's handling of breach notification covers your institution's independent legal obligations.
- Treat the May 12 deadline as an operational trigger regardless of ransom decision: Whether or not your institution engages with the ransom demand, the deadline represents a likely data publication event that should accelerate your incident response, student communication preparation, and regulatory notification timeline. Brief leadership and communications teams now rather than waiting for data to be published.
