Recently, the ShinyHunters group targeted education technology giant Instructure once again, this time exploiting a vulnerability to deface Canvas login portals for numerous colleges and universities.
Within a span of 30 minutes, the defaced portals displayed a message from ShinyHunters, claiming responsibility for the breach and threatening to leak stolen data unless a ransom is paid.
The message issued a warning to Instructure and educational institutions, stating that they have until May 12 to initiate negotiations for a ransom, or else students’ data will be exposed.
The defacement message emphasized the breach by stating, “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’.”
The message further urged affected schools to seek assistance from a cyber advisory firm and to reach out privately to ShinyHunters on Tox to discuss a settlement before the data leak deadline of May 12, 2026.
[Image: Defaced University of Texas San Antonio Canvas login page]
Reports indicate that threat actors defaced Canvas login portals for approximately 330 educational institutions, replacing standard login pages with extortion messages. The defaced message also appeared in the Canvas app.
The breach was allegedly facilitated by a vulnerability in Instructure’s systems, enabling the threat actor to modify the login portals. In response, Instructure temporarily took Canvas offline to address the cyberattack.
Recently, Instructure disclosed an ongoing investigation into a cyberattack where threat actors claimed to have obtained 280 million student and staff records from 8,809 schools, universities, and education platforms utilizing the Canvas learning management system.
ShinyHunters later informed BleepingComputer that the stolen data included user records, private messages, enrollment data, and other information acquired through Canvas data export features and APIs.
Instructure confirmed the data breach but continues to investigate the incident further.
Despite repeated attempts to reach Instructure for comment on the attack and its plans to notify students and staff about the breach, BleepingComputer’s inquiries remain unanswered.
Canvas stands as a widely utilized learning management system in higher education and K-12 settings, aiding schools in managing coursework, assignments, grading, and student-faculty communication.
Exploring ShinyHunters
The name ShinyHunters has been associated with various threat actors conducting data breaches since 2018.
This year, threat actors under the ShinyHunters moniker have emerged as prominent figures in data theft and extortion attacks against global companies.
Focusing primarily on Salesforce and other cloud SaaS environments, these threat actors are linked to breaches involving companies like Google, Cisco, PornHub, and Match Group.
The group commonly breaches third-party integration companies, utilizing stolen authentication tokens to access connected SaaS environments and pilfer customer data.
ShinyHunters are also known for executing voice phishing attacks on Okta, Microsoft, and Google single sign-on accounts, posing as IT support staff to deceive employees into divulging credentials and multi-factor authentication codes on phishing websites.
Recent reports indicate that the ShinyHunters group has adopted device code vishing attacks to acquire Microsoft Entra authentication tokens.
After obtaining credentials and authentication codes, the threat actors exploit SSO accounts to breach connected enterprise services such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.
While the ShinyHunters gang is responsible for multiple attacks, they also operate as an extortion-as-a-service group, conducting extortion on behalf of other threat actors in exchange for a portion of ransom payments.
Despite several arrests linked to the ShinyHunters name, companies continue to receive extortion emails signed with the message, “We are ShinyHunters.”