ShadowByt3s Claims Ellucian PowerCampus Breach Exposed Indian School Records
ShadowByt3s claimed it breached the Ellucian PowerCampus education platform by exploiting misconfigured Amazon S3 buckets and Azure Blob storage operated by Indian managed service provider Neoskool, exposing data tied to more than eight schools in Manipur and Meghalaya. The leaked information reportedly includes student and staff photos, Aadhaar numbers, plaintext passwords, medical alerts, marksheets, fee records, certificates, class schedules, and daily database exports, affecting children from Nursery through Class 12 as well as school personnel.
The actor said it is extorting Ellucian PowerCampus rather than the individual schools and has posted sample data on both clearnet and Tor leak sites. Reports also cite AWS canary evidence indicating write and delete access to cloud storage, raising the risk of destructive tampering in addition to data theft, while the group has simultaneously advertised for insiders with a 30/70 revenue split as part of its broader "Campaign Operation Cloud."
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
ShadowByt3s publishes samples and extorts Ellucian over the school data exposure
On 2026-04-17, the actor reportedly posted sample data on clearnet and Tor leak sites and said it was extorting Ellucian PowerCampus rather than the individual schools. The claim also included alleged AWS canary evidence suggesting write and delete access to cloud storage, indicating risks of both data theft and destructive tampering.
ShadowByt3s claims breach of Ellucian PowerCampus affecting Indian schools
On 2026-04-17, ShadowByt3s claimed it breached the Ellucian PowerCampus education platform through misconfigured Amazon S3 buckets and Azure Blob storage operated by Neoskool. The actor said the incident affected more than eight schools in Manipur and Meghalaya, exposing sensitive student and staff data including Aadhaar numbers, photos, plaintext passwords, medical alerts, marksheets, fee records, certificates, schedules, and database exports.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
ShadowByt3s Breaches Ellucian PowerCampus Platform, Exposing Student Photos, Aadhaar Numbers, and Medical Data From Multiple Indian Schools
darkwebinformer.com
Open sourceMultiple Indian Schools Hit After Ellucian PowerCampus Platform Compromised, Children's Photos, Aadhaar Numbers, and Medical Data Exposed
darkwebinformer.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Breached Canvas, Stole Student Data, and Forced Global School Outages
Instructure, the company behind the Canvas learning management system, disclosed that a criminal threat actor breached its environment and stole user data from affected educational institutions. The company said the exposed information included **names, email addresses, student ID numbers, course and enrollment details, and messages between users**, while it found no evidence that passwords, dates of birth, government identifiers, financial information, course content, or student submissions were compromised. Reporting tied the intrusion to the **ShinyHunters** extortion group, which claimed far broader impact—up to **3.65 TB** of data and roughly **275 million records** across nearly **9,000 schools**—though those figures were not independently verified. Instructure said the attackers exploited flaws in its **Free-for-Teacher** environment, brought in outside forensic experts, notified law enforcement, revoked privileged credentials and access tokens, rotated keys, patched systems, and required some customers to reauthorize API access. The incident escalated when attackers allegedly reused the same access path to deface Canvas login portals with ransom messages, prompting Instructure to temporarily take Canvas offline and suspend Free-for-Teacher accounts while it contained the activity. The outage disrupted universities and schools across the U.S., Canada, Australia, Europe, and Asia during final exams, forcing some institutions to postpone tests, extend deadlines, or block access as a precaution. Instructure later said it reached an agreement with the threat actor under which the stolen data was returned and deletion was purportedly confirmed, but the company acknowledged there is no guarantee criminals actually destroyed their copies. The breach has since triggered warnings about follow-on phishing and impersonation campaigns, lawsuits, and scrutiny from the **U.S. House Homeland Security Committee** over how the same platform was compromised twice in quick succession.
Jun 8, 2026
Canvas Breach Disrupted Schools and Exposed User Data via Free-for-Teacher Flaw
A cyberattack against Instructure’s **Canvas** platform disrupted universities and K-12 schools across the United States, with major California institutions including UC, CSU, USC, Stanford, and community colleges reporting outages and academic disruption during finals. Ransom notes attributed to **ShinyHunters** appeared on some school homepages, and the FBI said it was assisting victims in multiple states while warning students and staff not to engage with extortionists or scammers. Schools extended deadlines, changed exam schedules, and shifted to alternate communication channels as Canvas services were restored. Instructure said an unauthorized actor exploited a vulnerability tied to support tickets in its **Free for Teacher** environment, which the company temporarily disabled while conducting a broader security review. The company later confirmed unauthorized access to part of its environment and said exposed data could include usernames, email addresses, course names, enrollment information, student ID numbers, and user messages, while passwords, dates of birth, government identifiers, financial data, course content, submissions, and credentials were not compromised. The incident renewed scrutiny of centralized education technology providers after earlier education-sector extortion cases, including reports that **PowerSchool** paid a ransom following claims that data on **62 million students** had been stolen.
Jun 3, 2026
ShinyHunters Defaces Canvas Login Portals in Instructure Extortion Attack
ShinyHunters defaced **Canvas** login portals used by hundreds of colleges and universities after claiming a second compromise of Instructure, the education technology company behind the platform. The attackers displayed ransom messages on school login pages and in the Canvas app, threatening to leak stolen student and staff data unless Instructure entered negotiations by **May 12**. Reports said roughly **330 institutions** saw the defacement, which was linked to an injected HTML file and forced Instructure to take parts of Canvas offline while investigating. The disruption hit during a critical academic period, causing login failures, coursework interruptions, and warnings from universities about phishing and delayed assignments. The defacement followed Instructure’s earlier disclosure that attackers had stolen data tied to thousands of schools using Canvas. ShinyHunters claimed the haul included hundreds of millions of records from nearly **9,000 schools and education platforms**, including user records, private messages, and enrollment data obtained through Canvas export features and APIs. Instructure said stolen information included certain identifying data and user messages, but that it found no evidence of exposure of passwords, dates of birth, government identifiers, or financial information. Subsequent reporting said the intrusion was tied to an issue involving **Free-for-Teacher** accounts, those accounts were temporarily shut down, affected organizations were notified, and Instructure later said it paid the extortionists, received the data back, and obtained confirmation that the stolen files were destroyed.
May 10, 2026