ShinyHunters Defaces Canvas Login Portals in Instructure Extortion Attack
ShinyHunters defaced Canvas login portals used by hundreds of colleges and universities after claiming a second compromise of Instructure, the education technology company behind the platform. The attackers displayed ransom messages on school login pages and in the Canvas app, threatening to leak stolen student and staff data unless Instructure entered negotiations by May 12. Reports said roughly 330 institutions saw the defacement, which was linked to an injected HTML file and forced Instructure to take parts of Canvas offline while investigating. The disruption hit during a critical academic period, causing login failures, coursework interruptions, and warnings from universities about phishing and delayed assignments.
The defacement followed Instructure’s earlier disclosure that attackers had stolen data tied to thousands of schools using Canvas. ShinyHunters claimed the haul included hundreds of millions of records from nearly 9,000 schools and education platforms, including user records, private messages, and enrollment data obtained through Canvas export features and APIs. Instructure said stolen information included certain identifying data and user messages, but that it found no evidence of exposure of passwords, dates of birth, government identifiers, or financial information. Subsequent reporting said the intrusion was tied to an issue involving Free-for-Teacher accounts, those accounts were temporarily shut down, affected organizations were notified, and Instructure later said it paid the extortionists, received the data back, and obtained confirmation that the stolen files were destroyed.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Instructure says it paid extortionists and received deletion assurances
On May 11, Instructure said it paid the extortionists, received the stolen data back, obtained digital confirmation that the data was destroyed, and was told customers would not face further extortion.
Schools restrict Canvas access and extend deadlines amid outage
Universities responded to the Canvas disruption by restricting access, warning students about phishing risks, and in some cases extending assignment deadlines because coursework submission depended on the platform.
Instructure takes Canvas offline after widespread defacement
After the defacement spread broadly, Instructure took Canvas offline and parts of its website became only partially available or showed a scheduled maintenance notice. The disruption affected schools during a critical academic period and caused login failures for many users.
ShinyHunters defaces Canvas login portals in mass extortion push
Attackers attributed to ShinyHunters defaced Canvas login pages for hundreds of colleges and universities, and the message also appeared in the Canvas app. The extortion note claimed responsibility for the earlier breach and threatened to leak stolen data unless ransom negotiations occurred by May 12.
Instructure discloses earlier breach and says data was stolen
Before the login-page defacements, Instructure disclosed it was investigating a cyberattack after threat actors claimed to have stolen massive amounts of student and staff data tied to Canvas. The company later confirmed that data was stolen, including certain identifying information and user messages, while saying there was no evidence passwords, dates of birth, government identifiers, or financial information were exposed.
Instructure notifies affected organizations and shuts down Free-for-Teacher
Subsequent updates said affected organizations were notified on May 6 and that Free-for-Teacher accounts were temporarily shut down as part of the response. Instructure also said the attackers exploited an issue tied to Free-for-Teacher accounts.
Instructure says it is investigating a cybersecurity incident
Instructure CISO Steve Proud said on May 2 that the company was investigating the incident with outside forensic experts and taking steps to minimize impact on Canvas users.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
ShinyHunters claims Indiana University data breach affecting Canvas users | UpGuard
upguard.com
Open sourceMizzou data breach: ShinyHunters claims attack on Canvas platform | UpGuard
upguard.com
Open sourceHackers ate my homework: Educational SaaS Canvas down after cyberattack
theregister.com
Open sourceCanvas login portals hacked in mass ShinyHunters extortion campaign
bleepingcomputer.com
Open sourceHackers deface school login pages after claiming another Instructure hack | TechCrunch
techcrunch.com
Open sourceCanvas Breach Disrupts Schools & Colleges Nationwide - Krebs on Security
krebsonsecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
ShinyHunters Breached Canvas, Stole Student Data, and Forced Global School Outages
Instructure, the company behind the Canvas learning management system, disclosed that a criminal threat actor breached its environment and stole user data from affected educational institutions. The company said the exposed information included **names, email addresses, student ID numbers, course and enrollment details, and messages between users**, while it found no evidence that passwords, dates of birth, government identifiers, financial information, course content, or student submissions were compromised. Reporting tied the intrusion to the **ShinyHunters** extortion group, which claimed far broader impact—up to **3.65 TB** of data and roughly **275 million records** across nearly **9,000 schools**—though those figures were not independently verified. Instructure said the attackers exploited flaws in its **Free-for-Teacher** environment, brought in outside forensic experts, notified law enforcement, revoked privileged credentials and access tokens, rotated keys, patched systems, and required some customers to reauthorize API access. The incident escalated when attackers allegedly reused the same access path to deface Canvas login portals with ransom messages, prompting Instructure to temporarily take Canvas offline and suspend Free-for-Teacher accounts while it contained the activity. The outage disrupted universities and schools across the U.S., Canada, Australia, Europe, and Asia during final exams, forcing some institutions to postpone tests, extend deadlines, or block access as a precaution. Instructure later said it reached an agreement with the threat actor under which the stolen data was returned and deletion was purportedly confirmed, but the company acknowledged there is no guarantee criminals actually destroyed their copies. The breach has since triggered warnings about follow-on phishing and impersonation campaigns, lawsuits, and scrutiny from the **U.S. House Homeland Security Committee** over how the same platform was compromised twice in quick succession.
Jun 8, 2026
Canvas Breach Disrupted Schools and Exposed User Data via Free-for-Teacher Flaw
A cyberattack against Instructure’s **Canvas** platform disrupted universities and K-12 schools across the United States, with major California institutions including UC, CSU, USC, Stanford, and community colleges reporting outages and academic disruption during finals. Ransom notes attributed to **ShinyHunters** appeared on some school homepages, and the FBI said it was assisting victims in multiple states while warning students and staff not to engage with extortionists or scammers. Schools extended deadlines, changed exam schedules, and shifted to alternate communication channels as Canvas services were restored. Instructure said an unauthorized actor exploited a vulnerability tied to support tickets in its **Free for Teacher** environment, which the company temporarily disabled while conducting a broader security review. The company later confirmed unauthorized access to part of its environment and said exposed data could include usernames, email addresses, course names, enrollment information, student ID numbers, and user messages, while passwords, dates of birth, government identifiers, financial data, course content, submissions, and credentials were not compromised. The incident renewed scrutiny of centralized education technology providers after earlier education-sector extortion cases, including reports that **PowerSchool** paid a ransom following claims that data on **62 million students** had been stolen.
Jun 3, 2026
Stored XSS in Canvas Support Workflow Exposed Data on 275 Million Students
Instructure's Canvas learning platform was reportedly breached after attackers used a **stored cross-site scripting (`XSS`) payload** embedded in a support ticket attachment, which executed when a support representative opened it. The intrusion was attributed to **ShinyHunters**, which allegedly hijacked the employee's authenticated session and used it to exfiltrate data tied to thousands of educational institutions, affecting an estimated **275 million students**. Reporting on the incident says Instructure detected suspicious API activity on April 29, revoked access by April 30, and later faced scrutiny over weak browser-side protections, broad session scope, and unsafe rendering of untrusted content. The attackers were also reported to have exploited a second stored `XSS` flaw in Canvas discussions to gain administrator-level access and deface about **300 school login portals** with ransom messages during finals and AP exams. The fallout included a **Federal Student Aid** security alert, a congressional inquiry, and claims that Instructure later shut down its **Free-for-Teacher** program permanently. Separate reporting also said the company reached an agreement with the attackers amid reports of a **$10 million ransom payment**, turning the incident into one of the most consequential education-sector breaches tied to application-layer trust failures.
Jun 17, 2026