Security News

Cybersecurity news aggregator

HIGH Attacks Malwarebytes Labs

ShinyHunters escalates Canvas attacks with school login defacements

The ShinyHunters group escalated its attacks against Instructure's Canvas environment by exploiting an unspecified vulnerability to deface the login portals for hundreds of institutions, displaying an extortion message directly to users. This follows their initial breach involving data exfiltration via Canvas export features and APIs. The article provides no specific vulnerability details, CVSS score, or version information, but advises affected schools to coordinate with Instructure, review SSO integrations, and prepare communication plans.

Days after confirming a major data breach, Instructure is now facing a second blow.

Earlier this week, Instructure confirmed a major data breach affecting its cloud-hosted Canvas environment, with the ShinyHunters group claiming it stole hundreds of millions of records tied to thousands of schools and universities worldwide. As discussed in our earlier blog, that incident involved data such as student and staff records, enrollment details, and private messages allegedly accessed through Canvas export features and APIs. At that stage, the focus was on large-scale data theft and the long-term risks for affected students and families, including identity fraud and highly targeted phishing.

According to new reporting, ShinyHunters has now hit Instructure again, this time moving from quiet data theft to very visible extortion. Using another vulnerability in Instructure's systems, the attackers were able to modify Canvas login portals for hundreds of educational institutions, defacing both web logins and the Canvas app with an on-screen ransom message.

[Image credit: vx-underground]

The message both claimed responsibility for the earlier breach and set a deadline of May 12 for Instructure and affected schools to contact the gang or risk the public release of stolen data.

This second wave matters for two reasons. First, it confirms that ShinyHunters still has meaningful access to Instructure's environment, or at least to components that control the look and behavior of school login pages. Second, it marks a clear escalation in pressure tactics, from leaked claims and dark web posts to messages shown directly to students, parents, and staff trying to access their courses.
How to deal with this data breach

For students and families, the practical advice from our original blog still applies:

- Reset Canvas-related passwords
- Enable multi-factor authentication where possible
- Monitor financial and credit activity as children get older
- Stay wary of highly personalized phishing that references real schools, courses, or teachers

For schools and districts, this latest extortion campaign underlines the need to coordinate closely with Instructure, review single sign-on (SSO) integrations, and prepare clear communications so that any future defacements or data leaks do not catch staff and parents by surprise.
