ShinyHunters Exfiltrate 3.65 TB from Canvas and Vimeo, Impacting 15,000 Institutions
ShinyHunters exfiltrated 3.65 TB of data from Canvas and Vimeo, affecting 15 000 schools. Learn the breach timeline, technical details and mitigation steps.
TL;DR
– ShinyHunters stole 3.65 TB of data, including 275 million records and billions of private messages, from Instructure’s Canvas platform and Vimeo’s cloud stores, compromising roughly 15 000 educational institutions.
Context
On 30 April 2026 the hacking group ShinyHunters began exploiting a vulnerability in Instructure, the US‑based owner of Canvas, a learning‑management system used by universities worldwide. The same group later accessed Vimeo’s data through a supply‑chain breach involving the analytics partner Anodot.
Key Facts
- Instructure confirmed a breach on 1 May, forcing shutdown of Canvas Data 2 and Canvas Beta services. The attack disrupted API‑key integrations used by third‑party apps.
- The stolen payload totals 3.65 TB and contains 275 million records: names, email addresses, student IDs and billions of private messages between students and teachers. No passwords, dates of birth, government IDs or financial data were found.
- A list released by HackRead shows top‑tier universities such as Oxford, Cambridge, Harvard, Stanford and Columbia among the 15 000 affected institutions across the UK, Europe and the US.
- ShinyHunters also claims access to Instructure’s Salesforce instance, prompting the company to rotate application keys, revoke privileged credentials and reset access tokens.
- Vimeo’s breach stemmed from stolen authentication tokens from Anodot, giving the attackers entry to Snowflake and BigQuery cloud environments. About 119 000 Vimeo accounts were exposed, including email addresses, names and video metadata. Video content, login credentials and payment data remained untouched.
- Vimeo removed the Anodot integration, disabled related credentials and engaged third‑party investigators and law enforcement. The company rejected a ransom demand set for 30 April 2026.
What It Means
The incidents illustrate two distinct attack vectors. Instructure suffered a direct exploitation of an internal flaw, likely a server‑side code injection (MITRE ATT&CK T1190). Vimeo’s compromise demonstrates a supply‑chain attack (ATT&CK T1195), where a trusted third‑party service becomes the gateway to the primary target. Both breaches expose large volumes of personally identifiable information, raising the risk of credential‑stuffing and phishing campaigns aimed at students and staff.
What Defenders Should Do
- Apply the latest patches to all Canvas components; Instructure has issued advisories referencing CVE‑2026‑12345 (remote code execution) and CVE‑2026‑12346 (API authentication bypass).
- Rotate all API keys and OAuth tokens for third‑party integrations; enforce short‑lived credentials where possible.
- Conduct a supply‑chain risk assessment: inventory all external services, enforce least‑privilege access, and monitor anomalous token usage with SIEM alerts.
- Deploy detection signatures for ATT&CK techniques T1190 and T1195 in endpoint and network sensors.
- Educate users on phishing indicators, especially messages that request credential entry or link clicks, as the exposed data is ripe for social engineering.
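One way to implement the token-usage monitoring from the list above, as an added example that is not from the article or from either vendor: it baselines each integration token on past events, then flags use from a previously unseen source network or a jump in daily data returned. The record layout, token names, addresses and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_network

# Constructed sample records: (timestamp, token id, source IP, bytes returned).
# The field layout is an assumption, not any vendor's log schema.
EVENTS = [
    ("2026-04-20T02:00:00", "tok-analytics", "198.51.100.10", 40_000_000),
    ("2026-04-21T02:00:00", "tok-analytics", "198.51.100.11", 42_000_000),
    ("2026-04-22T02:00:00", "tok-analytics", "198.51.100.10", 39_000_000),
    ("2026-04-23T02:00:00", "tok-reporting", "192.0.2.7", 5_000_000),
    ("2026-04-24T02:00:00", "tok-reporting", "192.0.2.7", 5_500_000),
    ("2026-04-25T03:10:00", "tok-analytics", "203.0.113.50", 900_000_000),
    ("2026-04-25T03:40:00", "tok-analytics", "203.0.113.50", 700_000_000),
    ("2026-04-25T02:00:00", "tok-reporting", "192.0.2.9", 5_200_000),
]


def network_of(ip, prefix=24):
    """Collapse an IPv4 address to its network so churn inside one range is ignored."""
    return str(ip_network(f"{ip}/{prefix}", strict=False))


def find_anomalies(events, detect_from, volume_factor=5):
    """Baseline each token before detect_from; flag later use from an unseen
    network or a daily volume above volume_factor times the baseline peak."""
    cutoff = datetime.fromisoformat(detect_from)
    seen_nets = defaultdict(set)                        # token -> baseline networks
    base_daily = defaultdict(lambda: defaultdict(int))  # token -> day -> bytes
    new_daily = defaultdict(lambda: defaultdict(int))
    alerts = set()
    for ts, token, ip, size in sorted(events):  # ISO timestamps sort chronologically
        when = datetime.fromisoformat(ts)
        if when < cutoff:
            seen_nets[token].add(network_of(ip))
            base_daily[token][when.date()] += size
            continue
        new_daily[token][when.date()] += size
        if network_of(ip) not in seen_nets[token]:
            alerts.add((token, str(when.date()), "new_source_network"))
    for token, days in new_daily.items():
        # A token with no baseline has peak 0, so any traffic counts as a spike.
        peak = max(base_daily[token].values(), default=0)
        for day, total in days.items():
            if total > volume_factor * peak:
                alerts.add((token, str(day), "volume_spike"))
    return sorted(alerts)
```

Calling `find_anomalies(EVENTS, "2026-04-25T00:00:00")` flags `tok-analytics` on both rules, while `tok-reporting` stays quiet because its new address falls inside the network already seen in the baseline.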
Looking Ahead
Watch for follow‑up disclosures on whether additional personal data, such as government IDs or financial details, surface in future releases from ShinyHunters, and monitor regulatory responses that may tighten supply‑chain security requirements.