ShinyHunters Hijacks Canvas Login, Threatens Data of 275 Million Students

*TL;DR ShinyHunters seized Canvas’ login page, demanding payment and threatening to leak personal data of 275 million students and faculty.

Context The education platform Canvas, operated by Instructure, powers coursework for thousands of U.S. schools. On May 7, the login screen was replaced with a ransom note from the cybercrime group ShinyHunters. The group had already claimed a breach earlier in the week, prompting Instructure to temporarily disable the service.

Key Facts - ShinyHunters announced they had stolen names, email addresses, student IDs and user messages from roughly 9,000 institutions. No evidence shows passwords, birth dates, government IDs or financial data were taken. - The extortion note accused Instructure of ignoring the breach and applying only superficial security patches. - Initial ransom deadline was May 6; it was extended to May 12. Some schools have begun negotiating directly with the attackers. - This is at least the third confirmed Canvas intrusion by ShinyHunters in the past eight months. A September 2025 breach of the University of Pennsylvania used the same platform as an access vector. - Instructure’s response has been to label the outage as “scheduled maintenance” while working to restore service.

What It Means The incident highlights persistent weaknesses in the supply‑chain security of widely adopted SaaS education tools. Attackers likely exploited a web‑application vulnerability—potentially a mis‑configured authentication endpoint—to gain admin access and replace the login page. The repeated targeting suggests the group has refined a playbook that includes data exfiltration, public defacement, and extortion.

Mitigations - Apply all vendor‑issued patches immediately; verify that patches address the specific CVE (Common Vulnerabilities and Exposures) cited by Instructure. - Deploy Web Application Firewall (WAF) rules that block unauthorized HTML injection and monitor for anomalous changes to login pages. - Enable multi‑factor authentication for all admin accounts and enforce least‑privilege access controls. - Conduct continuous monitoring for MITRE ATT&CK techniques T1190 (Exploit Public‑Facing Application) and T1566.002 (Phishing – Spearphishing Link) that ShinyHunters commonly uses. - Prepare an incident‑response playbook that includes rapid communication with affected institutions and law‑enforcement coordination.

Looking Ahead Watch for any data dumps on ShinyHunters’ leak sites after the May 12 deadline and for further defacement attempts on other education‑technology platforms.