SecureWorld News

ShinyHunters Hits Canvas Again: 275M Records at Risk Across 9K Schools

Written by Drew Todd | Fri | May 8, 2026 | 6:46 PM Z

The criminal extortion group ShinyHunters has struck Instructure a second time in less than a year, claiming to have stolen records tied to 275 million users across nearly 9,000 schools worldwide. The targeted platform—Canvas, which supports course delivery, assignments, grades, and messaging for more than 30 million active users—went offline for stretches this week as the company scrambled to respond. The timing is particularly damaging: finals season is underway at institutions across the country.

Instructure first disclosed a cybersecurity incident on May 1, initially describing it as contained. The company confirmed that names, email addresses, student ID numbers, and messages among users were likely accessed. In a statement, Instructure said it found no evidence that passwords, dates of birth, government identifiers, or financial data were compromised. But the exposure of private messages—which on Canvas platforms frequently include disclosures of medical conditions, accommodation requests, and Title IX communications—raises the stakes considerably.

On May 7, ShinyHunters re-emerged, defacing login pages at multiple universities with an extortion message claiming Instructure had "done some security patches" rather than negotiate. The group set a new deadline of May 12 to leak data unless contacted. Among the institutions where the ransom message appeared were Harvard, Princeton, Columbia, and Georgetown universities.

The entry point: Free-For-Teacher accounts

Instructure identified the breach vector as its Free-For-Teacher accounts. In a statement on Friday, the company said it had "confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts" and made the decision to shut down those accounts to restore confidence in the broader platform. Canvas is now reported to be fully operational for most users, though Canvas Beta and Canvas Test remain in maintenance mode.

This is the second confirmed breach of Instructure by ShinyHunters. In September 2025, the group exploited a social engineering attack against the company's Salesforce environment. That the same threat actor has now breached the same vendor twice—through different attack vectors—raises direct questions about whether the remediation following the first incident was sufficiently comprehensive.

Who is ShinyHunters?

ShinyHunters is a black-hat criminal hacking and extortion collective believed to have formed in 2019, emerging publicly in May 2020 when it offered more than 200 million stolen user records on dark web forums within a two-week span. The group's name is derived from a Pokémon video game mechanic—a nod to its members' apparent early online origins. Its operating model has remained consistent since the start: breach an organization, demand ransom, and leak or sell the data if payment is refused. The group describes this as "pay or leak."

The group has claimed responsibility for more than 400 breaches across retail, finance, telecom, aviation, and education sectors. Notable confirmed incidents include the April 2024 breach of AT&T Wireless, which exposed data on more than 110 million customers and ended with AT&T paying a $370,000 ransom; a May 2024 breach of Santander affecting staff and customers across Spain, Chile, and Uruguay; a March 2026 intrusion into the European Commission that leaked more than 350GB of data including PII and sensitive documents; and a July 2025 breach of Qantas exposing data on approximately 5.7 million customers. In April 2026, the group breached Rockstar Games via a third-party analytics integration.

Tradecraft analysis from Google's Threat Intelligence Group (GTIG), which tracks related activity under clusters UNC6661 and UNC6240, describes the group's approach as identity- and SaaS-first: voice phishing and credential harvesting to obtain SSO tokens or MFA codes, followed by lateral movement through cloud applications to exfiltrate data at scale. The group does not typically exploit exotic vulnerabilities, focusing instead on access governance failures. OAuth token misuse, misconfigured third-party integrations, and compromised contractor accounts have all served as entry points. Once inside a valid SSO session, the group moves opportunistically through any SaaS platforms the session can access.

Attribution is complicated by the fact that multiple criminal clusters have adopted ShinyHunters branding, and the group itself appears to operate as a loose collective rather than a tightly organized hierarchy. Threat intelligence analysts describe it as arguably the most consequential financially motivated hacking collective currently active.

[RELATED: SaaS Under Siege: Breaking Down ShinyHunters' Data Extortion Campaign]

A pattern, not an anomaly

Darren Guccione, CEO and Co-Founder at Keeper Security, placed this incident in the context of ShinyHunters' established methodology:

"ShinyHunters has previously targeted organizations including Google, AT&T, and Air France-KLM via Salesforce environments, and the group has demonstrated a sustained, systematic focus on cloud infrastructure and SaaS platforms rather than traditional network intrusion," Guccione said. "Whether the entry point is a misconfiguration, a social engineering interaction, or an exploited vulnerability, attackers are continuing to identify the weakest point in how access to cloud environments is governed, with the intention of moving quickly once inside."

Guccione stressed that the double-breach pattern demands more than reactive patching: "Two confirmed breaches by the same threat actor on the same platform suggest a pattern that demands scrutiny of whether remediation following the first incident went far enough. Every organization operating SaaS at scale must treat identity and access governance as a continuous discipline, not a post-incident checklist."

He highlighted Privileged Access Management (PAM) as critical to limiting blast radius when a breach occurs, emphasizing that "cloud environments require ongoing auditing of permissions, strict enforcement of least-privilege access, and robust controls over both human and non-human identities—including service accounts and third-party integrations that can quietly expand an attacker's access long after initial entry."
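The GTIG tradecraft summary above singles out OAuth token misuse, misconfigured third-party integrations and compromised contractor accounts, and Guccione's recommendation is continuous auditing of permissions and non-human identities. The following is an added illustration of what such a least-privilege audit looks like in practice; it is not code from Instructure, Keeper Security or Google, and the identity names, scope strings and dates are constructed for the example. It flags scopes that were granted but never exercised, credentials that have gone stale, identities with no accountable owner, and contractor access that outlived its end date, which are the conditions that let a single hijacked session reach far more than it should.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed identity inventory for a hypothetical SaaS tenant.
# In a real audit this would come from the platform's admin API or an
# identity governance export; nothing here is real Canvas data.


@dataclass
class Identity:
    name: str
    kind: str                 # "service_account", "oauth_integration", "contractor"
    granted_scopes: set[str]  # what the platform allows this identity to do
    used_scopes: set[str]     # what it has actually exercised in the audit window
    last_used: date | None    # None means no activity ever recorded
    owner: str | None         # accountable team; None means orphaned
    access_ends: date | None = None  # only meaningful for contractors


TODAY = date(2026, 5, 8)

SAMPLE_IDENTITIES = [
    # Nightly export job that only ever reads grades but holds write access too.
    Identity("grades-export-bot", "service_account",
             {"grades:read", "grades:write", "users:read"}, {"grades:read"},
             TODAY - timedelta(days=1), "registrar-it"),
    # Third-party analytics app: over-scoped, unused for months, nobody owns it.
    Identity("analytics-vendor-app", "oauth_integration",
             {"courses:read", "messages:read", "users:read"}, {"courses:read"},
             TODAY - timedelta(days=120), None),
    # Contractor whose engagement ended but whose admin access was never revoked.
    Identity("contractor-jdoe", "contractor",
             {"admin"}, {"admin"}, TODAY - timedelta(days=200), "it-ops",
             access_ends=date(2025, 12, 31)),
    # Well-scoped, active, owned: should produce no findings.
    Identity("sso-health-check", "service_account",
             {"status:read"}, {"status:read"}, TODAY, "platform"),
]


def audit_identities(identities: list[Identity], today: date,
                     stale_days: int = 90) -> list[dict]:
    """Return one finding per least-privilege or lifecycle violation."""
    findings: list[dict] = []
    for ident in identities:
        # Least privilege: anything granted but never used is excess blast radius.
        unused = ident.granted_scopes - ident.used_scopes
        if unused:
            findings.append({"identity": ident.name, "issue": "unused_scopes",
                             "detail": sorted(unused)})
        # Stale credentials are exactly the quiet footholds the article describes.
        if ident.last_used is None or (today - ident.last_used).days > stale_days:
            findings.append({"identity": ident.name, "issue": "stale",
                             "detail": ident.last_used})
        # An identity nobody owns will not be reviewed or revoked by anyone.
        if not ident.owner:
            findings.append({"identity": ident.name, "issue": "no_owner",
                             "detail": None})
        # Contractor access must end with the engagement, not when someone remembers.
        if (ident.kind == "contractor" and ident.access_ends
                and ident.access_ends < today):
            findings.append({"identity": ident.name,
                             "issue": "contractor_access_expired",
                             "detail": ident.access_ends})
    return findings


def identities_with_issues(findings: list[dict]) -> set[str]:
    """Names of every identity that needs review, for the remediation queue."""
    return {f["identity"] for f in findings}


if __name__ == "__main__":
    for f in audit_identities(SAMPLE_IDENTITIES, TODAY):
        print(f"{f['identity']:<22} {f['issue']:<26} {f['detail']}")
```

Run on the constructed inventory, three of the four identities surface for review; only the narrowly scoped, active, owned health-check account is clean. The useful property of a check like this is that it is cheap to run on a schedule, which is what turns permission review from a post-incident checklist into the continuous discipline the quote calls for.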

Why education is consistently in the crosshairs

Nathaniel Jones, VP of Security & AI Strategy and Field CISO at Darktrace, pointed to structural vulnerabilities in the education sector that make platforms like Canvas high-value targets.

"The education sector is a particularly attractive target given the high volumes of sensitive student data, limited security resources, and the critical role platforms like Canvas play in the operations of thousands of schools," Jones said. "When one platform goes down, so do its 9,000+ customers."

That concentration risk is the through-line of this incident. Canvas holds a 41% share of higher education LMS deployments in North America. A single vendor compromise cascades instantly across the entire customer base—an architecture of shared dependency that amplifies the impact of any successful breach.

Tony Jarvis, VP and Field CISO at Darktrace, extended the point to the operational security posture organizations must maintain. "Visibility of the security posture of your entire supply chain and how they interact with your own systems is critical in today's world," Jarvis said. "If you don't have that visibility, then the risk to your own systems because of one of your supplier's vulnerabilities is incredibly heightened."

Jarvis also flagged the role that AI tools are playing in lowering the bar for attackers: "AI tools similar to Mythos are only going to make this easier for criminals." He added that organizations must operate under the assumption of compromise: "What we can safely assume as defenders is that systems will have vulnerabilities that we aren't aware of, and we need to assume that we've already been compromised."

What affected users should do now

For students and educators at affected institutions, the immediate steps are straightforward: change your Canvas password, enable multi-factor authentication where available, and stay alert for phishing attempts referencing Canvas or Instructure. Given that the exposed data include names, email addresses, and student ID numbers, targeted spear-phishing campaigns are a credible near-term risk.

Several institutions have already taken protective action. The University of California ordered all campuses to block or redirect access to Canvas pending a security review. The University of Michigan advised users to log out immediately. Georgetown issued alerts urging vigilance against unsolicited messages appearing to come from Canvas.

The May 12 deadline ShinyHunters has set remains active. Whether Instructure engages or not, the data—if ShinyHunters' claims hold—have already left Instructure's hands. The question now is how broadly they get distributed.

SecureWorld News will continue to monitor developments as the deadline approaches.