
ShinyHunters Defaces Canvas Login Portals at 330 Schools in Extortion Escalation

The ShinyHunters extortion group has defaced Canvas learning management system login portals at approximately 330 colleges, universities, and schools, exploiting a vulnerability in systems operated by education technology company Instructure in what appears to be a direct escalation of an ongoing ransom campaign.

 

The defacements were visible for roughly 30 minutes on May 7 before Instructure pulled Canvas offline to respond to the attack.

 

The message displayed on compromised login portals accused Instructure of ignoring the gang's earlier outreach and claimed the company had attempted to address the situation with "security patches" rather than negotiating. "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches,'" the defacement read.

 

The message also extended a deadline to affected schools. "If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked," the notice continued.

 

The defacement appeared not only on browser-based login pages but also within the Canvas mobile app, according to details from the incident.

 

The attack follows a disclosure last week in which Instructure confirmed it was investigating a cyberattack after ShinyHunters claimed to have stolen 280 million student and staff records tied to 8,809 schools, universities, and education platforms using its Canvas platform. The group subsequently said the stolen data included user records, private messages, enrollment data, and information gathered through Canvas data export features and APIs. Instructure confirmed that data was taken but said the investigation was ongoing.

 

Canvas is one of the most widely deployed learning management systems in both higher education and K-12 environments, used to manage coursework, assignments, grading, and communication between students and faculty.

 

Instructure did not respond to questions about the latest defacement, whether it plans to notify affected students and staff, or the scope of data potentially at risk.

 

ShinyHunters has previously been linked to high-profile data theft campaigns targeting major platforms, underscoring the group's continued operational activity and willingness to apply public pressure when targets do not engage.

 

With the May 12 deadline now in place, institutions using Canvas face a narrow window to assess their exposure and determine next steps, even as Instructure has yet to provide a detailed public accounting of the earlier breach or the systems affected by Thursday's defacement.
