
Instructure breach claimed by ShinyHunters results in theft of 280 million records from 8,809 schools and universities

3 unique sources, 6 articles

Summary

Instructure, the company behind the Canvas Learning Management System, confirmed a cybersecurity incident that began with an intrusion on April 25, 2026, attributed to the ShinyHunters extortion gang. The actor claimed to have stolen approximately 3.65 TB of data, including records from 8,809 educational institutions, and escalated its extortion campaign with a school-by-school ransom approach. ShinyHunters exploited multiple cross-site scripting (XSS) vulnerabilities in Canvas’ Free-For-Teacher environment to gain access to authenticated admin sessions during a second intrusion on May 7, 2026. The threat actor defaced Canvas login portals with extortion messages demanding ransom negotiations by May 12, 2026, and Instructure temporarily took Canvas offline to contain the activity. No data was compromised during the defacement, but the 3.65 TB of exfiltrated data from the initial breach remained the primary concern.

On May 13, 2026, Instructure reached an agreement with ShinyHunters, reporting that the stolen data had been returned with digital confirmation of destruction and assurances against further extortion. The company disclosed the breach originated from an undisclosed flaw in Free-For-Teacher support tickets, enabling the exfiltration of about 275 million records, including usernames, email addresses, course names, enrollment information, and messages. Course content, submissions, and credentials were not compromised. Instructure implemented further mitigations, including disabling Free-For-Teacher accounts, revoking credentials, rotating keys, and deploying additional controls. Researchers warned the leaked data could facilitate impersonation attacks, urging institutions to issue phishing advisories and direct communications to stakeholders.

Congressional scrutiny has now emerged, with the U.S. House Committee on Homeland Security and the Senate Committee on Health, Education, Labor, and Pensions requesting briefings on Instructure’s response, potential ransom payment, and the company’s handling of a prior 2025 Salesforce breach linked to ShinyHunters. The incident has raised broader questions about the company’s incident response capabilities and obligations to the education sector.

Timeline

  1. 02.05.2026 02:43 6 articles · 13d ago

    Instructure initiates incident response after suspected cybersecurity breach

    On or around April 25, 2026, ShinyHunters exploited a vulnerability in the Free-For-Teacher version of Canvas to gain unauthorized access to Instructure systems. Approximately 3.65 TB of data was exfiltrated. On May 1, 2026, maintenance was initiated for Canvas Data 2 and Canvas Beta, potentially affecting API-reliant integrations and customer workflows. On May 7, 2026, ShinyHunters exploited multiple cross-site scripting (XSS) vulnerabilities in Canvas user-generated content features to obtain authenticated admin sessions and perform privileged actions during a second intrusion, defacing Canvas login portals with extortion messages demanding ransom negotiations by May 12, 2026. Instructure temporarily took Canvas offline to contain the malicious activity, determine the cause, and apply additional safeguards before restoring services on May 9, 2026.

    On May 8, 2026, ShinyHunters set an initial extortion deadline, followed by a school-by-school ransom campaign including defacement of approximately 330 institutional Canvas login pages. A new deadline of May 12, 2026, was set for ransom negotiations before mass data leaks. Instructure did not engage with the ransomware group and instead installed security patches. The ShinyHunters extortion gang has claimed responsibility, alleging theft of 280 million records tied to students and staff from 8,809 educational institutions (school districts, universities, and educational platforms). The threat actor published detailed impact lists per institution and claimed exfiltration via Canvas data export features, DAP queries, provisioning reports, and user APIs. Multiple universities have acknowledged awareness of the breach and initiated internal reviews.

    On May 13, 2026, Instructure reached an agreement with ShinyHunters, reporting that the stolen data had been returned with digital confirmation of destruction and assurances against further extortion. The company disclosed the breach originated from an undisclosed flaw in Free-For-Teacher support tickets, enabling the exfiltration of about 275 million records, including usernames, email addresses, course names, enrollment information, and messages. Course content, submissions, and credentials were not compromised. Instructure implemented further mitigations, including disabling Free-For-Teacher accounts, revoking privileged credentials and access tokens, rotating internal keys, and deploying additional security controls.

    The U.S. House Committee on Homeland Security has requested Instructure appear for a briefing on the Canvas compromise and its response to the ShinyHunters attacks, citing concerns over the company’s incident response capabilities and potential negligence in fully remediating vulnerabilities within the response window. The U.S. Senate Committee on Health, Education, Labor, and Pensions also launched an investigation, questioning Instructure about the types of data affected, security improvements post-breach, and the company’s May 11 statement regarding its agreement with ShinyHunters, including whether it paid a ransom. The Senate committee’s letter referenced a prior 2025 Salesforce breach linked to UNC6040, a ShinyHunters-associated threat actor, raising questions about whether data from that attack was leveraged in the May 2026 offensive.

    Instructure’s May 6 declaration that the initial intrusion was 'resolved' and Canvas was 'fully operational' was contradicted by ShinyHunters’ subsequent May 7 intrusion, raising questions about the accuracy of the company’s incident response timeline. ShinyHunters removed Instructure from its data leak site following the reported agreement, which ransomware and data extortion groups typically do when a victim has paid a ransom, though Instructure did not explicitly confirm payment. Experts emphasize that ShinyHunters’ targeting of Instructure suggests the company is viewed as a high-value target, and institutions using Canvas should assume similar targeting is possible.

Similar Happenings

ShinyHunters claims Zara data breach via compromised Anodot token impacting 197,400 customers

A data breach at Spanish retailer Zara exposed personal information for 197,400 customers after attackers gained access to databases hosted by a former technology provider. The compromised data includes unique email addresses, geographic locations, product SKUs, order IDs, and support tickets. While Inditex stated no names, phone numbers, addresses, credentials, or payment data were exposed, the incident stems from a security failure at a third-party provider. ShinyHunters has claimed responsibility, releasing a 140GB archive allegedly containing stolen BigQuery documents accessed via compromised Anodot authentication tokens. The gang previously exploited similar vectors in other high-profile breaches.

ADT data breach attributed to ShinyHunters via vishing and Okta compromise

Home security provider ADT detected and confirmed an intrusion on April 20, 2026, leading to the theft of customer and prospective customer data by the ShinyHunters extortion group. The attackers accessed ADT’s Salesforce instance after compromising an employee’s Okta SSO account via voice phishing (vishing). Stolen data included names, phone numbers, addresses, and in a small subset of cases, dates of birth and partial Social Security or Tax ID numbers. No payment or authentication data was accessed, and ADT states customer security systems remained unaffected. ShinyHunters threatened to leak the data—claiming over 10 million records—unless a ransom is paid by April 27, 2026.

Salesforce misconfiguration leads to non-sensitive data exposure at McGraw-Hill amid ShinyHunters extortion claims

McGraw-Hill confirmed a data breach affecting 13.5 million user accounts after ShinyHunters exploited a Salesforce environment misconfiguration to steal and leak non-sensitive data, including names, addresses, phone numbers, and email addresses. The company stated the breach did not impact its core Salesforce accounts, customer databases, courseware, or internal systems, though ShinyHunters claimed possession of 45 million records with PII. The affected webpages were secured promptly, and McGraw-Hill is collaborating with Salesforce to remediate the issue. Have I Been Pwned verified the leak of over 100GB of data tied to 13.5 million accounts. The incident remains distinct from a separate, unverified claim by a threat actor posing as ShinyHunters, who alleges breaching Vercel and selling stolen data, including API keys and employee records. Vercel has disclosed the incident and is investigating with law enforcement and incident response experts, while denying any impact to services.

Rockstar Games analytics data exfiltrated via third-party Snowflake compromise linked to Anodot breach

The extortion group ShinyHunters has expanded its campaign tied to the Anodot breach, claiming unauthorized access to Vimeo’s systems and threatening to leak data unless a ransom is paid. The attack leverages authentication tokens stolen from Anodot to compromise downstream victims, including Vimeo and Rockstar Games. Vimeo confirmed that exposed data included email addresses, technical data, video titles, and metadata, but excluded video content, credentials, and payment information. Operations remained unaffected, and Vimeo disabled Anodot integration and launched an investigation with law enforcement. Rockstar Games previously acknowledged a limited breach linked to the same third-party incident, with ShinyHunters leaking approximately 78.6 million records of internal analytics data. The compromised datasets included in-game revenue metrics, player behavior tracking, and Zendesk support analytics, with Rockstar asserting no operational impact.

Optimizely Data Breach After Vishing Attack

An ongoing wave of vishing-led breaches attributed to ShinyHunters has claimed a new victim: Aura, a digital safety firm. The attack exposed contact details of nearly 900,000 individuals, stemming from a marketing tool inherited in a 2021 acquisition. ShinyHunters claimed the theft of 12GB of files containing PII and corporate data, releasing it after failed extortion attempts. The company emphasized no SSNs, passwords, or financial data were compromised and is conducting an internal review with law enforcement involvement. Earlier in February, Optimizely disclosed a similar breach following a voice phishing attack that compromised basic business contact information. Both incidents underscore the continued exploitation of vishing tactics by ShinyHunters to gain initial access to organizations, with impacts focused on contact data rather than deeper system compromise.