- ShinyHunters briefly hijacked the login portals of around 330 institutions, posting ransom demands and threats
- The group extended its deadline until May 12, warning of complete data leaks if no agreement is reached.
- Instructure confirmed the previous breach but maintains that sensitive financial and identity data was not exposed.
The Instructure cyberattack has apparently reached a new level as, in order to pressure victims into paying a ransom demand, ShinyHunters defaced the Canvas login portals of hundreds of colleges and universities.
Members of approximately 330 educational institutions received an entirely different “welcome” message when they attempted to log in to the Canvas learning system following the next stage of the group’s attack.
“ShinyHunters breached Instructure (again). Instead of contacting us to resolve the issue, they ignored us and applied some ‘security fixes,'” the post said. “If any of the schools on the affected list wish to prevent disclosure of their data, please consult a cybersecurity consulting firm and contact us privately at TOX to negotiate a settlement. You have until the end of the day, May 12, 2026, before everything is disclosed.”
Push back the deadline
The defacement message was reportedly visible for about half an hour, before being removed by the Canvas team.
Instructure, the company behind the Canvas system, recently informed its users of a cyberattack and the loss of sensitive customer data. Instructure said the scammers accessed “certain user identifying information” at the affected institutions, including names, email addresses, student ID numbers and user communications.
At the same time, ShinyHunters added Instructure to its data leak site, saying the attack affected nearly 9,000 schools and 275 people worldwide.
“Several billion private messages between students, teachers and other students involved, containing personal conversations and other personal information. Your Salesforce instance was also hacked, and much more data is involved.”
It appears Instructure wasn’t interested in negotiating with the miscreants, as earlier this week they updated their site, removed the names of several top universities, and pushed the deadline back to May 7.
Today, the deadline appears to have been pushed back again, this time to May 12.
Passwords, dates of birth, government IDs, or financial information were not involved, and the company revoked privileged credentials and access tokens associated with affected systems to mitigate the threat.
Via BeepComputer
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
