Skip to content
Tech News
← Back to articles

Canvas login portals hacked in mass ShinyHunters extortion campaign

2026-05-07 | original
read original get Security Awareness Training Course → more articles
Why This Matters

The mass hacking of Canvas login portals by ShinyHunters highlights significant vulnerabilities in educational technology systems, risking widespread data breaches and eroding trust in digital learning platforms. This incident underscores the urgent need for stronger cybersecurity measures within the edtech industry to protect sensitive student and staff information.

Key Takeaways

The ShinyHunters extortion gang has breached education technology giant Instructure again, this time exploiting a vulnerability to deface Canvas login portals for hundreds of colleges and universities.

The defacements, which were visible for roughly 30 minutes before being taken offline, displayed a message from ShinyHunters claiming responsibility for the earlier Instructure breach and threatening to leak stolen data if a ransom is not paid.

The message warns that Instructure and schools have until May 12 to contact them to negotiate a ransom, or students' data will be leaked.

"ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches'," reads the defacement.

"If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked," continued the message.

Defaced University of Texas San Antonio Canvas login page

BleepingComputer has learned that threat actors defaced the Canvas login portals for approximately 330 educational institutions, replacing the standard login pages with an extortion message. This defacement message also appeared in the Canvas app.

The defacement was allegedly caused by a vulnerability in Instructure's systems that allowed the threat actor to modify the login portals. Instructure has since taken Canvas offline while they respond to the latest cyberattack.

Last week, Instructure disclosed that it was investigating a cyberattack after threat actors claimed to have stolen 280 million student and staff records tied to 8,809 schools, universities, and education platforms using its Canvas learning management system.

The ShinyHunters gang later told BleepingComputer that the stolen data included user records, private messages, enrollment data, and other information allegedly gathered through Canvas data export features and APIs.

... continue reading

Explore topics: shinyhunters instructure canvas cybersecurity data breach
Related:
Canvas Breach Disrupts Schools & Colleges Nationwide
Canvas (Instructure) LMS Down in Ongoing Ransomware Attack
Canvas is down as ShinyHunters threatens to leak schools’ data
Harvard, Berkeley and Thousands of Schools Suffer Cyber Outage
Hackers deface school login pages after claiming another Instructure hack

© 2026 GoKawiil

About | Editorial Policy | Contact