Summary:
Halcyon is monitoring increased threats to educational institutions following ShinyHunters’ late April 2026 compromise of Instructure, the company behind the Canvas Learning Management System. ShinyHunters exploited a vulnerability in Instructure’s Free-For-Teacher service, claiming exfiltration of 3.65 TB of data across approximately 275 million records from 8,809 educational institutions. After the initial negotiation deadline passed, ShinyHunters escalated by defacing Canvas login portals at roughly 330 institutions and pivoting to direct school-by-school extortion, with a final deadline of 12 May 2026. The risk of full data publication remains active.
The exfiltrated data gives threat actors enough personal context to conduct targeted phishing campaigns against staff, students, and parents alike. Leaked records can be used to impersonate school administrators, IT support, or financial aid offices in follow-on attacks. Students, parents, and personnel at affected institutions should be considered potential targets, and institutions should issue phishing advisories and direct communications immediately.
Background:
ShinyHunters is a financially motivated data theft and extortion gang that formed in 2019 and first emerged publicly in January 2020. ShinyHunters does not currently employ ransomware encryption as part of its campaigns. Instead, the gang operates under a “pay or leak” extortion model where they exfiltrate data from cloud platforms, software environments, and third-party integrators, then demand ransom under threat of public release.
The group maintains a loosely decentralized structure with operational overlap among Scattered Spider (UNC3944), LAPSUS$, and Scattered LAPSUS$ Shiny Hunters (SLSH). ShinyHunters has demonstrated a consistent pattern of evolving its targeting methodology, from bulk consumer database theft (2020-2021), large-scale cloud credential theft against Snowflake customers (2024), AI-generated voice calls (vishing) and token-based access abuse against Salesforce environments (2025), to most recently compromising third-party integrators to reach downstream victims (2026). The group remains highly active, even outside of its most recent campaign against Instructure. Instructure is the parent company of Canvas, a web-based software application used by schools and universities to manage educational assignments, courses, exams, and grades.
Analysis:
On 25 April 2026, ShinyHunters gained access to Instructure, the educational technology company that operates the Canvas Learning Management System (LMS), after exploiting a vulnerability in the Free-For-Teacher version of Canvas. The gang claimed to have exfiltrated over 3.65 TB of data, which included 275 million records for 8,809 educational institutions. These records reportedly cover both staff and student data:
- Full Names
- Email Addresses
- Student ID numbers
- Canvas Chats between students, parents, and staff
Instructure stated there is no evidence that account passwords, financial data, or SSNs were stolen.
ShinyHunters initially attempted to extort Instructure by posting the claims on its data leak blog. Instructure did not contact ShinyHunters by the original 6 May 2026 deadline. The gang escalated by defacing Canvas login pages, attempting to extort the individual schools after initial Instructure extortion efforts fell flat. The Canvas sites of 330 educational institutions each displayed the following injected HTML:
This defacement prevented staff and students from accessing their accounts or any course materials. Instructure responded by putting Canvas into an offline maintenance mode and indefinitely suspending the Free-For-Teacher service. Remediation efforts are ongoing, and as of 8 May 2026 Canvas is back online.
ShinyHunters removed Instructure from its data leak site shortly after defacing the Canvas login pages and attempting to extort individual schools. ShinyHunters has a known pattern of removing victim entries once communications and negotiations have started; however, no direct communication between Instructure and ShinyHunters has been confirmed.
The current deadline listed by ShinyHunters for negotiations is 12 May 2026. The risk of data exposure or further escalation remains. Halcyon is monitoring for additional activity related to this campaign.
Mitigations:
- Rotate Exposed Credentials: All ~8,800 institutions on the impacted list should assume compromise. Rotate API keys, Open Authorization (OAuth) tokens, Single Sign-On (SSO) secrets tied to Canvas, and any student/staff account passwords [M1027].
- Issue Phishing Advisories: Due to the high visibility of this campaign, all Canvas users should be alert to phishing attempts that imitate educational resources [M1017]. Threat actors may target institutions by mimicking re-authorization prompts for credential theft.
- Deploy Dedicated Anti-Ransomware Controls: Deploy a dedicated anti-ransomware solution that detects and prevents ransomware runtime behavior and data exfiltration attempts [M1040] and prevents tampering and network intrusion that enable propagation [M1031].
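A mail-triage check to accompany the phishing advisory item above, added here as an illustration and not taken from Halcyon or Instructure: it flags Canvas-themed messages whose sender or links fall outside an allowlist of sign-in domains. The allowlist, the lure terms, the function names and the sample messages are assumptions constructed for this example (`example.edu` is a placeholder for the institution's own domain).

```python
from urllib.parse import urlsplit

# Assumptions: example.edu stands in for the institution's own domain;
# instructure.com is the vendor domain. Adjust both to your tenant.
TRUSTED_SUFFIXES = ("instructure.com", "example.edu")
LURE_TERMS = ("canvas", "instructure", "re-authorize", "reauthorize", "re-authenticate")

def host_is_trusted(host):
    """Exact or dot-boundary suffix match, so 'notinstructure.com' fails."""
    host = (host or "").lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)

def triage(msg):
    """Return reasons a message looks like a Canvas-themed credential lure."""
    text = f"{msg['subject']} {msg['body']}".lower()
    if not any(term in text for term in LURE_TERMS):
        return []  # not Canvas-themed; out of scope for this check
    reasons = []
    sender_host = msg["from"].rsplit("@", 1)[-1]
    if not host_is_trusted(sender_host):
        reasons.append(f"untrusted sender domain: {sender_host}")
    for url in msg["urls"]:
        parts = urlsplit(url)
        if parts.username is not None:
            reasons.append(f"userinfo in link hides real host: {parts.hostname}")
        if not host_is_trusted(parts.hostname):
            reasons.append(f"link leaves trusted domains: {parts.hostname}")
        elif parts.scheme != "https":
            reasons.append(f"sign-in link is not HTTPS: {url}")
    return reasons

# Constructed sample messages (not taken from the campaign).
SAMPLES = [
    {"from": "it-help@example.edu", "subject": "Canvas maintenance complete",
     "body": "Canvas is back online.", "urls": ["https://canvas.example.edu/login"]},
    {"from": "support@canvas-reauth.example.net", "subject": "Re-authorize your Canvas account",
     "body": "Sign in within 24 hours.",
     "urls": ["https://canvas.example.edu.signin.example.net/login"]},
    {"from": "registrar@example.edu", "subject": "Action needed: Canvas access",
     "body": "Please re-authenticate.", "urls": ["https://instructure.com@198.51.100.7/sso"]},
    {"from": "library@example.edu", "subject": "New e-books available",
     "body": "Browse the catalogue.", "urls": ["http://books.example.org/"]},
]

def flagged_subjects():
    return [m["subject"] for m in SAMPLES if triage(m)]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", triage(m) or "ok")
```

The third sample passes the sender check and is caught only by its link, which is why the links are evaluated independently of the From address.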
Source Summary:
This Alert is based on OSINT reporting, dark web monitoring, and published threat intelligence. Findings reflect the current understanding of the campaign and may be updated as new evidence emerges.
