Full Report
What Happened:

On 3 May 2026, ShinyHunters, the English-speaking adolescent cybercrime collective, claimed to have breached Instructure by listing the company on its Tor data leak site. Instructure is a US-based software provider behind the widely adopted Canvas Learning Management System (LMS). ShinyHunters reportedly exfiltrated 3.65 terabytes of data, spanning 275 million global records from up to 9,000 institutions, before posting extortion messages across university login portals demanding Bitcoin.

The outage forced prominent UK higher education institutions, including the University of Liverpool, Queen’s University Belfast, and the University of Manchester, to take systems offline and hastily rewrite their end-of-year exam submission schedules.

Instructure confirmed the affected data includes names, student ID numbers, email addresses, and private student-instructor messages. Instructure also confirmed that no passwords, financial data, or government IDs were pilfered.

When the initial negotiation deadline passed, ShinyHunters escalated by defacing Canvas login portals at roughly 330 institutions and pivoting to direct school-by-school extortion.

Following the initial investigation into the breach, Instructure confirmed that ShinyHunters had exploited a vulnerability in its “Free-for-Teacher” account creation system. To prevent the data from being leaked, Instructure announced it had “reached an agreement with the unauthorised actor” behind the data extortion attack. According to an expert interviewed by ABC News, while a ransom amount had not yet been verified or publicly confirmed, people claiming to have knowledge of the situation estimated the amount at $10 million USD.

Analyst Comment:

Canvas is reportedly the UK’s primary digital learning platform, whose usage grew significantly during the pandemic. The attack could not have come at a worse time for UK universities: in May, thousands of undergraduate students will be uploading their dissertations and trying to access their course content to prepare for their exams.

Active since 2019, ShinyHunters is a financially motivated data-theft-extortion collective that first emerged publicly in January 2020. Notably, ShinyHunters does not currently deploy ransomware as part of their intrusions. Instead, they exfiltrate data from cloud platforms, software environments, and third-party integrators, then demand a ransom to avoid its public release. SaaS platforms such as Salesforce, Snowflake, Gainsight, Salesloft Drift and their customers have been targeted by ShinyHunters and adjacent groups in the last couple of years.

Instructure is one of the few victims that has likely paid ShinyHunters. Most victims refuse because they cannot trust that the cybercriminals will keep their word and delete the stolen data. The consensus across the industry is that paying the ransom is never the appropriate option, for multiple reasons: it fuels future attacks, makes your company look like an easy target, and may violate sanctions and local ransom payment ban laws. The most likely scenario is that Instructure felt it should pay the ransom to prevent further harm from the release of the personal information of millions of students in its system.

Defensive Takeaways:

- Enhance Platform Security: ShinyHunters reportedly exploited a vulnerability in Instructure’s Free-for-Teacher system, which highlights the importance of identity security audits alongside standard application penetration testing.
- Enhance Logging and Round-the-Clock Monitoring: ShinyHunters reportedly exfiltrated 3.65 terabytes of data from Instructure. Enhanced activity logs and a certified 24/7 SOC monitoring service could have detected these actions by identifying anomalous login events and data exfiltration events to unknown IP addresses.
- Create and Test Backup Processes: While Canvas was down, the universities shifted to alternative methods like email and printed paper. This case highlights the importance of business continuity plans (BCPs), along with making sure they are updated and tested.
- Be Wary of Second-Order Effects: After a breach of this size, it’s key to warn users and SOC teams to be vigilant for new waves of phishing emails, brute-forcing attacks, and other account takeover methods leveraging the stolen data.
- Never Trust a Cybercriminal: In Instructure’s case, the company says it received “digital confirmation of data destruction (shred logs).” However, as Allison Nixon says, it’s completely unprovable because such shred logs or videos can be easily faked.

Relevant Sources:

- https://www.instructure.com/incident_update
- https://www.bbc.com/news/articles/ce3pq0136eqo
- https://www.academicjobs.com/uk/higher-education-news/canvas-cyber-attack-hits-uk-universities-or-academicjobs-uk-18738
- https://www.theguardian.com/technology/2026/may/17/canvas-hack-cyber-criminals-data-ransom-paid
- https://www.abc.net.au/news/2026-05-14/instructure-dealing-with-canvas-cyberhackers-dangerous-tactic/106674686

Relevant CTI Resources:

- https://www.ransomware.live/id/SW5zdHJ1Y3R1cmUgSG9sZGluZ3MsIEluYy4gKENhbnZhIExNUywgaW5zdHJ1Y3R1cmUuY29tKUBzaGlueWh1bnRlcnM
- https://www.ransomware.live/group/shinyhunters
- https://www.halcyon.ai/ransomware-alerts/education-sector-in-the-crosshairs-shinyhunters-extortion-campaign-against-instructure
- https://www.halcyon.ai/threat-group/shinyhunters
- https://blog.unit221b.com/dont-read-this-blog/harassment-scare-tactics-why-victims-should-never-pay-shinyhunters
- https://www.sans.org/blog/hunting-saas-threats-insights-for589-course-cybercriminal-campaigns
Analysis Summary
# Incident Report: Massive Data Extortion of Instructure Canvas LMS by ShinyHunters
## Executive Summary
In May 2026, the cybercrime collective ShinyHunters breached Instructure, the provider of the Canvas Learning Management System, by exploiting a vulnerability in a legacy account creation system. The attackers exfiltrated 3.65 terabytes of data involving 275 million records from 9,000 institutions and engaged in aggressive extortion tactics, including portal defacement. To prevent the public release of student data, Instructure reportedly paid an estimated $10 million ransom.
## Incident Details
- **Discovery Date:** 3 May 2026
- **Incident Date:** May 2026
- **Affected Organization:** Instructure (Canvas LMS)
- **Sector:** Education Technology (EdTech) / Software as a Service (SaaS)
- **Geography:** Global (US-based provider; major impact in the UK)
## Timeline of Events
### Initial Access
- **Date/Time:** Early May 2026 (prior to 3 May)
- **Vector:** Exploitation of an application vulnerability.
- **Details:** Attackers exploited a vulnerability in the “Free-for-Teacher” account creation system to gain unauthorized access to the environment.
### Lateral Movement
- **Details:** While specific lateral movement steps were not detailed in the report, the attackers successfully pivoted from the entry point to access bulk data storage containing student and institutional records.
### Data Exfiltration/Impact
- **Details:** ShinyHunters exfiltrated 3.65 terabytes of data, encompassing approximately 275 million records. This included names, student ID numbers, email addresses, and private student-instructor communications.
### Detection & Response
- **3 May 2026:** ShinyHunters publicly claimed the breach on their Tor data leak site.
- **Post-3 May:** Attackers posted extortion messages on university login portals.
- **Negotiation Phase:** After a missed deadline, ShinyHunters defaced portals at 330 institutions and began direct extortion of individual schools.
- **Resolution:** Instructure confirmed reaching an "agreement" with the actors and received "shred logs" as proof of data destruction.
## Attack Methodology
- **Initial Access:** Vulnerability exploitation (Free-for-Teacher system).
- **Persistence:** Not explicitly detailed; common for ShinyHunters to use stolen cloud credentials or API keys.
- **Collection:** Bulk gathering of student and instructor data from SaaS environment.
- **Exfiltration:** Transfer of 3.65 TB of data to attacker-controlled infrastructure.
- **Impact:** Financial extortion through data theft (non-encrypting) and public defacement of login portals to increase pressure.
## Impact Assessment
- **Financial:** Estimated $10 million USD ransom payment (unconfirmed but reported by industry experts).
- **Data Breach:** 275 million records (Personally Identifiable Information/PII).
- **Operational:** System outages at prominent UK universities (Liverpool, Manchester, QUB); disruption of end-of-year exam schedules.
- **Reputational:** Public defacement of 330 institutional portals; loss of trust regarding "Free-for-Teacher" security.
## Indicators of Compromise
- **Network indicators:** Data exfiltration to unknown IP addresses (IPs not specified in text).
- **Behavioral indicators:**
- Anomalous login events via the "Free-for-Teacher" system.
- Large-scale data egress (3.65 TB) from cloud environments.
- Unauthorized modification/defacement of Canvas login portal HTML/UI.
## Response Actions
- **Containment:** Affected UK universities took Canvas systems offline to prevent further interaction while the attack was ongoing.
- **Eradication:** Vulnerability in the Free-for-Teacher system was identified and addressed.
- **Recovery:** Universities implemented manual/alternative exam submission processes (email/paper); Instructure initiated ransom negotiations to secure data destruction.
## Lessons Learned
- **Legacy/Free Tier Risk:** Vulnerabilities in non-core or "free" features can provide a gateway to sensitive enterprise production data.
- **Extortion Escalation:** ShinyHunters utilizes "second-order" pressure by defacing client-facing portals and contacting victims' customers directly.
- **Ransom Reliability:** Payment provides no guarantee of data destruction; "shred logs" provided by the attacker are easily faked and unprovable.
## Recommendations
- **Identity Security Audits:** Conduct deep-dive audits of identity and access management (IAM) for all account types, specifically "Free" or "Trial" tiers.
- **Enhanced Egress Monitoring:** Implement 24/7 SOC monitoring with alerts for high-volume data exfiltration to unrecognized destinations.
- **Business Continuity Planning (BCP):** Ensure institutions have offline or alternative submission workflows (as seen with the UK universities) to handle SaaS outages during critical periods.
- **Attack Surface Management:** Regularly inventory and pen-test peripheral platform features that may not be part of the primary user workflow but share the same backend infrastructure.
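The egress monitoring called for in the "Enhance Logging and Round-the-Clock Monitoring" takeaway and the "Enhanced Egress Monitoring" recommendation above, as an added example that is not Instructure's or this report's own tooling: a daily check over constructed flow logs that flags large transfers to destinations outside an allow-list and days far above an account's own baseline. Field names, the allow-list and the thresholds are assumptions.

```python
"""Added example, not Instructure's or this report's own tooling: a daily egress
check over constructed flow logs. Field names, the allow-list and thresholds are
assumptions a SOC would replace with its own."""
import json
from collections import defaultdict
from statistics import median

# Constructed flow records, one JSON object per line; "bytes" is outbound volume.
FLOW_LOGS = """
{"day":"2026-04-28","account":"svc-export","dst_ip":"198.51.100.2","bytes":40000000000}
{"day":"2026-04-29","account":"svc-export","dst_ip":"198.51.100.2","bytes":42000000000}
{"day":"2026-04-30","account":"svc-export","dst_ip":"198.51.100.2","bytes":39000000000}
{"day":"2026-05-01","account":"svc-export","dst_ip":"203.0.113.7","bytes":1200000000000}
{"day":"2026-05-01","account":"svc-export","dst_ip":"203.0.113.7","bytes":900000000000}
{"day":"2026-05-01","account":"backup","dst_ip":"198.51.100.2","bytes":500000000000}
{"day":"2026-05-01","account":"alice","dst_ip":"192.0.2.9","bytes":2000000}
""".strip().splitlines()

KNOWN_DESTINATIONS = {"198.51.100.2"}  # assumed allow-list of sanctioned backup/partner IPs
ABSOLUTE_THRESHOLD = 100 * 10**9        # assumed: 100 GB/day to one unrecognised host
BASELINE_FACTOR = 10                    # assumed: alert above 10x the account's daily median

def daily_totals(lines):
    """Sum outbound bytes per (day, account, destination)."""
    totals = defaultdict(int)
    for line in lines:
        rec = json.loads(line)
        totals[(rec["day"], rec["account"], rec["dst_ip"])] += rec["bytes"]
    return totals

def egress_alerts(lines, day, known=KNOWN_DESTINATIONS):
    """Map account -> reasons for `day`: a large transfer to a destination not on
    the allow-list, or a day far above that account's own historical median."""
    totals = daily_totals(lines)
    history = defaultdict(list)              # prior days' per-destination totals
    for (d, acct, _), b in totals.items():
        if d < day:                          # ISO dates compare correctly as strings
            history[acct].append(b)
    alerts = defaultdict(list)
    for (d, acct, ip), b in totals.items():
        if d != day:
            continue
        if ip not in known and b >= ABSOLUTE_THRESHOLD:
            alerts[acct].append(f"{b / 1e9:.0f} GB to unrecognised destination {ip}")
        if history[acct] and b > BASELINE_FACTOR * median(history[acct]):
            alerts[acct].append(f"{b / median(history[acct]):.1f}x the account's daily baseline")
    return dict(alerts)
```

Running `egress_alerts(FLOW_LOGS, "2026-05-01")` flags only `svc-export`, for both the unrecognised destination and the jump above its baseline, while the sanctioned backup transfer stays quiet.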
***
**Relevant Sources (Defanged):**
- hxxps[://]www[.]instructure[.]com/incident_update
- hxxps[://]www[.]bbc[.]com/news/articles/ce3pq0136eqo
- hxxps[://]blog[.]bushidotoken[.]net/2026/05/uk-cybercrime-journal-british.html