
ShinyHunters and the Instructure / Canvas Breach: A Vendor Compromise at the Center of American Education

OSRS — OGUN Security Research and Strategic Consulting
Issued: May 7, 2026
Classification: Open Source — Strategic Distribution


Cybersecurity threats disrupt global education.

ShinyHunters, a financially motivated extortion group operating within the Scattered LAPSUS$ Hunters alliance, has breached Instructure twice in eight months. The May 2026 incident is the largest education-sector compromise on record. The threat actor claims 3.65 terabytes of stolen data, roughly 275 million user records, and access to Canvas messaging across nearly 9,000 schools, universities, and ministries of education worldwide. Confirmed exposed elements are names, institutional email addresses, student ID numbers, and private Canvas inbox messages between students, teachers, and staff. On May 7, ShinyHunters escalated by defacing the Canvas login pages of multiple schools with a fresh extortion demand and a May 12 deadline.

The incident is not a single failure of one vendor. It is a structural failure of education-sector vendor concentration, Salesforce data governance, and post-incident remediation discipline, repeating a pattern already established by PowerSchool, Infinite Campus, and McGraw-Hill.


1. INCIDENT TIMELINE

April 30, 2026 — Instructure observes anomalous activity in its cloud environment. The company posts a vague status update referencing limited disruption to tools relying on API keys and places Canvas Data 2 and Canvas Beta into maintenance.

May 1, 2026 — Instructure confirms a cybersecurity incident and engages outside forensic experts. The company states the intrusion has been contained.

May 2, 2026 — ShinyHunters posts Instructure on its Tor-based leak site. The message reads PAY OR LEAK and lists 8,809 affected institutions with per-institution record counts.

May 3, 2026 — ShinyHunters publishes a ransom letter on Ransomware.live, demanding that Instructure negotiate by May 6 or face release of the dataset and additional digital harassment. TechCrunch later reviews data samples from a Tennessee university and a Massachusetts university and verifies the presence of names, emails, and phone numbers in user messages.

May 5, 2026 — Instructure begins notifying customer institutions including Duke University, Wake County Public Schools, Charlotte-Mecklenburg Schools, Rutgers, and the University of Pennsylvania. The original deadline is extended to May 8.

May 7, 2026 — ShinyHunters defaces the Canvas login pages of several schools by injecting an HTML file that overlays the login screen with a new extortion message and a revised deadline of May 12. The group describes this as a second, separate intrusion. Canvas displays a scheduled maintenance notice. Instructure does not confirm the new compromise.


2. THREAT ACTOR PROFILE

ShinyHunters has operated since 2020 as a financially motivated data theft and extortion crew. The group does not deploy ransomware in the traditional sense. Its playbook is hack, publicize, and extort. Prior named victims include AT&T Wireless, Santander Bank, Ticketmaster, Google, Qantas, Jaguar Land Rover, Rockstar Games, the European Commission, and a series of Ivy League institutions including Princeton, Harvard, and the University of Pennsylvania.


The group is now assessed by Trustwave SpiderLabs to operate within Scattered LAPSUS$ Hunters, a situational alliance that fuses ShinyHunters, LAPSUS$, and Scattered Spider tradecraft. The umbrella sits inside the broader Com cybercrime ecosystem. The collective specialization is social engineering against cloud service providers, abuse of OAuth-connected applications inside SaaS environments, and credential and token theft to enable bulk data exfiltration through legitimate APIs.


The group's edtech campaign is now the most consistent thread in its 2025 and 2026 activity. Confirmed targets include PowerSchool, Infinite Campus, McGraw-Hill, and Instructure twice. The recurring infrastructure target is Salesforce.


3. DATA EXPOSURE

Confirmed exposed by Instructure:

  • Full names

  • Institutional email addresses (predominantly .edu accounts)

  • Student identification numbers

  • Canvas Inbox and Discussion messages between users, including in some cases personal email addresses and phone numbers shared inside messages

Confirmed not exposed by Instructure:

  • Passwords

  • Dates of birth

  • Government identifiers

  • Financial information

Claimed by ShinyHunters and not independently verified:

  • 3.65 terabytes of total exfiltrated data

  • 275 million unique user records

  • Billions of private messages between students, teachers, and staff

  • Compromise of Instructure's Salesforce instance with adjacent CRM data


TechCrunch revised its on-the-record figure to 231 million people in a follow-up report on May 7 after reviewing additional data samples. The 275 million figure remains the threat actor claim and is the number circulating in mainstream coverage.


4. ATTACK VECTOR AND TECHNIQUES

Public reporting, Instructure status updates, and analyst attribution converge on the following technical picture, although Instructure has not released a full incident report.


The May 2026 intrusion was enabled by exploitation of a vulnerability in Instructure's cloud environment. Attackers compromised privileged credentials and application keys, then abused legitimate APIs and connected applications to extract data at scale. There is no evidence of endpoint malware or ransomware deployment. The behavior maps to the MITRE ATT&CK techniques T1671 (cloud application abuse), T1567 (exfiltration over web services), and T1020 (automated data extraction), aligned to ShinyHunters' Campaign C0059 reference profile.
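The exfiltration pattern described above, bulk reads through legitimate API tokens rather than malware, leaves a volume signature in platform access logs. The following Python is an added example written for this brief, not Instructure's code or anything from its incident response. The log line format, token names, paths and thresholds are constructed for illustration; a real Canvas or Salesforce access log has its own field names, and the thresholds must be tuned to each integration's observed baseline before a rule like this goes live.

```python
"""Flag API tokens that read at bulk scale inside one clock-hour.

Added example, not Instructure's or Salesforce's code. Log format and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed line shape: "<ISO time> token=<id> <METHOD> <path> status=<code> bytes=<n>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) token=(?P<token>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"status=(?P<status>\d{3}) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Return (timestamp, token, path, status, bytes) or None for a non-matching line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["token"], m["path"], int(m["status"]), int(m["bytes"])


def resource_key(path):
    """Collapse a path to the collection it reads: drop the query string and
    replace numeric ids, so every page of one listing maps to one key."""
    return re.sub(r"/\d+", "/{id}", path.split("?", 1)[0])


def page_of(path):
    """Pagination index from the query string; unpaged requests count as page 1."""
    m = re.search(r"[?&]page=(\d+)", path)
    return int(m.group(1)) if m else 1


def find_bulk_readers(lines, max_requests=200, max_bytes=50 * 2**20, max_pages=50):
    """Aggregate successful reads per (token, clock-hour) and return
    {token: sorted list of thresholds exceeded} for tokens that trip any of them."""
    per_hour = defaultdict(lambda: {"requests": 0, "bytes": 0, "pages": defaultdict(set)})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, token, path, status, nbytes = parsed
        if status != 200:  # failed calls move no data; count them in a separate rule
            continue
        stats = per_hour[(token, ts.replace(minute=0, second=0, microsecond=0))]
        stats["requests"] += 1
        stats["bytes"] += nbytes
        stats["pages"][resource_key(path)].add(page_of(path))

    flagged = defaultdict(set)
    for (token, _hour), stats in per_hour.items():
        if stats["requests"] > max_requests:
            flagged[token].add("request volume")
        if stats["bytes"] > max_bytes:
            flagged[token].add("bytes returned")
        for collection, pages in stats["pages"].items():
            if len(pages) > max_pages:
                flagged[token].add(f"paged through {collection}")
    return {token: sorted(reasons) for token, reasons in flagged.items()}


def constructed_log():
    """Constructed sample: a grade-sync tool doing a handful of course reads,
    and a service token walking the whole user directory page by page."""
    lines = [
        "2026-04-29T02:00:01Z token=lti-gradesync GET /api/v1/courses/101/assignments status=200 bytes=8120",
        "2026-04-29T02:00:05Z token=lti-gradesync GET /api/v1/courses/101/submissions?page=1 status=200 bytes=20480",
        "2026-04-29T02:00:06Z token=lti-gradesync GET /api/v1/courses/101/submissions?page=2 status=200 bytes=20480",
        "2026-04-29T02:00:09Z token=lti-gradesync GET /api/v1/courses/999/assignments status=403 bytes=80",
    ]
    start = datetime(2026, 4, 29, 2, 0, 0)
    for n in range(1, 301):
        ts = (start + timedelta(seconds=n)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} token=svc-export GET /api/v1/accounts/1/users?per_page=100&page={n} "
                     f"status=200 bytes=307200")
    return lines


if __name__ == "__main__":
    for token, reasons in find_bulk_readers(constructed_log()).items():
        print(f"{token}: {', '.join(reasons)}")
```

The three thresholds catch different shapes of the same behaviour: request volume catches fast scrapers, bytes returned catches slow pulls of large objects, and the page-count check catches a token that walks an entire listing even when each call is small. A nightly SIS sync will legitimately trip the page-count check, which is why the per-token baseline matters; the point is that a directory-wide pull by a token that has never done one before is visible in the logs the platform already keeps.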


The Salesforce dimension is critical. Multiple analysts including Sentra and Security Magazine have documented that ShinyHunters has used Salesforce misconfiguration as a repeat attack vector across Instructure, McGraw-Hill, Infinite Campus, Amtrak, and ADT. Instructure's September 2025 incident was a vishing-led compromise of its Salesforce instance, part of the broader campaign that exfiltrated an alleged 1.5 billion Salesforce records from approximately 760 organizations. The May 2026 incident appears to have re-touched Salesforce as well, although Instructure has not confirmed whether the access path is connected to or independent of the September 2025 intrusion.


The May 7 login-page defacement is a separate technical event and indicates either a third intrusion path, a residual foothold, or a compromise at the customer-tenant level rather than the platform core. The attackers injected an HTML file that altered the login screen presentation. Instructure has not commented on root cause.
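Whatever the root cause of the defacement turns out to be, an institution can detect this class of change on its own tenant by fingerprinting the login page it serves and comparing it with a known-good capture. The Python below is an added example for this brief, not Instructure's code. Both HTML documents are constructed: BASELINE stands in for a clean capture of the tenant's login page, and DEFACED for the same page with an injected full-screen overlay, an inline script and a script loaded from an unapproved host. The allowed-host set and the sample paths are assumptions.

```python
"""Fingerprint a tenant login page and alert on injected content.

Added example, not Instructure's code. Both HTML documents are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that load or submit content; a new one on a login page is worth an alert.
WATCHED_TAGS = {"script", "iframe", "form", "link", "object", "embed"}


class LoginPageFingerprint(HTMLParser):
    """Collect the references a login page makes and the overlay-like elements it contains."""

    def __init__(self):
        super().__init__()
        self.references = set()   # (tag, src/href/action) for watched tags
        self.inline_scripts = 0   # <script> blocks without a src attribute
        self.fixed_overlays = 0   # elements positioned fixed over the page

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in WATCHED_TAGS:
            ref = attrs.get("src") or attrs.get("href") or attrs.get("action")
            if ref:
                self.references.add((tag, ref))
            elif tag == "script":
                self.inline_scripts += 1
        style = (attrs.get("style") or "").replace(" ", "").lower()
        if "position:fixed" in style:
            self.fixed_overlays += 1


def fingerprint(html):
    parser = LoginPageFingerprint()
    parser.feed(html)
    return {"references": parser.references,
            "inline_scripts": parser.inline_scripts,
            "fixed_overlays": parser.fixed_overlays}


def diff_against_baseline(baseline_html, current_html, allowed_hosts):
    """Return alert strings for content present in the current page but absent from the baseline."""
    base, cur = fingerprint(baseline_html), fingerprint(current_html)
    alerts = []
    for tag, ref in sorted(cur["references"] - base["references"]):
        host = urlparse(ref).netloc
        if host and host not in allowed_hosts:
            alerts.append(f"new <{tag}> loading from unapproved host {host}")
        else:
            alerts.append(f"new <{tag}> reference {ref}")
    if cur["inline_scripts"] > base["inline_scripts"]:
        alerts.append(f"inline scripts rose from {base['inline_scripts']} to {cur['inline_scripts']}")
    if cur["fixed_overlays"] > base["fixed_overlays"]:
        alerts.append("new fixed-position overlay element")
    return alerts


# Constructed known-good login page (hostnames are assumptions).
BASELINE = """<html><head><title>Log in</title>
<link rel="stylesheet" href="https://lms.example.edu/assets/login.css">
<script src="https://lms.example.edu/assets/login.js"></script></head>
<body><form action="/login" method="post">
<input name="username"><input type="password" name="password"><button>Log in</button>
</form></body></html>"""

# Constructed defaced variant: overlay, inline script, script from an unapproved host.
DEFACED = BASELINE.replace("<body>", """<body>
<div style="position: fixed; top: 0; left: 0; width: 100%; height: 100%; z-index: 9999;">
<p>constructed overlay text standing in for the injected message</p></div>
<script src="https://cdn.example-not-ours.invalid/overlay.js"></script>
<script>document.title = "constructed";</script>""")


if __name__ == "__main__":
    for alert in diff_against_baseline(BASELINE, DEFACED, {"lms.example.edu"}):
        print(alert)
```

Run on a schedule against the tenant's real login URL, this turns a change that users would otherwise discover first into an alert, and a changed form action in particular would surface as a new reference on the one page where credentials are entered.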


5. AFFECTED INSTITUTIONS AND POPULATIONS

The leaked target list reviewed by Hackread, BleepingComputer, and SOCRadar covers approximately 8,809 to 15,000 institutions across the United States, Canada, the United Kingdom, the European Union, parts of Asia, and Oceania. Confirmed and reported affected institutions include:

Higher education

  • Harvard University, Stanford University, Columbia University, MIT, Princeton, Yale, Penn State, Duke University, the University of Pennsylvania (over 300,000 Penn users), Rutgers, and most of the Ivy League

K-12 systems

  • Wake County Public Schools, Charlotte-Mecklenburg Schools, Clark County School District (Las Vegas), Broward County, Houston ISD, the entire North Carolina Department of Public Instruction footprint

International

  • 44 confirmed Dutch universities and schools, plus institutions across the United Kingdom, Germany, France, Australia, and several African countries that operate Canvas as a national or institutional LMS


Non-education enterprises using Canvas for training

  • Apple, several state agencies, healthcare and financial services firms

Canvas is used by 41 percent of higher education institutions in North America. Instructure operates in more than 100 countries following its $4.8 billion 2024 acquisition by KKR and Dragoneer.


6. REGULATORY AND LEGAL EXPOSURE

The breach activates four overlapping regulatory regimes, and the notification burden falls predominantly on the schools and not on Instructure.


FERPA (Family Educational Rights and Privacy Act) — Names matched with student ID numbers and institutional emails fall inside FERPA's covered records. Schools, not the vendor, hold the disclosure obligation. Instructure operates under the school official exception. Loss of federal funding eligibility and civil liability are the headline risks.


COPPA (Children's Online Privacy Protection Act) — The FTC's updated COPPA rule took effect on April 22, 2026 and tightens parental notification and consent requirements for under-13 data. Civil penalties reach $51,744 per affected child. Canvas serves elementary through high school populations, so a meaningful fraction of the exposed dataset falls inside the COPPA perimeter.


GDPR — A 72-hour notification window to supervisory authorities applies for any institution serving EU subjects. The 44 Dutch institutions and other European victims are now inside that clock.


State student privacy laws — Approximately 130 statutes apply in the United States, including New York Education Law 2-d, California's SOPIPA, and Texas Senate Bill 820. State attorneys general are watching the edtech sector with elevated attention after the PowerSchool litigation.


Litigation precedent — PowerSchool's January 2025 breach exposed 62 million student records, generated a $17.25 million settlement, and triggered class actions in 11 states. The Instructure breach already has plaintiff-side firms advertising for affected users. Class certification at four times PowerSchool's user count is foreseeable.


7. STRATEGIC IMPLICATIONS

For the education sector. This is the second time in fifteen months that a single SaaS provider has lost the records of tens of millions of students at once. The structural pattern is clear. Education technology has consolidated around a small number of vendors holding irreplaceable, regulated datasets. When any one of them falls, every dependent institution inherits the breach simultaneously. Migrating off Canvas is not trivial for institutions that have built course delivery, grading, and credentialing on top of it. Most affected institutions will stay.


For ShinyHunters' campaign trajectory. The group has now demonstrated the willingness to return to a victim, exploit incomplete remediation, and escalate when ignored. The May 7 login-page defacement is a tactical innovation. It transfers the public pressure from the leak site to the user's own login experience. Other extortion crews are likely to copy this technique.


For Salesforce-dependent organizations. The repeat Salesforce dimension across Instructure, McGraw-Hill, Infinite Campus, Amtrak, and ADT is no longer a single-vendor problem. It is a CRM-platform governance problem. Salesforce environments accumulate sensitive PII through support ticket integrations, custom objects, and cross-platform workflows. Most security teams have not classified that data, mapped the integrations, or restricted privileged access with the rigor the threat now requires.


For African and global higher education. Canvas adoption across African universities and ministries of education is meaningful. Institutions that operate Canvas under sovereign data assumptions need to confirm whether their tenants appear on the leaked target list and assess data residency and notification obligations under their national frameworks.


For Nigeria specifically. Several Nigerian universities and private secondary schools use Canvas. The Nigeria Data Protection Commission notification window under the NDPA 2023 is 72 hours from awareness. Affected institutions need to move now.


8. RECOMMENDATIONS

For institutions running Canvas:

  1. Confirm tenant exposure against the leaked target list. Request a written statement from Instructure scoped to your institution, naming the data elements affected.

  2. Force re-authorization of every third-party LTI tool, OAuth integration, and external app connected to your Canvas tenant. Rotate institutional API keys.

  3. Audit data flows from Canvas into Salesforce, identity providers, and downstream analytics platforms. Treat any system that ingested Canvas data as a possible secondary exposure.

  4. Stand up a phishing watch for the next 90 days. The exposed dataset (names, institutional emails, and message context) is the highest-quality phishing input available on the criminal market right now.

  5. Engage counsel for FERPA, COPPA, GDPR, and applicable state notifications. Document the response timeline as if a regulator will read it next quarter, because one will.

  6. Review Instructure's contractual liability, indemnification, and breach response language. Negotiate explicit security commitments at the next renewal cycle.


For vendors and SaaS operators in adjacent sectors:

  1. Treat repeat targeting as the realistic threat model. ShinyHunters returned to Instructure because the September 2025 remediation was incomplete. Patching the vulnerability and rotating the credentials are necessary but not sufficient. Hunt for persistence and reconnaissance artifacts from the prior breach.

  2. Classify Salesforce data continuously. Map every integration, service account, and connected application to the sensitive records it can reach. Remove what does not need to be there.

  3. Enforce phishing-resistant MFA on all privileged and developer accounts. Vishing remains the entry path of choice for this threat ecosystem.
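Recommendations 2 and 3 for institutions (re-authorize connected tools, rotate keys, audit downstream data flows) and recommendation 2 for vendors (classify and map every integration and remove what does not need to be there) come down to the same exercise: an inventory of connected applications and credentials, each judged on whether it is used, owned, scoped tightly and rotated. The Python below is an added example for this brief, not Instructure's or Salesforce's code. The inventory and the scope names are constructed; a real export (Canvas developer keys and external tools, Salesforce connected apps and integration users) has its own field names and would be mapped into this shape first.

```python
"""Triage the integrations connected to an LMS or CRM tenant.

Added example, not Instructure's or Salesforce's code. Inventory records and
scope names are constructed illustrations, not a real platform's scope list.
"""
from datetime import date

# Illustrative scope names that reach whole-tenant user or message data and
# therefore need a written justification to stay enabled.
BROAD_SCOPES = {"users:read_all", "conversations:read", "sis:export", "accounts:admin"}

# Constructed inventory: one healthy tool, one forgotten warehouse key, one
# active CRM connector on an old credential, one abandoned pilot.
INVENTORY = [
    {"name": "gradebook-sync", "kind": "lti", "owner": "registrar",
     "scopes": ["courses:read", "grades:write"], "last_used": "2026-04-28", "key_created": "2026-01-15"},
    {"name": "analytics-warehouse", "kind": "api_key", "owner": "",
     "scopes": ["users:read_all", "conversations:read"], "last_used": "2025-11-02", "key_created": "2024-06-01"},
    {"name": "crm-connector", "kind": "oauth", "owner": "advancement",
     "scopes": ["users:read_all"], "last_used": "2026-04-30", "key_created": "2024-09-10"},
    {"name": "pilot-tool-2024", "kind": "lti", "owner": "",
     "scopes": ["courses:read"], "last_used": None, "key_created": "2024-03-01"},
]


def _to_date(value):
    return date.fromisoformat(value) if value else None


def triage(inventory, today, stale_days=90, rotate_days=180):
    """Return one finding per integration: the action to take and the reasons.

    Actions, in order of precedence: revoke (never used or unused beyond
    stale_days), suspend (no accountable owner), rotate (credential older than
    rotate_days), review (broad scopes on an otherwise healthy app), keep.
    """
    findings = []
    for app in inventory:
        last_used = _to_date(app.get("last_used"))
        created = _to_date(app["key_created"])
        unused = last_used is None or (today - last_used).days > stale_days
        unowned = not app.get("owner")
        broad = sorted(set(app["scopes"]) & BROAD_SCOPES)
        aged = (today - created).days > rotate_days

        reasons = []
        if unused:
            reasons.append(f"unused > {stale_days} days")
        if unowned:
            reasons.append("no accountable owner")
        if broad:
            reasons.append("broad scopes: " + ", ".join(broad))
        if aged:
            reasons.append(f"credential older than {rotate_days} days")

        if unused:
            action = "revoke"
        elif unowned:
            action = "suspend"
        elif aged:
            action = "rotate"
        elif broad:
            action = "review"
        else:
            action = "keep"
        findings.append({"name": app["name"], "kind": app["kind"],
                         "action": action, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY, date(2026, 5, 8)):
        print(f"{f['action']:8} {f['name']:22} {'; '.join(f['reasons']) or 'healthy'}")
```

The ordering is deliberate: an integration nobody has used in a quarter is removed before anyone debates its scopes, and a credential that predates the September 2025 incident is rotated even when the application itself is legitimate, because a key issued before a compromise cannot be assumed clean afterwards.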


For policymakers:

  1. The vendor concentration risk in education is now a national security posture issue. Federal and state education authorities should examine procurement standards, breach notification minimums, and security baseline requirements for LMS, SIS, and assessment vendors.

  2. The FTC's updated COPPA rule should be paired with active enforcement. Per-child penalties at the new rate change the cost calculus for vendors that have treated K-12 data with adult-grade controls.

9. INTELLIGENCE GAPS

Several material questions remain open as of this writing.

  • The specific vulnerability exploited in the May 2026 intrusion has not been disclosed.

  • The dwell time between initial access and exfiltration detection is unknown. The 3.65 TB exfiltration claim implies sustained data movement that should have been visible.

  • The relationship between the September 2025 Salesforce compromise and the May 2026 cloud environment compromise has not been confirmed by Instructure.

  • The mechanism behind the May 7 login-page defacement is unknown. The hypothesis ranges from a residual foothold to a customer-tenant compromise to a third independent intrusion.

  • Whether ShinyHunters will publish the dataset on May 12 if no payment is made is the most consequential near-term variable. The group's historical behavior strongly suggests it will.

10. SOURCES

Primary reporting and analyst sources consulted: TechCrunch, Inside Higher Ed, BleepingComputer, Hackread, DataBreaches.net, The Daily Pennsylvanian, Duke Chronicle, WRAL, ABC11 Raleigh-Durham, 6abc Philadelphia, WCNC Charlotte, Malwarebytes, Dataminr, SOCRadar, Sentra, Rescana, Lumu, Dark Reading, Security Boulevard, The Next Web, Rutgers Office of Information Technology, Instructure status page (Steve Proud, Chief Information Security Officer).


About the author

Dr. Sunday Oludare Ogunlana is Founder and Chief Executive Officer of OGUN Security Research and Strategic Consulting LLC, a Texas-licensed intelligence and security firm. He is a Professor of Cybersecurity and a national security scholar with more than fifteen years of experience across cybersecurity, intelligence analysis, and AI governance. He advises global intelligence and policy bodies and writes regularly on threat intelligence, vendor risk, and the security posture of the global education technology sector.


Intelligence. Protection. Strategy.
