EXECUTIVE SUMMARY
ShinyHunters, a notorious hacking group, has launched a brazen attack on Instructure, the company behind the widely used Canvas Learning Management System (LMS). The attack, which occurred in early May 2026, targeted the Canvas platform itself, exposing user names, email addresses, student ID numbers, and private messages exchanged between Canvas users across thousands of schools worldwide. This is not the first time ShinyHunters has targeted Instructure, having previously compromised the company's Salesforce business systems in September 2024 using social engineering tactics. The group's extortion-as-a-service pattern involves voice phishing and social engineering to gain initial access, often impersonating IT support or trusted internal personnel, before launching a public extortion campaign. In this case, ShinyHunters claimed to have stolen 3.6 TB of data covering approximately 285 million users across 9,000 schools, though Instructure has not confirmed these figures.
The malware infection vector is not explicitly stated in the available reporting. However, it appears that the attackers exploited a gap in the Canvas platform's security by using a compromised free account with access to production Canvas infrastructure. Once inside, the attackers gained unauthorized access to production Canvas data and potentially achieved write access, allowing them to deface login pages at multiple institutions. The stolen data, including student IDs, email addresses, and private message content, represents high-quality material for personalized phishing campaigns targeting students and faculty. The attackers maintained control by using a compromised account with external email addresses to access courses or messages during the April 30 to May 8 exposure window, and by potentially achieving write access to the Canvas platform.
The ShinyHunters attack is a significant threat to organisations, particularly those in the education sector, as it highlights the risk of compromised free accounts that have access to production infrastructure. Organisations should take defensive actions to protect themselves: rotate API credentials, monitor for phishing emails appearing to come from Canvas, check login pages for unauthorized changes, and alert students, faculty, and staff immediately.
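The exposure-window review described above, as an added example that is not from the report or from Instructure: it filters access records for April 30 to May 8 and flags course or message access by accounts whose email domain is not the institution's. The log schema, the domain list, the year 2026 applied to the window and the sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timezone

# Exposure window from the report (April 30 to May 8), assumed 2026 and UTC, inclusive.
WINDOW_START = datetime(2026, 4, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 8, 23, 59, 59, tzinfo=timezone.utc)
# Assumption: the domains your institution issues addresses under.
INSTITUTION_DOMAINS = {"example.edu", "students.example.edu"}
# Assumption: resource categories used by the constructed schema below.
SENSITIVE = {"course", "message"}

# Constructed sample records; the column layout is hypothetical, not a Canvas export format.
SAMPLE_LOG = """timestamp,user_id,email,resource,path
2026-04-29T22:10:00Z,101,alice@example.edu,course,/courses/12
2026-05-02T03:14:09Z,733,jdoe@mail.example.net,message,/conversations/88
2026-05-02T03:15:40Z,733,jdoe@mail.example.net,course,/courses/12
2026-05-03T09:00:00Z,102,bob@students.example.edu,message,/conversations/90
2026-05-07T18:30:00Z,845,Temp.User@EXAMPLE.EDU.lookalike.test,course,/courses/40
2026-05-08T12:00:00Z,733,jdoe@mail.example.net,profile,/profile
2026-05-09T00:00:01Z,733,jdoe@mail.example.net,message,/conversations/91
"""

def is_external(email):
    """True when the address's domain is not exactly an institution domain."""
    _, _, domain = email.strip().lower().rpartition("@")
    return domain not in INSTITUTION_DOMAINS  # exact match, so lookalike suffixes fail

def flag_external_access(log_text):
    """Group in-window course/message access by external accounts for review."""
    hits = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        when = when.replace(tzinfo=timezone.utc)
        if not (WINDOW_START <= when <= WINDOW_END):
            continue
        if row["resource"] not in SENSITIVE or not is_external(row["email"]):
            continue
        hits.setdefault(row["user_id"], []).append(row["path"])
    return hits

if __name__ == "__main__":
    for user_id, paths in flag_external_access(SAMPLE_LOG).items():
        print(f"review user {user_id}: {len(paths)} in-window requests -> {paths}")
```

The domain comparison is an exact match on everything after the last `@`, so an address such as the constructed `...@EXAMPLE.EDU.lookalike.test` is still treated as external.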
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Reconnaissance | T1592 | Open-Source Intelligence | — |
| Initial Access | T1566.002 | Phishing | Spearphishing Link |
| Initial Access | T1190 | Exploit Public-Facing Application | — |
| Execution | T1204 | User Execution | — |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1070 | Indicator Removal | — |
| Defense Evasion | T1564 | Hide Artifacts | — |
| Privilege Escalation | T1134 | Access Token Manipulation | — |
| Defense Evasion | T1112 | Modify Registry | — |
| Defense Evasion | T1140 | Deobfuscate/Decode Files or Information | — |
| Defense Evasion | T1036 | Masquerading | — |
| Defense Evasion | T1553 | Subvert Trust Controls | — |
| Defense Evasion | T1014 | Rootkit | — |
| Command and Control | T1105 | Ingress Tool Transfer | — |
| Command and Control | T1102 | Web Service | — |
| Command and Control | T1132 | Data Encoding | — |
| Collection | T1005 | Data from Local System | — |
| Collection | T1039 | Data from Network Shared Drive | — |
| Collection | T1560 | Archive Collected Data | — |
| Collection | T1113 | Screen Capture | — |
| Collection | T1114 | Email Collection | — |
| Collection | T1115 | Clipboard Data | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
| Exfiltration | T1048 | Exfiltration Over Alternative Protocol | — |
| Exfiltration | T1567 | Exfiltration Over Web Service | — |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/shinyhunters-breaches-instructure-canvas-lms/