
ShinyHunters Hit Canvas: 275 Million Records Across 9,000 Schools. May 12 Ransom Deadline. Here's the Hunt-Tonight for School IT Teams.

  • Writer: Patrick Duggan
  • 5 hours ago
  • 7 min read

May 8, 2026 · DugganUSA LLC


The ShinyHunters cybercrime group has compromised Instructure's Canvas learning management system and is claiming theft of two hundred seventy-five million records across nearly nine thousand educational institutions worldwide. The list of named victims includes all eight Ivy League universities, MIT, Oxford, Harvard, Penn, the University of Missouri system, North Carolina K-12 districts, San Diego campuses, Charlotte-area school districts, and thousands more. The deadline ShinyHunters has set for ransom negotiation is end of day Tuesday, May 12 — four calendar days from this post.


The stolen data, per Instructure's own disclosure, includes names, email addresses, student ID numbers, and messages between users. ShinyHunters' claim adds that the corpus includes billions of private messages between students and teachers. If accurate, that body of communication is the most concentrated education-sector intelligence kit ever exfiltrated in a single breach.


This is a supply chain attack against the SaaS vendor. Your school did not have the vulnerability. Instructure did. But every school on that list of nine thousand has downstream exposure that does not end when Instructure publishes a remediation status update. The hunt below is what IT teams at affected institutions should be running tonight, before Monday morning.


The Timeline That Matters



April 29, 2026: Instructure detected unauthorized activity in Canvas, per their own disclosure. April 30: ShinyHunters claims the attack began. May 1: Instructure publicly confirmed the cybersecurity incident. May 3: ShinyHunters claimed responsibility publicly and published the list of nine thousand named institutions. May 7: ShinyHunters defaced Canvas login pages directly with a ransom message visible to any student or teacher attempting to log in. May 8: this post. May 12: leak deadline.


The eight-day gap between detection and login-page defacement is the operational story. ShinyHunters had operational access to Canvas long enough to stage data exfiltration, claim responsibility, and then escalate to direct customer-facing pressure — all while Instructure's customers were continuing normal educational operations on the platform. The schools on the list did not learn they were affected from Instructure. They learned from ShinyHunters, on May 3, and from defaced login pages on May 7.


This is the same operational shape as the MOVEit breach in 2023, the Snowflake compromise in 2024, and the Change Healthcare incident in 2024. SaaS vendor gets breached. Customers have no visibility into the timeline because they had no detection on the vendor's plane. By the time the customer learns, the data has already moved. The hunt is not on the vendor's surface. The hunt is on the customer's downstream attack surface.


What ShinyHunters Actually Has



Per Instructure's disclosure: names, emails, student IDs, messages. Per ShinyHunters' claim: billions of private messages between students and teachers across nine thousand schools.


Three categories of follow-on threat the affected schools should plan for over the next thirty days:


First, spear-phishing at scale. A list of two hundred seventy-five million email addresses tied to specific schools, specific instructors, and specific courses is a phishing kit of unprecedented quality. The attacker can craft a message that references a real course, a real instructor, a real prior conversation between the student and their teacher, and the student will read it because every cue checks out. Expect a phishing wave starting within days of the deadline, regardless of whether ransom is paid.


Second, credential stuffing across other school systems. Students and faculty reuse passwords. The stolen credentials will be tested against Google Workspace for Education, Microsoft 365 Education, PowerSchool, Blackboard, Schoology, Canvas Catalog, and any institutional SSO system that the email-as-username convention reaches. Schools that have not enforced multi-factor authentication on their identity provider should expect account takeovers within the same window.


Third, OAuth token and LTI integration abuse. Canvas integrates via Learning Tools Interoperability with hundreds of third-party education tools — Turnitin, Zoom, Kaltura, McGraw-Hill Connect, Pearson MyLab, Cengage, ALEKS, Khan Academy, and many more. If ShinyHunters obtained OAuth client secrets or LTI shared secrets along with the customer data, those integrations are now potential pivots into systems beyond Canvas. The third-party tool was not breached, but its trust relationship with Canvas may have been.


Hunt Tonight - The IT Team Action Sequence



For any school IT or security team on the list of nine thousand, the action sequence over the next ninety-six hours, in order of priority:


Step one: rotate every credential and secret connected to Canvas. This includes the SSO/SAML signing certificates, OAuth client secrets for any LTI integration, API keys provisioned for Canvas API consumers, and the IDP password for any administrator account that authenticates to Canvas. The principle is the assume-breach posture: Instructure's incident reach is unknown, the OAuth trust relationships are now suspect, and rotation cost is low compared to the cost of a follow-on compromise of an integrated system. Do this regardless of whether you intend to pay ransom or wait for Instructure's full forensic report.


Step two: force password reset across the IDP for every user with Canvas access. Students, faculty, and staff. The reset should be combined with mandatory MFA enrollment for any account that does not already have it. The credentials in ShinyHunters' possession are presumably matched to email addresses that resolve to your IDP. Forcing reset before May 12 reduces the window during which credential stuffing can succeed against your downstream systems.


Step three: hunt back through Canvas API and SSO logs from April 29 forward. Pull the past ten days of authentication logs at your IDP filtered for Canvas-tied SSO sessions. Look for: authentication events from geographies that do not match your normal student or faculty population, OAuth token issuance to clients that were not approved by your administration, API requests to your own IDP from IPs associated with prior ShinyHunters infrastructure (we have indicators in our STIX feed under indicator type), and any session that originated from a Canvas-pivoting flow rather than from a normal user-driven login. The Canvas vendor may not give you log access on their side; your IDP logs are still under your control.


Step four: scan LTI-integrated third-party education tools for unauthorized activity. Each LTI tool integrated with Canvas has its own administrative interface. Pull access logs from each one for the same April 29 forward window. Look for: configuration changes you did not authorize, new admin accounts, OAuth token issuance to the Canvas integration that does not match your normal usage pattern, and any data export activity that does not match an administrator-approved workflow. The third-party tool is the most likely lateral pivot if the OAuth trust relationship was compromised.


Step five: prepare for the phishing wave. Communicate to your student, faculty, and parent population that a credible phishing campaign is expected within the next fourteen to thirty days that may reference real Canvas course content, real instructor names, and real prior interactions. The communication should explicitly warn that the unusual specificity of the phishing message is a feature of the breach, not evidence that the message is legitimate. Coordinate with your help desk on a recognition and reporting protocol before the wave begins, not after.
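A worked version of the step three and step four hunt rules, added here as an example and not code from the original post or from DugganUSA: it runs the geography, unapproved-client and indicator-IP checks over constructed IdP events from April 29 forward, and the same function can be pointed at an LTI tool's access log. The log format, the expected geographies, the approved client IDs and the indicator IP are all assumptions for the example.

```python
import json
from datetime import datetime, timezone

# Hunt window from the post's timeline: Instructure's first detection date.
WINDOW_START = datetime(2026, 4, 29, tzinfo=timezone.utc)

# Assumed for this example (not from the post): the institution's normal login
# geographies and the LTI/OAuth client IDs its administration has approved.
EXPECTED_GEOS = {"US"}
APPROVED_CLIENTS = {"lti-turnitin", "lti-zoom"}
# PLACEHOLDER indicator set; a real hunt would load the STIX feed's IP indicators.
INDICATOR_IPS = {"203.0.113.5"}

# Constructed sample IdP events as JSON lines (documentation IP ranges); not real logs.
SAMPLE_LOG = """
{"ts":"2026-04-28T09:00:00Z","user":"s1@school.example","event":"sso_login","app":"canvas","geo":"US","ip":"198.51.100.10"}
{"ts":"2026-04-30T03:12:00Z","user":"s1@school.example","event":"sso_login","app":"canvas","geo":"RO","ip":"203.0.113.5"}
{"ts":"2026-05-02T14:00:00Z","user":"admin@school.example","event":"oauth_token","app":"canvas","client_id":"lti-turnitin","geo":"US","ip":"198.51.100.20"}
{"ts":"2026-05-04T02:30:00Z","user":"admin@school.example","event":"oauth_token","app":"canvas","client_id":"unknown-client-77","geo":"US","ip":"198.51.100.20"}
{"ts":"2026-05-05T11:00:00Z","user":"t1@school.example","event":"sso_login","app":"mail","geo":"US","ip":"192.0.2.9"}
"""

def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def hunt(events, app="canvas", window_start=WINDOW_START, expected_geos=EXPECTED_GEOS,
         approved_clients=APPROVED_CLIENTS, indicator_ips=INDICATOR_IPS):
    """Return (event, reasons) for in-window events tied to `app` that trip a hunt rule."""
    # For step four, pass app="<lti tool name>" and that tool's access log instead.
    findings = []
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        if ts < window_start or ev.get("app") != app:
            continue  # outside the April 29 forward window, or not tied to this app
        reasons = []
        if ev.get("geo") not in expected_geos:
            reasons.append("geo outside normal population")
        if ev.get("event") == "oauth_token" and ev.get("client_id") not in approved_clients:
            reasons.append("token issued to unapproved client")
        if ev.get("ip") in indicator_ips:
            reasons.append("source IP matches indicator feed")
        if reasons:
            findings.append((ev, reasons))
    return findings

if __name__ == "__main__":
    for ev, reasons in hunt(parse_events(SAMPLE_LOG)):
        print(ev["ts"], ev["user"], ev["event"], "->", "; ".join(reasons))
```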


On The Ransom Decision



The institutional decision on whether to engage ShinyHunters' negotiation channel is not a security team decision. It is a board, general counsel, and (where applicable) state attorney general decision, with input from the FBI's regional cyber squad and (for federal-aid-receiving institutions) the Department of Education. The position we hold publicly: paying ransom does not eliminate the breach. The data is already exfiltrated. The decision is whether to pay for an unverified promise that the data will not be leaked, against an unverified threat that it will. The base rate on ransom-paid-then-data-leaked-anyway in the ShinyHunters historical pattern should inform that decision.


For schools that intend to pay, FBI cyber-division contact should be made first. For schools that intend not to pay, the leak should be assumed, and the steps above should be completed before May 12 regardless. For schools still deciding, the steps above are appropriate either way; they are insurance against the worst-case downstream cascade, not a substitute for the legal and financial decision.


The Bigger Pattern - SaaS Vendor Concentration In Education



Nine thousand schools were on a single vendor's customer list. That concentration is the structural risk. Canvas's market share in higher education in the United States is over fifty percent. Add Blackboard, Moodle, and Schoology and you have nearly the entire higher-ed and substantial K-12 LMS market consolidated across roughly four vendors. A single compromise at any one of them produces precisely the cascade we are watching today.


The defensive answer is not to abandon SaaS LMS — the alternative is institution-by-institution self-hosting at scale, which has its own security profile that is generally worse, not better. The defensive answer is to architect every SSO and LTI integration with the assumption that the vendor will eventually be breached, and to keep every credential, secret, and trust relationship rotatable on short notice. The schools that complete steps one through five above this weekend will have effectively rehearsed the breach response that the next breach will require, regardless of which vendor it hits.


This is not the last SaaS-education breach. It is the largest one we know about today. Treat it as the rehearsal, run the rotation, and write the playbook so the next one is a Tuesday afternoon, not a board emergency.


Summary



ShinyHunters has 275 million records across 9,000 educational institutions, including names, emails, student IDs, and student-teacher messages. Ransom deadline is end of day May 12. The hunt below for affected school IT teams runs tonight, before Monday:


  • Rotate every credential and secret connected to Canvas — SSO certificates, OAuth client secrets, API keys, admin passwords

  • Force IDP-wide password reset for everyone with Canvas access, with MFA enrollment

  • Hunt April 29 forward in your IDP authentication logs for anomalous Canvas sessions

  • Scan LTI-integrated tools for unauthorized activity in the same window

  • Prepare your community for a phishing wave that will reference real course detail


If you are a school IT or security lead and want a cross-check on the indicators or the action sequence, we are at [email protected].


— Patrick Duggan

DugganUSA LLC, Minneapolis


Aye.


Receipts



  • Instructure first detection: April 29, 2026 (per company disclosure)

  • Instructure public confirmation: May 1, 2026

  • ShinyHunters public claim: May 3, 2026 (with named-institution list of ~8,809)

  • Canvas login-page defacement: May 7, 2026

  • Ransom deadline: May 12, 2026 EOD

  • Affected institution count: ~9,000 worldwide (all eight Ivy League, MIT, Oxford, Harvard, Penn, University of Missouri, NC K-12, San Diego, Charlotte-area, and thousands more)

  • Records claimed: 275,000,000

  • Data categories per Instructure: names, email addresses, student ID numbers, user-to-user messages

  • Data categories per ShinyHunters: billions of student-teacher private messages

  • Coverage: TechCrunch, TIME, Inside Higher Ed, TechRepublic, TechRadar, Malwarebytes, DataBreaches.Net, Daily Pennsylvanian, Harvard Crimson, Wikipedia (2026 Canvas security incident article)

  • Pattern parallel: MOVEit (2023), Snowflake (2024), Change Healthcare (2024) — SaaS vendor breach with downstream customer cascade

  • ShinyHunters historical operations: prior Instructure breach + Vimeo breach concurrent with this one

  • Our STIX feed indicators: analytics.dugganusa.com/api/v1/stix-feed

  • Our defender plugins (13 surfaces): github.com/pduggusa




