ShinyHunters Claims Second Attack Against Instructure TechTarget and Informa Tech’s Digital Business Combine.TechTarget and InformaTechTarget and Informa Tech’s Digital Business Combine.Together, we power an unparalleled network of 220+ online properties covering 10,000+ granular topics, serving an audience of 50+ million professionals with original, objective content from trusted sources. We help you gain critical insights and make more informed decisions across your business priorities.Dark Reading Resource LibraryBlack Hat NewsOmdia CybersecurityAdvertiseNewsletter Sign-UpNewsletter Sign-UpCybersecurity TopicsRelated TopicsApplication SecurityCybersecurity CareersCloud SecurityCyber RiskCyberattacks & Data BreachesCybersecurity AnalyticsCybersecurity OperationsData PrivacyEndpoint SecurityICS/OT SecurityIdentity & Access Mgmt SecurityInsider ThreatsIoTMobile SecurityPerimeterPhysical SecurityRemote WorkforceThreat IntelligenceVulnerabilities & ThreatsRecent in Cybersecurity TopicsСloud SecurityHackers Use AI for Exploit Development, Attack AutomationHackers Use AI for Exploit Development, Attack AutomationbyAlexander CulafiMay 11, 20264 Min ReadСloud SecurityAfter Replacing TeamPCP Malware, 'PCPJack' Steals Cloud SecretsAfter Replacing TeamPCP Malware, 'PCPJack' Steals Cloud SecretsbyNate NelsonMay 7, 20265 Min ReadWorld Related TopicsDR GlobalMiddle East & AfricaAsia PacificLatin AmericaSee AllThe EdgeDR TechnologyEventsRelated TopicsUpcoming EventsPodcastsWebinarsSEE ALLResourcesRelated TopicsResource LibraryNewslettersPodcastsReportsVideosWebinarsWhite Papers Partner PerspectivesDark Reading Resource LibraryCyberattacks & Data BreachesCyber RiskData PrivacyСloud SecurityNewsShinyHunters Claims Second Attack Against InstructureThe edtech company is struggling to wrest control from its hackers. PII belonging to hundreds of millions of people is on the line.Nate Nelson,Contributing WriterMay 8, 20266 Min ReadSource: Kristoffer Tripplaar via Alamy Stock PhotoThe ShinyHunters gang has claimed a second successive breach of Instructure, the supplier of the Canvas learning management system (LMS), mere hours after the company claimed the whole affair was over. On April 25, the ShinyHunters cybercrime operation did what it's been doing for years now: it took advantage of some large, well-connected organization's exposed cloud infrastructure to access, steal, and then threaten to leak some huge trove of data. The old story followed a non-linear path this time, though. Instructure claimed the breach was done for, then ShinyHunters claimed a second attack, and meanwhile disruptive activity as of this posting is ongoing. All this as final exam week commences across the US.Dark Reading reached out to Instructure to square its previous claims with accounts from students and teachers online. In a statement, the company acknowledged that it is experiencing an "ongoing security incident" thanks to a follow-on compromise of "free-for-teacher" accounts.Related:Instructure Breach Exposes Schools' Vendor DependenceDid ShinyHunters Breach Instructure Twice?Since its breach, public messaging from Instructure has emphasized its quick and diligent incident response (IR). The timeline circulated to customers suggests that it first discovered the intrusion four days late, on April 29, and immediately revoked the attackers' system access. Yet on April 30, it had to take more steps to address "additional suspicious access."On May 2, chief information security officer (CISO) Steve Proud stated, "We believe the incident has been contained." He cited a few steps taken to ensure the attackers couldn't get back in, like patching and rotating keys. On May 6, the company reemphasized that "we are not seeing any ongoing unauthorized activity."These claims have been challenged by disaffected students and teachers online, who report that their education has been interrupted, and that they've been hit with ShinyHunters splash messages as recently as May 7. Some affected schools are now walking back earlier, more optimistic reports passed down from the vendor. And a new ShinyHunters ransom note is circulating, in which the hackers claim to have re-infected the company. The note offers affected schools the option to negotiate with them directly and pushes back its leak deadline from the previously reported May 6 to May 12.Dark Reading cannot confirm any specific claims online, but one affected student sent Dark Reading screenshots of the newly circulating splash page, which he says interrupted him on May 7. Dennis Pomazanov, studying at Georgia Tech, recalls, "When I tried to view my grades, I was greeted by the ransom message instead of the normal Canvas page. At the time, I was also unable to use Canvas to contact professors or classmates about questions I had, which made the situation more frustrating."Related:Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FAIn a May 8 statement to Dark Reading, Instructure acknowledged what students like Pomazanov were experiencing. It reported that on May 7, it took Canvas offline, again, to contain the ongoing incident. "We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts," a company spokesperson wrote, without detailing the exact nature of the vulnerability. "As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use.”"Personally, I was lucky because I had already finished my finals and homework," Pomazanov says, "but I know several friends who were still trying to study, finish assignments, or prepare for exams, and the outage made that much harder for them."Which Schools Were Breached via Canvas?Instructure's Canvas is one of the most ubiquitous software platforms in education today. It's an online companion to classrooms, where students message their teachers and submit homework, teachers post assignments and post grades, etc. Industry analysts place Canvas' marketshare in the LMS space at 47% among higher education institutions in North America, and 28% in K-12. It's also used widely in adult professional education settings.Related:Middle East Cyber Battle Field Broadens — Especially in UAEShinyHunters claims to have stolen around 3.65TB of names, emails, student ID numbers — and, perhaps most interestingly, "several billions of private messages" between students and teachers — from just under 9,000 institutions, representing somewhere around 275 million individuals. Some back of the napkin math suggests that ShinyHunters left no Canvas customer untouched: in North America there are only around 4,000 accredited higher institutions, and around 10,000 K-12 schools using LMS's.Intrepid students and interested parties have visited ShinyHunters' leak site and pulled its tally of its victims, which is now circulating online. The laundry list includes numerous North American higher education institutions and K-12 schools, plus educational institutions in Europe, Central America, and elsewhere abroad. It also includes major corporations like Amazon and Apple, healthcare institutions, and cities and states, which may be in reference to government organizations. Dark Reading did not independently download this list, but cross-referenced it with data reported by cybersecurity researchers, as well as publicly known information about Canvas' user base.Risks to Schools, Companies, and MinorsPublic statements from Instructure and its customers have emphasized that while the attackers stole some personal information, some other particularly sensitive data like passwords, birthdays, and financial information may not have been among the trove.If that's the good news, the bad news is the sheer scope and variety of risks associated with the data the company lost. Unlike most data breaches, which affect certain kinds of people in certain ways, Canvas' customers span the government, healthcare, and major business sectors, all of which are subject to their own legal and regulatory frameworks and follow-on risks. Most glaring of all, though, is that by compromising thousands of K-12 schools, criminals now have access to, and are threatening to leak, a massive amount of data belonging to minors."When a breach involves the personal data of minors, the severity and the stakes escalate significantly," says Darren Guccione, CEO and co-founder at Keeper Security. "Unlike a compromised credit card or a rotated password, a child's name, date of birth, institutional records and private communications cannot be replaced. That exposure follows them. For institutions and the students they serve, the consequences can persist for years through identity fraud, targeted social engineering and other scams long after the headlines fade.""The hard question this incident raises is about what the industry should expect from platforms that operate at this scale and steward this kind of data," he says. "When a single vendor serves thousands of institutions globally, the security standard has to reflect that responsibility."Don't miss the latest Dark Reading Confidential podcast, How the Story of a USB Penetration Test Went Viral. Two decades ago Dark Reading posted its first blockbuster piece — a column by a pen tester who sprinkled rigged thumb drives around a credit union parking lot and let curious employees do the rest. This episode looks back at the history-making piece with its author, Steve Stasiukonis. Listen now!About the AuthorNate NelsonContributing WriterNate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost.See more from Nate NelsonWant more Dark Reading stories in your Google search results?Add Us NowMore InsightsIndustry ReportsHow Enterprises Are Developing Secure ApplicationsInside RSAC 2026: security leaders reveal the risks redefining your defense strategyHow Enterprises Are Harnessing Emerging Technologies in CybersecurityDitch the Data Center: Understanding Flexible Cloud Infrastructure Security Management2025 State of MalwareAccess More ResearchWebinarsThe New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud WorkspacePrompt Injection Is Just the Start: Securing LLMs in AI SystemsAnatomy of a Data Breach: What to Do if it Happens to YouHow Well Can You See What's in Your Cloud?Implementing CTEM: Beyond Vulnerability ManagementMore WebinarsEditor's ChoiceThreat IntelligenceFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberFrom Stuxnet to ChatGPT: 20 News Events That Shaped CyberbyDark Reading Editorial TeamMay 6, 202631 Min ReadCyber RiskPhysical Cargo Theft Gets a Boost From CybercriminalsPhysical Cargo Theft Gets a Boost From CybercriminalsbyRobert LemosMay 4, 20265 Min ReadWant more Dark Reading stories in your Google search results?Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.SubscribeRSAC 2026: key news & insightsAt RSAC 2026, Dark Reading captured critical intelligence on AI, new attack methods, geopolitics, and much moreGet Your RecapWebinarsThe New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud WorkspaceWed, June 24,2026 at 1pm ESTPrompt Injection Is Just the Start: Securing LLMs in AI SystemsTues, May 26, 2026, at 1pm ESTAnatomy of a Data Breach: What to Do if it Happens to YouJune 18th, 2026 | 11:00am -5:00pm ET | Doors Open at 10:30am ETHow Well Can You See What's in Your Cloud?Thurs, June 4, 2026 at 1:00pm ESTImplementing CTEM: Beyond Vulnerability ManagementThurs, May 21, 2026 at 1pm ESTMore WebinarsBlack Hat USA | Mandalay Bay, Las VegasThe premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.GET YOUR PASSDiscover MoreBlack HatOmdiaWorking With UsAbout UsAdvertiseReprintsJoin UsNewsletter Sign-UpFollow UsCopyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget. This website is owned and operated by Informa TechTarget, part of a global network that informs, influences and connects the world’s technology buyers and sellers. All copyright resides with them. Informa PLC’s registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. TechTarget, Inc.’s registered office is 275 Grove St. Newton, MA 02466.Home|Cookie Policy|Privacy|Terms of UseYour Privacy Choices

The ShinyHunters cybercrime operation has launched a second attack against Instructure, the provider of the Canvas learning management system (LMS), mere hours after the company initially claimed the breach was resolved. This escalating situation sees ongoing disruptive activity, including splash pages interrupting student access, as the group has claimed to steal approximately 3.65TB of data, encompassing names, email addresses, student IDs, and “several billions of private messages” exchanged between students and teachers across nearly 9,000 institutions worldwide. Initially, the attack targeted free-for-teacher accounts, following a pattern of exploiting exposed cloud infrastructure. Instructure initially responded by taking steps to contain the intrusion, including revoking attacker access and patching systems, but subsequently re-isolated Canvas due to continued unauthorized access and a newly circulating ransom note. The group now demands a payment and extends the deadline for releasing the stolen data.

The incident involves a significant number of educational institutions, including North American higher education and K-12 schools, as well as international entities. The stolen data includes information on approximately 275 million individuals, compounding the risk of identity fraud and other security exploits. Dark Reading reports that Dennis Pomazanov, a Georgia Tech student, experienced firsthand the disruption when a ransom message replaced the Canvas interface, hindering his studies. Instructure’s spokesperson stated that the intrusion stemmed from a vulnerability in the free-for-teacher accounts, leading to a temporary shutdown of this feature. The organization’s initial claims of containment have been challenged by affected students and teachers, highlighting vulnerabilities in the company’s incident response and highlighting the widespread impact of the breach. Industry analyst Darren Guccione emphasizes the heightened risks associated with minors' data and calls for a stronger security standard from vendors serving large, global user bases. This second attack underscores the complex challenges of securing educational platforms and the potential consequences of compromised data, particularly for vulnerable populations.