ShinyHunters school-by-school extortion campaign targeting Canvas institutions
Campaign
Summary
Hide ▲
Show ▼
ShinyHunters intensified a school-by-school extortion campaign against Canvas-related institutions, increasing pressure on schools and universities as the group threatened to leak stolen data by May 12. The group had already posted a ransom demand on its data leak site and extended the deadline after the initial 8 May cutoff passed. Researchers observed defacement messages on roughly 330 institutional Canvas login pages as the operation broadened. The activity targets the education sector through the Canvas Learning Management System and related accounts.
Related Happenings
Canvas Free- -Teacher actively exploited XSS vulnerabilities cross-site scripting flaw
Vulnerability
First: 11.05.2026 18:26
Last: 11.05.2026 18:26
Sources 1
How related:
BleepingComputer has learned that both the breach and defacements involved multiple cross-site scripting (XSS) vulnerabilities that enabled the attacker to obtain authenticated admin sessions.
About this happening:
**Canvas Free-for-Teacher** was affected by **multiple XSS vulnerabilities** that let attackers obtain **authenticated admin sessions** and carry out **privileged actions**. The f...
Canvas Free- -Teacher actively exploited XSS vulnerabilities cross-site scripting flaw
VulnerabilityHow related: BleepingComputer has learned that both the breach and defacements involved multiple cross-site scripting (XSS) vulnerabilities that enabled the attacker to obtain authenticated admin sessions.
About this happening: **Canvas Free-for-Teacher** was affected by **multiple XSS vulnerabilities** that let attackers obtain **authenticated admin sessions** and carry out **privileged actions**. The f...
Instructure user personal information breach
Data Leak
First: 04.05.2026 01:16
Last: 04.05.2026 01:16
Sources 1
How related:
The original compromise of Instructure occurred on April 25 with around 275 million records from 8809 educational institutions stolen.
About this happening:
Instructure confirmed a **data breach** that exposed **users' personal information**, putting students, teachers, and staff at risk across affected institutions. The exposed mater...
Instructure user personal information breach
Data LeakHow related: The original compromise of Instructure occurred on April 25 with around 275 million records from 8809 educational institutions stolen.
About this happening: Instructure confirmed a **data breach** that exposed **users' personal information**, putting students, teachers, and staff at risk across affected institutions. The exposed mater...
Instructure hit by cyberattack
Incident
First: 04.05.2026 01:16
Last: 04.05.2026 01:16
Sources 1
How related:
American educational technology company Instructure, the parent company of Canvas, said it reached an "agreement" with a decentralized cybercrime extortion group after it breached its network and threatened to leak stolen information from thousands of schools and universities.
About this happening:
**Instructure** disclosed a **cybersecurity incident** that exposed user information and prompted an investigation with outside experts and law enforcement. The event matters beca...
Instructure hit by cyberattack
IncidentHow related: American educational technology company Instructure, the parent company of Canvas, said it reached an "agreement" with a decentralized cybercrime extortion group after it breached its network and threatened to leak stolen information from thousands of schools and universities.
About this happening: **Instructure** disclosed a **cybersecurity incident** that exposed user information and prompted an investigation with outside experts and law enforcement. The event matters beca...
Latest development: 14.05.2026 23:19
The House Committee on Homeland Security and the US Senate Committee on Health, Education, Labor, and Pensions sought briefings from Instructure over the Canvas compromise, pressing the edtech vendor on whether it paid a ransom, what data was affected, how it handled the recent attacks, and whether the incident was linked to a prior Salesforce compromise.
0APT and KryBit ransomware turf war forces rebuild and rebrand pressure
Threat Actor Meta
First: 28.04.2026 16:00
Last: 28.04.2026 16:00
Sources 1
About this happening:
**0APT** and **KryBit** escalated a ransomware turf war in **April 2026** by leaking each other's operational data, defacing leak sites, and exposing infrastructure details that u...
0APT and KryBit ransomware turf war forces rebuild and rebrand pressure
Threat Actor MetaAbout this happening: **0APT** and **KryBit** escalated a ransomware turf war in **April 2026** by leaking each other's operational data, defacing leak sites, and exposing infrastructure details that u...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
Campaign
First: 24.04.2026 21:26
Last: 24.04.2026 21:26
Sources 1
About this happening:
The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
BlackFile vishing extortion campaign targeting retail and hospitality organizations
CampaignAbout this happening: The **BlackFile** campaign is driving **vishing-based data theft and extortion** against **retail and hospitality organizations**, putting employee credentials and enterprise data...
Timeline
-
11.05.2026 13:05 1 articles · 16d ago
ShinyHunters compromises Instructure Canvas systems
Exploitation ObservedShinyHunters compromised Instructure on April 25 by exploiting a vulnerability in the Free-For-Teacher version of Canvas, reportedly stealing around 275 million records from 8809 educational institutions and exfiltrating more than 3.65 TB of data.
Show sources
- ShinyHunters Escalates Canvas Extortion with School by School Ransom Campaign — www.infosecurity-magazine.com — 11.05.2026 13:05
-
11.05.2026 13:05 1 articles · 16d ago
ShinyHunters posts initial ransom demand for Canvas data
Initial DisclosureShinyHunters posted a ransom demand on its data leak site and set an initial 8 May deadline, warning that stolen Canvas data would be leaked if the affected organization did not negotiate a settlement.
Show sources
- ShinyHunters Escalates Canvas Extortion with School by School Ransom Campaign — www.infosecurity-magazine.com — 11.05.2026 13:05
-
11.05.2026 13:05 1 articles · 16d ago
ShinyHunters expands Canvas extortion across schools
Campaign Scope UpdateShinyHunters extended its deadline and broadened pressure across Canvas institutions, with defacement messages appearing on approximately 330 institutional Canvas login pages and a new leak deadline set for May 12.
Show sources
- ShinyHunters Escalates Canvas Extortion with School by School Ransom Campaign — www.infosecurity-magazine.com — 11.05.2026 13:05