Find notable cyber news and cases, enriched with sources, timelines, and signals.

ShinyHunters school-by-school extortion campaign targeting Canvas institutions

Campaign
First reported
Last updated
Happening score
H score 80
1 unique sources, 1 articles

Summary

Hide ▲

ShinyHunters intensified a school-by-school extortion campaign against Canvas-related institutions, increasing pressure on schools and universities as the group threatened to leak stolen data by May 12. The group had already posted a ransom demand on its data leak site and extended the deadline after the initial 8 May cutoff passed. Researchers observed defacement messages on roughly 330 institutional Canvas login pages as the operation broadened. The activity targets the education sector through the Canvas Learning Management System and related accounts.

Related Happenings

Instructure's Canvas hit by data theft breach

Incident
H score65 First: 26.06.2026 11:00 Last: 26.06.2026 11:00 Sources 1

About this happening: The **Canvas** incident at **Instructure** exposed confidential **course and user data** after **unauthorized activity** and a later access event, affecting about **160 UK higher...

Canvas Free- -Teacher actively exploited XSS vulnerabilities cross-site scripting flaw

Vulnerability
H score89 First: 11.05.2026 18:26 Last: 11.05.2026 18:26 Sources 1

How related: BleepingComputer has learned that both the breach and defacements involved multiple cross-site scripting (XSS) vulnerabilities that enabled the attacker to obtain authenticated admin sessions.

About this happening: **Canvas Free-for-Teacher** was affected by **multiple XSS vulnerabilities** that let attackers obtain **authenticated admin sessions** and carry out **privileged actions**. The f...

Instructure user personal information breach

Data Leak
H score81 First: 04.05.2026 01:16 Last: 04.05.2026 01:16 Sources 1

How related: The original compromise of Instructure occurred on April 25 with around 275 million records from 8809 educational institutions stolen.

About this happening: Instructure confirmed a **data breach** that exposed **users' personal information**, putting students, teachers, and staff at risk across affected institutions. The exposed mater...

Instructure hit by cyberattack

Incident
H score78 First: 04.05.2026 01:16 Last: 04.05.2026 01:16 Sources 1

How related: American educational technology company Instructure, the parent company of Canvas, said it reached an "agreement" with a decentralized cybercrime extortion group after it breached its network and threatened to leak stolen information from thousands of schools and universities.

About this happening: **Instructure** disclosed a **cybersecurity incident** that exposed user information and prompted an investigation with outside experts and law enforcement. The event matters beca...

Latest development: 14.05.2026 23:19

The House Committee on Homeland Security and the US Senate Committee on Health, Education, Labor, and Pensions sought briefings from Instructure over the Canvas compromise, pressing the edtech vendor on whether it paid a ransom, what data was affected, how it handled the recent attacks, and whether the incident was linked to a prior Salesforce compromise.

0APT and KryBit ransomware turf war forces rebuild and rebrand pressure

Threat Actor Meta
H score55 First: 28.04.2026 16:00 Last: 28.04.2026 16:00 Sources 1

About this happening: **0APT** and **KryBit** escalated a ransomware turf war in **April 2026** by leaking each other's operational data, defacing leak sites, and exposing infrastructure details that u...

Timeline

  1. 11.05.2026 13:05 1 articles · 1mo ago

    ShinyHunters compromises Instructure Canvas systems

    Exploitation Observed

    ShinyHunters compromised Instructure on April 25 by exploiting a vulnerability in the Free-For-Teacher version of Canvas, reportedly stealing around 275 million records from 8809 educational institutions and exfiltrating more than 3.65 TB of data.

    Show sources
  2. 11.05.2026 13:05 1 articles · 1mo ago

    ShinyHunters posts initial ransom demand for Canvas data

    Initial Disclosure

    ShinyHunters posted a ransom demand on its data leak site and set an initial 8 May deadline, warning that stolen Canvas data would be leaked if the affected organization did not negotiate a settlement.

    Show sources
  3. 11.05.2026 13:05 1 articles · 1mo ago

    ShinyHunters expands Canvas extortion across schools

    Campaign Scope Update

    ShinyHunters extended its deadline and broadened pressure across Canvas institutions, with defacement messages appearing on approximately 330 institutional Canvas login pages and a new leak deadline set for May 12.

    Show sources