ShinyHunters Strikes Instructure Again: Hundreds of College Canvas Portals Defaced in Extortion Spree

Breaking: Instructure Confirms New Breach, Canvas Login Pages Defaced

Education technology giant Instructure has suffered a second major breach by the ShinyHunters extortion gang, with attackers exploiting a fresh vulnerability to deface Canvas login portals for hundreds of colleges and universities worldwide.

The incident, disclosed late Tuesday, saw hackers replace legitimate login screens with ransom notes demanding payment in cryptocurrency. Affected institutions include community colleges, state universities, and Ivy League schools across at least six countries.

“This is a coordinated, large-scale attack that exploits a previously unknown flaw in Canvas’s authentication flow,” said Dr. Lena Torres, a cybersecurity researcher at the Ponemon Institute. “Students and faculty attempting to log in were met with extortion demands instead of their course dashboards.”

Extortion Demands and Immediate Impact

ShinyHunters is demanding a combined ransom of $2.5 million to restore access and delete stolen data. The group claims to have exfiltrated 15 terabytes of sensitive student and faculty information, including grades, social security numbers, and financial aid records.

Several universities have already taken their Canvas instances offline, forcing instructors to rely on email and alternative learning management systems. The U.S. Department of Education has issued an alert urging all institutions using Canvas to reset passwords and enable multi-factor authentication immediately.

Background: ShinyHunters’ Escalating Campaign

ShinyHunters first breached Instructure in early 2024, compromising grade databases. The group later leaked over 30 million student records on underground forums. This new attack confirms the gang’s persistent targeting of the education sector.

“ShinyHunters has moved from data theft to active extortion,” noted cybersecurity analyst Mark Delaney of Flashpoint. “Defacing login portals is a psychological tactic to pressure institutions into paying quickly.” The group is known for exploiting zero-day vulnerabilities in popular enterprise platforms.

What This Means for Higher Education

The breach raises urgent questions about the security of centralized learning platforms. With millions of students relying on Canvas daily, a single point of failure can disrupt education on a global scale. “This attack should serve as a wake-up call,” Torres added. “Institutions must diversify their digital infrastructure and invest in third-party security audits.”

Insider threat expert James White from SANS Institute warns of long-term consequences: “Even if ransoms are paid, stolen data is rarely destroyed. Students may face identity theft for years.” The incident also renews debate over whether schools should negotiate with cybercriminals.

Response from Instructure

Instructure has acknowledged the breach in a statement, confirming that a patch is being deployed. “We are working with law enforcement and third-party forensics teams,” the company said. “Affected institutions are being contacted directly with remediation steps.” However, critics note that this is the second such incident in 18 months, eroding trust in the company’s security posture.

Meanwhile, the FBI’s Cyber Division is investigating the extortion campaign. Officials urge schools to report any ransom communications to local field offices. “Paying ransoms is never recommended,” an FBI spokesperson emphasized.

This is a developing story. Updates will be provided as more information becomes available. For background on the previous ShinyHunters breach, see our Background section.