- ShinyHunters briefly hijacked login portals for ~330 institutions, posting ransom demands and threats.
- The group extended its deadline to May 12, warning of a complete data leak if a deal is not reached.
- Instructure confirmed the previous breach, but maintains that sensitive financial and identification data was not exposed.
The Instructure cyberattack has apparently reached a new level: to pressure victims into paying a ransom, ShinyHunters has defaced the Canvas login portals for hundreds of colleges and universities.
Members of approximately 330 educational institutions received a completely different “welcome” message when they attempted to log in to the Canvas learning system after the next stage of the group’s attack.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and made some ‘security patches,’” the message said. “If any of the schools on the affected list are interested in avoiding disclosure of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have until the end of the day before May 12, 2026 before everything is leaked.”
Pushing the deadline
The defacement message was reportedly visible for around half an hour before the Canvas team removed it.
Instructure, the company behind the Canvas system, recently notified its users that it had suffered a cyberattack and lost confidential customer data. Instructure said the criminals accessed “certain user-identifying information” at the affected institutions, including names, email addresses, student ID numbers, and user communications.
At the same time, ShinyHunters added Instructure to its data breach site, stating that the attack affected nearly 9,000 schools and 275 people worldwide.
“Several billion private messages between students, teachers, students and other students involved, containing personal conversations and other personal information. Your Salesforce instance was also breached and there is much more data involved.”
It seems that Instructure was not interested in negotiating with the bad actors, as earlier this week the attackers updated their site, mentioned several high-profile universities, and pushed back the deadline to May 7.
Now, the deadline appears to have been pushed back again, this time to May 12.
Passwords, dates of birth, government identifiers, or financial information were not involved, and the company revoked privileged credentials and access tokens associated with the affected systems to mitigate the threat.
Via BleepingComputer





