ShinyHunters Claims Second Attack Against Instructure

CYBERATTACKS & DATA BREACHES CYBER RISK DATA PRIVACY СLOUD SECURITY NEWS ShinyHunters Claims Second Attack Against Instructure The edtech company is struggling to wrest control from its hackers. PII belonging to hundreds of millions of people is on the line. Nate Nelson,Contributing Writer May 8, 2026 5 Min Read SOURCE: KRISTOFFER TRIPPLAAR VIA ALAMY STOCK PHOTO The ShinyHunters gang has claimed a second successive breach of Instructure, the supplier of the Canvas learning management system (LMS), mere hours after the company claimed the whole affair was over.  On April 25, the ShinyHunters cybercrime operation did what it's been doing for years now: it took advantage of some large, well-connected organization's exposed cloud infrastructure to access, steal, and then threaten to leak some huge trove of data. The old story followed a non-linear path this time, though. Instructure claimed the breach was done for, then ShinyHunters claimed a second attack, and meanwhile disruptive activity as of this posting is ongoing. All this as final exam week commences across the US. Dark Reading reached out to Instructure to square its previous claims with accounts from students and teachers online. In a statement, the company acknowledged that it is experiencing an "ongoing security incident" thanks to a follow-on compromise of "free-for-teacher" accounts. Related:Instructure Breach Exposes Schools' Vendor Dependence Did ShinyHunters Breach Instructure Twice? Since its breach, public messaging from Instructure has emphasized its quick and diligent incident response (IR). The timeline circulated to customers suggests that it first discovered the intrusion four days late, on April 29, and immediately revoked the attackers' system access. Yet on April 30, it had to take more steps to address "additional suspicious access." On May 2, chief information security officer (CISO) Steve Proud stated, "We believe the incident has been contained." He cited a few steps taken to ensure the attackers couldn't get back in, like patching and rotating keys. On May 6, the company reemphasized that "we are not seeing any ongoing unauthorized activity." These claims have been challenged by disaffected students and teachers online, who report that their education has been interrupted, and that they've been hit with ShinyHunters splash messages as recently as May 7. Some affected schools are now walking back earlier, more optimistic reports passed down from the vendor. And a new ShinyHunters ransom note is circulating, in which the hackers claim to have re-infected the company. The note offers affected schools the option to negotiate with them directly and pushes back its leak deadline from the previously reported May 6 to May 12. Dark Reading cannot confirm any specific claims online, but one affected student sent Dark Reading screenshots of the newly circulating splash page, which he says interrupted him on May 7. Dennis Pomazanov, studying at Georgia Tech, recalls, "When I tried to view my grades, I was greeted by the ransom message instead of the normal Canvas page. At the time, I was also unable to use Canvas to contact professors or classmates about questions I had, which made the situation more frustrating." Related:Attacks Abuse Windows Phone Link to Steal Texts & Bypass 2FA In a May 8 statement to Dark Reading, Instructure acknowledged what students like Pomazanov were experiencing. It reported that on May 7, it took Canvas offline, again, to contain the ongoing incident. "We have confirmed that the unauthorized actor exploited an issue related to our Free-For-Teacher accounts," a company spokesperson wrote, without detailing the exact nature of the vulnerability. "As a result, we have made the difficult decision to temporarily shut down our Free-For-Teacher accounts. This gives us the confidence to restore access to Canvas, which is now fully back online and available for use.” "Personally, I was lucky because I had already finished my finals and homework," Pomazanov says, "but I know several friends who were still trying to study, finish assignments, or prepare for exams, and the outage made that much harder for them." Which Schools Were Breached via Canvas? Instructure's Canvas is one of the most ubiquitous software platforms in education today. It's an online companion to classrooms, where students message their teachers and submit homework, teachers post assignments and post grades, etc. Industry analysts place Canvas' marketshare in the LMS space at 47% among higher education institutions in North America, and 28% in K-12. It's also used widely in adult professional education settings. Related:Middle East Cyber Battle Field Broadens — Especially in UAE ShinyHunters claims to have stolen around 3.65TB of names, emails, student ID numbers — and, perhaps most interestingly, "several billions of private messages" between students and teachers — from just under 9,000 institutions, representing somewhere around 275 million individuals. Some back of the napkin math suggests that ShinyHunters left no Canvas customer untouched: in North America there are only around 4,000 accredited higher institutions, and around 10,000 K-12 schools using LMS's. Intrepid students and interested parties have visited ShinyHunters' leak site and pulled its tally of its victims, which is now circulating online. The laundry list includes numerous North American higher education institutions and K-12 schools, plus educational institutions in Europe, Central America, and elsewhere abroad. It also includes major corporations like Amazon and Apple, healthcare institutions, and cities and states, which may be in reference to government organizations. Dark Reading did not independently download this list, but cross-referenced it with data reported by cybersecurity researchers, as well as publicly known information about Canvas' user base. Risks to Schools, Companies, and Minors Public statements from Instructure and its customers have emphasized that while the attackers stole some personal information, some other particularly sensitive data like passwords, birthdays, and financial information may not have been among the trove. If that's the good news, the bad news is the sheer scope and variety of risks associated with the data the company lost. Unlike most data breaches, which affect certain kinds of people in certain ways, Canvas' customers span the government, healthcare, and major business sectors, all of which are subject to their own legal and regulatory frameworks and follow-on risks. Most glaring of all, though, is that by compromising thousands of K-12 schools, criminals now have access to, and are threatening to leak, a massive amount of data belonging to minors. "When a breach involves the personal data of minors, the severity and the stakes escalate significantly," says Darren Guccione, CEO and co-founder at Keeper Security. "Unlike a compromised credit card or a rotated password, a child's name, date of birth, institutional records and private communications cannot be replaced. That exposure follows them. For institutions and the students they serve, the consequences can persist for years through identity fraud, targeted social engineering and other scams long after the headlines fade." "The hard question this incident raises is about what the industry should expect from platforms that operate at this scale and steward this kind of data," he says. "When a single vendor serves thousands of institutions globally, the security standard has to reflect that responsibility." About the Author Nate Nelson Contributing Writer Nate Nelson is a journalist and scriptwriter. He writes for "Darknet Diaries" — the most popular podcast in cybersecurity — and co-created the former Top 20 tech podcast "Malicious Life." Before joining Dark Reading, he was a reporter at Threatpost. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Ditch the Data Center: Understanding Flexible Cloud Infrastructure Security Management 2025 State of Malware Access More Research Webinars The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace Prompt Injection Is Just the Start: Securing LLMs in AI Systems Anatomy of a Data Breach: What to Do if it Happens to You How Well Can You See What's in Your Cloud? Implementing CTEM: Beyond Vulnerability Management More Webinars You May Also Like CYBERATTACKS & DATA BREACHES Critical Fortinet Flaws Under Active Attack by Jai Vijayan, Contributing Writer DEC 17, 2025 CYBERATTACKS & DATA BREACHES CISA Warns of 'Ongoing' Brickstorm Backdoor Attacks by Rob Wright DEC 04, 2025 CYBERATTACKS & DATA BREACHES F5 BIG-IP Environment Breached by Nation-State Actor by Alexander Culafi OCT 15, 2025 CYBERATTACKS & DATA BREACHES Jaguar Land Rover Shows Cyberattacks Mean (Bad) Business by Robert Lemos, Contributing Writer OCT 03, 2025 Editor's Choice THREAT INTELLIGENCE From Stuxnet to ChatGPT: 20 News Events That Shaped Cyber byDark Reading Editorial Team MAY 6, 2026 31 MIN READ CYBER RISK Physical Cargo Theft Gets a Boost From Cybercriminals byRobert Lemos MAY 4, 2026 5 MIN READ CYBER RISK NSA Chief During Snowden Affair Shares Regrets, Reflections 13 Years Later byDark Reading Editorial Team APR 28, 2026 Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars The New Attack Surface: How Attackers Are Exploiting OAuth to Own Your Cloud Workspace WED, JUNE 24,2026 AT 1PM EST Prompt Injection Is Just the Start: Securing LLMs in AI Systems TUES, MAY 26, 2026, AT 1PM EST Anatomy of a Data Breach: What to Do if it Happens to You JUNE 18TH, 2026 | 11:00AM -5:00PM ET | DOORS OPEN AT 10:30AM ET How Well Can You See What's in Your Cloud? THURS, JUNE 4, 2026 AT 1:00PM EST Implementing CTEM: Beyond Vulnerability Management THURS, MAY 21, 2026 AT 1PM EST More Webinars BLACK HAT USA | MANDALAY BAY, LAS VEGAS The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass. GET YOUR PASS