Roughly 9,000 educational institutions across the world have been affected by a large cyberattack mounted against Instructure, the parent company of Canvas LMS. Anyone who tried to log in to their student portal this morning was greeted with the following message [1]:

SHINYHUNTERS
rooting your systems since '19 ;)
ShinyHunters has breached Instructure (again).
Instead of contacting us to resolve it they ignored us and did some "security patches".

⚠ WARNING
If any of the schools in the affected list(*) are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked.

Instructure still has until EOD 12 May 2026 to contact us.

▼ DOWNLOAD AFFECTED_SCHOOLS.TXT ▼
91.215.85.103/pay_or_leak/ instructure_affected_schools_list.txt
visit us: shnyhntww34phqoa6dcgnvps2yu7dlwzmy5Ikvejwjdo6z7bmgshzayd.onion
Note

The full list of affected institutions (reportedly 8,809) includes major institutions like UC Berkeley, Penn, and Duke. You can find the claimed list here: https://databreaches.net/wp-content/uploads/Claimed-Victims-of-Canvas-Cyber-Incident.txt

This is the largest education data breach in history [2]. The cybercrime group ShinyHunters claims to have exfiltrated 3.6 TB of data covering 275 million students, teachers, and staff.

Coming just eight months after Instructure’s last security incident, the question for me isn’t just how this happened, but why our entire education infrastructure is propped up by a single point of failure. I will also try to answer what this means for students, and what lessons we should learn from this.

And first off: Who the f**k is ShinyHunters?

ShinyHunters

ShinyHunters is a financially motivated cybercrime group, active since around 2019, with a portfolio of high-blast-radius vendors: Microsoft, AT&T, Ticketmaster, and Snowflake, to name a few. Their moniker is thought to be a nod to Pokemon [3] (a shiny is a rare variant of a Pokemon with a different appearance than its normal counterpart). The name is likely a reference to the fact that the group targets high-profile, valuable data, much like how shiny Pokemon are highly sought after by collectors and players alike.

Why Target an LMS?

When I first caught wind of the hack, my first thought was: why even target an LMS? Is anyone really posting anything sensitive to a Canvas discussion board? To a Canvas inbox? It seemed like a strange target.

And then I looked into the previous campaigns mounted by ShinyHunters.

They don’t primarily sell the data they exfil – they extort the vendor. Their model across every campaign is the same: pick a company whose entrenchment creates liability across thousands of downstream customers, then squeeze. AT&T reportedly paid them around $375,000 in a previous campaign to make a breached database disappear [2]. So, the question “is this data really that sensitive?” is the wrong question. The right question is: how much is Instructure’s reputation and customer trust worth to them?

This attack is a major breach of trust between Instructure and its customers (our educational institutions), and it raises serious concerns about their security.

What We Know About the Attack

No formal post-mortem has been released by Instructure at this time, but we can roughly sketch what happened based on the public record so far. The attack followed a pattern consistent with previous ShinyHunters campaigns (specifically, it looks a lot like their previous targeting of Salesforce-integrated environments). They leverage social engineering to compromise a privileged credential, then they register a malicious connected application within the cloud environment. The connected application can then politely walk the API and exfiltrate data. Below is a summary of the kill chain used.

Cyber Kill Chain

Unknowns

The specific CVEs leveraged are not yet publicly known. A more detailed analysis can be found here.

| Tactic | Technique | Description |
| --- | --- | --- |
| Reconnaissance | T1598.004 — Phishing for Information: Spearphishing Voice (historical) | Use of vishing/social engineering to obtain credentials. |
| Resource Development | T1586.002 — Compromise Accounts: Email Accounts | Use of compromised email accounts for access. |
| Resource Development | T1585 — Establish Accounts | Creation of new accounts for malicious apps. |
| Initial Access / Persistence | T1671 — Cloud Application Integration | Abuse of SaaS integrations to gain access. |
| Execution | T1059.006 — Command and Scripting Interpreter: Python | Use of Python scripts for automation. |
| Exfiltration | T1567.002 — Exfiltration Over Web Service | Data exfiltration via APIs. |
| Exfiltration | T1020 — Automated Exfiltration | Use of automated scripts for data theft. |
| Command and Control | T1090 — Proxy | Use of VPNs or Tor to hide the attacker’s identity and location. |
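A defender-side check for the "register a connected app, then walk the API" step described above, added here as an example; it is not part of the original post or of Instructure's tooling. It reads a constructed JSON audit log (the event names, field names and app names are assumptions, not Canvas's real log schema) and flags integrations that were registered shortly before bursting through collection endpoints, while leaving long-standing integrations and single-record lookups alone.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not a real Instructure export): "gradesync" is long-standing;
# "bulk-export" is registered minutes before it starts paging users and inboxes.
SAMPLE_LOG = """\
{"ts":"2026-05-06T02:00:00Z","event":"app.registered","app":"bulk-export"}
{"ts":"2026-05-06T02:04:00Z","event":"api.request","app":"bulk-export","path":"/api/v1/accounts/1/users?page=1"}
{"ts":"2026-05-06T02:04:02Z","event":"api.request","app":"bulk-export","path":"/api/v1/accounts/1/users?page=2"}
{"ts":"2026-05-06T02:04:04Z","event":"api.request","app":"bulk-export","path":"/api/v1/accounts/1/users?page=3"}
{"ts":"2026-05-06T02:04:06Z","event":"api.request","app":"bulk-export","path":"/api/v1/conversations?page=1"}
{"ts":"2026-05-06T02:05:00Z","event":"api.request","app":"gradesync","path":"/api/v1/courses/101/assignments"}
{"ts":"2026-05-06T02:05:30Z","event":"api.request","app":"gradesync","path":"/api/v1/users/42/profile"}
"""
# Collection endpoints only: /users/42/profile (one record) is routine, paging /users is not.
ENUM_PATH = re.compile(r"^/api/v1/(accounts/\d+/users|users|conversations|courses)(\?|$)")
NEW_APP_WINDOW = timedelta(hours=24)   # registered this recently counts as "new"
BURST_WINDOW = timedelta(minutes=10)   # window for counting listing calls
BURST_THRESHOLD = 4                    # listing calls in the window that trip the rule

def parse_events(text):
    """Yield well-formed events as dicts; skip blank or malformed lines."""
    for line in text.splitlines():
        try:
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            yield ev
        except (ValueError, KeyError, TypeError):
            continue  # malformed line: count it in production, never crash

def find_new_app_bursts(text):
    """Apps registered within NEW_APP_WINDOW of their first listing call that then make
    BURST_THRESHOLD listing calls in BURST_WINDOW. No registration event = pre-existing."""
    registered, hits = {}, defaultdict(list)
    for ev in parse_events(text):
        if ev["event"] == "app.registered":
            registered[ev["app"]] = ev["ts"]
        elif ev["event"] == "api.request" and ENUM_PATH.match(ev.get("path", "")):
            hits[ev["app"]].append(ev["ts"])
    flagged = []
    for app, times in hits.items():
        times.sort()
        if app not in registered or times[0] - registered[app] > NEW_APP_WINDOW:
            continue
        for i in range(len(times) - BURST_THRESHOLD + 1):  # sliding window
            if times[i + BURST_THRESHOLD - 1] - times[i] <= BURST_WINDOW:
                flagged.append(app)
                break
    return flagged
```

The thresholds are deliberately tunable: in a real tenant you would baseline how many listing calls legitimate integrations make per window before setting BURST_THRESHOLD.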

Student Impact

Immediate Impact from Downed Service

It’s Thursday, May 7th. Everyone has final exams either this week or next week. Literally everyone needs to use Canvas right now to access course materials, submit assignments, and check their grades. This is probably the worst – but also, the funniest – time for it to be inaccessible.

Impact From Leak

Personally Identifiable Information (PII) Exposed: “Confirmed exposed data includes names, email addresses, student ID numbers, and messages. Instructure states no passwords, government IDs, birth dates, or financial data were involved.” - Dataminr

From a student’s perspective, this isn’t the end of the world. The annoying part here is having both our student email and our student IDs exposed. Threat actors can leverage this to mount sophisticated phishing campaigns, constructing emails that look identical to official registrar or financial aid notices. Threat-model Update: Don’t click on any links in emails that claim to be from your school until you verify the legitimacy of the message through official channels.

Our Education System Deserves Public Infra

I’d like to take a step back and highlight the high-level issue at play here: the centralized, SaaS model of Instructure.

The Canvas learning management system is AGPL-licensed, open-source software. However, our educational institutions don’t run their own instances of Canvas! They’re all paying customers of Instructure’s hosting services. Instructure holds the master credentials, the privileged API keys, OAuth tokens, and database access. This creates a single point of failure. If you can compromise this layer, you gain access to 9,000+ institutions in one fell swoop. This is a bad model for an LMS that forms the backbone of our nation’s educational infrastructure, for exactly the same reason that AWS’s dominance over the internet is a bad model for the web. Central points of failure are bad. Shocker. And it’s made even more ironic by the fact that Canvas is free and open-source software! Canvas itself was not the vulnerable component here. The vulnerability is the fact that every educational institution is relying on Instructure’s hosting services instead of running it themselves!

We have surrendered sovereignty over our data for the sake of administrative convenience.

Our education system should be built on free and open-source software, but it should also be built on distributed infrastructure. We should be running our own instances of Canvas. We should be hosting our own data. The fact that a single company’s security failures can paralyze global higher education is a failure in the design of the system. From school administrators to policymakers to the open-source community itself:

We can do better.

Closing Thought

I understand that asking our educational institutions to run their own infra isn’t as easy as it sounds. This is what I’ll be talking about in a future post: Incentive Misalignment and the Basin of Single-point Failure.