INSPECTING ARCHIVED INTELLIGENCE (OUTDATED VERSION).
ShinyHunters Exploit Canvas Extortion with School by School Ransom
| 2026-05-11 10:05 HIGH LOWExecutive Summary AI-generated
The education sector is under siege as a notorious ransomware gang, ShinyHunters, has launched a school-by-school extortion campaign following the compromise of Instructure's Canvas Learning Management System. The initial breach occurred on April 25 with around 275 million records stolen from 8809 educational institutions, and since then, the group has gained unauthorized access to systems by exploiting a vulnerability in the Free-For-Teacher version of Canvas. Over 3.65 TB of data is said to have been exfiltrated, leaving affected organizations on high alert for potential phishing attacks and ransom demands. The gang's extortion tactics are escalating as they threaten to leak sensitive information unless negotiations with victims lead to settlements. With a deadline looming - May 12 - the group has intensified its campaign, targeting schools one by one, while researchers at Halcyon note that this is not an isolated incident but part of a larger pattern of ShinyHunters' activities in the education sector.
Technical Mitigations AI-generated
• Change any Canvas-related passwords as soon as possible.
• Enable multi-factor authentication wherever it is available.
Intelligence Metadata
Actors / Malware / CVEs / Campaigns
Campaign Intensifies
SinceCampaign Intensifies
Since
Target & Sectors
Global Scope
educationeducation
Incident Timeline
April 25
ShinyHunters used the original Canvas platform to target 8809 educational institutions by exploiting a vulnerability in Instructure's software.
Click on any entity below to view its context and source!
data_breach
275 records
The original compromise of Instructure occurred on April 25 with around 275 million records from 8809 educational institutions stolen.
8 May
ShinyHunters threatened to leak data if their demands for ransom were not met by 8 May.
2026/05/11
ShinyHunters used a vulnerability in the Free-For-Teacher version of Canvas to gain unauthorized access and steal data from Instructure.
Click on any entity below to view its context and source!
organisation
ShinyHunters
The education sector has found itself in the crosshairs of a
ShinyHunters
“pay or leak” extortion campaign following the compromise of Instructure, the company behind the Canvas Learning Management System.
organisation
the Canvas Learning Management System
The education sector has found itself in the crosshairs of a
ShinyHunters
“pay or leak” extortion campaign following the compromise of Instructure, the company behind the Canvas Learning Management System.
organisation
Extortion Campaign Intensifies
Since
Extortion Campaign Intensifies
Since that deadline has passed, the group extended its deadline and began a school-by-school extortion campaign, researchers at
Halcyon noted
in a recent analysis.
organisation
Halcyon
Extortion Campaign Intensifies
Since that deadline has passed, the group extended its deadline and began a school-by-school extortion campaign, researchers at
Halcyon noted
in a recent analysis.
organisation
TB
Over 3.65 TB of data is said to have been exfiltrated by the ransomware gang.
data_breach
3.65 TB
Over 3.65 TB of data is said to have been exfiltrated by the ransomware gang.
organisation
Canvas
ShinyHunters gained unauthorized access to Instructure systems by exploiting a vulnerability in the Free-For-Teacher version of Canvas.
May 12
The ShinyHunters threat actor group sent a ransom note to affected targets, demanding payment in exchange for not releasing sensitive information on May 12.
Tactical Metrics
Metrics
data_breach
4
Tb
Click for context!
Over 3.65 TB of data is said to have been exfiltrated by the ransomware gang.
Metrics
data_breach
275,000,000
Records
The original compromise of Instructure occurred on April 25 with around 275 million records from 8809 educational institutions stolen.
Intelligence Sources
Infosecurity-Magazine
2026-05-11
ShinyHunters Escalates Canvas Extortion with School by School Ransom Campaign
Infosecurity-Magazine
Infosecurity-Magazine
2026-05-11
ShinyHunters Escalates Canvas Extortion with School by School Ransom Campaign
Infosecurity-Magazine
Unpublish from Social Media?
Are you sure you want to delete this podcast video from all synchronized social networks (YouTube, Facebook, Threads)?
Important:
Due to Meta API restrictions, Instagram Reels cannot be deleted automatically via API by third-party apps.
View Profile to Delete Manually
View Profile to Delete Manually
Tactical Intelligence
Report Intelligence Issue
Podcast Options
Generate
Incident Version History
CURRENT VERSION
Last Updated: 2026-06-29T06:22
Comprehensive Tactical Telemetry
Highly Correlated Entities
7x
organisation
Identified Entity
ShinyHunters
entity
5x
tactic
Cyber Operation Type
Extortion
tactic
3x
timeline
Temporal Reference
April 25
date
Contextual Telemetry
Context Block
4 METRICS
industry
Targeted Sector
Education
sector
data breach
Tb
4
tb
campaign
Campaign
Campaign Intensifies
Since
operation
data breach
Records
275,000,000
records
Click on any entity below to view its context in the main text!
Selective Unpublish
Selecciona las redes de las que quieres eliminar esta publicación. El sistema intentará borrar el post real de la API y limpiará la base de datos para que puedas volver a lanzarlo.
By navigating this website, you accept the use of strictly necessary technical cookies for session security and basic platform functionality. We do not use tracking or advertising cookies.
Read our Privacy Policy.