Another recent victim of ShinyHunters is Instructure, the supplier of the Canvas learning management system, which disrupted the login portals of 330 colleges and universities during the critical college exam schedule.
According to Dataminr, ShinyHunters “claimed to have stolen 3.654TB of data affecting about 275 million individuals and 9,000 institutions worldwide.” The stolen data included names, email addresses, student ID numbers and messages, but not passwords, government IDs, birth dates, or financial data. The company admitted that the threat actors obtained access on April 29, 2026. After remediation and revoking the threat actors’ access, it identified additional unauthorized activity on May 7, 2026. The incident caused Instructure to take Canvas offline, affecting its 8,800 customers during exam season.
This is a repeated another? attack by ShinyHunters against Instructure. Not only did it maintain persistence in April and May, but ShinyHunters also attacked Instructure by in September 2025, in a social engineering attack that provided the threat actors with access to its Salesforce instance.
Instructure confirmed on May 11, 2026, that it has “reached an agreement with the unauthorized actor involved in this incident” and had “received digital confirmation of data destruction (shred logs)” and that “no Instructure customers will be extorted as a result of this incident, publicly or otherwise.” The Cybersecurity & Infrastructure Security Agency issued an alert on the incident, and Congress started an inquiry. In addition, the Federal Trade Commission (FTC) warns consumers to be cautious about texts or emails pretending to be from Canvas “to trick you into giving them your information,” and providing tips about responding to any messages related to the Canvas hack. Importantly, the FTC advises to alert children to be cautious about texts and emails. It’s a good reminder to discuss with your children how threat actors launch social engineering campaigns using the data stolen from an incident such as this one.