Skip to main content
Emerging ThreatsMalware & Ransomware

ShinyHunters Targets Education Sector with School-by-School Ransom Push

Students and faculty walk down a brightly-lit school hallway, with a laptop on a desk in the foreground.

"ShinyHunters have timed this attack to sting as much as possible: with schools and universities approaching the end of their academic years, and exam season already underway."

April 25 compromise of Instructure and the stolen data

On April 25, Instructure — the company behind the Canvas Learning Management System — was compromised, and the incident resulted in the theft of around 275 million records from 8,809 educational institutions. Researchers say more than 3.65 TB of data were exfiltrated after ShinyHunters exploited a vulnerability in the Free‑For‑Teacher version of Canvas. The scale of the haul spans multiple types of records and account types tied to Canvas deployments.

ShinyHunters' extortion timeline: initial demand, extended deadline, and May 12 threat

ShinyHunters followed the breach with a “pay or leak” extortion posture, posting a ransom demand on its data‑leak site and setting an initial deadline of 8 May, after which it threatened to release stolen material. When that first deadline passed the group extended its timetable and explicitly urged affected organizations to negotiate a settlement before everything was leaked on 12 May, according to the group's posted note.

School‑by‑school escalation and visible defacements

Researchers at Halcyon reported that after extending the deadline, ShinyHunters shifted tactics toward a school‑by‑school campaign. That campaign has included a defacement message appearing on approximately 330 institutional Canvas login pages, a visible demonstration intended to pressure individual schools, districts and other Canvas customers to engage the extortion demand rather than wait for a mass leak.

Instructure's immediate measures and the attackers' claim

In a message on its leak site, ShinyHunters said Instructure had not contacted the ransomware group and that the vendor instead installed some security patches. The group's note framed the timeline and the apparent lack of negotiated contact as part of the rationale for escalating the campaign to targeted defacements and rolling extortion demands.

What this means for students, staff, and parents

  • Students and staff at affected organizations should be alert for convincing phishing emails or fake login prompts that reference real schools, classes, or teachers, and should avoid clicking links that arrive unexpectedly.
  • Those impacted are advised to change any Canvas‑related passwords as soon as possible and to enable multi‑factor authentication wherever it is available.
  • Parents and students were specifically warned to monitor financial and credit activity over time, because stolen personal data can be misused years after a breach.

Smarttech247 CEO Raluca Saceanu warned that the timing — with academic years ending and exam season underway — amplifies the pressure on Canvas customers, writing that the group’s targets "cover the gamut, including universities, colleges, school districts, education providers, corporate training environments, test/stage instances, and generic/root accounts."

The immediate record of events is concrete: an April 25 compromise, roughly 275 million records taken from 8,809 institutions, an initial 8 May deadline that passed, visible defacements at about 330 login pages, and a renewed threat to leak on 12 May unless settlements are reached. Institutions using Canvas and their communities must act on the practical advice issued alongside these findings — change passwords, enable multi‑factor authentication, and be vigilant for fraud — while watching whether attackers follow through on their public timetable.

Source: https://www.infosecurity-magazine.com/news/shinyhunters-escalates-canvas/