- ShinyHunters temporarily defaced Canvas login pages used by nearly 330 educational institutions.
- The group demanded ransom payments and extended its leak deadline to May 12.
- Instructure confirmed user data exposure but said passwords and financial details were not compromised.
- The hackers claim billions of private student and teacher messages were stolen in the breach.
The cyberattack targeting Instructure has taken a more aggressive turn after the ShinyHunters group briefly hijacked login portals connected to the Canvas learning platform used by schools and universities worldwide.
Students and faculty attempting to access Canvas were suddenly met with a ransom message instead of the usual login screen. The defacement reportedly appeared across portals tied to nearly 330 educational institutions before being removed within about 30 minutes.
The message accused Instructure of ignoring previous contact attempts from the hackers. It also warned affected schools that stolen data could be leaked publicly if negotiations were not opened before May 12.
The incident marks another escalation in what is becoming one of the most disruptive education sector breaches of the year.
Attackers Claim Massive Amount of Data Was Stolen
ShinyHunters has already listed Instructure on its data leak site, claiming the breach impacted close to 9,000 schools and exposed information connected to hundreds of millions of users worldwide.
According to the group, the stolen database allegedly includes billions of private messages exchanged between students and teachers, along with other personally identifiable information. The hackers also claimed that Instructure’s Salesforce environment had been compromised during the intrusion.
While cybercriminals often exaggerate the scale of attacks to increase pressure on victims, the claims have added serious concern for schools and universities that rely heavily on Canvas for day to day academic operations.
The group initially set a deadline earlier this week before extending it again, suggesting either ongoing negotiations behind the scenes or an attempt to intensify public pressure on affected organizations.
Instructure Confirms Breach but Downplays Severity
Instructure previously acknowledged that it suffered a cybersecurity incident involving unauthorized access to customer related systems.
The company said attackers obtained certain identifying information belonging to users at affected institutions. That data includes names, email addresses, student identification numbers, and user communications.
However, Instructure stressed that some of the most sensitive categories of information were not exposed during the attack. According to the company, passwords, financial records, government issued identifiers, and dates of birth were not compromised.
As part of its response, the company said it revoked privileged credentials and invalidated access tokens associated with affected systems to contain the threat and prevent further unauthorized activity.
Even so, the appearance of defaced login portals raises fresh questions about the broader impact of the breach and whether attackers may still retain some level of access to connected systems or infrastructure.
Education Sector Continues to Face Rising Cyber Threats
Educational institutions have increasingly become prime targets for cybercriminal groups due to the enormous amount of personal data they manage and the often fragmented nature of campus IT environments.
Platforms like Canvas hold sensitive academic records, communication histories, enrollment details, and institutional data spread across thousands of schools and universities. That makes them especially attractive to ransomware gangs and data extortion groups looking for leverage.
The latest developments also highlight a growing trend among cybercriminals who use public shaming tactics to pressure organizations into paying. Instead of quietly leaking stolen information, attackers are now increasingly hijacking websites, posting countdowns, and directly targeting users to maximize attention.
For schools already dealing with operational disruption and reputational concerns, the incident serves as another reminder of how deeply cyberattacks can impact modern education systems.
Instructure has not indicated whether it plans to negotiate with the attackers, and there is still no confirmation regarding how much data may ultimately be released if talks fail.
Follow TechBSB For More Updates
