Canvas Login Portals Hacked in ShinyHunters Attack

ShinyHunters Defaces Canvas Login Portals at 330 Schools

The ShinyHunters extortion gang has hit Instructure again. This time, the threat actors exploited a vulnerability in the Canvas learning management system to deface login portals across approximately 330 colleges and universities. The Canvas login portal defacements were visible for roughly 30 minutes before Instructure pulled the platform offline. The attack escalates an already serious breach campaign that began just days earlier.

The defacement message was blunt. ShinyHunters claimed they had breached Instructure again after being ignored following their initial intrusion. Schools and Instructure were given until May 12, 2026 to negotiate a ransom, or student and staff data would be published. The message also appeared inside the Canvas mobile app, not just the browser-based login pages.

Last week, Instructure disclosed it was investigating a cyberattack after threat actors claimed to have stolen 280 million student and staff records tied to 8,809 institutions. Instructure has since confirmed that data was stolen, but has not publicly addressed whether it plans to notify affected students and staff.

How the Canvas Defacement Attack Worked

The defacement was reportedly enabled by a vulnerability in Instructure's own infrastructure that allowed ShinyHunters to modify the content served on Canvas login portals. This is not a typical SQL injection or XSS defacement against individual school servers. Instructure hosts Canvas centrally, so a single vulnerability affecting the platform's customization or tenant management layer could cascade across every institution using the service.

ShinyHunters has a documented pattern of breaching third-party integrators and SaaS platforms rather than targeting end users directly. In previous campaigns, they have used stolen authentication tokens to pivot from one connected service to another. The group has also leveraged Canvas data export features and APIs to extract enrollment data, private messages, and user records at scale.

Impact on Developers and IT Teams Running Canvas Integrations

If your institution or product integrates with Canvas via LTI tools, OAuth tokens, or the Canvas REST API, the exposure here extends beyond just the login page defacement. API credentials and OAuth tokens stored in your integration layer may have been accessible during the breach window. Any service that authenticates users through Canvas SSO should be treated as potentially compromised until Instructure provides a clearer incident timeline.

The broader risk is data correlation. ShinyHunters has 280 million records allegedly in hand. That data could be used to craft targeted phishing campaigns against students, faculty, and administrators at the affected institutions. Attackers with enrollment data and contact information can build convincing pretexts for follow-on attacks.

How to Protect Your Systems After the Canvas Breach

Rotate credentials and tokens immediately. Any API keys, OAuth tokens, or service account credentials connected to Canvas integrations should be revoked and reissued. Do not wait for Instructure's investigation to conclude before taking this step.

Review your LTI and API integration logs for anomalous data export activity over the past 30 days. ShinyHunters reportedly used Canvas's own export features to pull data, which means the activity may look like legitimate usage at first glance.

Enable login anomaly detection on any service connected to Canvas SSO. ShinyHunters is also known for vishing attacks targeting Okta, Microsoft, and Google SSO accounts, so credential-based pivoting is a realistic follow-on threat here. You can also scan your web login pages and integrations for exposed vulnerabilities before attackers find them first.

Monitor for phishing campaigns using student and staff data from the breach. Internal security teams should brief faculty and students on the risk of targeted emails using accurate enrollment details. Check out our guide on protecting SaaS integrations from token theft for more context.

What data did ShinyHunters steal from Canvas? ShinyHunters claims to have stolen 280 million records including user accounts, private messages, and enrollment data from 8,809 institutions. They reportedly used Canvas's own data export features and APIs to collect the data.

Should developers rotate Canvas API keys even if their school was not in the defaced list? Yes. Instructure hosts Canvas centrally, so the underlying vulnerability potentially affected all tenants. Rotate any API credentials or OAuth tokens connected to Canvas integrations regardless of whether your institution appeared on the defacement list.

How does ShinyHunters typically move from one breach to the next? The group steals authentication tokens from one platform and uses them to pivot into connected SaaS environments. They also conduct vishing attacks to capture MFA codes and SSO credentials, then use those credentials to access Salesforce, Microsoft 365, Google Workspace, Slack, and other enterprise tools.

Run a free scan of your login portals and web integrations at VibeWShield