ShinyHunters Defaces Canvas Logins, Demands Ransom

ShinyHunters altered Canvas web and mobile login pages for hundreds of educational institutions, posting an on-screen ransom message that claims responsibility for a recent data breach and sets a May 12 deadline to make contact or face public release of stolen data.

The display affected both browser-based login portals and the Canvas mobile app. The group reported earlier that it had obtained data from Canvas, and the new on-screen message repeated that claim while demanding direct contact before the deadline.

Instructure confirmed the earlier breach of its cloud-hosted Canvas environment and is working on containment and remediation. According to reporting and statements associated with the incident, the initial theft included student and staff records, enrollment information and private messages that the attackers say were accessed through Canvas export features and application programming interfaces.

Security teams and investigators attribute the recent login-page changes to exploitation of another vulnerability in Instructure’s systems. The alterations indicate the attackers retain access to at least some components that control the appearance and behavior of Canvas sign-in flows.

The visible defacements placed the ransom message directly in front of students, parents and staff as they tried to access courses. Security specialists note that public-facing messages on login pages increase the urgency for administrators and raise the risk that exposed personal and enrollment data will be used in targeted phishing and identity-fraud campaigns.

Instructure and affected schools and districts are coordinating incident responses and technical remediation. Schools are reviewing single sign-on integrations and identity systems tied to Canvas to determine whether those connections provided further access or need additional protection.

Immediate steps recommended for individual users include resetting passwords tied to Canvas accounts, enabling multi-factor authentication where available and monitoring financial and credit activity as students age. Families are advised to be alert to highly personalized phishing that references real classes, teachers or school details.

Districts and universities are preparing communications to explain the incident to staff, students and families and to provide guidance on account security. Officials are investigating the scope of access, the systems affected and the timeline of the breaches as they work to restore normal service ahead of the attackers’ stated deadline.

The situation remains fluid. Schools, Instructure and external security teams continue containment, recovery and notification efforts while monitoring whether additional defacements or data disclosures occur before or after May 12.