ShinyHunters Breached Canvas Twice: 275M Records, Ransom Paid, Hit Again

Abhishek Gautam · 6 min read

Quick summary

Instructure Canvas was breached May 1, claimed contained May 2, then hit again May 7. 275M records from 8,809 universities. ShinyHunters extorted and was paid.

Instructure, the company behind Canvas LMS, was breached by ShinyHunters on May 1, 2026. The company said it was contained on May 2. ShinyHunters hit them again on May 7 — this time replacing the Canvas login page with a ransomware message. Instructure confirmed the ransom was paid and the data was reportedly destroyed on May 11. 275 million records were stolen in the first breach, comprising 3.65 terabytes of data from 8,809 universities and ministries of education worldwide. 41% of US higher education runs Canvas.

Getting breached, claiming containment, and then getting breached again within five days is not a security incident. It is a complete failure of incident response. Understanding why this happened matters because Canvas is infrastructure for a substantial fraction of global higher education.

The Attack Timeline

May 1: Initial breach confirmed. ShinyHunters gains access to Instructure's production database infrastructure. The exact entry point has not been publicly disclosed by Instructure. ShinyHunters later claimed access was through a misconfigured cloud storage bucket containing exposed API credentials — a pattern consistent with their Ticketmaster and Snowflake attacks.

May 2: Instructure publishes a statement describing the incident as "contained." The company says affected users will be notified, that it has "identified and closed the access vector," and that operations have returned to normal. The statement is accurate only in the narrowest sense: the specific access vector that was used on May 1 was closed.

May 7: ShinyHunters demonstrates that containment was incomplete. The Canvas login page is replaced with a custom ransomware splash screen — a display tactic meant to demonstrate ongoing access and apply public pressure. Users attempting to log in to Canvas across affected institutions encounter the defacement. ShinyHunters simultaneously contacts Instructure with a renewed demand.

May 11: Instructure confirms it has reached a "ransom agreement" with ShinyHunters. The payment amount is not disclosed. ShinyHunters confirms receipt and provides a deletion certification. The data is described as "destroyed" in the agreement, though independent verification of destruction is not possible.

What Was Stolen

The 275 million records include:

  • Student and faculty personally identifiable information: Names, institutional email addresses, enrollment records, assignment grades, and academic progress data
  • Private course messages: Direct messages sent between students and instructors within Canvas — content that users had no expectation would leave the institution's LMS environment
  • OAuth tokens: Authentication tokens for third-party integrations, including Google Workspace, Microsoft 365, and education tools connected to Canvas via LTI (Learning Tools Interoperability)
  • Institutional administrative credentials: Management-level access credentials for Canvas administrators at affected institutions

The private course messages are the most sensitive category. Unlike grades or enrollment records — which students understand flow through institutional systems — private messages in a course LMS carry a reasonable expectation of confidentiality equivalent to email. The breach of 275 million records means years of student-teacher private communication is now potentially in the hands of actors who claim to have deleted it.

OAuth tokens are the second-priority concern. If affected institutions have not rotated tokens since May 1, the stolen tokens may still authenticate to connected third-party services.

Why the "Contained" Claim Failed

The ShinyHunters playbook is consistent across their major breaches: initial access via credential exposure (usually cloud storage or CI/CD pipeline credentials), bulk data exfiltration, followed by maintaining a secondary persistence mechanism that is not associated with the primary access vector.

When Instructure closed the May 1 access vector, ShinyHunters retained a second access path — likely an established session token or a compromised administrator account that was not included in the initial credential rotation. The "containment" actions reset the wrong credentials.

This is the same pattern that enabled ShinyHunters to leverage their Snowflake access months after their initial entry in the Ticketmaster breach. Containment is not complete until all potential persistence mechanisms are identified and removed — not just the confirmed initial vector. Instructure's May 2 containment announcement was premature.

ShinyHunters: Track Record

ShinyHunters is one of the most prolific data extortion groups active since 2020. Their major incidents:

  • Ticketmaster (2024): 560 million records. Access via Snowflake credentials. Live Nation paid an undisclosed ransom.
  • Snowflake customer breaches (2024): Multiple companies whose data was stored in Snowflake instances accessed via compromised credentials, including AT&T and Advance Auto Parts.
  • Santander Bank (2024): 30 million customer records.
  • Instructure Canvas (2026): 275 million records, the largest education breach on record.

The common thread is credential-based access to cloud infrastructure rather than novel vulnerability exploitation. ShinyHunters does not typically use zero-days — they acquire credentials through phishing, credential stuffing, or purchasing from initial access brokers, then move laterally through cloud environments.

Institutional Exposure Assessment

For IT administrators at Canvas-using institutions:

Step 1: Audit OAuth token issuance. In Canvas admin settings, navigate to Admin > Developer Keys. Review all active tokens and integrations. Revoke and reissue tokens for all third-party integrations. This is the highest-priority action because active OAuth tokens potentially remain functional.

Step 2: Force password resets for all Canvas users. Even if user passwords were not directly in the stolen data, credential stuffing against institutional email addresses is a likely follow-on attack.

Step 3: Notify users. EU GDPR Article 33 requires data breach notification to supervisory authorities within 72 hours of awareness — several EU member state institutions are in scope. US FERPA does not require breach notification to regulators but does require notification to affected students under some circumstances. Consult your institution's legal team.

Step 4: Review audit logs from May 1-7 for unusual admin access, bulk exports, or API calls at unusual volumes. ShinyHunters may have accessed the data through the Canvas API rather than directly from the database, in which case Canvas API logs will contain the activity.
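A defender-side check for Step 4, added here as an example and not code from the article or from Instructure: it scans audit lines in a constructed JSON shape (the field names, the `/reports` and `/content_exports` path patterns, and the thresholds are all assumptions) for three signs of bulk API access: a burst of calls from one actor, one actor walking many pages of a listing, and hits on export-style endpoints.

```python
"""Scan constructed Canvas-style JSON audit lines for bulk API access patterns.
Field names, export paths and thresholds are assumptions, not Instructure's real schema."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

EXPORT_PATHS = ("/reports", "/content_exports")  # assumed patterns; adjust locally
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log() -> str:
    """Constructed sample: a normal admin, plus an actor paging through an
    account-wide user list at machine speed and then hitting an export path."""
    base = datetime(2026, 5, 4, 2, 10, 0)
    recs = [{"ts": "2026-05-03T09:12:01Z", "actor": "admin_42", "path": "/api/v1/courses/101"},
            {"ts": "2026-05-03T09:13:40Z", "actor": "admin_42", "path": "/api/v1/courses/101/users?page=1"}]
    for page in range(1, 61):  # 60 pages in two minutes
        recs.append({"ts": (base + timedelta(seconds=2 * page)).strftime(TS_FMT), "actor": "token_9f3",
                     "path": f"/api/v1/accounts/1/users?per_page=100&page={page}"})
    recs.append({"ts": "2026-05-04T02:15:00Z", "actor": "token_9f3",
                 "path": "/api/v1/accounts/1/reports/example_report"})
    return "\n".join(json.dumps(r) for r in recs)


def find_anomalies(log_text, window=timedelta(minutes=5), max_calls=30, max_pages=20):
    """Return {actor: [reasons]} for actors that trip the rate, paging or export rules."""
    per_actor = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = json.loads(line)
            per_actor[rec["actor"]].append(rec)
    findings = defaultdict(list)
    for actor, recs in per_actor.items():
        times = sorted(datetime.strptime(r["ts"], TS_FMT) for r in recs)
        peak = start = 0
        for end, t in enumerate(times):  # sliding window: peak calls within `window`
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_calls:
            findings[actor].append(f"{peak} calls within {window}")
        pages = defaultdict(set)  # distinct page= values seen per listing path
        for r in recs:
            path, _, query = r["path"].partition("?")
            pages[path].update(kv[5:] for kv in query.split("&") if kv.startswith("page="))
            if any(p in path for p in EXPORT_PATHS):
                findings[actor].append(f"export endpoint hit: {path}")
        for path, seen in pages.items():
            if len(seen) > max_pages:
                findings[actor].append(f"walked {len(seen)} pages of {path}")
    return dict(findings)
```

Run `find_anomalies(build_sample_log())` to see the paging actor flagged on all three rules while the ordinary admin session stays clean; feed it your own exported audit lines once the field names are mapped.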

The SaaS Concentration Risk

41% of US higher education depends on a single vendor for learning management infrastructure. When that vendor's database is breached, 41% of US higher education's student records are at risk in one incident. This is not a Canvas-specific risk; it is a characteristic of any market with high SaaS concentration.

The lesson is not "don't use Canvas." The lesson is that SaaS concentration risk requires specific contractual and technical mitigations: data minimisation clauses (only store what you need in the SaaS platform), contractual breach response timelines, and independent monitoring for anomalous data access patterns rather than relying entirely on the vendor's security monitoring.

Key Takeaways

  • Canvas breach May 1-11, 2026: ShinyHunters stole 275M records (3.65 TB) from 8,809 universities; Instructure claimed containment May 2; hit again May 7; ransom paid May 11 — data reportedly destroyed
  • What was stolen: Student and faculty PII, private course messages, OAuth tokens for third-party integrations, institutional admin credentials
  • Immediate action: Revoke and reissue all Canvas OAuth/API tokens; force institution-wide password reset; review admin API logs from May 1-7; notify affected users per GDPR/FERPA requirements
  • ShinyHunters pattern: Credential-based cloud access + secondary persistence not removed in initial containment; same playbook as Ticketmaster 560M records and Snowflake customer breaches
  • Premature containment: "Closed and contained" announcements before fully auditing secondary persistence mechanisms are dangerous — they give false assurance and may delay complete remediation
  • SaaS concentration risk: 41% of US higher education on one vendor = 41% of US higher education records exposed in one breach; data minimisation and independent monitoring are the structural mitigations

For the BeyondTrust PAM breach with similar credential-based access patterns, read CVE-2026-1731: BeyondTrust Pre-Auth RCE, VShell and SparkRAT Deployed. For the LiteLLM SQL injection that also exposed API credentials, read CVE-2026-42208: LiteLLM SQL Injection Leaks API Keys.

Frequently Asked Questions

What happened in the Instructure Canvas data breach in May 2026?

ShinyHunters breached Instructure's Canvas LMS on May 1, 2026, stealing 275 million records (3.65 TB of data) from 8,809 universities and ministries of education worldwide — 41% of US higher education runs Canvas. Instructure claimed the breach was contained on May 2. ShinyHunters demonstrated ongoing access on May 7 by replacing the Canvas login page with a ransomware message. Instructure confirmed paying a ransom on May 11; ShinyHunters provided a deletion certification claiming the data was destroyed.

What data was stolen in the Canvas ShinyHunters breach?

The stolen 275 million records include student and faculty personally identifiable information (names, email addresses, enrollment records, grades), private course messages sent between students and instructors, OAuth tokens for third-party integrations connected to Canvas via LTI, and institutional administrator credentials. The private course messages are the most sensitive category — users had a reasonable expectation of confidentiality for LMS messages similar to email. OAuth tokens are the highest-priority security concern because they may remain active for third-party services like Google Workspace and Microsoft 365.

Why did Instructure's "contained" announcement fail?

Instructure closed the initial May 1 access vector but ShinyHunters had established a secondary persistence mechanism — likely a maintained session token or compromised administrator account — that was not included in the initial credential rotation. ShinyHunters' standard playbook across Ticketmaster and Snowflake breaches involves maintaining secondary access distinct from the primary entry point, specifically to defeat premature containment announcements. Complete containment requires identifying and removing all persistence mechanisms, not just the confirmed initial entry vector.

What should Canvas-using universities do now?

Four immediate steps: (1) Revoke and reissue all Canvas OAuth/API tokens — go to Admin > Developer Keys and rotate every active integration token, as these may still be functional; (2) Force a password reset for all Canvas users to prevent credential stuffing; (3) Review Canvas admin and API audit logs from May 1-7 for unusual bulk data access or export activity; (4) Notify affected students and faculty per GDPR (72-hour supervisory authority notification for EU institutions) and FERPA requirements (US). Consult your legal team on notification obligations based on your jurisdiction.

Written by

Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 795+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 164 countries.