How ShinyHunters Broke Into the Heart of American Learning — Twice


On the afternoon of May 7, 2026, a student at the University of Washington sat down to check her Canvas account. Finals week had arrived. There were grades to review, a paper to submit, a professor to message about an extension. Instead of a login screen, she was met with a message that began: "SHINYHUNTERS rooting your systems since '19." The same thing happened to students at Harvard, Columbia, Penn, Duke, UCLA, Georgetown, Stanford, and hundreds of other institutions across the United States, Australia, the United Kingdom, Canada, and beyond. Across roughly 330 institutions, the login portals of one of the most widely used educational platforms on earth had been defaced — not by a state-sponsored intelligence apparatus, not by a sophisticated foreign cyberweapon, but by a loosely affiliated extortion crew that security researchers describe, with barely concealed disbelief, as consisting largely of teenagers and young adults.

This is the story of the largest educational data breach in recorded history. It is also the story of a company that had a clear warning, months of lead time, and a very specific threat from a known adversary — and chose, functionally, to do nothing useful about it.


The Platform and What It Holds

Canvas, operated by the Utah-based company Instructure, is not a niche product. It is the dominant learning management system in North American higher education, used by 41 percent of colleges and universities on the continent. Harvard uses it. Stanford uses it. MIT uses it. The entire California State University system and the University of California system use it. Beyond higher ed, K-12 districts across the country rely on it for assignment submission, course management, grade tracking, and daily communication between students and teachers. As of 2026, Canvas serves approximately 30 million active users across more than 8,000 institutions worldwide, spanning 50 countries.

This is not a scrappy startup running on provisional infrastructure. In 2024, Instructure was acquired by KKR and Dragoneer in a deal valued at $4.8 billion. When ShinyHunters came for Canvas, they were not attacking an underfunded school IT department operating on goodwill and duct tape. They were attacking a billion-dollar enterprise sitting at the operational center of global education.

What Canvas holds, by virtue of what it is, is extraordinarily sensitive. Not just names, email addresses, and student ID numbers — the relatively sanitized categories Instructure would lean on throughout its communications — but private messages. The kinds of messages students send when they are struggling: mental health disclosures, requests for accommodations, accounts of personal crises, academic integrity conversations. Messages sent in the reasonable belief that a $4.8 billion company was handling them responsibly.


Who ShinyHunters Actually Are

The group's name is borrowed, with some dark irony, from competitive Pokémon players who obsessively hunt for rare "shiny" color variants of in-game characters. ShinyHunters applied the same patient, methodical pursuit to corporate databases. They emerged publicly in May 2020, when an account operating under that name appeared on dark-web forums and, in a single two-week burst, offered for sale over 200 million user records stolen from more than a dozen companies. The debut was startling in its speed and volume, and it set the template for everything that followed: find a massive platform with sensitive data, exfiltrate at scale, and apply the simple logic of "pay or leak."

What the name actually describes, however, is considerably more complicated than a single coherent organization. Google's Threat Intelligence Group tracks ShinyHunters-branded activity across multiple distinct threat clusters — designated UNC6661, UNC6671, and UNC6240 — reflecting the reality that "ShinyHunters" functions more as a criminal brand than a hierarchical organization. Mandiant, which has studied the group extensively, describes the overlapping affiliates as sharing tactics, infrastructure, and sometimes personnel, while operating with considerable independence. Multiple researchers note significant operational overlap with Scattered Spider, also tracked as 0ktapus and Muddled Libra, a financially motivated group that uses identical social engineering methodology.

Emsisoft threat analyst Luke Connolly, speaking to the Associated Press in the immediate aftermath of the Canvas defacement, offered the most pointed description: a loose affiliation of teenagers and young adults based in the U.S. and the United Kingdom. That framing is accurate as far as it goes, but it is also somewhat misleading. "Teenagers and young adults" does not mean unskilled. The group has demonstrated, across five years of continuous operation, a capacity for sophisticated planning, operational security, and technical execution that has successfully compromised some of the largest and most well-resourced companies on earth.

Since emerging in 2020, ShinyHunters or actors operating under that banner have claimed or confirmed breaches at Ticketmaster (560 million customers), AT&T (110 million customers, with AT&T paying a $370,000 ransom), Santander, Coinbase, Qantas (5.7 million customers), the European Commission, Telus Corporation (a $65 million demand), multiple universities including Penn, Harvard, and Princeton, and dozens of other targets across retail, finance, aviation, and now education technology. The group also administered BreachForums, a major criminal data-trading forum, until law enforcement action shut it down. One version of their data-leak site proudly listed dozens of Fortune 500 companies as claimed victims.


The Technique: Walking Through Doors Left Open

ShinyHunters does not break through walls. The group's consistent playbook, refined steadily over five years, is to find an unlocked door and walk through it — preferably one that belongs to a smaller, less-defended entity that has access to the larger target. This supply-chain orientation is central to understanding both why the group is so effective and why individual companies that believe themselves to be hardened are not actually safe.

The group's technical evolution has been deliberate and well-documented by Google, Mandiant, and others. In the early years, 2020 and 2021, ShinyHunters focused on bulk consumer database theft: unsecured Amazon S3 buckets, exposed GitHub OAuth tokens, compromised analytics providers. The methodology was opportunistic and high-volume.

By 2024, the targeting had sharpened considerably. The Ticketmaster breach, along with dozens of other 2024 incidents, ran through Snowflake, a cloud data warehousing company, and specifically through Snowflake customer environments that had not enforced multi-factor authentication. The attackers did not compromise Snowflake itself. They acquired legitimate credentials through infostealer malware and credential-stuffing operations, logged in as if they were authorized users, and exfiltrated whatever the compromised accounts had access to. It was operationally clean. There was no malware to detect, no exploit signature to catch. At the authentication layer the access was indistinguishable from a legitimate employee; the tells, for anyone looking for them, were elsewhere in the logs: a successful login that never presented a second factor, a client application or source network the account had never used before, and query volume out of proportion to the account's normal work.

By 2025, voice phishing, AI-assisted in at least some documented cases, had become a primary initial access vector. Mandiant describes the methodology in detail: attackers call employees impersonating IT support, direct the target to a convincing company-branded credential harvesting page, and collect both the password and the one-time MFA code in real time, relaying them to the real identity provider before the code expires so that the attacker, not the victim, ends up holding the authenticated session. Google's GTIG observed clusters associated with ShinyHunters conducting these operations at scale against Okta and other identity providers and against SaaS platforms such as Salesforce, then using the captured SSO sessions to move laterally through whatever applications the compromised account could reach. The lateral movement, Mandiant notes, is frequently opportunistic once inside: attackers search for documents containing terms like "confidential," "vpn," "salesforce," and "poc," harvesting whatever sensitive data the session can access.
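The three signals in the two paragraphs above, a password-only login, a client the account has never used, and a post-login hunt for particular keywords, are what a detection team can actually alert on. The following is an added example, not code from Instructure, Mandiant, Google or any vendor named on this page, that runs those three rules over a handful of constructed audit events. The event schema, the user names, the IP addresses and the KNOWN_CLIENTS baseline are assumptions invented for the example; the keyword list is the one Mandiant describes.

```python
"""Detection rules for credential-based SaaS access, run over constructed audit events.

Added illustration: the event schema, user names, IPs and KNOWN_CLIENTS baseline
are assumptions made up for this example, not Snowflake, Okta or Instructure logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Search terms Mandiant reports the operators hunting for once inside a session.
SENSITIVE_TERMS = {"confidential", "vpn", "salesforce", "poc"}
SEARCH_WINDOW = timedelta(minutes=30)   # burst window after a login (assumed tuning)
SEARCH_THRESHOLD = 3                    # sensitive searches per window before alerting

# Constructed per-user baseline: client applications each account normally logs in with.
KNOWN_CLIENTS = {"alice": {"Okta Browser"}, "bob": {"Okta Browser"}}

# Constructed sample events (ISO timestamps; "login" and "search" types only).
EVENTS = [
    {"ts": "2026-04-28T09:00:00", "user": "alice", "type": "login",
     "ip": "203.0.113.10", "client": "Okta Browser", "mfa": True},
    {"ts": "2026-04-28T09:05:00", "user": "alice", "type": "search", "query": "Q2 budget"},
    {"ts": "2026-04-28T10:00:00", "user": "bob", "type": "login",
     "ip": "203.0.113.11", "client": "Okta Browser", "mfa": True},
    {"ts": "2026-04-28T10:30:00", "user": "bob", "type": "search", "query": "vpn setup guide"},
    # Stolen-credential session: no second factor, a scripting client, a new network.
    {"ts": "2026-04-29T02:10:00", "user": "alice", "type": "login",
     "ip": "198.51.100.7", "client": "python-requests/2.31", "mfa": False},
    {"ts": "2026-04-29T02:11:00", "user": "alice", "type": "search", "query": "vpn"},
    {"ts": "2026-04-29T02:12:00", "user": "alice", "type": "search", "query": "confidential"},
    {"ts": "2026-04-29T02:14:00", "user": "alice", "type": "search", "query": "salesforce poc"},
]


def sensitive_hit(query: str) -> bool:
    """True if any whole word of the query is one of the hunted terms."""
    words = set(re.findall(r"[a-z0-9]+", query.lower()))
    return bool(words & SENSITIVE_TERMS)


def analyze(events, known_clients):
    """Return a list of findings; each is {"rule", "user", "ts"} plus rule-specific detail."""
    findings = []
    known = {user: set(clients) for user, clients in known_clients.items()}
    session_start = {}                 # user -> datetime of most recent login
    burst_count = defaultdict(int)     # user -> sensitive searches since that login
    burst_alerted = set()              # users already alerted for the current session

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(ev["ts"]), ev["user"]

        if ev["type"] == "login":
            # Rule 1: the Snowflake pattern, a password-only login on an account that should have MFA.
            if not ev["mfa"]:
                findings.append({"rule": "login_without_mfa", "user": user,
                                 "ts": ev["ts"], "ip": ev["ip"]})
            # Rule 2: first sighting of this client application for this account.
            if ev["client"] not in known.setdefault(user, set()):
                findings.append({"rule": "new_client", "user": user,
                                 "ts": ev["ts"], "client": ev["client"]})
                known[user].add(ev["client"])   # alert once, then treat it as seen
            session_start[user] = ts
            burst_count[user] = 0
            burst_alerted.discard(user)

        elif ev["type"] == "search":
            start = session_start.get(user)
            if start is None or ts - start > SEARCH_WINDOW:
                continue   # outside the post-login window this rule cares about
            # Rule 3: a burst of hunted keywords shortly after a login.
            if sensitive_hit(ev["query"]):
                burst_count[user] += 1
                if burst_count[user] >= SEARCH_THRESHOLD and user not in burst_alerted:
                    burst_alerted.add(user)
                    findings.append({"rule": "sensitive_search_burst", "user": user,
                                     "ts": ev["ts"], "count": burst_count[user]})
    return findings


if __name__ == "__main__":
    for finding in analyze(EVENTS, KNOWN_CLIENTS):
        print(finding)
```

On the constructed input, bob's single "vpn" search stays below the burst threshold and his login matches his baseline, so only alice's 02:10 session produces findings: the missing second factor, the unfamiliar scripting client, and the keyword burst three searches later. Rule 2 alerts once per new client and then treats it as known, which is the trade-off between noise and a baseline that quietly learns the attacker's tooling; in production the baseline should be seeded from a longer history than one prior login.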

The 2026 Canvas breach added a further wrinkle: the weaponization of a trusted program feature. Instructure operated a "Free-For-Teacher" account program designed to let individual educators pilot Canvas without requiring their institution to have a contract. The program was designed for frictionless onboarding — an educator could create a Canvas tenant with no institutional verification. This design created what researchers at Rescana describe as weaker trust boundaries between Free-For-Teacher accounts and full institutional tenants, all of which shared the same underlying infrastructure. In a multi-tenant SaaS architecture that relies on logical rather than physical isolation, that gap is not a hypothetical risk. Instructure confirmed that ShinyHunters exploited a specific vulnerability — described variously as related to "support tickets" in the FFT environment — to gain initial unauthorized access on April 29, 2026, and then leveraged the same unpatched issue to re-enter and deface login portals on May 7. The precise technical mechanism has not been publicly disclosed. What is confirmed is that the group achieved what Bitdefender's analysts describe as API-level extraction at scale, exfiltrating data through standard web service calls in a pattern consistent with ShinyHunters' established operational template.
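The risk class Rescana describes, logical isolation that depends on every data path honouring the caller's tenant, is easier to see in code than in prose. What follows is an added illustration, not Instructure's code and not a reconstruction of the undisclosed Canvas vulnerability: a support-ticket lookup written the weak way, beside the tenant-scoped and tier-gated version. The SQLite schema, the tenant ids, the tier names and the action policy are assumptions made up for the example.

```python
"""Tenant-scoped authorization in a multi-tenant SaaS store, as an added illustration.

This is not Instructure's code and does not reproduce the undisclosed Canvas bug;
it shows the risk class the advisories describe. The schema, tenant ids, tiers
and action policy are assumptions made up for the example.
"""
import sqlite3

# Which tenant tiers may perform which actions (assumed policy).
ACTION_POLICY = {
    "read_own_ticket": {"institution", "free_for_teacher"},
    "export_roster": {"institution"},   # never available to an unverified pilot tenant
}

AUDIT = []   # denied attempts: the signal a detection team would want to see


def build_db() -> sqlite3.Connection:
    """In-memory store: two tenants of different trust tiers, one ticket each (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE tenants (id TEXT PRIMARY KEY, tier TEXT NOT NULL);
        CREATE TABLE support_tickets (
            id INTEGER PRIMARY KEY,
            tenant_id TEXT NOT NULL REFERENCES tenants(id),
            body TEXT NOT NULL);
        INSERT INTO tenants VALUES ('uw', 'institution'), ('fft-7781', 'free_for_teacher');
        INSERT INTO support_tickets VALUES
            (1001, 'uw', 'SSO certificate rotation for the spring term'),
            (1002, 'fft-7781', 'cannot upload syllabus to sandbox course');
    """)
    return db


def fetch_ticket_unscoped(db, ticket_id):
    """Weak pattern: a global id is the only key, so any caller can read any tenant's ticket."""
    return db.execute(
        "SELECT id, tenant_id, body FROM support_tickets WHERE id = ?", (ticket_id,)
    ).fetchone()


def tenant_tier(db, tenant_id):
    """Trust tier of a tenant, or None if the tenant does not exist."""
    row = db.execute("SELECT tier FROM tenants WHERE id = ?", (tenant_id,)).fetchone()
    return row[0] if row else None


def can_perform(db, tenant_id, action) -> bool:
    """Tier gate: an action is allowed only if the caller's tier appears in the policy for it."""
    return tenant_tier(db, tenant_id) in ACTION_POLICY.get(action, set())


def fetch_ticket_scoped(db, caller_tenant, ticket_id):
    """Hardened pattern: the tier gate runs first and the caller's tenant is part of the predicate.

    A ticket outside the caller's tenant is indistinguishable from one that does not exist
    (None rather than a distinct 'forbidden' answer), so ids cannot be confirmed across tenants.
    """
    if not can_perform(db, caller_tenant, "read_own_ticket"):
        AUDIT.append(("tier_denied", caller_tenant, ticket_id))
        return None
    row = db.execute(
        "SELECT id, tenant_id, body FROM support_tickets WHERE id = ? AND tenant_id = ?",
        (ticket_id, caller_tenant),
    ).fetchone()
    if row is None:
        AUDIT.append(("cross_tenant_or_missing", caller_tenant, ticket_id))
    return row


if __name__ == "__main__":
    db = build_db()
    print("unscoped, pilot caller reading the institution's ticket:", fetch_ticket_unscoped(db, 1001))
    print("scoped, same request:", fetch_ticket_scoped(db, "fft-7781", 1001))
    print("scoped, own ticket:", fetch_ticket_scoped(db, "fft-7781", 1002))
    print("pilot tenant allowed to export a roster?", can_perform(db, "fft-7781", "export_roster"))
    print("audit:", AUDIT)
```

The unscoped query hands the pilot tenant the institution's ticket because nothing in it asks who is calling; the scoped query cannot, because the tenant is part of the row's identity rather than a check bolted on afterwards. The tier gate is the second half of the lesson: a self-service account class that anyone can create must be denied the operations that only verified tenants should hold, and every denial should land in a log that somebody reads.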

The simultaneous Vimeo breach that ran parallel to the Canvas campaign illustrates the same supply-chain principle operating in a different direction. ShinyHunters did not attack Vimeo directly. They compromised Anodot, a third-party analytics company with access to Vimeo's data stored on Snowflake and BigQuery, stole authentication tokens from Anodot, and used those to access approximately 119,000 Vimeo customer accounts. The front door was guarded. The analytics provider's side door was not.


The Question Nobody Has Fully Answered: Why Aren't They in Prison?

Law enforcement has not been entirely passive. In May 2022, Sébastien Raoult, a 22-year-old French programmer with ties to the group, was arrested in Morocco and extradited to the United States. In January 2024, he was sentenced to three years in federal prison and ordered to pay more than $5 million for conspiracy to commit wire fraud and aggravated identity theft. The DOJ described ShinyHunters as a "notorious international hacking crew." In June 2025, French authorities arrested four additional suspected members linked to the group's administration of BreachForums. In May 2025, a 19-year-old Massachusetts student named Matthew Lane was charged with hacking and extorting PowerSchool, an education technology provider; he pleaded guilty the following month.

After each of these actions, operations continued without meaningful interruption.

The persistence is explicable, if not comforting. The decentralized brand structure is the primary obstacle. Because "ShinyHunters" is a shared identity adopted by multiple overlapping clusters of actors, arresting individual members does not dismantle the organization. Raoult, by the DOJ's own account, was not a major player. The four arrested in France in June 2025 were BreachForums administrators, which removed infrastructure but not capability. The group's use of cryptocurrency, anonymizing networks, and encrypted communications channels limits forensic tracing. Jurisdictional fragmentation compounds the problem: key actors appear to be distributed across the U.S., U.K., and France, with operations that cross borders in ways that make coordinated law enforcement action slow and cumbersome.

The brand model also creates deliberate attribution confusion. Multiple security researchers note that the ShinyHunters name has been used by actors who may not be the "original" group, including affiliates who operate independently and, in at least some documented cases, by impersonators. When the PowerSchool extortion was attributed to ShinyHunters, a person claiming to be the group's leader told Bleeping Computer that the actual culprit was an affiliate impersonating them. Whether that claim was true or a tactical deflection is impossible to verify from outside. What it demonstrates is that the brand itself functions as cover: law enforcement has to identify and prove the specific actors behind a specific operation, while the brand absorbs the attribution and then distributes the legal risk across a diffuse network.

There is also the operational security question. The group's members, the ones not yet arrested, appear to have internalized lessons from the arrests that did occur. Raoult was caught in Morocco, a country with a functioning extradition relationship with the United States. Subsequent operations have presumably adapted accordingly. Young, English-speaking, US- and UK-based actors who understand basic operational security (VPNs, cryptocurrency mixers, compartmentalized identities, avoiding physically traceable infrastructure) are significantly harder to locate than state-sponsored threat actors with bureaucratic footprints and government-issued equipment.

The result is a criminal enterprise that has successfully compromised hundreds of organizations, collected ransoms from at least some of them, been described by the DOJ as "notorious," had several of its peripheral members convicted — and is still running active extortion campaigns today.


The September 2025 Warning That Went Nowhere

Eight months before the Canvas defacement, ShinyHunters had already been inside Instructure's infrastructure.

In September 2025, the group conducted a social engineering attack against Instructure's Salesforce environment. Specifically, operators impersonating IT support or a trusted vendor used voice phishing to trick Instructure employees into approving a malicious connected application inside their Salesforce instance — the same "Data Loader" impersonation technique that Mandiant and Google's GTIG documented extensively across the group's 2025 Salesforce campaign, which claimed 1.5 billion records from approximately 760 organizations. Instructure disclosed the incident but characterized the exposure as limited to public business contact details, stated that no Canvas product data had been accessed, and described the incident as contained.

Two failures are embedded in that response. The first is the characterization itself. "Public business contact details" as a description of what was exposed in a Salesforce breach by a group with a documented pattern of returning to high-value targets is either naïve or deliberately minimizing. The second is what did not happen afterward: a structural re-examination of the company's attack surface, with specific attention to the access mechanisms that ShinyHunters had just demonstrated it knew how to exploit. In concrete terms that means inventorying every connected app authorized in the Salesforce tenant and removing the ones nobody can vouch for, restricting which users may authorize new ones, reviewing login history for client applications the affected accounts had never used before, and then asking the same questions of every other SaaS tenant and self-service program the company runs. Bitdefender's technical advisory notes that the September 2025 and May 2026 incidents, while targeting different infrastructure and using different attack classes, represent a clear pattern of sustained adversarial interest in Instructure specifically.

ShinyHunters came back because they had already demonstrated that Instructure's defenses had gaps, and because nothing in Instructure's response to the September breach indicated that those gaps were being systematically closed.


The Twelve-Day Corporate Communication Disaster

Instructure detected unauthorized activity in Canvas on April 29, 2026. That detection is worth noting: the company did not learn about the breach from ShinyHunters or from students posting screenshots. Its own monitoring caught something. The company revoked the intruder's access and initiated a forensic investigation.

On April 30, Instructure had to take additional steps to address what it described as "additional suspicious access" — which is to say, the initial revocation did not fully close the vector. On May 1, the company posted a notice to its status page acknowledging a cybersecurity incident. On May 2, CISO Steve Proud stated, publicly, "We believe the incident has been contained." On May 6, the company reiterated that it was "not seeing any ongoing unauthorized activity" and that Canvas was fully operational.

On May 7, ShinyHunters defaced the login portals of approximately 330 institutions.

The sequence is important. Between May 2 and May 7, Instructure had declared the incident resolved and stopped meaningful communication with the institutions whose students' data had been stolen. According to ShinyHunters' own public statements — which is not an endorsement of the group's credibility, but a data point about what Instructure did not do — the company made no attempt to communicate with the group after the initial breach. One version of the ransom note put it bluntly: "Instructure has not even bothered speaking to us to understand the situation or to even negotiate with us to prevent the release of this data."

The question of whether to negotiate with an extortion group is genuinely complicated. There are sound arguments against it — payment funds future attacks, provides no reliable guarantee of data deletion, and may create legal exposure depending on sanctions considerations. But there is a meaningful difference between a deliberate decision not to engage, made with full situational awareness and accompanied by vigorous alternative measures, and simply not engaging because the company believed its patches had worked and the problem was over. The evidence strongly suggests the latter. The status page on the morning of May 7 showed no active incidents. Schools found out their students' login pages had been compromised at the same time their students did.

What followed was a public communications failure of significant proportions. CEO Steve Daly did not make a public statement for twelve days after the initial breach, twelve days during which the incident escalated from a first compromise to a second defacement to a campus-wide finals disruption affecting institutions across five countries. When Daly finally spoke on May 11, his statement was: "We got the balance wrong. We focused on fact-finding and went quiet when you needed consistent updates." That is an accurate description of what happened. It is also an extraordinarily mild accounting of two weeks in which the company told 8,800 institutions their platform was secure when it was not, watched students lose access to course materials during final exams, and allowed a criminal extortion group to deliver the breach notification that the company itself should have been sending proactively.

By May 11, Instructure had reached an undisclosed financial agreement with ShinyHunters. The company received what it described as "digital confirmation of data destruction (shred logs)" and stated that the agreement covers all impacted institutions and that individual schools need not negotiate separately. The statement added, with careful hedging: "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible." The company will not confirm the amount of the payment.

The practical implications of "shred logs" from a criminal extortion group require no extended analysis. ShinyHunters has a documented history of publishing data after receiving payment — AT&T paid $370,000 in 2024 and the data later circulated regardless. The group's reputation for non-compliance with its own settlement terms is, in a perverse sense, a feature of the business model: it maintains fear without creating a reliable enough track record that future victims can feel confident paying. Whether the Canvas data actually stays suppressed is a question that will not be answered for months or years, and possibly never definitively.


The Structural Failure Behind the Technical One

The Free-For-Teacher vulnerability that ShinyHunters exploited was not an obscure zero-day requiring nation-state resources to discover. It was a design decision: a program intended to reduce friction for individual educators, implemented without adequate isolation between pilot accounts and institutional tenants sharing the same underlying infrastructure. Rescana's analysis describes the architectural model precisely: a multi-tenant SaaS environment relying on logical rather than physical data isolation, where a verification gap in one account type could undermine the isolation guarantees for all tenants. Logical isolation holds only as long as every data access path carries the caller's tenant as part of its authorization check; a single path that does not is a path into every tenant, and an account class that anyone can create for free is the cheapest possible place to start looking for one. That is not an exotic attack surface. It is a known risk category in enterprise SaaS architecture, documented extensively in security literature, and one that a company managing the data of 30 million users and 8,800 institutions should have identified and mitigated.

The fact that the same vulnerability — the same Free-For-Teacher account issue — remained exploitable after Instructure's "security patches" between the April 29 intrusion and the May 7 defacement is difficult to characterize charitably. Instructure's own post-incident disclosure confirms that the May 7 unauthorized activity was "tied to the same incident" and exploited the same vector. The patches applied between May 2 and May 7 did not close the door. The company declared the incident resolved anyway.

This has material downstream consequences that extend beyond the immediate data exposure. Cybersecurity researchers at Trend Micro, Halcyon, and Bitdefender have all flagged the same downstream risk: the stolen dataset — names, email addresses, student IDs, private messages, course names, enrollment information — constitutes extremely high-quality material for targeted spear-phishing campaigns. A criminal actor with access to real course names, real advisor names, real student circumstances, and real private message content can construct convincing, contextually accurate phishing messages that bear no resemblance to the generic credential-harvesting attempts that most security awareness training prepares people to recognize. Researchers recommend elevated phishing vigilance for at least 90 days post-breach. Given that the data may not stay suppressed, the effective window of elevated risk is indefinite.

The class-action landscape is developing accordingly. At least four law firms had opened investigations as of mid-May. State attorneys general in California, New York, and Texas have standing under student-privacy and breach-notification statutes. The FTC's amended COPPA rule, whose compliance deadline of April 22, 2026 fell one week before the initial Canvas breach, gives federal regulators additional authority over K-12 data involving children under 13, a category well-represented in the 8,800 affected institutions. Schools that have not yet notified parents of the breach are accumulating legal exposure with each passing day: under FERPA the institution, not its vendor, is the custodian of the education records, and the breach-notification duties imposed by state law attach to it accordingly, not to Instructure.

The broader market question is harder to resolve. Canvas holds 41 percent of the U.S. higher-education LMS market. The institutional switching costs — migrating course content, retraining faculty, renegotiating contracts — are substantial enough that most affected schools will remain on Canvas regardless of this incident. Instructure knows this. The company's communications throughout the breach reflect an awareness that its user base has limited options. Doug Thompson, chief education architect at Tanium, identified the strategic logic that made Instructure such an attractive target in the first place: "Instead of targeting individual campuses, attackers are moving up the data supply chain to the platforms that sit underneath thousands of institutions at once." The concentrated architecture of the EdTech market — where a single vendor serves 41 percent of an entire sector — is not incidental to the scale of the damage. It is the reason for it.


What This Incident Actually Demonstrates

ShinyHunters did not need a sophisticated exploit to breach Instructure. They needed a program with lax verification requirements, a company that had already shown it would characterize breaches as contained when they were not, and a deadline timed to coincide with the moment when institutional capacity for disruption management was at its lowest. They got all three.

The September 2025 Salesforce breach was a warning signal that Instructure converted into a press release and then forgot about. The April 29 detection was an opportunity to treat the incident with the seriousness it warranted, communicate transparently with affected institutions, and give schools time to develop contingency plans before finals week. Instructure converted that opportunity into a series of status-page updates and a CISO statement declaring containment that turned out to be wrong.

There is a version of this incident in which a company of Instructure's scale and resources, having been breached once by ShinyHunters in September 2025, conducts a comprehensive threat-model review, identifies the Free-For-Teacher account program as an insufficiently isolated attack surface, implements meaningful verification requirements and tenant isolation, and responds to the April 29 intrusion with aggressive transparency and proactive institutional notification. That version of this incident does not end with 330 university login pages carrying ransom demands during finals week.

The version that actually happened ends with an undisclosed ransom paid to an extortion group that may or may not have actually deleted 3.65 terabytes of data, a CEO apologizing for going "quiet," and 275 million students, teachers, and staff left wondering whether the messages they sent to their professors — the ones about the mental health crisis, the family emergency, the disability accommodation — are sitting in a criminal database somewhere, waiting.

KKR paid $4.8 billion for this company. The board can ask whether they got security commensurate with that investment. Based on the available evidence, the answer is clearly no.


Recommendations for Affected Institutions and Users

Affected individuals should freeze credit at Equifax, Experian, and TransUnion, a free process that takes roughly an hour and limits the utility of the stolen data for identity fraud. Any password reused alongside the email address used for Canvas should be changed immediately. Passwords are not reported to have been in the stolen data, but the email addresses were, and credential-stuffing operations routinely test known emails against common password patterns across many services; a unique password per service and MFA wherever it is offered close that avenue. Any communication purporting to come from Canvas, Instructure, or a school administrator that arrives via email over the next several months should be treated with heightened skepticism. The stolen dataset provides exactly the contextual information needed to make phishing messages convincing, so a message that knows your course, your instructor and your recent conversation is not, on its own, evidence that it is genuine.

Institutions should rotate Canvas API credentials, OAuth tokens, and SSO configurations regardless of whether they received direct breach notification, and should review which third-party integrations hold tokens into their Canvas tenant while they are at it. The scope of the incident has not been independently verified; Instructure's record of accurately characterizing that scope during this incident is not strong; and the cost of an unnecessary credential rotation is far lower than the cost of leaving a compromised token active. K-12 districts handling data on children under 13 should begin FERPA and COPPA notification planning immediately; the legal exposure for delayed notification is real and is not resolved by Instructure's ransom settlement.

ShinyHunters will attack again. They have done so after every previous enforcement action, every previous arrest, every previous public declaration that a campaign has been contained. The education technology sector, which combines massive concentrated data holdings with constrained security budgets and deep user trust, should anticipate continued targeting. The lesson from Canvas is not specific to Canvas.


Reporting in this article draws on primary source disclosures from Instructure, technical advisories from Bitdefender, Halcyon, Rescana, and Trend Micro, original reporting from Dark Reading, The Register, Inside Higher Ed, CNN, Time, The Daily Pennsylvanian, and Ransomware.live tracking data, as well as threat intelligence reporting from Mandiant/Google and the Wikipedia documentation of the 2026 Canvas security incident. Thanks to Olive Badger for early coverage that brought this story to wider public attention.

Jonathan Brown is a cybersecurity researcher and investigative journalist at bordercybergroup.com. If you would like to support our work, providing useful, well researched and detailed evaluations of current cybersecurity topics at no cost, feel free to buy us a coffee! https://bordercybergroup.com/#/portal/support