In a dramatic escalation of an already serious data breach, the cybercrime group ShinyHunters has defaced the Canvas login pages of multiple schools, marking what appears to be a second, separate compromise of education technology giant Instructure. The defacements, which TechCrunch observed on Tuesday, inject a threatening HTML file into the login portals, displaying a message demanding that Instructure negotiate a settlement by May 12 or face the public release of stolen data.
A Second Breach or an Escalation of the First?
Instructure, the company behind the widely-used Canvas learning management system, disclosed a data breach on Tuesday in which hackers stole students’ personal information, including names, personal email addresses, and private messages between teachers and students. ShinyHunters had already claimed responsibility for that initial breach, posting stolen data on their leak site to pressure the company into paying a ransom.
Also read: Gusto Hits $1 Billion Revenue Milestone, Signaling IPO Readiness
Now, with the defacement of school login pages, the group appears to be turning up the heat. A member of ShinyHunters told TechCrunch that this is a second, separate breach, though they declined to comment on how they compromised the login pages. The defacements were seen on at least three separate schools’ Canvas portals, and the group also notified TechCrunch directly about the attacks, a tactic aimed at maximizing pressure on Instructure and its customers.
Impact on Schools and Students
The original breach, according to ShinyHunters, affected nearly 9,000 schools worldwide and involved data on 231 million individuals. While the company has not confirmed those figures, the scale of the incident is immense, potentially exposing sensitive student-teacher communications and personal contact details. The defacement of login pages adds a new layer of disruption, potentially preventing students and teachers from accessing coursework, assignments, and critical communications.
At the time of writing, Instructure’s website appeared partially online, intermittently returning a ‘too many requests’ error. The Canvas portal displayed a notice stating it was ‘currently undergoing scheduled maintenance.’ Instructure did not immediately respond to TechCrunch’s request for comment.
Why This Matters for the Education Sector
This incident highlights the growing vulnerability of educational technology platforms to financially motivated cyberattacks. Schools and universities, often operating with limited cybersecurity budgets, are increasingly targeted by groups like ShinyHunters, who follow a predictable playbook: hack, publicize, and extort. The breach and subsequent defacement underscore the urgent need for stronger security measures in the ed-tech sector, as well as better incident response and communication protocols to protect students and staff.
Conclusion
The ShinyHunters group’s defacement of Canvas login pages represents a significant escalation in their extortion campaign against Instructure. With a deadline of May 12 for the release of stolen data, the pressure is mounting on the company and its school customers. The incident serves as a stark reminder of the real-world consequences of data breaches in education, where the theft of personal information and disruption of learning platforms can have lasting effects on millions of students.
FAQs
Q1: What is the ShinyHunters group?
A: ShinyHunters is a cybercrime group known for financially motivated hacking, data theft, and extortion. They typically steal data, publicize the breach on leak sites, and demand ransoms to prevent the data from being released publicly.
Q2: What data was stolen in the original Instructure breach?
A: According to ShinyHunters, the stolen data includes names, personal email addresses, and messages sent between teachers and students. The group claims the data involves nearly 9,000 schools and 231 million individuals, though these figures have not been independently verified.
Q3: What should students and parents do if their school uses Canvas?
A: Students and parents should be vigilant for phishing attempts or suspicious communications that may use the stolen data. They should also contact their school’s IT department for specific guidance on the breach and any steps being taken to protect their information.
