THE education sector has found itself in the crosshairs of a ShinyHunters “pay or leak” extortion campaign following the compromise of Instructure, the company behind the Canvas Learning Management System. The original compromise of Instructure occurred on 25 April with around 275 million records from 8,809 educational institutions stolen, and over 3.65 TB of data exfiltrated, according to the note released by ShinyHunters.
The group first attempted extortion by posting a ransom demand on its data leak site, setting an initial deadline of 8 May; since that deadline passed, the campaign has intensified into a school-by-school extortion drive, with a defacement message appearing on approximately 330 institutional Canvas login pages. The attackers gave affected organisations until 12 May to negotiate a settlement before leakage proceeds, according to Halcyon’s analysis referenced in the report. Raluca Saceanu, CEO of Smarttech247, described the attack as timed to maximise pressure as schools approach the end of the academic year and exam season.