SHINYHUNTERS escalates Canvas attacks with school login defacements, Malwarebytes reports on 8 May 2026. Days after confirming a major data breach, Instructure’s cloud‑hosted Canvas environment was breached again, with the group allegedly stealing hundreds of millions of records from thousands of schools and universities worldwide.
According to new reporting, ShinyHunters has moved from data theft to extortion, using a vulnerability to modify Canvas login portals and deface web logins and the Canvas app with an on‑screen ransom message. The defacements also carry a time pressure, as the message claims responsibility for the earlier breach and sets a deadline of 12 May for Instructure and affected schools to contact the gang or face the public release of stolen data.
This escalation suggests ongoing access to components controlling login pages and marks a shift in tactic from leaks to direct pressure aimed at students, parents and staff. For affected institutions, Malwarebytes reiterates guidance to reset Canvas passwords, enable MFA where possible and monitor for targeted phishing.