- ShinyHunters briefly hijacked login portals of ~330 institutions and sent ransom demands and threats
- The group extended its deadline to May 12 and warned of complete data breaches if no settlement is reached
- Instructure confirmed the earlier breach, but maintains that sensitive financial and ID data was not exposed
The Instructure cyberattack has apparently reached a new level as ShinyHunters, in order to pressure victims into paying a ransom, have defaced Canvas login portals for hundreds of colleges and universities.
Members of around 330 educational institutions were greeted with a completely different “welcome” message when they tried to log into the Canvas learning system after the next phase of the group’s attack.
“ShinyHunters has broken Instructure (again). Instead of contacting us to fix it, they ignored us and made some ‘security fixes,'” the message said. “If any of the schools on the affected list are interested in preventing the release of their data, please consult with a cyber consulting firm and contact us privately at TOX to negotiate a settlement. You have until May 12, 2026 before everything is leaked.”
Postpone the deadline
The destruction message was reportedly visible for about half an hour before it was pulled by Canvas’ team.
Instructure, the company behind the Canvas system, recently notified its users that it had suffered a cyber attack and lost sensitive customer data. Instructure said the crooks gained access to “certain identifying information about users” at affected institutions, including names, email addresses, student ID numbers and user communications.
At the same time, ShinyHunters added Instructure to their data breach page, claiming that the attack affected nearly 9,000 schools and 275 people worldwide.
“Several billions of private messages among students and teachers and students and other involved students, containing personal conversations and other PII. Your Salesforce instance was also breached and much more other data is involved.”
It seems Instructure wasn’t interested in negotiating with the bad guys, as they updated their website earlier this week, dropping several high-profile universities and pushing the deadline to May 7th.
Now the deadline seems to have been pushed back again, this time to May 12.
Passwords, dates of birth, government identifiers or financial information were not involved, and the company revoked privileged credentials and access tokens associated with affected systems to mitigate the threat.
Via Bleeping Computer

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



