How to use this pack.
This pack is structured so a CISO can read the first two sections in five minutes and brief the executive team, then hand the rest to their security team for action. It is built from Protos Labs investigation work plus open-source corroboration as of 13 May 2026. Where claims are based on actor statements rather than vendor or independent confirmation, that distinction is preserved.
The pack covers four things:
- Latest position — what is confirmed, what is claimed but unverified, and what changed in the last 72 hours.
- What this means for your institution — risk framing for non-Instructure customers as well as direct ones.
- Threat actor context — who ShinyHunters are, how they have evolved, and why the education sector is a recurring target.
- Recommended actions and supporting technical material — contained in the accompanying technical details document.
Latest position.
Timeline of the incident
shinyhunte[.]rs is suspended / non-resolving; the group announces a shift to onion-only leak infrastructure. shinyhunte[.]rs did not resolve in public DNS and RDAP returned 404; no new clearnet replacement domains, paste links, IPs, or file hashes attributable to ShinyHunters surfaced in monitored RSS sources during the window. Authoritative registrar/registry confirmation of permanent suspension is still pending; current confidence is Moderate that the domain is suspended (vs. transient outage).
Confirmed exposed data
Names, email addresses (mostly institutional .edu addresses), student ID numbers, and Canvas inbox messages between users.
Canvas breach confirmed by Instructure
- Instructure, the company behind the SaaS platform Canvas, stated the cyber incident date as 25 April 2026, with detection on 29 April.
- The unauthorized actor exploited an issue related to Instructure's Free-For-Teacher account program — the same issue that enabled the second-wave 7 May intrusion. The program has now been permanently shut down.
- Privileged credentials were revoked, API keys rotated, and law enforcement engaged. Instructure confirmed engagement of CrowdStrike for forensic analysis and incident response, and confirmed notification of the FBI and CISA.
- Instructure confirmed only the following exposed data: names, email addresses (mostly institutional .edu addresses), student ID numbers, and Canvas inbox messages between users.
- Per their most recent statement, there is no evidence that passwords, dates of birth, government identifiers, or financial information were exposed. This may be revised as the investigation continues.
- Canvas was fully restored on 8 May 2026 following the Free-For-Teacher shutdown.
Ransom outcome
On 11 May 2026 Instructure stated it had "reached an agreement with the unauthorized actor involved in this incident" and had "secured stolen data." The company reported receipt of "digital confirmation of data destruction (shred logs)" and that "no Instructure customers will be extorted as a result of this incident, publicly or otherwise." The agreement is stated to cover all impacted customers, removing any requirement for individual institutions to negotiate directly.
Instructure has not used the word "ransom" in any public communication. The Register, Help Net Security and Inside Higher Ed have characterised the agreement as a ransom payment; the monetary amount has not been disclosed by either Instructure or the threat actor.
CISO-relevant caveats
- Help Net Security and independent commentators have noted that paying threat actors does not guarantee data was not copied, redistributed, or shared with affiliates before destruction. The "shred logs" assurance rests on the threat actor's word.
- The FBI's standing public position remains: do not pay ransoms. Instructure's decision is described by The Register as a "risky approach."
- The agreement covers Instructure-impacted customers as a class but does not prevent downstream use of any data the actor or affiliates may have retained or sold prior to the agreement.
Claimed by the threat actor (unverified)
- An actor using the ShinyHunters name claimed responsibility on 3 May 2026 via its Tor-based leak site; the listing was reproduced by Ransomware.live.
- The claim references approximately 3.65 TB of data, ~275 million records, and ~8,809 schools/institutions. These figures are actor-supplied and have not been independently verified. Historical ShinyHunters claims have frequently been inflated; one ShinyHunters representative subsequently told TechCrunch the unique email count is closer to 231 million.
- The 7 May login-page defacement messages instructed schools to "contact us privately at TOX" — referring to Tox, a peer-to-peer encrypted messaging protocol used by the group for negotiation. The specific Tox ID is the actionable indicator; "TOX" itself is the channel, not a token.
- ShinyHunters also claims a separate breach of Instructure's Salesforce instance in May 2026, and that individual organisations have already paid them directly. Neither claim is independently verified. The vendor-confirmed vector remains the Canvas Free-For-Teacher account program.
Confirmed second breach in eight months
This is Instructure's second ShinyHunters breach in eight months, but the attack surfaces differ:
Salesforce (peripheral)
Vishing-led social engineering against Instructure's Salesforce instance — peripheral business infrastructure, no Canvas product data. Part of a broader campaign that allegedly exfiltrated ~1.5 billion Salesforce records from ~760 organisations via the Salesloft Drift supply-chain attack.
Canvas (core product)
Direct exploitation of the Free-For-Teacher program in the Canvas platform itself — institutional course data, student information, and private communications.
CISOs evaluating Instructure (or any SaaS vendor) on this campaign should request documentation on what changed after September 2025 and why those controls did not prevent the May 2026 incident.
What is not yet known
- Tenant-by-tenant scope. Each Canvas customer must confirm with Instructure which of its specific data, integrations, and users were affected.
- Final dataset scale. The actor's 275M / 8,809-schools figures have not been independently corroborated; even with the 11 May agreement, no third-party forensic accounting has been published.
- Whether further data was taken from the second-wave (7 May) login-page activity beyond the original intrusion.
- Whether any portion of the dataset was sold, shared with affiliates, or redistributed prior to the 11 May "data destruction" claim.
- Authoritative registrar/registry confirmation that shinyhunte[.]rs is permanently suspended (vs. temporary outage or migration).
- The amount paid (if any) and what regulatory disclosures will follow the Congressional inquiry.
Executive summary for non-technical stakeholders.
The headline. Canvas — the learning management system used by 41% of higher-education institutions in North America and over 8,000 institutions globally — has been hit by a data-extortion group called ShinyHunters. Identity data and private messages are confirmed exposed. Instructure announced on 11 May that it had reached an agreement with the threat actor and received "digital confirmation of data destruction"; press reporting (The Register, Help Net Security, Inside Higher Ed) characterises this as a ransom payment, though Instructure has not used that word and has not disclosed an amount. The most realistic near-term threat to your institution is not encryption of your systems, and is no longer leak-site exposure — it is a wave of highly credible phishing emails and phone calls aimed at your students, faculty, and IT staff, using context that may have been copied before the agreement was reached.
Why the ransom development does not relax defences. Paying a criminal group buys its cooperation on its own public timeline. It does not secure the data.
Any copy that left the group's primary infrastructure prior to 11 May — to affiliates, brokers, or other extortion actors — remains usable for phishing and credential-stuffing campaigns. Treat the data as exposed regardless of the agreement.
Why it matters even if you are not an Instructure customer
ShinyHunters has spent the last 18 months systematically targeting the education and edtech sector, and the broader SaaS ecosystem the sector depends on. Confirmed victims in this campaign series include Instructure (twice), McGraw Hill (April 2026, ~13.5M emails confirmed by Have I Been Pwned), Infinite Campus (March 2026, via its Salesforce instance), and individual universities including the University of Pennsylvania, Princeton, and Harvard (late 2025). The recurring infrastructure target is Salesforce — many edtech vendors run customer data on Salesforce, and a single Salesforce or analytics-vendor compromise has cascaded across the sector multiple times.
What to do this week
Brief your IT helpdesk and admin staff on a specific phone-based social-engineering technique (vishing) the group is using to bypass MFA. Inventory and rotate developer keys, OAuth tokens, and service-account credentials tied to Canvas and Salesforce. Scan code repositories for exposed credentials. Preserve logs. Issue a measured user notification that focuses on what is confirmed, not what the actor claims, and that does not over-rely on the 11 May agreement.
A US Congressional investigation into the breach opened on 12 May 2026 (The Register), with Instructure's CEO named for testimony. Education-sector regulators in the EU (GDPR), UK (DPA 2018) and Australia (Privacy Act) are likely to take an interest given the affected populations.
That regulatory interest is driven by the combination of personally identifiable information, private message content, and educational context — not by ransomware, and not negated by the 11 May agreement. The follow-on phishing risk is the live threat.
What this means for your institution.
If you are an Instructure customer
You are a directly affected party. Your immediate priorities are validating vendor guidance, inventorying your Canvas developer keys and LTI integrations, rotating or reauthorising affected credentials / tokens, hardening privileged access, preserving logs for forensic and regulatory needs, and preparing a measured user notification. See the technical details document for sequenced actions.
You should also specifically check whether your tenant ever used or interacted with Free-For-Teacher accounts — these have now been permanently shut down, and any data flows dependent on them need to be unwound.
Do not relax the credential-rotation, integration-reauthorisation, or phishing-defence work on the basis of the data-destruction claim. The shred-logs assurance rests on the threat actor's word and does not address pre-agreement data redistribution.
If you are not an Instructure customer
You are still affected by the broader campaign in three ways:
- Adjacent vendor exposure. Confirmed ShinyHunters victims also include McGraw Hill (April 2026) and Infinite Campus (March 2026, via its Salesforce instance). Most institutions hold student or staff data with at least one of these. Run the same key-rotation and integration-audit process against any edtech vendor that has disclosed an incident in the past 18 months, and pay particular attention to anything that touches Salesforce.
- Indirect data exposure via partners. Affiliated schools, alumni systems, research partners, and third-party tutoring/proctoring services may be Canvas customers whose breach exposes your population indirectly.
- Sector-wide phishing risk. The data exposed in this campaign — names, emails, student IDs, message content — fuels phishing campaigns targeted at the education sector generally, not just Canvas users. Expect attempts that reference plausible course names, instructor names, or message threads to surface across the sector for the next several months.
What will probably happen next
In order of likelihood:
- Targeted phishing emails referencing internal course or instructor names, sent to students and staff, attempting credential harvest or fraudulent payment requests.
- Vishing calls to IT helpdesks and finance/admin staff, using context from leaked data to appear legitimate.
- Impersonation of faculty in messages to students requesting urgent action (grade changes, fee payments, gift-card requests).
- Re-emergence of the dataset via secondary brokers or other extortion actors even after the 11 May "destruction" claim — particularly if affiliates retained copies.
- (Lower probability, longer time horizon) Follow-on intrusions where credentials harvested in this campaign are used to access other systems, particularly cloud services where the victim reused passwords.
The FBI has publicly advised anyone who may be affected: do not engage with anyone claiming to have your data, do not respond to demands or send payments, and verify any unsolicited email, call, or text claiming to be from your school or learning management system through known channels before responding. This is useful framing to incorporate into your own user notifications.
Threat actor context: who ShinyHunters are.
Behavioural profile
ShinyHunters is a financially motivated data-extortion actor that emerged in 2020. The operating model emphasises public coercion rather than encryption: leak-site listings, staged sample releases, deadline-based negotiation pressure, and login-page defacement to amplify visibility. Until late 2025 ransomware was not part of the playbook (see "evolution" below).
The group has demonstrated effective tradecraft against SaaS and cloud-hosted environments, with particular skill at exploiting integration pathways — OAuth tokens, API keys, third-party connectors — rather than compromising endpoints.
Current reporting describes the actor as a loose affiliation of teenagers and young adults based in the US and UK. Sebastien Raoult, an alleged member, was sentenced to three years' prison and over $5 million in restitution by the US Department of Justice in 2024.
Infrastructure status — May 2026
- Clearnet domain shinyhunte[.]rs reported suspended / non-resolving as of 12 May 2026 (multiple Tier-2 sources; corroborated by Protos Labs 12-hour technical monitoring: DNS non-resolution, RDAP 404). Moderate confidence that this is a permanent suspension vs. a transient outage, pending registrar confirmation.
- Onion leak infrastructure announced as the group's new primary distribution channel post-clearnet suspension. The pre-existing shinypogk4j…[.]onion site referenced in Bitdefender's 8 May Technical Advisory continues to be the principal observed onion address.
- Operational impact for monitoring teams: the shift to onion infrastructure reduces visibility for organisations without lawfully-authorised dark-web monitoring. Closed-source feed coverage (VirusTotal, Censys, Shodan) and approved onion-monitoring services become more important; passive DNS and certificate-transparency monitoring for "shinyhunte" substrings should continue for replacement-domain discovery.
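The replacement-domain discovery step described above, as an added example that is not Protos Labs tooling or part of the original pack: it runs offline over constructed crt.sh-style certificate-transparency entries and Farsight-style passive-DNS records, folds leet digits and hyphens before substring matching so spelling variants still hit, and suppresses the already-known suspended domain. The watch list, the known-domain set and the .example/.test sample domains are assumptions.

```python
"""Candidate replacement-domain discovery for a suspended leak-site domain."""
from typing import Optional

# Substrings to hunt for: the pack's "shinyhunte" plus the ShinySp1d3r branding.
# Assumption: this watch list and the known-domain set are ours, not Protos Labs'.
WATCH_SUBSTRINGS = ("shinyhunte", "shinysp1d3r")
KNOWN_DOMAINS = {"shinyhunte.rs"}  # already tracked; only new domains are reported
# Fold leet digits and hyphens so "sh1ny-hunters" still hits "shinyhunte".
_FOLD = str.maketrans({"1": "i", "3": "e", "0": "o", "4": "a", "5": "s", "7": "t", "-": None})

def canonical(name: str) -> str:
    """Lowercase, drop a wildcard label and trailing dot (both common in CT/pDNS)."""
    name = name.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name

def match_substring(name: str) -> Optional[str]:
    """Return the watch substring the folded name contains, else None."""
    folded = canonical(name).translate(_FOLD)
    for needle in WATCH_SUBSTRINGS:
        if needle.translate(_FOLD) in folded:
            return needle
    return None

def _record(found: dict, name: str, source: str, seen: str) -> None:
    hit, dom = match_substring(name), canonical(name)
    if hit is None or dom in KNOWN_DOMAINS:
        return
    entry = found.setdefault(dom, {"matched": hit, "sources": set(), "first_seen": seen})
    entry["sources"].add(source)
    if seen and (not entry["first_seen"] or seen < entry["first_seen"]):
        entry["first_seen"] = seen  # earliest sighting across feeds wins

def discover(ct_entries: list, pdns_records: list) -> dict:
    """Merge crt.sh-style CT entries and Farsight-style pDNS records into one
    domain -> {matched, sources, first_seen} map of candidate replacement domains."""
    found: dict = {}
    for e in ct_entries:  # crt.sh packs several SANs into one newline-separated field
        for san in e.get("name_value", "").split("\n"):
            _record(found, san, "ct", e.get("not_before", ""))
    for r in pdns_records:
        _record(found, r["rrname"], "pdns", r.get("time_first", ""))
    return found

def defang(domain: str) -> str:
    """Report-safe rendering, matching the pack's shinyhunte[.]rs style."""
    return domain.replace(".", "[.]")

# Constructed sample feeds (not real observations); .example/.test TLDs are reserved.
SAMPLE_CT = [
    {"name_value": "www.uni.example\nlms.uni.example", "not_before": "2026-05-12T03:11:00"},
    {"name_value": "*.sh1nyhunters.example", "not_before": "2026-05-12T09:40:00"},
    {"name_value": "cdn.shiny-hunters.test", "not_before": "2026-05-12T11:02:00"},
]
SAMPLE_PDNS = [
    {"rrname": "shinyhunte.rs.", "rrtype": "A", "time_first": "2026-05-11T22:00:00"},
    {"rrname": "sh1nyhunters.example.", "rrtype": "A", "time_first": "2026-05-12T08:15:00"},
    {"rrname": "SHINYHUNTERS-MIRROR.example.", "rrtype": "NS", "time_first": "2026-05-12T10:00:00"},
    {"rrname": "mail.contoso.test.", "rrtype": "MX", "time_first": "2026-05-12T10:30:00"},
]

if __name__ == "__main__":
    for dom, info in sorted(discover(SAMPLE_CT, SAMPLE_PDNS).items()):
        print(defang(dom), info["matched"], sorted(info["sources"]), info["first_seen"])
```

Every hit is a lead for analyst review, not an indicator in itself: a hyphenated or leet-spelled match may be an unrelated registration or a researcher's sinkhole.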
The SLSH alliance — important context
ShinyHunters now operates within Scattered LAPSUS$ Hunters (SLSH), a situational alliance fusing ShinyHunters, LAPSUS$, and Scattered Spider tradecraft. The umbrella sits inside the broader "Com" cybercrime ecosystem.
Mandiant currently tracks the activity across multiple UNC clusters that overlap with or feed ShinyHunters-branded extortion: UNC6040, UNC6240, UNC6661, and UNC6671. The Bling Libra cluster (Unit 42's designation for the same actor) is also part of this picture.
For CISOs, that means when you read about "ShinyHunters" in the press, you may be reading about several overlapping or affiliated clusters using shared infrastructure, branding, and extortion tooling. Defences calibrated to the brand alone may miss adjacent activity.
Targeting pattern
Recent ShinyHunters and SLSH activity shows recurring overlap with:
- Salesforce — the central recurring infrastructure target. The Salesloft Drift supply-chain attack (August 2025), the Salesforce Aura campaign, and direct vishing-driven Salesforce intrusions are all linked to this group. The actor claims ~1.5 billion Salesforce records across ~760 organisations; independent reporting confirms at least ~400 affected Salesforce customers in the campaign cluster. The McGraw Hill, Infinite Campus, and ADT intrusions are Salesforce-rooted. ShinyHunters has also claimed that Instructure's Salesforce instance was breached in May 2026, but Instructure has not confirmed this; the vendor-confirmed vector is the Canvas Free-For-Teacher account program (see Section 1).
- Analytics and data-pipeline supply-chain pivots. In April 2026 ShinyHunters compromised Anodot (a third-party analytics provider) and used stolen authentication tokens to pivot into customers' Snowflake and BigQuery environments. Vimeo is the publicly named victim of that pivot (~119,200 unique emails, 106GB leaked after extortion failed). ShinyHunters told BleepingComputer it had stolen data from "dozens of companies" via Anodot tokens. The earlier 2024 Snowflake customer campaign (Ticketmaster ~560M records, AT&T call/text metadata, Santander 30M, Neiman Marcus, and others) is also attributed to ShinyHunters.
- Identity providers. Okta is the primary identity-provider target via vishing-driven AiTM attacks; the group has also moved laterally into Microsoft 365 and Google Workspace environments via stolen SSO sessions.
- Education and edtech. Confirmed ShinyHunters victims: Instructure (September 2025 + May 2026), Infinite Campus (March 2026, via Salesforce), McGraw Hill (April 2026, via a Salesforce misconfiguration), and the late-2025 university intrusions at Penn, Princeton, and Harvard.
- Datasets containing PII and communications content — the mix that makes downstream phishing more credible.
The overlap is at the level of shared target platforms and integration pathways, not shared C2 infrastructure. This means defences focused on Salesforce hygiene, analytics-vendor token management, identity-provider controls, and integration least-privilege transfer well across incidents.
Evolution: three phases
The threat has changed materially over the last 24 months. Defences calibrated to the 2024 version of this group will miss the 2026 version.
Phase 1 · Historical, 2020–2024
Stealing OAuth keys and AWS credentials from public GitHub repositories, using them to bulk-export cloud databases, and reselling on underground markets. The Tokopedia and Microsoft GitHub incidents are early examples. By mid-2024 the credential-theft model expanded into the Snowflake customer campaign (Ticketmaster, AT&T, Santander and others), using credentials harvested from infostealer logs rather than GitHub.
Phase 2 · Current, 2025–2026
A shift in initial access from technical exploitation to phone-based social engineering. The primary entry technique is now a vishing call: an attacker impersonates IT, creates urgency around an SSO reset or MFA update, and uses a real-time adversary-in-the-middle (AiTM) phishing kit to relay credentials and MFA codes. Documented post-compromise behaviour includes registering an attacker-controlled device for MFA, then immediately deleting the "Security method enrolled" notification email from the victim's mailbox to avoid detection. Mandiant, Okta, and Sophos have all published detailed analyses of this technique throughout late 2025 and early 2026.
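The post-compromise pattern described above (new MFA device enrolled, then the "Security method enrolled" notification deleted from the victim's mailbox) is a correlatable signal. The following detection logic is an added example, not part of the original pack and not any vendor's rule: it runs over a constructed, vendor-neutral event stream, and the event names, field layout, time windows and sample tenant are assumptions; in practice you would map your identity provider's enrollment event and your mail platform's delete-audit event onto these names.

```python
"""Detect MFA-device enrollment followed by deletion of the enrollment alert mail."""
from datetime import datetime, timedelta

# Constructed, vendor-neutral event schema (assumption): map your IdP enrollment
# event and your mailbox delete-audit event onto these action names.
ENROLL = "mfa.method.enrolled"
RESET = "sso.password.reset"
DELETE = "mailbox.item.deleted"
ALERT_SUBJECT = "security method enrolled"   # the notification the actor removes
DELETE_WINDOW = timedelta(minutes=30)        # alert deleted this soon after enrolment is suspicious
RESET_WINDOW = timedelta(hours=2)            # helpdesk reset shortly before = vishing pretext pattern

def _ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def detect(events: list) -> list:
    """Return one finding per enrollment whose alert mail was deleted within DELETE_WINDOW."""
    by_user: dict = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user.setdefault(ev["user"], []).append(ev)
    findings = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["action"] != ENROLL:
                continue
            t0 = _ts(ev["ts"])
            deleted = next(
                (d for d in evs[i + 1:]
                 if d["action"] == DELETE
                 and ALERT_SUBJECT in d.get("subject", "").lower()
                 and _ts(d["ts"]) - t0 <= DELETE_WINDOW),
                None)
            if deleted is None:
                continue
            # A reset shortly before the enrolment matches the "urgent SSO reset" pretext.
            recent_reset = any(
                r["action"] == RESET and timedelta(0) <= t0 - _ts(r["ts"]) <= RESET_WINDOW
                for r in evs[:i])
            findings.append({
                "user": user,
                "enrolled_at": ev["ts"],
                "deleted_at": deleted["ts"],
                "minutes_to_delete": round((_ts(deleted["ts"]) - t0).total_seconds() / 60, 1),
                "device": ev.get("device", ""),
                "severity": "critical" if recent_reset else "high",
            })
    return findings

SAMPLE_EVENTS = [  # constructed sample, not from any real tenant
    {"ts": "2026-05-07T13:02:00Z", "user": "jdoe@uni.example", "action": RESET, "actor": "helpdesk"},
    {"ts": "2026-05-07T13:10:00Z", "user": "jdoe@uni.example", "action": ENROLL, "device": "Android (new)"},
    {"ts": "2026-05-07T13:13:00Z", "user": "jdoe@uni.example", "action": DELETE,
     "subject": "Security method enrolled: Authenticator app"},
    {"ts": "2026-05-07T09:00:00Z", "user": "asmith@uni.example", "action": ENROLL, "device": "iPhone"},
    {"ts": "2026-05-07T15:30:00Z", "user": "asmith@uni.example", "action": DELETE,
     "subject": "Security method enrolled"},
    {"ts": "2026-05-07T10:00:00Z", "user": "bchen@uni.example", "action": ENROLL, "device": "YubiKey"},
    {"ts": "2026-05-07T10:05:00Z", "user": "bchen@uni.example", "action": DELETE, "subject": "Weekly digest"},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Only jdoe fires: asmith deleted the alert hours later (outside the window) and bchen deleted an unrelated message, which is the kind of benign activity the window and subject match are there to exclude.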
Phase 3 · Emerging
A purpose-built ransomware family, ShinySp1d3r (also written Sh1nySp1d3r), tracked by Unit 42 under the Bling Libra cluster name, was first observed in November 2025. Discovered samples to date are Windows PE binaries; a Linux variant has been announced by the group but not yet observed in samples. The encryptor was reportedly built from scratch and is still under active development. This means the group is moving toward combined data-theft and encryption, which expands the relevant attack surface beyond pure SaaS data exfiltration.
Sources.
Vendor
Instructure status communications and incident update log (instructure.com/incident_update); CISO Steve Proud's update log; CEO Steve Daly's 11 May agreement statement; application-key timestamp notice; community posts.
Vendor research / threat intelligence (Tier 1)
- Mandiant / Google Threat Intelligence Group — vishing campaign analysis, UNC cluster tracking (UNC6040, UNC6240, UNC6661, UNC6671), defensive guidance for ShinyHunters-branded data theft
- Palo Alto Networks Unit 42 — Bling Libra coverage, ShinySp1d3r ransomware IOC feed (21 November 2025), Scattered LAPSUS$ Hunters updates
- CrowdStrike — engaged by Instructure for forensic analysis and incident response (per The Register, 12 May 2026)
- Okta Threat Intelligence — vishing-enabled phishing-kit analysis
- Sophos Counter Threat Unit — campaign attribution and infrastructure analysis
- Bitdefender — Technical Advisory: ShinyHunters Breach of Instructure Canvas LMS (8 May 2026) — Free-For-Teacher exploitation analysis and IOCs
Government
FBI Cyber Division (public advisory and social-media alert); US Cybersecurity and Infrastructure Security Agency (CISA) notification.
News reporting (Tier 2)
The Register (double-intrusion and ransom-agreement coverage, 12 May 2026; Congressional inquiry coverage, 12 May 2026); Help Net Security ("risky approach to recover stolen Canvas data," 12 May 2026); Inside Higher Ed ("Instructure Pays Ransom to Canvas Hackers," 11 May 2026); CNN; Time; BleepingComputer; HackRead; TechCrunch; KSL; WRAL; NBC; ABC News (Australia); CBS Sacramento; ABC15. Coverage from student newspapers including the Harvard Crimson, the Duke Chronicle, and the Daily Pennsylvanian.
OSINT and analysis (Tier 3 — leads require corroboration)
SOCRadar; Memeburn; Ogun Security; Ransomware.live; Halcyon ("Education Sector in the Crosshairs"); Have I Been Pwned breach ingestion records; the Wikipedia 2026 Canvas security incident article (which compiles primary sources).
Underlying Protos Labs investigations
- ShinyHunters / Instructure (Canvas) Incident — May 3–6, 2026
- ShinyHunters — Threat Actor Dossier: Instructure/Canvas Campaign (Apr 06 → May 06 2026)
- ShinyHunters Defense Advisory (university defensive layering)
- ShinyHunters / Bling Libra — TTP & IOC Monitoring Reference
- ShinyHunters 12-hour Monitoring Report (2026-05-12T12:00Z → 2026-05-13T00:00Z) — clearnet infrastructure status, new IOC monitoring (no new clearnet IOCs in window)
Prepared by Protos Labs Threat Intelligence. TLP:CLEAR — share freely within and between organisations to support sector defence.
This pack supersedes the 10 May 2026 v2 edition. Update as Instructure publishes additional forensic findings or as the dataset re-emerges via secondary distribution.