TLP:CLEAR · Intelligence Report · May 2026

Canvas × ShinyHunters
Breach Investigation

8,000+ institutions. 41% of North American higher-ed. Instructure's second ShinyHunters breach in eight months — Protos AI mapped the full attack chain, TTPs, and affected targets in under 30 minutes.

80Intelligence nodes
87Mapped connections
2ndBreach in 8 months
~30 minvs. days of manual analysis

What's in the report

On 25 April 2026, ShinyHunters — operating within the Scattered LAPSUS$ Hunters (SLSH) alliance — breached Instructure’s Canvas platform via its Free-For-Teacher account program. Confirmed exposed data includes names, institutional email addresses, student IDs, and private Canvas inbox messages across thousands of institutions. This is Instructure’s second ShinyHunters breach in eight months.

The immediate risk is not ransomware — it’s a wave of highly credible phishing and vishing attacks using stolen course names, instructor details, and message content. This report gives your security team the full picture: attack timeline, threat actor profile, MITRE ATT&CK TTP mapping, IOCs, and nine prioritised actions for this week.

↗ ShinyHunters / SLSH threat actor profile&— motivation, evolution, and SLSH alliance context
↗ Full MITRE ATT&CK TTP mapping — T1190, T1078, T1567 + more
↗ Confirmed victims&— Canvas, McGraw Hill, Infinite Campus, universities
↗ 9 prioritised CISO actions + IOCs, detection rules, monitoring tiers

Get the full CISO brief

18-page threat intelligence pack for education sector security leaders. TLP:CLEAR — free to share.