ShinyHunters cybercriminals deface Instructure Canvas portals in latest extortion attempt

The cybercrime collective ShinyHunters has defaced the login portals of three separate educational institutions that utilise the Instructure Canvas platform. The intrusion displays an extortion message demanding a settlement from the company to prevent the public release of allegedly stolen student and teacher data by 12 May.

This incident marks a second separate breach attributed to the group, which previously claimed to have compromised information from nearly 9,000 schools worldwide. That earlier attack reportedly impacted approximately 231 million individuals, with stolen files allegedly containing names, personal email addresses, and private messages exchanged between teachers and students.

Observation of the compromised portals indicates that the attackers injected an HTML file to alter the login screens and display their demands. While Instructure's main website appeared partially offline with error messages at the time of reporting, the Canvas portal itself showed a notice regarding scheduled maintenance, though it is unclear if this was an operational issue or a tactic to obscure the defacement.

A member of ShinyHunters confirmed to TechCrunch that this event is distinct from the prior breach but declined to provide technical details on how the login pages were accessed. The group has not specified the extent or type of data stolen in this latest incident, referring only to general "stolen data" in their threats.

Instructure has not yet responded to requests for comment regarding the new defacement. The company remains under pressure from the attackers, who utilise a financially motivated playbook involving hacking, publicising stolen data on leak sites, and extorting victims into paying ransoms to keep the information private.