ShinyHunters Strikes Again: Canvas Login Pages Defaced

On Tuesday, Instructure disclosed a breach where hackers stole student names, personal emails, and teacher-student messages. Now, the same group—ShinyHunters—claims a second, separate breach. They defaced the Canvas login pages of at least three schools, injecting an HTML file that replaced the login screen with an extortion message.

> "The hackers will publish the stolen data on May 12 if the company does not 'negotiate a settlement.'"

At the time of writing, Instructure's website was partially online, returning "too many requests" errors. The Canvas portal displayed a "scheduled maintenance" notice. Instructure did not respond to TechCrunch's request for comment.

How the Attack Unfolded

ShinyHunters previously claimed responsibility for the initial hack, publicizing it on their leak site to pressure Instructure into paying a ransom. This new defacement—and the fact that the hackers notified TechCrunch—shows they're escalating pressure on both Instructure and its customers.

The group compromised the login pages by injecting an HTML file. How they gained access remains unclear. When asked, a ShinyHunters member told TechCrunch they couldn't comment on specifics but confirmed this is a second, separate breach.

Scale of the Original Breach

The first breach allegedly stole data from almost 9,000 schools worldwide, with files containing information on 231 million people. That's a massive trove of PII (personally identifiable information) including student records and internal communications.

ShinyHunters' Playbook

ShinyHunters has followed this financially motivated playbook for years: hack, publicize, extort. They've compromised countless victims, often targeting education and tech companies. Their modus operandi is to steal large datasets, then demand payment to prevent public release.

What Developers Should Know

If you manage any system that integrates with Canvas or other Instructure products, this is a red flag. The defacement suggests the attackers may have compromised more than just the login pages—they could have access to API endpoints, user databases, or even the underlying infrastructure.

Check your organization's Canvas instance for any unauthorized changes. Review logs for unusual activity around the time of the defacement. If your school uses Canvas for SSO (Single Sign-On), consider rotating API keys and tokens immediately.

The Bigger Picture

This incident highlights the vulnerability of educational platforms. Schools often run outdated software, have limited security budgets, and store sensitive data on millions of minors. The combination makes them prime targets for ransomware and extortion groups.

For developers building integrations with third-party platforms like Canvas, always assume the third party could be compromised. Implement defense-in-depth: encrypt sensitive data at rest and in transit, use minimal privilege access tokens, and monitor for anomalous API calls.

What to Do Now

  1. Verify your Canvas instance: Check for any HTML injections or altered login pages.
  2. Review access logs: Look for unauthorized API calls or admin actions.
  3. Rotate secrets: Change any API keys, tokens, or passwords used with Canvas.
  4. Notify users: If your institution uses Canvas, inform students and staff about the breach and recommend changing passwords.
  5. Monitor ShinyHunters' leak site: On May 12, check if your data appears in the dump.
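
For step 1, one way to check a login page for alteration is to compare its security-relevant structure against a known-good copy rather than eyeballing it. The script below is an added example, not code from Instructure or TechCrunch; the two sample pages are constructed and are not real Canvas markup, and the function and class names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class LoginFingerprint(HTMLParser):
    """Collect the parts of a login page an injected HTML file would change."""
    def __init__(self):
        super().__init__()
        self.form_actions, self.script_hosts = set(), set()
        self.password_fields = 0
        self.inline_scripts = 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.form_actions.add(a.get("action") or "")
        elif tag == "input" and (a.get("type") or "").lower() == "password":
            self.password_fields += 1
        elif tag == "script":
            if a.get("src"):
                self.script_hosts.add(urlparse(a["src"]).netloc or "(same-origin)")
            else:
                self.inline_scripts += 1

def fingerprint(html):
    parser = LoginFingerprint()
    parser.feed(html)
    parser.close()
    return parser

def drift(baseline_html, current_html):
    """Return findings describing how the current page departs from the baseline."""
    b, c = fingerprint(baseline_html), fingerprint(current_html)
    findings = []
    if b.password_fields and not c.password_fields:
        findings.append("login form missing: password field no longer present")
    for action in sorted(c.form_actions - b.form_actions):
        findings.append(f"new form action: {action!r}")
    for host in sorted(c.script_hosts - b.script_hosts):
        findings.append(f"new script host: {host}")
    if c.inline_scripts > b.inline_scripts:
        findings.append(f"inline scripts increased: {b.inline_scripts} -> {c.inline_scripts}")
    return findings

# Constructed sample pages: a known-good login form and a replaced page.
BASELINE = '<html><body><form action="/login"><input type="text" name="u"><input type="password" name="p"></form><script src="/assets/app.js"></script></body></html>'
REPLACED = '<html><body><h1>Notice</h1><p>placeholder replaced content</p><script src="https://cdn.example.invalid/x.js"></script></body></html>'

if __name__ == "__main__":
    for finding in drift(BASELINE, REPLACED):
        print("ALERT:", finding)
```

Store the baseline from a copy you trust, fetched before the incident window, and run the comparison on a schedule so a replaced page raises an alert instead of waiting for a user report.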

This is an active situation. Keep an eye on Instructure's security advisories and TechCrunch for updates. The defacement may be a precursor to more aggressive attacks.

This article was based on reporting by Lorenzo Franceschi-Bicchierai and Zack Whittaker at TechCrunch.