Canvas Login Pages Are Defaced In Mass Extortion Campaign After Instructure Breach

by Justin Erickson

The extortion group “ShinyHunters” defaced Canvas login portals for about 330 educational institutions, replacing normal sign-in pages with an extortion message demanding negotiation and payment by May 12, 2026. This followed soon after Instructure’s recent disclosure that data was stolen from Canvas. This data included “…names, email addresses, [and] student ID numbers,” as well as “…user records, private messages, enrollment data, and other information allegedly gathered through Canvas data export features and APIs.” ShinyHunters claims they stole 280 million student and staff records from 8,809 schools. Canvas went offline during the breach, but as of writing this post, Canvas is back up and working for most users. Instructure is still actively investigating this issue.