{“lastseen”:”2026-05-08T14:05:08″,”description”:”Days after confirming a major data breach, Instructure is now facing a second blow.\\n\\nEarlier this week, Instructure confirmed a major data breach affecting its cloud\u2011hosted Canvas environment, with the ShinyHunters group claiming it stole hundreds of millions of records tied to thousands of schools and universities worldwide. As discussed in our earlier blog, that incident involved data such as student and staff records, enrollment details, and private messages allegedly accessed through Canvas export features and APIs. At that stage, the focus was on large\u2011scale data theft and the long\u2011term risks for affected students and families, including identity fraud and highly targeted phishing.\\n\\nAccording to new reporting, ShinyHunters has now hit Instructure again, this time moving from quiet data theft to very visible extortion. Using another vulnerability in Instructure\u2019s systems, the attackers were able to modify Canvas login portals for hundreds of educational institutions, defacing both web logins and the Canvas app with an on\u2011screen ransom message.\\n\\nImage credit: vx-underground\\n\\nThe message both claimed responsibility for the earlier breach and set a deadline of May 12 for Instructure and affected schools to contact the gang or risk the public release of stolen data.\\n\\nThis second wave matters for two reasons. First, it confirms that ShinyHunters still has meaningful access to Instructure\u2019s environment, or at least to components that control the look and behavior of school login pages. Second, it marks a clear escalation in pressure tactics, from leaked claims and dark web posts to messages shown directly to students, parents, and staff trying to access their courses.\\n\\n## How to deal with this data breach\\n\\nFor students and families, the practical advice from our original blog still applies:\\n\\n * Reset Canvas\u2011related passwords\\n * Enable multi\u2011factor authentication where possible\\n * Monitor financial and credit activity as children get older\\n * Stay wary of highly personalized phishing that references real schools, courses, or teachers\\n\\n\\n\\nFor schools and districts, this latest extortion campaign underlines the need to coordinate closely with Instructure, review single sign-on (SSO) integrations, and prepare clear communications so that any future defacements or data leaks do not catch staff and parents by surprise.\\n\\n* * *\\n\\n\\n\\n### ****\u201cOne of the best cybersecurity suites on the planet.\u201d** **\\n\\nAccording to CNET. Read their review \u2192\\n\\n* * *”,”published”:”2026-05-08T12:00:01″,”modified”:”2026-05-08T12:00:01″,”type”:”malwarebytes”,”title”:”ShinyHunters escalates Canvas attacks with school login defacements”,”source”:””,”references”:””,”id”:”MALWAREBYTES:DE11220BFEE59A50990A7A149A46BBD4″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/05\/shinyhunters-escalates-canvas-attacks-with-school-login-defacements”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-08T14:05:08″,”description”:”Days after confirming a major data breach, Instructure is now facing a second blow.\\n\\nEarlier this week, Instructure confirmed a major data breach affecting its cloud\u2011hosted…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-52498","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n