The attack on Instructure began on 30 April 2026, when the cybercrime group ShinyHunters managed to access the company’s cloud environment by exploiting a vulnerability in its infrastructure. Instructure, the parent company of Canvas LMS — the most widely deployed learning management platform in higher education globally — was forced to shut down parts of its service, including Canvas Data 2 and Canvas Beta. This week, the group is escalating pressure with a second attack and an extortion message published directly on the login screens of affected institutions. The deadline to pay or face a public data leak is 12 May.

What has happened with Canvas and Instructure?

The facts confirmed and reconstructed from sources including Malwarebytes, TechCrunch, DataBreaches.net, Hackread and Escudo Digital are as follows:

  • First breach (30 April — 1 May): ShinyHunters compromised 3.65 TB of Instructure data. The group claims to have stolen approximately 275 million records linked to students, teachers and staff, with a list of 8,809 educational institutions whose Canvas instances are said to have been compromised.
  • Data compromised: names, institutional email addresses, student IDs and private messages within the platform. Instructure stated it found no indication that passwords, dates of birth, government identifiers or financial information had been compromised.
  • Second breach (7 May — today): ShinyHunters defaced Canvas login pages at several educational institutions, injecting an extortion message directly onto the access screens of students and staff. TechCrunch confirmed the defacement at no fewer than three separate institutions.
  • The ultimatum: ShinyHunters has given Instructure and affected institutions until EOD 12 May 2026 to make contact and negotiate. After that date, they threaten to publish all stolen data.
  • Global scale: Hackread obtained the full list of institutions, with massive presence across the UK, Europe and the United States, amounting to around 15,000 institutions. BleepingComputer’s list counts 8,809 institutions with compromised data.
  • Canvas in Spain: although there is no public confirmation of which specific Spanish universities appear on the list, Canvas is the primary platform at institutions such as the Universidad Autónoma de Madrid, the Universidad del País Vasco, the Universidad de Salamanca and the Universidad Carlos III. Given the confirmed European scope of the breach, any Spanish institution using Canvas should assume potential risk and urgently verify its status with Instructure.

Why the education sector is a priority target

The attack on Instructure again highlights the growing interest of criminal groups in the education sector. In recent years, universities, schools and academic platforms have become priority targets. Four structural factors explain this pattern:

  1. High volumes of highly sensitive data. Education platforms store not only identifying data but also private messages, academic performance records, scholarship financial data and, in many cases, data relating to minors. A student profile is worth more on the black market than a simple email record.
  2. Complex and fragmented infrastructure. Many educational institutions operate with networks distributed across campuses, personal devices and external platforms, which makes comprehensive protection against advanced threats enormously difficult.
  3. Heavy dependence on centralised SaaS providers. Concentrating millions of users on a single platform means that each provider vulnerability becomes a mass threat for all client institutions simultaneously.
  4. Cybersecurity budget constraints. The education sector has historically invested less in security than the financial or healthcare sectors, despite handling comparable data volumes.

How ShinyHunters operates: extortion without encryption

ShinyHunters does not follow the classic ransomware model. Instead of encrypting systems, it extracts data en masse and leaks it publicly to apply pressure — what experts call the “industrialisation of data-based extortion”, avoiding encryption to reduce early detection. Its recent track record includes attacks on Ticketmaster, AT&T, Rockstar Games and Vercel.

The pattern of this specific attack follows three phases:

  1. Silent access: ShinyHunters exploited a vulnerability in Instructure’s infrastructure, extracted 3.65 TB of data and waited before revealing the breach. The victim organisation did not detect the intrusion for days.
  2. Direct extortion: once in possession of the data, the group published its demand on a leak site and contacted Instructure directly, threatening to release billions of private messages between students and teachers if the company did not comply.
  3. Public escalation: receiving no satisfactory response, ShinyHunters defaced Canvas login screens to make the attack visible to students and staff, multiplying media pressure on Instructure and the affected institutions.

This model is particularly effective in the education sector: the reputational damage from leaking private conversations between minors and teachers is sufficient to force negotiations even when the technical impact is limited.

Key lessons for Spanish universities and educational institutions

The Canvas-Instructure case leaves lessons directly applicable to any Spanish educational institution operating with third-party SaaS platforms:

  • Urgently verify status with Instructure. If your institution uses Canvas, contact your account manager to confirm whether you appear on the list of affected institutions and what specific data may have been compromised — before 12 May.
  • Review Canvas access logs for the past 30 days. Unusual activity in data exports, access from unrecognised IPs or mass authentication errors can be indicators of prior compromise.
  • Communicate proactively with students and staff. If impact is confirmed, swift and transparent communication reduces reputational damage. Instructure’s delayed response is being widely criticised and is worsening the perception of the incident.
  • Assess the provider’s security posture before renewing contracts. This is not the first attack on Instructure. A provider with a history of recurring incidents requires a formal risk assessment and improved contractual guarantees.
  • The 12 May deadline is real. If your institution is on the list and has not taken action, the risk of a public leak of student and staff data increases significantly from that date.
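
One way to triage the three indicators named in the log-review item above (data exports, access from unrecognised IPs, mass authentication errors). This is an added example, not code from the original article or from Instructure; the CSV columns, thresholds and network range are assumptions, and the log lines are constructed.

```python
import csv, io
from collections import Counter
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log. The column names are a hypothetical export schema.
SAMPLE_LOG = """\
timestamp,user,source_ip,event,status
2026-04-01T09:00:00,alice,203.0.113.9,login,success
2026-05-02T08:00:00,alice,10.20.1.5,login,success
2026-05-03T02:10:00,svc_report,198.51.100.7,data_export,success
2026-05-03T02:12:00,svc_report,198.51.100.7,data_export,success
2026-05-03T02:15:00,svc_report,198.51.100.7,data_export,success
2026-05-04T03:00:00,bob,192.0.2.44,login,failure
2026-05-04T03:00:05,carol,192.0.2.44,login,failure
2026-05-04T03:00:09,dave,192.0.2.44,login,failure
2026-05-04T03:00:14,erin,192.0.2.44,login,failure
"""

KNOWN_NETWORKS = [ip_network("10.20.0.0/16")]  # assumed campus/VPN range
AUTH_FAILURE_THRESHOLD = 4   # illustrative: failed logins per source IP
EXPORT_THRESHOLD = 3         # illustrative: exports per user per day

def triage(log_text, now, days=30):
    """Flag the three indicators over the last `days` days before `now`."""
    cutoff = now - timedelta(days=days)
    failures, exports, unknown = Counter(), Counter(), set()
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(row["timestamp"])
        if not cutoff <= ts <= now:
            continue  # outside the review window
        ok = row["status"] == "success"
        ip = ip_address(row["source_ip"])
        if ok and not any(ip in net for net in KNOWN_NETWORKS):
            unknown.add((row["user"], row["source_ip"]))
        if row["event"] == "login" and not ok:
            failures[row["source_ip"]] += 1
        if row["event"] == "data_export" and ok:
            exports[(row["user"], ts.date().isoformat())] += 1
    return {
        "unrecognised_ip_access": sorted(unknown),
        "mass_auth_failures": {ip: n for ip, n in failures.items()
                               if n >= AUTH_FAILURE_THRESHOLD},
        "export_bursts": {k: n for k, n in exports.items()
                          if n >= EXPORT_THRESHOLD},
    }

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, now=datetime(2026, 5, 7, 12, 0)))
```

Each flagged entry is a lead for manual review, not a verdict; thresholds and the known-network list need tuning to the institution's own baseline.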

Cybersecurity as a strategic priority

The Canvas attack confirms a trend the education sector can no longer ignore: centralised SaaS providers are first-tier attack vectors. A single vulnerability in Instructure simultaneously compromises thousands of institutions worldwide — exactly the same pattern seen in SolarWinds, in the SAP npm packages, in Trellix, and in Naturgy this same week.

For Spanish universities and educational institutions, the message is clear: the security of student and teacher data cannot be fully delegated to the provider. It requires continuous assessment of the security posture of third parties with access to that data, active monitoring of associated cloud environments, and incident response plans that explicitly address the scenario of a breach at a critical SaaS provider.

Apolo Cybersecurity: protecting the institutions that shape the future

At Apolo Cybersecurity we help universities, training centres and EdTech companies assess their real exposure to attacks like the one Instructure has suffered. We work on critical SaaS provider auditing, technology supply chain analysis, API and data export flow assessment, access monitoring and third-party incident response.

If your institution uses Canvas or other cloud-based LMS platforms and you have no visibility over what student and teacher data would be exposed in the event of a provider breach, this week’s incident is the signal to act. The 12 May deadline cannot wait.
