### Canvas Login Portals Defaced **Instructure**, the company behind the popular **Canvas** learning management system, is grappling with the fallout from a second attack allegedly perpetrated by the **ShinyHunters** extortion group. The attackers exploited a vulnerability to deface **Canvas** login portals, impacting approximately 330 educational institutions. The defaced pages displayed a message claiming responsibility for a prior breach and demanding a ransom to prevent the release of stolen student data. The defacements, which were visible for about 30 minutes before being taken offline, warned **Instructure** and affected schools to contact the group by May 12 to negotiate a settlement. The message stated that if their demands were ignored, student data would be leaked. "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches'," the defacement read.  *Defaced University of Texas San Antonio Canvas login page* ### Previous Breach and Data Theft Claims This incident follows **Instructure's** recent disclosure that they were investigating a cyberattack. **ShinyHunters** claimed to have stolen 280 million student and staff records from 8,809 schools, universities, and educational platforms using the **Canvas** system. The stolen data allegedly includes user records, private messages, enrollment data, and other information obtained through **Canvas** data export features and APIs. **Instructure** has confirmed the data breach and stated that they are continuing to investigate the incident. BleepingComputer reports that they have repeatedly contacted **Instructure** for comment, including questions about notifying affected students and staff, but have not received a response. ### Who is ShinyHunters? The name **ShinyHunters** has been linked to numerous threat actors involved in data breaches since 2018. This year, groups using the **ShinyHunters** moniker have become increasingly active in data theft and extortion attacks targeting organizations worldwide. They have primarily focused on **Salesforce** and other cloud SaaS environments, and have been connected to breaches affecting companies such as **Google**, **Cisco**, **PornHub**, and **Match Group**. Their tactics include breaching third-party integration companies and using stolen authentication tokens to access customer data. They are also known for conducting voice phishing (vishing) attacks targeting **Okta**, **Microsoft**, and **Google** single sign-on (SSO) accounts. As BleepingComputer previously reported, **ShinyHunters** has adopted device code vishing attacks to obtain **Microsoft Entra** authentication tokens. After stealing credentials and authentication codes, the attackers hijack SSO accounts to breach connected enterprise services like **Salesforce**, **Microsoft 365**, **Google Workspace**, **SAP**, **Slack**, **Adobe**, **Atlassian**, **Zendesk**, and **Dropbox**. While individual members have faced arrests, the **ShinyHunters** group continues to operate, even offering extortion-as-a-service to other threat actors. <!--HubSpot Ad-->