Instructure Breach by ShinyHunters (May 2026)

Claim Summary

On May 5, 2026, the threat actor group ShinyHunters posted a claim on their dark web leak site alleging a data breach of Instructure, the provider of the Canvas Learning Management System (LMS). According to the post, the group has obtained a list of schools affected by the breach and is threatening to release all data by May 7, 2026, if a settlement is not reached. The post claims that Instructure has not engaged in negotiations and that the ransom demand was “not even as high as you might think.” The group warns that non-payment will “worsen the situation rather than resolving it,” and has issued a “FINAL WARNING PAY OR LEAK” notice. This claim has not been independently verified by Yazoul Security.

Threat Actor Profile

ShinyHunters is a threat actor group known for data breaches and extortion campaigns, primarily targeting educational institutions, technology firms, and other sectors. The group has a history of claiming high-profile breaches, including those of academic platforms and databases. Their tactics typically involve exploiting vulnerabilities in web applications, misconfigured databases, or compromised credentials to exfiltrate sensitive data. ShinyHunters often uses extortion as a primary motivator, posting stolen data on leak sites if ransoms are not paid. While the group’s total known victims are undisclosed, their track record includes several verified breaches, lending some credibility to their claims. However, they have also been known to exaggerate or repackage old data to pressure victims. No specific tools or YARA rules are publicly available for ShinyHunters at this time.

Alleged Data Exposure

The group claims to have obtained a list of schools affected by the Instructure Canvas LMS data breach. The post does not specify the exact data types or volume, but based on typical Canvas LMS breaches, this could include student names, email addresses, course enrollments, grades, and potentially other personally identifiable information (PII). The group has provided a download button for the list of affected schools, but Yazoul Security has not accessed or verified this data. The threat actor states that schools on the list can negotiate privately via TOX to prevent data release, but the deadline is May 7, 2026. The post also implies that Instructure has not responded, suggesting the group may have attempted direct contact.

Potential Impact

If verified, this breach could have significant consequences for the affected schools and their students. Exposure of student PII could lead to identity theft, phishing attacks, and reputational damage for the institutions. Schools may face regulatory scrutiny under data protection laws, such as FERPA in the United States or GDPR in Europe, depending on the jurisdiction. The alleged lack of response from Instructure could also erode trust in the platform, potentially affecting its adoption by educational institutions. Additionally, the group’s threat to release all data by May 7, 2026, creates a time-sensitive pressure for both Instructure and the listed schools.

What to Watch For

• Monitor for any official statements from Instructure regarding the alleged breach.
• Affected schools should review their data security posture and consider engaging cyber advisory firms as suggested by the threat actor.
• Watch for any leaked data on dark web forums or leak sites after the May 7 deadline.
• Be alert for phishing attempts targeting students and staff using the alleged breached data.
• Verify the authenticity of any communications claiming to be from ShinyHunters or related parties.

Disclaimer

This report is based solely on unverified claims made by the threat actor group ShinyHunters on their dark web leak site. Yazoul Security has not independently confirmed the breach, the data, or the identity of the affected schools. Ransomware groups frequently exaggerate or fabricate claims to pressure victims. No PII, download links, or access methods are provided in this report. Readers should treat this information with skepticism and await official confirmation from Instructure or relevant authorities.