

UPDATE - May 8: ShinyHunters just released a press statement. They have also removed their ransom threats related to their Canvas LMS breach. This is a strong indication they got paid:
PRESS STATEMENT
Due to the significant amount of press inquiries we are receiving every hour from all around the world, we are making a public statement.
We are not commenting and have no further comment to make regarding this global incident.
ORIGINAL NEWS ITEM:
A recent cyberattack on Instructure, the parent company of the Canvas Learning Management System (LMS), has escalated into a massive global extortion event. The threat actor group known as ShinyHunters has issued a "final warning" ransom demand, claiming to have compromised data from nearly 9,000 educational institutions worldwide, including many major Canadian educational institutions.
This breach is estimated to impact approximately 275 million individuals, including students, teachers, and staff, and reportedly involves the theft of names, email addresses, student IDs, and billions of private messages.
ShinyHunters, a prolific cyber-extortion group specializing in cloud environment exploits and social engineering, has given a strict deadline of May 7, 2026, before they publicly leak the stolen databases. The group claims that in addition to the Canvas LMS data, they have also successfully breached associated Salesforce instances, further expanding the volume of sensitive information at risk.
The severity of this breach highlights a critical vulnerability in the educational technology sector, as the leaked list of affected schools includes major universities and K-12 districts across the globe. Concerned institutions are being urged to verify their status on the leaked lists and consult with cyber advisory firms to mitigate potential damages. As the ransom deadline approaches, the situation serves as a stark reminder of the escalating risks posed by supply chain attacks targeting the privacy and digital security of millions of students and educators.
On May 3, 2026, ShinyHunters posted the following on their dark web onion site:
QUOTE
Instructure Holdings, Inc. (Canva LMS, instructure.com)
Nearly 9,000 schools worldwide affected. 275 million individuals' data ranging from students, teachers, and other staff containing PII. Several billions of private messages among students and teachers and students and other students involved, containing personal conversations and other PII. Your Salesforce instance was also breached and a lot more other data is involved. Pay or Leak.
This is a final warning to reach out by 6 May 2026 before we leak along with several annoying (digital) problems that'll come your way.
Make the right decision, don't be the next headline.
UNQUOTE
On May 5, 2026, ShinyHunters posted the following on their dark web onion site, which included a downloadable list of the 9,000 educational institutions affected:
QUOTE
Entire list of affected schools by Instructure breach
The download button below is a list of affected schools by the Instructure Canvas LMS data breach. If any of the schools in the file are interested in preventing the release of their data please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 7 May 2026 before everything is leaked and there will be no chance at a negotiation for anyone.
Instructure has not even bothered speaking to us to understand the situation or to even negotiate with us to prevent the release of this data. Our demand was not even as high as you might think it is. The Company seemingly does not care about all the students affected and the institutions impacted by this data breach. They still have by 6 May 2026 to come speak with us. There is no better option but to come to an agreement with us. Not paying will only worsen the situation rather than resolving it.
UNQUOTE
CyberAGroup has reviewed the list provided by the group and it includes 8809 educational institutions worldwide, including major Canadian institutions: The University of British Columbia, University of Toronto, University of Alberta, Humber College, British Columbia Ministry of Education, College O'Sullivan de Quebec, Concordia University, HEC Montreal.
UPDATE - ShinyHunters have extended their deadline till May 12th:
QUOTE
The deadline has been extended to 12 May 2026 due to some institutions engaging with us. Instructure, The Company also has till 12 May 2026 to contact us to prevent the full release. All data will be released by 12 May 2026, no further extension will be provided.
UNQUOTE
The recent activities of ShinyHunters highlight a paradigm shift in the field of cyber-extortion, moving away from isolated corporate targets in favor of the far more lucrative exploitation of digital supply chains. By compromising a single cloud service provider or infrastructure node, these actors exponentially increase their reach, harvesting sensitive data from thousands of client organizations through a single point of entry. This systemic vulnerability only intensifies as businesses continue to migrate toward centralized cloud ecosystems.