ShinyHunters and the Education Extortion Playbook

Business | SaaS | Technology
May 12, 2026

AUTHOR

James A. Wondrasek

When ShinyHunters listed Instructure on their dark web data leak site in late April 2026, the claim was specific: 3.65 terabytes of data, 275 million records, 8,809 institutions. One SaaS vendor had become the attack surface for an entire sector.

ShinyHunters — operating under the Scattered LAPSUS$ Hunters (SLH) collective umbrella — exfiltrated the data and set a payment deadline. No systems were encrypted. No decryption key existed. This is pay-or-leak extortion, and the distinction matters enormously for how you respond.

For the full factual record of what happened, see the Canvas breach. This article is the threat intelligence layer: who ShinyHunters are, how they get in, how they escalate, and why education became a deliberate target in 2026.

Who Is ShinyHunters — and How Did They Become a Credible Enterprise Threat?

ShinyHunters is a financially motivated data theft and extortion collective that first surfaced publicly in January 2020, selling stolen credentials and bulk databases through BreachForums. Over six years it evolved into one of the most active extortion operations targeting enterprise SaaS environments.

The group now operates under the Scattered LAPSUS$ Hunters (SLH/SLSH) collective — formally connecting ShinyHunters with Scattered Spider (UNC3944) and LAPSUS$ under the broader umbrella of The Com: a constellation of cybercrime-focused Discord and Telegram communities whose members are primarily English-speaking, multi-national, and financially motivated.

Don’t let that description breed complacency. As Push Security puts it, it’s “something closer to a distributed collective than a single coordinated group, with several independently operating clusters running parallel campaigns against different target sectors within a compressed timeframe.” Mandiant (GTIG) tracks distinct intrusion clusters — UNC6661, UNC6671, UNC6240 — and Charles Carmakal confirmed there are “multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now.”

Four ShinyHunters members were arrested by French authorities in June 2025. The group continued without any reduction in operational capability. Disrupting individual members has not disrupted the playbook.

ShinyCorp (also known as sp1d3rhunters), the group’s primary public persona, actively recruits employees at target organisations via Telegram — offering payment for Okta credentials, Microsoft SSO access, Citrix VPN access, or Git repository access. The human attack surface gets the same systematic treatment as the technical one.

What Is “Pay or Leak” Extortion — and Why Is It Not Ransomware?

The core of ShinyHunters’ model is simple: exfiltrate data, set a payment deadline, publish if unpaid.

Ransomware encrypts systems and withholds a decryption key. Pay or leak does neither. No systems are encrypted. No decryption key exists. ShinyHunters steals data and holds the threat of public release as leverage. Systems stay fully operational during the extortion period — which can create a false sense that there’s time to deliberate.

There isn’t. ShinyHunters’ message to Instructure made the timeline explicit: “Reach out by 6 May 2026 before we leak along with several annoying problems that’ll come your way.”

The mechanics are worth understanding. ShinyHunters operates a dark web Data Leak Site (DLS) on Tor infrastructure. Victim organisations are listed with countdown timers and data samples visible to the public — that public visibility is part of the pressure. When a victim disappears from the DLS, it signals the start of negotiations, not resolution.

Contact is established via TOX, an encrypted communications client. The defacement messages placed on Canvas login pages directed institutions to a TOX address for ransom negotiations. Don’t engage with it without qualified incident response and legal counsel.

On payment: Unit 221B (Allison Nixon) holds a firm position — do not pay. The group has a documented history of not honouring payment agreements. There is no technical mechanism to confirm data deletion. As KrebsOnSecurity’s reporting makes clear, SLH “appears uninterested in building a reputation of consistent behaviour whereby victims might have some measure of confidence that the criminals will keep their word if paid.”

Classify this as data extortion, not ransomware. The distinction has regulatory and coverage implications that matter.

How Does ShinyHunters Get In? Three Attack Vectors Explained

Push Security has documented three primary attack vectors across ShinyHunters’ 2024–2026 campaigns. All three share one critical feature: they bypass MFA. Standard MFA deployment — push notifications, SMS codes, even TOTP apps — is not enough against this threat actor.

Vector 1: Vishing Combined with AiTM Phishing

💡 AiTM (Adversary-in-the-Middle) phishing places an attacker-controlled proxy between the victim and the real login page — it captures session tokens and MFA codes in real time as the victim authenticates, giving the attacker an authenticated session without knowing the password.

An attacker impersonating IT support or an Okta help desk engineer creates urgency — “your MFA is about to expire,” “we detected unusual activity” — and directs the employee to a victim-branded credential harvesting page. The AiTM proxy relays everything to the legitimate identity provider in real time, capturing the authenticated session token as the victim completes MFA. The attacker then registers their own device for MFA. The credential is permanently compromised.

Calling infrastructure is automated using AI-powered voice platforms including Bland AI and Vapi, alongside VoIP services like Twilio and Google Voice. Any detection that depends on humans noticing something before acting is probably too slow.

Vector 2: Vishing Combined with Device Code Phishing

💡 Device code phishing exploits the OAuth 2.0 device authorization grant — the flow designed so a smart TV or CLI tool can authenticate without a keyboard — by tricking a user into entering an attacker-controlled code on a legitimate identity provider page, handing the attacker a persistent access token.

This is the fastest-growing vector in ShinyHunters’ arsenal. Push Security documented a 37.5x increase in device code phishing attacks in 2026.

The attacker registers a malicious OAuth application — often mimicking a legitimate tool like a Salesforce DataLoader — and guides the victim via a vishing call to enter an attacker-supplied code on the real Microsoft or Salesforce authorisation page. Because the victim is on the real login page, no URL warning fires. The attack targets the authorisation layer, not the authentication layer — which means all MFA types fall to it, including passkeys and FIDO2.
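As an added illustration (not Push Security’s or any vendor’s code), the Python below runs the two detection patterns implied by Vectors 1 and 2 over a handful of constructed sign-in records: a device-code grant redeemed from outside corporate address space, and a new MFA method registered minutes after a sign-in from an unfamiliar network. The log field names, protocol values and corporate ranges are assumptions; map them to your identity provider’s real sign-in log schema.

```python
"""Detection of the two MFA-bypass sign-in patterns described above.

Added example, not code from Push Security, Instructure or any IdP vendor.
The record schema (ts, user, ip, protocol, event) is an assumption modelled
loosely on identity-provider sign-in logs; all sample records are constructed.
"""
from datetime import datetime, timedelta
import ipaddress

# Assumed corporate egress ranges (constructed, RFC 5737 documentation space).
CORPORATE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample events, already in time order.
SAMPLE_EVENTS = [
    # Ordinary browser sign-in from the campus network: benign.
    {"ts": "2026-04-29T09:00:00", "user": "alice", "ip": "203.0.113.10",
     "protocol": "authorizationCode", "event": "signin"},
    # Vector 2 pattern: a device-code grant redeemed from an address outside
    # corporate ranges (the victim typed an attacker-supplied code on the
    # real IdP page; the token is then used from the attacker's network).
    {"ts": "2026-04-29T09:05:00", "user": "bob", "ip": "198.51.100.7",
     "protocol": "deviceCode", "event": "signin"},
    # Vector 1 pattern: session from an unfamiliar network, followed within
    # minutes by registration of a new MFA method (the attacker enrolling
    # their own device after the AiTM proxy captured the session).
    {"ts": "2026-04-29T09:10:00", "user": "carol", "ip": "198.51.100.9",
     "protocol": "authorizationCode", "event": "signin"},
    {"ts": "2026-04-29T09:14:00", "user": "carol", "ip": "198.51.100.9",
     "protocol": None, "event": "mfa_method_registered"},
]


def is_corporate(ip):
    """True if the address falls inside an assumed corporate egress range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def find_suspicious(events, window=timedelta(minutes=30)):
    """Return (user, reason) tuples for events matching either pattern.

    Events must be sorted by timestamp. The window is the maximum gap between
    an external sign-in and an MFA registration for them to be linked.
    """
    alerts = []
    last_external_signin = {}  # user -> timestamp of most recent external sign-in
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "signin":
            external = not is_corporate(e["ip"])
            if e["protocol"] == "deviceCode" and external:
                alerts.append((e["user"], "device_code_external"))
            if external:
                last_external_signin[e["user"]] = ts
        elif e["event"] == "mfa_method_registered":
            last = last_external_signin.get(e["user"])
            if last is not None and ts - last <= window:
                alerts.append((e["user"], "mfa_registration_after_external_signin"))
    return alerts


if __name__ == "__main__":
    for user, reason in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT {user}: {reason}")
```

Both rules are deliberately coarse; in production the device-code rule should fire regardless of source network for any user not explicitly allowed to use that grant, since most institutions have no legitimate need for it.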

Vector 3: OAuth Supply Chain Attack

The third vector doesn’t require phishing the target’s employees at all.

When an organisation connects a third-party SaaS tool, it stores access tokens in that vendor’s environment. If the vendor is compromised, every downstream customer that authorised the integration inherits the breach — without being phished at all. Each authorised integration is a potential credential store.

Instructure’s integration ecosystem runs to over 1,000 third-party tools. When Instructure rotated its API keys after the May 2026 breach, it triggered re-authorisation events across every connected integration — and that re-authorisation window is itself an attack surface. For the full vendor risk assessment implications, see vendor risk in mission-critical SaaS.

What Is ShinyHunters’ Campaign Track Record Before Canvas?

The Canvas 2026 breach was not a deviation from pattern. It was the predictable output of a playbook ShinyHunters had been refining since 2024 — with Instructure as a documented target for at least eight months before the May incident.

Snowflake (2024). ShinyHunters used infostealer-harvested credentials to compromise 165+ Snowflake customer environments. No zero-days, no complex exploits — industrialised credential stuffing. The most publicised victim was Ticketmaster (560 million records). This campaign established the structural playbook: exfiltrate at scale, list on the DLS, apply countdown timer pressure, escalate when the first deadline passes.

Salesforce (2025). Credential stuffing gave way to AI-assisted vishing and device code phishing at scale — 1.5 billion records claimed across 1,000+ organisations. For Instructure, this isn’t abstract context: in September 2025, Instructure disclosed a social engineering attack on its Salesforce instance, and ShinyHunters claimed responsibility. That established direct operational knowledge of Instructure’s environment eight months before May 2026. As Dipan Mann, CEO of Cloudskope, framed it: “The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the production run.”

Education Technology (2026). September 2025: thousands of internal University of Pennsylvania files released via a Canvas/Instructure-mediated path. March 2026: Infinite Campus (US K–12 SIS) listed on ShinyHunters’ leak site. May 2026: Canvas. The shift to education infrastructure was deliberate. Which brings us to why.

Why Did Education Become ShinyHunters’ 2026 Target Vertical?

ShinyHunters’ vertical selection is systematic, not opportunistic. Education technology in 2026 presented a specific combination of attributes that maximise extortion leverage.

Data sensitivity and regulatory exposure. Student PII, grade records, private messages, financial aid information, and minor data (COPPA exposure for K–12) sit among the most sensitive data categories in existence. The April 2026 COPPA update raised penalties to $51,744 per child under 13. FERPA obligations apply to every US institution. EU institutions face a 72-hour GDPR notification window. High regulatory pressure means high urgency to resolve — exactly what ShinyHunters exploits.

LMS concentration risk. Canvas serves roughly 50% of US and Canadian higher education and 2,000+ US K–12 districts. One vendor breach cascades across thousands of institutions simultaneously. 8,809 institutions received a notification because one vendor failed.

Security investment gap. Education institutions operate on constrained IT budgets. Enterprise-grade security tooling — SIEM, SOC, phishing-resistant MFA — is uncommon at the institution level. The gap between data sensitivity and security maturity is wider in education than in almost any other sector.

Academic calendar pressure. The May 2026 breach hit during finals week. Students being unable to submit assignments or sit exams creates pressure to resolve quickly. Speed favours the extortionist.

Free-For-Teacher as a structural attack surface. Instructure confirmed the unauthorised actor exploited its Free-For-Teacher accounts — individual educator accounts created without institutional verification that ran on the same production infrastructure as paid tenants. When evaluating SaaS vendors, ask explicitly whether free-tier accounts are isolated from production tenant data.

The PowerSchool precedent reinforced that education data extortion generates payment outcomes: a late 2024 breach covering 62 million student records has since resulted in a $17.25 million settlement. Canvas, at 275 million claimed records, is nearly four times larger. For the full analysis of LMS concentration risk, see one platform, 8,809 schools, and the LMS concentration risk.

How Did the Canvas Extortion Campaign Unfold in Practice?

The Canvas campaign demonstrates ShinyHunters’ progressive escalation model in its most publicly documented form. The playbook is not improvised.

Initial access and exfiltration. The breach timeline begins with Instructure’s engineers detecting anomalous API key activity on 30 April 2026. By then, ShinyHunters claimed 3.65TB across 275 million records from 8,809 institutions had been exfiltrated — names, email addresses, student ID numbers, and some private messages.

Phase 1 — Initial extortion. ShinyHunters listed Instructure on the DLS with a countdown timer. The deadline: contact via TOX by 6 May 2026. Instructure did not make contact.

Phase 2 — Defacement as escalation. After the first deadline passed, ShinyHunters defaced Canvas login pages at approximately 330 institutions. Each defaced page blocked access and included TOX contact for direct negotiation — a visibility escalation designed to be seen by students and faculty, who would then pressure institution leadership.

Phase 3 — Individual institution targeting. ShinyHunters pivoted from corporate-level extortion to direct school-by-school demands, with a final deadline of 12 May 2026. This fragmentation is deliberate: Instructure corporate and 8,809 institutions are not a monolithic negotiating entity, and ShinyHunters exploits that.

Two confirmed breaches in eight months by the same threat actor raise direct questions about the adequacy of remediation after the first incident.

What Is the Downstream Risk Once ShinyHunters Has Your Data?

Breach containment does not end risk. The data ShinyHunters exfiltrated from Canvas has a downstream attack life that begins immediately after exfiltration.

Spear phishing with Canvas data. Student names, institutional email addresses, student IDs, and Canvas private message history are enough to run personalised spear phishing campaigns referencing a student’s course, instructor, and actual message threads. Issue phishing advisories immediately, regardless of whether you received a direct extortion demand.

The re-authorisation window. Instructure revoking API keys and rotating OAuth tokens was the right call. It also created a secondary attack surface. Every institution using third-party Canvas integrations received re-authorisation prompts — and ShinyHunters can spoof those prompts using breach data. The spoofed prompt is indistinguishable from the legitimate one. Given Canvas’s 1,000+ integration ecosystem, the blast radius extends well beyond Instructure’s own infrastructure.
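As an added example (not Instructure’s code), the Python below is a small triage check an institution’s IT team could run against a re-authorisation link before anyone follows it, using the institution’s own record of approved integrations. The host names and the approved-integration registry are constructed; the /login/oauth2/auth path is the one Canvas documents for its OAuth2 flow, and client_id, response_type and redirect_uri are standard OAuth 2.0 parameters.

```python
"""Triage of a re-authorisation link received after a token rotation.

Added example, not Instructure's code. The institution's Canvas host and its
registry of approved integrations are constructed; in practice the registry
would be exported from the Canvas admin's developer-key list.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed: the only host at which this institution's Canvas authorises apps.
TRUSTED_AUTH_HOSTS = {"canvas.example.edu"}

# Constructed: integrations the institution actually approved, keyed by the
# client_id each was issued, with the redirect host each one registered.
APPROVED_INTEGRATIONS = {
    "10000000000001": {"name": "Gradebook sync",
                       "redirect_host": "sync.vendor-a.example"},
}

# Canvas's documented OAuth2 authorisation endpoint path.
CANVAS_AUTH_PATH = "/login/oauth2/auth"


def triage_reauth_link(url):
    """Return the reasons a link should NOT be followed; empty means it matches
    an approved integration at our own Canvas host."""
    reasons = []
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}

    if parts.scheme != "https":
        reasons.append("link is not https")
    # Lookalike domains are the spoofing trick: compare the exact host, not a prefix.
    if parts.hostname not in TRUSTED_AUTH_HOSTS:
        reasons.append(f"authorisation host {parts.hostname!r} is not our Canvas host")
    if parts.path != CANVAS_AUTH_PATH:
        reasons.append(f"unexpected path {parts.path!r}")
    if params.get("response_type") != "code":
        reasons.append("response_type is not the authorisation-code flow")

    client_id = params.get("client_id")
    integration = APPROVED_INTEGRATIONS.get(client_id)
    if integration is None:
        reasons.append(f"client_id {client_id!r} is not an approved integration")
    else:
        # A genuine prompt sends the code back to the vendor's registered host;
        # a tampered one points it at a collector the attacker controls.
        redirect_host = urlsplit(params.get("redirect_uri", "")).hostname
        if redirect_host != integration["redirect_host"]:
            reasons.append(f"redirect_uri host {redirect_host!r} does not match the host "
                           f"registered for {integration['name']}")
    return reasons


if __name__ == "__main__":
    link = ("https://canvas.example.edu/login/oauth2/auth?client_id=10000000000001"
            "&response_type=code&redirect_uri=https%3A%2F%2Fsync.vendor-a.example%2Fcb&state=x")
    print(triage_reauth_link(link) or "looks legitimate")
```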

Regulatory obligations. FERPA notification obligations are triggered on breach confirmation for every US institution. COPPA (updated April 2026 — $51,744 per child under 13 affected) creates financial exposure for K–12 institutions. EU institutions face a 72-hour GDPR notification window. Review your DPAs immediately.

The secondary market. Student PII and private messages are saleable on BreachForums and Telegram channels independently of whether a ransom is paid. Paying ShinyHunters cannot delete data that has already been copied, staged for sale, or shared. Unit 221B’s “do not pay” position applies precisely here. For the full vendor assessment and defensive posture implications, see vendor risk in mission-critical SaaS.

Frequently Asked Questions

Is ShinyHunters a nation-state hacking group?

No. ShinyHunters is financially motivated with no confirmed state sponsorship. It operates under the SLH/SLSH umbrella as part of The Com eCrime ecosystem — primarily English-speaking, multi-national membership. Four members were arrested by French authorities in June 2025; the group continued without disruption. Unlike nation-state actors, ShinyHunters’ motivation is purely financial, meaning payment calculus drives escalation decisions.

How is “pay or leak” extortion different from ransomware?

Ransomware encrypts systems and withholds a decryption key; payment restores access. “Pay or leak” steals data and withholds a deletion promise — there is no technical recovery path. Systems remain operational during “pay or leak” extortion. Paying ShinyHunters cannot delete already-exfiltrated data or prevent its sale. Insurance, legal, and board communications should classify this as data extortion, not ransomware — the distinction has regulatory and coverage implications.

What is device code phishing and why does it defeat MFA?

Device code phishing exploits the OAuth 2.0 device authorization grant — the flow designed for devices without keyboards. The attacker creates a malicious OAuth application, then tricks the victim via a vishing call into entering a device code on the real identity provider’s authorisation page. No phishing URL warning fires. The attack targets the authorisation layer, not the authentication layer — which is why it defeats all MFA including passkeys and FIDO2. Push Security documented a 37.5x increase in device code phishing in 2026.

What connection does ShinyHunters have to Scattered Spider?

Both groups are part of The Com. Yukari, a named ShinyHunters member, is also connected to Scattered Spider (UNC3944). SLSH is the collective umbrella formally connecting ShinyHunters, Scattered Spider, and LAPSUS$. They share infrastructure, personnel, and tactics — threat intelligence on one group is partially transferable to the others.

Should my institution negotiate with ShinyHunters if it receives a direct extortion demand?

Unit 221B (Allison Nixon) recommends strongly against payment or negotiation. Data has likely already been copied, sold, or shared; payment doesn’t guarantee deletion; payment signals willingness and may attract follow-on demands; and the group has a documented history of not honouring payment agreements. If a direct TOX contact demand arrives, treat it as an active incident: engage a qualified IR firm, notify legal counsel, and begin regulatory notification assessment. Do not engage with the TOX contact directly without qualified legal and IR guidance.

What does vishing look like in a ShinyHunters campaign?

Attackers call impersonating IT support, an Okta help desk, or a vendor representative. Common pretexts: “We detected unusual activity,” “Your MFA is about to expire — let me help you re-enrol.” Red flags: any unsolicited call requesting credential entry, entering a code on a website during a call, or approving a push notification during a call. Countermeasure: establish a callback verification protocol — never act on unsolicited calls; always verify via official contact channels independently.

What happened to Canvas login pages during the escalation?

After the first extortion deadline passed, ShinyHunters defaced Canvas login pages at approximately 330 institutions. Each defacement injected HTML that prevented access and included TOX contact information for direct negotiation — a visibility escalation designed to be seen by students, faculty, and administrators who would then pressure institution leadership.

Can stolen Canvas data be used to target individual students directly?

Yes — this is the primary downstream risk. ShinyHunters exfiltrated student PII, Canvas private message history, and course enrolment details. This enables personalised spear phishing attacks referencing a student’s course name, instructor, and Canvas message thread to establish false credibility. Institutions should proactively communicate this downstream risk to their communities regardless of whether they received a direct extortion demand.

What is the Snowflake breach and why does it matter?

In 2024, ShinyHunters compromised 165+ Snowflake customer environments using infostealer-harvested credentials — no zero-days required. Key victims included Ticketmaster (560 million records) and AT&T. The Snowflake campaign established the structural playbook — exfiltration, public claim, deadline pressure, escalation — that maps directly onto the Canvas 2026 attack.

What is the Free-For-Teacher program and how was it exploited?

Instructure’s Free-For-Teacher program let individual educators create Canvas accounts without institutional verification — accounts that ran on the same production infrastructure as paid institutional tenants, creating a trust boundary failure. The pattern of freemium onboarding tiers sharing production infrastructure with enterprise tenants is a structural SaaS risk that applies well beyond Canvas. When evaluating vendors, ask explicitly whether free-tier accounts are isolated from production tenant data.

This article is part of the Canvas breach cluster. For the detailed breach timeline, see what we know about the Canvas breach. For the LMS concentration risk analysis, see one platform, 8,809 schools, and the LMS concentration risk. For the vendor assessment framework, see vendor risk in mission-critical SaaS.
