On May 7, 2026, every Canvas LMS login page — across 8,809 universities and schools worldwide — displayed a ransom note. Instructure had already paid. Four days earlier.
TL;DR
- ShinyHunters breached Canvas LMS affecting up to 275 million users — the largest educational data breach on record
- Instructure reportedly paid ~$10M ransom and received “confirmation” data was destroyed. It wasn’t.
- The attack vector: Free-For-Teacher accounts with no institutional verification, in a multi-tenant SaaS architecture with only logical data isolation
- ShinyHunters has survived arrests on three continents and formed a criminal alliance with Scattered Spider and LAPSUS$
- This was not a random target — Canvas was hit before in September 2025. The May attack was a return visit.
Why This Matters Beyond the Headlines
If you work in education, educational technology, or run any SaaS platform with tiered account types — this incident is a direct blueprint for how you get breached.
If you are an Instructure customer, a student, or a teacher: your private messages, your student ID, and your contact information are in the hands of a financially motivated criminal collective that has already proven they do not keep their word.
And if you are a security professional advising organizations on ransomware response: Instructure’s experience is the clearest recent example of why paying is not a strategy.
May 1–11: A Timeline That Gets Worse at Every Step
The Canvas breach did not happen once. It happened twice, in eleven days, with a ransom payment in between.
May 1 — Instructure discloses a cybersecurity incident. Names, email addresses, student IDs, and private messages between students and teachers have been stolen. The company says passwords, birthdates, government IDs, and financial data were not affected.
May 3 — ShinyHunters publicly claims responsibility and posts a ransom demand. They claim to hold 3.65 terabytes of data belonging to approximately 275 million users.
May 6 — Instructure announces the situation is contained and systems restored. The company denies the full scope of ShinyHunters’ claims.
May 7 — Every Canvas login page across thousands of institutions worldwide is replaced with a new ransom note. ShinyHunters had not left. Instructure’s “containment” had not worked.
May 8 — Access is restored to most users.
May 11 — Instructure apologizes for its lack of transparency and announces it has reached an agreement with ShinyHunters. The company states it received digital confirmation that the stolen data covering 275 million people was destroyed. It acknowledges it has no certainty the attackers kept their word.
May 13 — A class action lawsuit is filed in San Diego Federal Court.
The ransom payment — reportedly around $10 million — bought Instructure four days of quiet and one page of unverifiable confirmation.
How They Got In: The Free-For-Teacher Problem
ShinyHunters did not exploit a zero-day vulnerability. They did not deploy custom malware. They walked in through a door that Instructure had left open by design.
Canvas offers a Free-For-Teacher (FFT) account program — a way for individual educators to create accounts and explore the platform without going through institutional procurement. The appeal is obvious: lower the barrier to adoption, let teachers experiment, grow the user base.
The security problem is equally obvious in hindsight. FFT accounts required no institutional verification. Any person could claim to be an educator and receive an account. In a multi-tenant SaaS platform — where a single application serves thousands of separate organizations — those unverified accounts existed in the same environment as accounts belonging to verified universities and their students.
The technical attack path maps to MITRE ATT&CK T1078 — Valid Accounts: gain access through legitimate credentials, then move laterally. Canvas’s architecture used logical data isolation — database-level separation of tenant data — rather than physical isolation in separate environments. Logical isolation relies on the application enforcing boundaries correctly. ShinyHunters found a way through those boundaries from an FFT-tier account.
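An added illustration of what logical isolation depends on; this is not Instructure's code, and the page does not say how the FFT-tier boundary was actually crossed. Tenant ids, tiers and rows are constructed; the point is that in a shared database the tenant predicate must be part of every query, not of the caller's good behaviour.

```ruby
# Added illustration of logical tenant isolation; this is not Instructure's
# code and the page does not say how the boundary was crossed. Isolation in
# a shared database holds only if every query is scoped by tenant_id.

# Constructed sample rows: tenant 1 is a verified institution, tenant 99 is
# the sandbox tenant shared by unverified Free-For-Teacher (FFT) accounts.
MESSAGES = [
  { id: 1, tenant_id: 1,  from: "student_a", body: "question about my grade" },
  { id: 2, tenant_id: 1,  from: "teacher_b", body: "accommodation request" },
  { id: 3, tenant_id: 99, from: "fft_user",  body: "sandbox course note" },
].freeze

Actor = Struct.new(:user_id, :tenant_id, :tier) # tier: :institutional or :fft

class TenantIsolationError < StandardError; end

# Defective pattern: lookup by primary key alone. Any authenticated actor,
# an FFT account included, can read any tenant's row by id.
def find_message_unscoped(id)
  MESSAGES.find { |m| m[:id] == id }
end

# Hardened pattern: the actor's own tenant is a mandatory predicate of the
# query, so rows from other tenants are not visible (nil). A request that
# names a different tenant is refused before any lookup and raised as an
# auditable event rather than silently ignored.
def find_message(actor, id, tenant_id: actor.tenant_id)
  if tenant_id != actor.tenant_id
    raise TenantIsolationError,
          "#{actor.user_id} (#{actor.tier}) requested tenant #{tenant_id}"
  end
  MESSAGES.find { |m| m[:id] == id && m[:tenant_id] == tenant_id }
end

fft = Actor.new("fft_user", 99, :fft)
p find_message_unscoped(1)   # leaks tenant 1's private message
p find_message(fft, 1)       # nil: row 1 is outside the FFT tenant
p find_message(fft, 3)       # the FFT account's own row
begin
  find_message(fft, 1, tenant_id: 1)
rescue TenantIsolationError => e
  puts "denied: #{e.message}"
end
```

In a real application the equivalent is putting the tenant predicate into the data-access layer itself, so that no individual endpoint can forget it.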
This was not the first time. Instructure’s own incident analysis confirmed that Canvas was targeted by ShinyHunters in September 2025 via social engineering. The May 2026 attack was a return visit by a group that already knew the terrain.
Who Is ShinyHunters
ShinyHunters is not a shadowy nation-state operation. They are a decentralized collective of financially motivated young hackers, primarily with French connections, that emerged around 2020 and has spent five years systematically dismantling the security posture of some of the world’s largest organizations.
Google’s threat intelligence team tracks the group under the internal designations UNC6040 and UNC6240. They are part of a broader criminal ecosystem known as “The Com” — an English-speaking underground network that shares tools, targets, and talent across loosely affiliated criminal operations.
Their tactics are not technically sophisticated in the traditional sense. ShinyHunters does not write kernel exploits. They make phone calls.
- Voice phishing — impersonating IT helpdesk staff to convince employees to hand over credentials or approve MFA requests.
- OAuth token abuse — hijacking authentication tokens from compromised SaaS integrations rather than cracking passwords.
- SMS phishing — intercepting or spoofing text messages used for two-factor authentication.
- AI-enabled social engineering — using synthetic voice technology to make vishing calls more convincing at scale.
The group has used these techniques to breach AT&T, Santander, Ticketmaster, PowerSchool, Google, Cisco, Adidas, Qantas, Air France-KLM, Allianz Life, Coinbase, and the LVMH luxury group (Louis Vuitton, Dior, Tiffany). The Canvas breach sits alongside some of the most recognizable names in global business.
The Scattered LAPSUS Alliance
In 2025, ShinyHunters formalized a working partnership with two other prominent groups: Scattered Spider (known for the MGM Resorts and Caesars Entertainment breaches) and LAPSUS$ (responsible for breaches at Microsoft, Nvidia, and Samsung). The alliance is known informally as “Scattered LAPSUS.”
This collaboration matters for organizations assessing their exposure. A breach by one member of this alliance is visible to all three. Intelligence about targets, credentials, and network access flows between groups. If ShinyHunters has touched your environment, you should assume Scattered Spider and LAPSUS$ may also have visibility into what was found.
Arrests That Changed Nothing
Law enforcement has moved against ShinyHunters repeatedly. The results tell a consistent story: arrests create friction, not shutdown.
| Date | Action | Outcome |
|---|---|---|
| May 2022 | Sébastien Raoult (French) arrested in Morocco | Extradited to US |
| January 2024 | Raoult sentenced to 3 years, $5M restitution | Operations continued |
| February 2025 | Kai West (IntelBroker, British) arrested in France | BreachForums disrupted briefly |
| June 2025 | Four members arrested across France (Hollow, Noct, Depressed + one other) | Operations continued |
| May 2026 | Canvas breach — group at full operational capacity | Ongoing |
The arrests happened in three countries across four years. After each one, ShinyHunters continued operating without meaningful interruption.
This is the defining characteristic of decentralized criminal collectives: they are not organizations in the traditional sense. There is no headquarters, no server room to seize, no single leader whose arrest collapses the operation. When a member is arrested, others take over their functions. The knowledge, tools, and access are distributed. Removing one node does not take down the network.
Law enforcement actions matter — they impose real costs and occasionally remove specific individuals from the threat landscape. But for defenders, the operational conclusion is clear: do not plan your security strategy around the assumption that these groups will be dismantled.
The Moral Calculation ShinyHunters Made
It is worth being direct about what was stolen here.
The 275 million affected users are not corporate employees whose work emails were exposed in a breach. They are students — many of them minors — and teachers. The stolen data includes private messages exchanged in what users reasonably believed was a secure educational environment.
Think about what teachers and students discuss in those messages: grades, disciplinary issues, mental health concerns, requests for accommodation, personal circumstances affecting academic performance. These are conversations that people have in private because the content is private.
ShinyHunters knew what Canvas is. They attacked it in September 2025 via social engineering before returning in May 2026 with a more damaging approach. The choice to target an educational platform serving K-12 and higher education globally — twice — was deliberate.
There is no claim of political motivation, no ideological justification. The group’s stated motivation is financial. They targeted students because the data was there and someone would pay to protect it.
Why Paying the Ransom Failed
Instructure’s decision to pay is understandable in context. Hundreds of millions of students’ private messages were at risk. The deadline was days away. The legal and reputational exposure of a confirmed 3.65 TB data release was enormous.
But the four-day gap between payment and the second attack reveals the structural problem with ransom payment as a strategy.
The data was almost certainly not destroyed. No cryptographic mechanism allows one party to prove to another that data has been deleted. The “digital confirmation” Instructure received was, at best, a file hash — proof that a file existed and was processed, not proof that all copies are gone. ShinyHunters knew this when they issued the confirmation. Instructure knew this when they accepted it.
The second attack was likely prepared in parallel. Sophisticated criminal groups do not abandon a profitable target after a single payment. The May 7 defacement was not improvised: replacing login pages across thousands of institutions simultaneously requires pre-positioned access that was not acquired in four days. The capability existed before the ransom was paid.
Three explanations, none of them good:
- A different faction within ShinyHunters’ decentralized structure executed the second attack independently, without knowledge of the payment
- The data was never destroyed and the group retained access to use as continued leverage
- Instructure’s “containment” missed a persistent foothold that ShinyHunters had established during the initial breach
The most likely answer is some combination of all three.
The class action lawsuit filed May 13 adds another dimension: organizations that pay ransoms now face legal exposure for the payment itself in addition to liability for the breach. Paying is not just ineffective — it creates new legal risk.
What Schools and SaaS Providers Should Do
The Canvas breach is a specific incident with specific technical causes. Those causes are not unique to Instructure.
For SaaS providers with tiered account types:
- Low-friction enrollment tiers (free, teacher, trial) that bypass institutional verification create trusted identities in untrusted hands. Verify educational status before granting access to multi-tenant environments — even at the cost of some friction.
- Logical tenant isolation is a security boundary that must be audited. Assume that a sufficiently motivated attacker will probe the boundary between tenant environments from a low-privilege account.
- Audit FFT and trial accounts for access patterns that do not match expected educator behavior — bulk data queries, API calls across tenant boundaries, unusual authentication patterns.
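One way to turn the audit recommendation above into detection logic, as an added example that is not Instructure's tooling: the access-log format, field names, endpoint paths and thresholds are all constructed here, and the two signals flagged are the ones the list names, cross-tenant API calls and bulk data pulls from FFT-tier accounts.

```ruby
# Added example, not Instructure's tooling: flag Free-For-Teacher (FFT)
# accounts whose API usage does not match an individual educator. The log
# format, field names, endpoints and thresholds are constructed here.
require "time"
# Constructed access log: ts account tier home_tenant req_tenant path rows
SAMPLE_LOG = <<~EOS
  2026-05-02T10:00:01Z fft_0412 fft 99 99 /api/v1/courses 12
  2026-05-02T10:00:05Z fft_0412 fft 99 99 /api/v1/courses/7/users 40
  2026-05-02T10:01:10Z fft_0412 fft 99 1 /api/v1/conversations 5000
  2026-05-02T10:01:12Z fft_0412 fft 99 2 /api/v1/conversations 5000
  2026-05-02T10:01:15Z fft_0412 fft 99 3 /api/v1/users 5000
  2026-05-02T10:02:00Z teacher_b inst 1 1 /api/v1/conversations 25
  2026-05-02T10:03:00Z fft_2210 fft 99 99 /api/v1/courses 3
EOS

Event = Struct.new(:ts, :account, :tier, :home_tenant, :req_tenant, :path, :rows)

def parse_log(text)
  text.lines.map do |line|
    ts, acct, tier, home, req, path, rows = line.split
    Event.new(Time.iso8601(ts), acct, tier, home, req, path, rows.to_i)
  end
end

# Assumed thresholds: a lone educator in a sandbox tenant has no reason to
# query other tenants or to pull thousands of rows within a minute.
BULK_ROWS   = 1_000
BULK_WINDOW = 60 # seconds
# Returns { account => [finding, ...] }; only FFT-tier accounts are examined.
def audit_fft_accounts(events)
  findings = Hash.new { |h, k| h[k] = [] }
  events.select { |e| e.tier == "fft" }.group_by(&:account).each do |acct, evs|
    evs.each do |e|
      next if e.req_tenant == e.home_tenant
      findings[acct] << "cross-tenant: #{e.path} against tenant #{e.req_tenant}"
    end
    sorted = evs.sort_by(&:ts)
    sorted.each_with_index do |start, i|
      window = sorted[i..].take_while { |w| w.ts - start.ts <= BULK_WINDOW }
      total = window.sum(&:rows)
      next if total <= BULK_ROWS
      findings[acct] << "bulk: #{total} rows within #{BULK_WINDOW}s of #{start.ts.iso8601}"
      break # one bulk finding per account is enough to escalate
    end
  end
  findings
end

audit_fft_accounts(parse_log(SAMPLE_LOG)).each { |a, f| puts "#{a}: #{f.join('; ')}" }
```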
For educational institutions using Canvas or similar platforms:
- Treat your LMS as a high-value target. Student private messages, IDs, and contact information are sensitive data that warrant the same protection as financial records.
- Establish an incident response plan specific to SaaS providers you depend on. When a provider is breached, your response time matters.
- Inform students and staff when their data may have been exposed — do not wait for the provider to make that determination for you.
For any organization facing a ransom demand:
- Paying does not guarantee data deletion, does not guarantee operational recovery, and does not prevent repeat attacks.
- Paying funds the next attack — against you, or against someone else.
- The decision to pay should involve legal counsel from the moment the incident is confirmed. In some jurisdictions, ransom payments to sanctioned entities are illegal regardless of circumstances.
- Document everything. If you pay and data is released anyway, your documentation of the decision-making process affects your legal position in subsequent litigation.
A note to ShinyHunters: You targeted students. Children, in some cases. Private conversations between teachers and the students they were trying to help. You did it in September 2025, took notes, and came back in May 2026 better prepared. You took the money and hit again anyway.
Sébastien Raoult thought he was untouchable too. Three years and five million dollars later, he reconsidered.
Four members arrested in France last June. More to follow.
Sources
- Wikipedia — 2026 Canvas Security Incident
- Rescana — ShinyHunters Second Attack on Instructure Canvas via Free-For-Teacher Accounts
- Malwarebytes — Millions of Students’ Personal Data Stolen in Major Education Breach
- Cybernews — Canvas Breach: Hackers Threaten to Leak Messages of 275M Users
- Inside Higher Ed — Instructure Pays Ransom to Canvas Hackers
- TechRepublic — Canvas Breach May Put 275M Users, 9,000 Schools at Risk
- Bitdefender — Technical Advisory: ShinyHunters Breach of Instructure Canvas LMS
- Ogun Security — ShinyHunters: Inside the Cybercrime Syndicate
- Sophos — Taking the Shine off BreachForums
- Infosecurity Magazine — French Authorities Arrest Four Hackers Tied to BreachForums
- MITRE ATT&CK — T1078: Valid Accounts