The cybercrime group behind a data breach at education technology company Instructure has escalated its attack by defacing school login pages. The hackers, known as ShinyHunters, posted extortion messages on the Canvas learning management system portals of several schools, demanding a financial settlement by May 12 to prevent the public release of stolen student data.
What Happened
Following an initial data breach that exposed student names, email addresses, and private messages, hackers compromised the Canvas login pages of several schools. According to TechCrunch, the group injected an HTML file that altered login screens to display a threatening message. The message stated that the stolen data will be published on May 12 if Instructure does not negotiate a settlement.
During the defacement, Canvas portals displayed notices of scheduled maintenance, and the main corporate website experienced partial outages. Instructure is the parent company of Canvas, a digital platform used by millions of students and educators to manage coursework, submit assignments, and handle school communications.
The Bigger Picture
The attackers, identified as the ShinyHunters extortion gang, claim to have stolen up to 280 million records from nearly 9,000 institutions globally. Instructure confirmed that the breach exposed personal identifiers and internal communications between teachers and students. The company stated their internal investigation shows no evidence that passwords or financial information were compromised.
ShinyHunters operates using an extortion-only playbook. Unlike ransomware groups that encrypt files to lock schools out of their networks, this group bypasses multi-factor authentication through social engineering, often tricking IT staff over the phone. Once inside, they download cloud databases and threaten to publish the information online to extort victims.
Public school districts are vulnerable to these tactics because of their reliance on cloud-based educational software and limited cybersecurity budgets. When districts take systems offline to contain a breach, the operational disruption can halt instruction and force schools to cancel classes.
What This Means for Families
For parents and educators, the concern is the exposure of direct communications and personal contact information. While data like Social Security numbers or banking details do not appear to be involved, the exposed private messages and email addresses can be weaponized. Cybercriminals use this personal information to launch targeted phishing attacks or social engineering scams against students and families.
The defacement of login pages also creates logistical hurdles for school operations. Students may be temporarily blocked from accessing coursework, submitting assignments, or communicating with their teachers while technology departments and Instructure take systems offline for maintenance. The presence of a hacker's note on a school portal adds stress to the learning environment.
What You Can Do
- Monitor for phishing: Be suspicious of unsolicited emails, texts, or messages claiming to be from your child's school, district administrators, or teachers. Hackers may use stolen contact lists to trick parents into revealing passwords or financial details.
- Watch for API reauthorization requests: Educators and school staff should follow official IT department instructions to revoke and reauthorize their access to Instructure’s platform. Changing login credentials immediately is a necessary precaution.
- Check alternative communication channels: Stay alert for updates from your school district through official automated phone calls, district-wide email blasts, or alternative district websites if the main Canvas portal remains inaccessible.
- Review student messaging: Parents should talk to their children about the information they share through school messaging platforms. Remind them that school digital environments are not entirely private and can be vulnerable to unauthorized access.