Between the 3rd and 5th of May 2026, the ShinyHunters cyber extortion group claimed responsibility for a data breach of cloud education provider Instructure and its Canvas online platform.
According to the hackers, they’ve compromised 275 million students and staff across “nearly 9,000” schools and universities.
Instructure has since confirmed the incident and is now working with government departments and educational institutions worldwide to ascertain the full scope of the breach.
On May 5, ShinyHunters published what it called the “Entire list of affected schools by Instructure breach”. This list, published in text form on the hackers’ dark web leak site, falls somewhat short of the claimed 9,000-odd schools – but for the more than 2,700 institutions actually listed, it still represents a potential disaster.
While the global impact is vast, the local, Australian outlook appears potentially dire. Education departments across the nation, along with a raft of tertiary institutions, are investigating the impact on Aussie students and teachers. Still, even a brief search of the list of schools published by ShinyHunters shows cause for concern.
Even simply searching for “Australia” and the various state capitals returns 27 hits, with universities and colleges in Sydney, Melbourne, and Adelaide featuring prominently. Fully ten institutions with the word Australia in their name are on the list. And that’s not even looking at regional schools and other local places of education.
“An attack of this magnitude transcends an isolated IT incident. The consequences for the victims are far-reaching, as stolen student data can be weaponised for lifelong identity theft, financial fraud, and extortion,” Miguel Fornes, Information Security Manager at cyber security firm Surfshark, told Cyber Daily.
“As a student, could you imagine your emotional response if you received an email requesting to confirm your data by the end of the semester? Wouldn't you be tempted or desperate to log in and confirm the problem?”
One of the issues facing schools is a combination of legacy systems, a lack of properly trained staff, and the sheer level of information creep facing students and their families as smartphone apps and online portals become an ever more important part of the education process. Facing cyber criminals armed with AI and skilled at social engineering, it’s a disaster waiting to happen.
“Educational institutions still relying on legacy systems rather than modern architectures will be targeted as 'low-hanging fruit' by automated attacker-bots. Once categorised as an easy target, an institution is guaranteed to face a relentless barrage of aggressive, highly targeted strikes that easily overwhelm basic defences or unsuspected users,” Fornes said.
“Digital hygiene education must become a priority for all public groups if society is to keep pace with the advent of AI. Cyber security is no longer a responsibility that can be entirely outsourced to underfunded school IT teams, government agencies, or corporations.”
Former FBI agent and Chief Information Security Officer at Arctic Wolf, Adam Marré, said the Instructure incident is a “timely reminder for schools and universities of the growing risk organisations face when it comes to third-party platforms or SaaS providers”.
"What makes this incident significant is that even when an organisation is not directly compromised, attackers are increasingly looking for opportunities to exploit the wider technology stack,” Marré said.
"The education sector remains a highly attractive target due to the volume of personal data and the complexity of managing large student and staff networks. Incidents like this should prompt a call-to-action for schools and universities to reassess third-party risk management and incident response planning because cyber security today extends well beyond an organisation’s own perimeter."
Pressure tactics
While schools and governments are in an investigation phase, ShinyHunters is continuing to apply the pressure, targeting individual schools with website defacement attacks, according to TechCrunch.
"TechCrunch saw a message published by the cybercrime group ShinyHunters on the Canvas login pages of three separate schools," the outlet said in a May 7 article.
"A review of the defaced portals shows that the hackers injected an HTML file that altered the login screens to display their message."
ThreatLocker CEO Danny Jenkins said the defacement activity was just one clue as to how the hackers had compromised Instructure and the schools it partners with.
"Based on initial reports, this attack likely began with a stolen credential tied to an account with extensive privileges. Instructure revoking privileged credentials and rotating keys is a strong indicator the investigation is centred around identity compromise," Jenkins told Cyber Daily.
"The attackers’ ability to deface login systems also suggests a level of access to servers and systems that increases the likelihood they may have had access to sensitive databases. The priority right now is determining whether data was successfully exfiltrated and understanding the full scope of the breach."
Jenkins also suggested the timing of the incident was quite deliberate, and just one part of the hackers' extortion tactics, particularly for students in the United States, where spring exams are underway.
"The disruption of Canvas is happening at an especially cruel time, right as students are preparing for final exams and graduation," Jenkins said.
"Students are panicked, and that’s exactly what the attackers wanted in an effort to pressure Instructure and schools."
UPDATED 08/05/26 to include ThreatLocker commentary.
David Hollingworth
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.