Canvas Double Breach: ShinyHunters Defaces 330 School Login Portals, Resets Deadline After Instructure Admits Two Intrusions

# Canvas Double Breach: ShinyHunters Defaces 330 School Login Portals, Resets Deadline After Instructure Admits Two Intrusions

> **Quick answer:** Instructure confirmed two separate intrusions into Canvas within two weeks. After Instructure applied security patches instead of negotiating, ShinyHunters defaced login portals at approximately 330 schools on May 7, 2026, displaying ransom messages directly to students and faculty. The group then reset its pay-or-leak deadline to end-of-day May 12, telling each school to contact them privately or face full data publication.

The Canvas ShinyHunters defacement double breach at 330 schools is not just a bigger version of the first attack — it is a tactically different attack designed to humiliate Instructure publicly and pressure individual institutions to break ranks and negotiate on their own. This is what school-by-school ransomware extortion looks like in 2026, and understanding the escalation mechanics matters for every student, faculty member, and administrator still waiting for answers.

## What "Double Breach" Actually Means — and Why It Changes Everything

When Instructure announced on May 1, 2026 that it was investigating a cybersecurity incident, the company said it had contained the issue and that the compromised data included names, email addresses, student ID numbers, and messages among users — but no passwords, birthdates, government IDs, or financial information. By May 6, Instructure declared systems normal.

ShinyHunters had other plans.