Canvas Hacked By ShinyHunters: Are Your Private Messages Now Exposed In The Dark Web?

The hacking group ShinyHunters has compromised Canvas LMS, an online learning platform used by 9,000 educational institutions worldwide, potentially exposing data for up to 200 million users. Instructure, the company behind Canvas, confirmed unauthorized access on 1 May, linking the breach to ShinyHunters, a group with prior attacks on Ticketmaster, Google, and Ivy League universities. The hackers also infiltrated K-12 platform Infinite Campus in March and publishing firm McGraw Hill in April. ShinyHunters demanded a ransom, threatening to leak 3.65 terabytes of stolen data—including names, email addresses, student IDs, and private messages—by a 6 May deadline. The group defaced Canvas login portals across hundreds of universities, warning of data release if demands were ignored. Cybersecurity expert Doug Thompson described the strategy as targeting the 'data supply chain,' making downstream phishing attacks more effective due to access to real course details and conversations. The stolen data may be sold on the dark web via Tor, packaged into 'combo lists' or 'fullz' files containing credentials, emails, and financial details. Leak sites operated by ransomware gangs serve as extortion hubs, with data resold through encrypted Telegram channels or paste sites if ransoms remain unpaid. Victims face risks of blackmail, targeted scams, and account takeovers due to the specificity of the exposed information. Universities have urged students and staff to remain vigilant against impersonation attempts, warning of unsolicited emails or messages claiming to be from Canvas or their institutions. These messages may seek login credentials or personal information, exploiting the breach for further cybercrime. Internal investigations are ongoing as institutions assess the full scope of the damage and potential long-term impacts on academic operations.