Hackers deface school login pages after claiming another Instructure hack

The cybercrime group ShinyHunters has defaced login pages for Instructure’s Canvas platform at three separate schools, altering the login screens to display a message threatening to publish stolen student data on May 12 if the company does not negotiate a settlement. The hackers injected an HTML file into the login portals, marking a second breach after Instructure disclosed a data breach on May 5, 2026, where ShinyHunters claimed to steal private information—including names, email addresses, and teacher-student messages—from nearly 9,000 schools worldwide, affecting 231 million people. Instructure’s website has been experiencing intermittent issues, with users encountering ‘too many requests’ errors, while the Canvas portal displayed a notice stating it was ‘currently undergoing scheduled maintenance.’ The company did not immediately respond to a request for comment from TechCrunch. ShinyHunters previously claimed responsibility for the initial breach, publishing stolen data on its leak site to pressure Instructure into paying a ransom. The group’s latest actions suggest an attempt to escalate pressure on Instructure and its customers, following a pattern of hacking, publicizing stolen data, and demanding financial settlements. ShinyHunters confirmed to TechCrunch that this is a separate breach from the earlier incident but declined to provide technical details on how the login pages were compromised. This is not the first time ShinyHunters has targeted educational institutions, as the group has repeatedly used the same extortion tactics against multiple victims over the past two years. The defacement of login pages and the threat to release sensitive data highlight the ongoing risks faced by schools and educational platforms in the face of cyber threats.