
ACTIVE THREAT NOTICE: Instructure Canvas Breach

As of 7 May 2026, ShinyHunters has defaced Instructure Canvas login portals across 8,809 institutions worldwide and issued a ransom deadline of 12 May 2026. The group claims 275 million student and staff records stolen, including from institutions in Australia. If your organisation uses Canvas or shares SaaS integrations with Instructure, audit Salesforce guest user profiles and third-party API tokens now.


Red Piranha first reported on ShinyHunters in 2021. Over four years of weekly threat intelligence tracking, the group evolved from a data theft and resale operation into something materially more dangerous. That earlier characterisation is now outdated. As of 7 May 2026, ShinyHunters is defacing live production systems at scale under a pay-or-leak extortion model targeting enterprise SaaS environments. The Instructure Canvas Breach is their most visible operation to date by number of affected individuals and geopolitical scope.

This report covers the group's full trajectory, their current kill chain, MITRE ATT&CK-mapped TTPs, confirmed and assessed Indicators of Compromise (IOCs), and how Red Piranha's integrated platform and services detect and respond to each phase of their attack pattern.

What Is ShinyHunters?

ShinyHunters is a financially motivated criminal extortion group active since at least 2020. The FBI treats them as a distinct criminal crew with ties to the broader "The Com" collective, which also encompasses Scattered Spider (UNC3944) and LAPSUS$. Attribution across these designations is contested; operationally, treating them as a single extortion unit is the safer analytical posture for enterprise security teams.

A French national, Sebastien Raoult, was sentenced in 2024 to three years in prison and ordered to pay more than USD 5 million in restitution after conviction on charges related to ShinyHunters activity. The group continued operations through and after his sentencing, confirming a distributed membership model with no single point of leadership. In June 2024, French authorities arrested a second alleged operator. However, the group's operations did not pause.

Operational Evolution: Three Distinct Phases

The group has passed through three identifiable phases since 2020, each representing a deliberate shift in their monetisation model rather than a change in underlying capability.

Phase 1 (2020-2023): Mass Database Theft and Resale.

ShinyHunters targeted consumer platforms and sold stolen credential databases on dark web forums. Key breaches included Tokopedia (91 million records), a major technology company's source code repository (500 GB of data), and AT&T (a claimed 70+ million records, confirmed on BreachForums in March 2024). The operational signature was credential harvesting from exposed repositories and misconfigured cloud storage.

Phase 2 (2024): Cloud Platform Pivot and Snowflake Campaign.

ShinyHunters executed a credential-stuffing campaign against Snowflake environments, leveraging credentials acquired from infostealer malware marketplaces. Confirmed victims included a major global ticketing platform (560 million records, confirmed by the parent company), a leading international bank, and a major telecommunications provider. The group simultaneously began transitioning from data resale to direct victim extortion. An AWS environment compromise in this period saw the group use exposed S3 credentials from a public repository to conduct reconnaissance and exfiltrate data before issuing a ransom demand.

Phase 3 (2025-Present): SaaS Extortion-as-a-Service.

From June 2025, ShinyHunters re-emerged with materially different TTPs following a period of reduced activity after the June 2024 arrests. The new playbook centres on voice phishing (vishing) to abuse Salesforce OAuth flows, supply chain compromises through third-party integrations, and direct defacement of customer-facing applications as an escalation tactic. The group is also developing ShinySp1d3r, a Ransomware-as-a-Service (RaaS) platform, in collaboration with associated criminal actors under the Scattered Lapsus$ Hunters (SLSH) brand.

ShinyHunters Kill Chain: Phase-by-Phase Breakdown

The 2025-2026 operational model follows a consistent eight-step kill chain. The Canvas cyber attack maps to this chain with minor variations in the initial access vector. Understanding each phase is critical for security leaders to identify where existing controls apply, where gaps exist, and where Red Piranha's detection and response capabilities intercept the attack before data leaves the environment.

Step 1: Reconnaissance and Target Identification

Every ShinyHunters operation begins long before a single packet reaches the target. Using T1591 (Gather Victim Org Information), the group methodically identifies organisations with exposed SaaS portals, misconfigured guest user profiles, or publicly accessible API endpoints. This reconnaissance phase is patient and deliberate; the group cross-references dark web forum intelligence, public SaaS configuration exposures, and open-source data to build a target profile before committing an attack.

For the Instructure Canvas breach, reconnaissance focused on the Free-For-Teacher (FFT) account provisioning mechanism and the permission boundaries between free-tier and institutional accounts. Across the broader Salesforce campaign, the group used specialised API tooling to probe Experience Cloud portal configurations for guest user access, an attack surface that has existed since 2021 but attracted little defensive attention until the campaign reached scale. Public code repositories containing exposed AWS keys, Snowflake tokens, and OAuth credentials are systematically scanned during this phase, providing a pipeline of validated credentials before initial access is even attempted.

Step 2: Initial Access: Social Engineering or Vulnerability Exploitation

Two concurrent initial access vectors are observed across the 2025-2026 campaigns, and organisations should treat both as live risks regardless of which campaign their sector resembles most.

Vector A: Vishing and Social Engineering: Attackers impersonate IT support personnel and guide employees or BPO help desk agents through authorising malicious OAuth-connected apps in Salesforce, disguised as legitimate service desk tools. Victims are directed to the connected app setup screen and prompted to enter an 8-digit authorisation code controlled by the attacker. This technique, tracked as T1566.002 (Spearphishing Voice), specifically targets identity provider administrators, the accounts with the broadest downstream access across the environment.

Vector B: Account and Vulnerability Exploitation: For Canvas, Instructure confirmed that initial access was through an exploited vulnerability in Free-For-Teacher accounts, a provisioning path with less stringent access controls than standard institutional accounts. The group abused T1078 (Valid Accounts) to operate within the platform's own trust model and applied T1190 (Exploit Public-Facing Application) to gain the initial foothold through that provisioning boundary.
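
A defender-side check for the Vector A pattern above (a connected app disguised as a legitimate tool and granted OAuth access), as an added example that is not Red Piranha's or Salesforce's code. The inventory format, app names, client IDs, users and the similarity threshold are constructed assumptions.

```python
"""Added example: audit OAuth connected-app grants for lookalike apps.

The inventory format, app names, client IDs and users are constructed
assumptions; map an export from your own tenant onto these fields.
"""
import re
from difflib import SequenceMatcher

# Approved connected apps: client_id -> display name (constructed values).
APPROVED = {
    "cid-0001": "Data Loader",
    "cid-0002": "Service Desk Connector",
}
# Scopes that grant long-lived or unrestricted access.
PERSISTENT_SCOPES = {"refresh_token", "full"}
LOOKALIKE_THRESHOLD = 0.8  # assumed cut-off for name similarity
SEVERITY_RANK = {"critical": 0, "high": 1, "review": 2}

# Constructed inventory of current grants.
GRANTS = [
    {"client_id": "cid-0001", "app": "Data Loader",
     "user": "ops.admin", "scopes": ["api"]},
    {"client_id": "cid-9f3a", "app": "Data-Loader v2",
     "user": "helpdesk.agent7", "scopes": ["api", "refresh_token"]},
    {"client_id": "cid-7777", "app": "Calendar Sync",
     "user": "j.smith", "scopes": ["api", "refresh_token"]},
    {"client_id": "cid-5555", "app": "Survey Widget",
     "user": "m.lee", "scopes": ["web"]},
]


def normalise(name):
    """Lower-case and drop punctuation and spacing so cosmetic edits do not hide a copy."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def closest_approved(name):
    """Return (approved_name, similarity) for the most similar approved app."""
    scored = [
        (SequenceMatcher(None, normalise(name), normalise(a)).ratio(), a)
        for a in APPROVED.values()
    ]
    ratio, approved_name = max(scored)
    return approved_name, ratio


def audit(grants):
    """Return (client_id, severity, reasons) for every grant not on the approved list."""
    findings = []
    for g in grants:
        if g["client_id"] in APPROVED:
            continue  # known client ID: nothing to report
        reasons = ["unapproved_client_id"]
        severity = "review"
        # Long-lived scopes let an unapproved app keep access after the call ends.
        if PERSISTENT_SCOPES & set(g["scopes"]):
            reasons.append("persistent_scope")
            severity = "high"
        # A near-copy of an approved name under a different client ID is the
        # disguise described in Vector A, so it outranks everything else.
        approved_name, ratio = closest_approved(g["app"])
        if ratio >= LOOKALIKE_THRESHOLD:
            reasons.append("lookalike_of:" + approved_name)
            severity = "critical"
        findings.append((g["client_id"], severity, reasons))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f[1]], f[0]))


if __name__ == "__main__":
    for client_id, severity, reasons in audit(GRANTS):
        print(f"{severity:8} {client_id}  {', '.join(reasons)}")
```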

Step 3: Credential and Token Acquisition

Once inside, the group harvests every credential within reach. In Salesforce campaigns, this means AWS access keys, Snowflake credentials, and session tokens stored in connected app configurations and custom objects. This is a direct application of T1528 (Steal Application Access Token). This technique was documented in a 2024 AWS environment compromise where the group used cloud storage tools to enumerate bucket configurations and exfiltrate credentials, abusing T1078.004 (Valid Accounts: Cloud Accounts) to blend with normal administrative activity and avoid triggering conventional authentication alerts.

A distinct, campaign-specific user agent string has been identified in automated API query traffic associated with this group. It is a high-confidence behavioural IOC that is not attributable to any legitimate tooling and can be used to identify ShinyHunters activity within Salesforce Event Monitoring logs.

Step 4: Lateral Movement via SaaS Integration Chains

Harvested credentials are the key to the campaign's true scale. Leveraging T1550.001 (Use Alternate Authentication Material: Application Access Token), the group pivots from a breached Salesforce instance into the full ecosystem of connected platforms (including identity providers, collaboration tools, cloud data warehouses, and enterprise application suites), using SSO relationships and stored integration tokens. The victim's own trusted SaaS architecture becomes the lateral movement path.

The May 2026 video platform breach illustrates T1210 (Exploitation of Remote Services) precisely: ShinyHunters stole authentication tokens from a third-party analytics partner and used them to access cloud data environments belonging to a completely separate organisation without ever touching that organisation's core infrastructure. Instructure confirmed a separate ShinyHunters compromise of their Salesforce business environment in September 2025, which established the organisational familiarity used to target the Canvas platform eight months later.

Step 5: Discovery and Reconnaissance of Data Repositories

With access established, the group applies T1213 (Data from Information Repositories) through automated SOQL queries via the Salesforce Aura API, enumerating accessible objects including Accounts, Contacts, Cases, and internal User records. Anomalous query volume, unexpected IP geolocation, and access to objects outside normal platform function are detectable signals, but only for organisations with event monitoring enabled and baseline telemetry in place.

For Canvas, the group enumerated student and staff records, private message histories, and institutional metadata. Separately, T1580 (Cloud Infrastructure Discovery) is applied when scanning for exposed S3 bucket configurations and code repositories containing secrets.
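
The three Step 5 signals (query volume, unexpected geolocation, out-of-scope object access) expressed as detection logic over a constructed event log. This is an added example, not Red Piranha's detection content; the event schema is a simplified assumption rather than the real Salesforce Event Monitoring format, and the object names, thresholds and sample lines are constructed.

```python
"""Added example: flag the three Step 5 signals in SaaS API audit events.

The event schema is a simplified, constructed one (an assumption), not the
real Salesforce Event Monitoring format; map your own export onto it.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed policy values; derive them from your own baseline.
EXPECTED_GUEST_OBJECTS = {"KnowledgeArticle", "FAQ__c"}  # hypothetical portal objects
EXPECTED_COUNTRIES = {"AU", "NZ"}
WINDOW = timedelta(seconds=60)
MAX_QUERIES_PER_WINDOW = 5

# Constructed sample events: time, user_type, session, country, object
SAMPLE_LOG = """\
2026-05-01T02:00:00,Guest,s-100,AU,KnowledgeArticle
2026-05-01T02:05:00,Guest,s-100,AU,FAQ__c
2026-05-01T02:10:00,Guest,s-100,AU,KnowledgeArticle
2026-05-01T03:00:00,Standard,s-300,AU,Account
2026-05-01T03:00:30,Standard,s-300,AU,Contact
2026-05-01T04:00:00,Guest,s-200,ZZ,Account
2026-05-01T04:00:01,Guest,s-200,ZZ,Account
2026-05-01T04:00:02,Guest,s-200,ZZ,Contact
2026-05-01T04:00:03,Guest,s-200,ZZ,Contact
2026-05-01T04:00:04,Guest,s-200,ZZ,Case
2026-05-01T04:00:05,Guest,s-200,ZZ,User
2026-05-01T05:00:00,Guest,s-400,AU,Contact
"""


def parse_events(text):
    """Parse the constructed CSV into event dicts, sorted by time."""
    fields = ["ts", "user_type", "session", "country", "object"]
    events = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        row["ts"] = datetime.fromisoformat(row["ts"])
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return sorted (session, signal) findings, one per session and signal."""
    recent = defaultdict(deque)  # session -> timestamps inside the window
    findings = set()
    for e in events:
        sid = e["session"]
        # Signal 1: query volume above baseline within a sliding window.
        q = recent[sid]
        q.append(e["ts"])
        while e["ts"] - q[0] > WINDOW:
            q.popleft()
        if len(q) > MAX_QUERIES_PER_WINDOW:
            findings.add((sid, "query_volume"))
        # Signal 2: session origin outside the expected geography.
        if e["country"] not in EXPECTED_COUNTRIES:
            findings.add((sid, "unexpected_geo"))
        # Signal 3: guest principal reading objects the portal never serves.
        if e["user_type"] == "Guest" and e["object"] not in EXPECTED_GUEST_OBJECTS:
            findings.add((sid, "object_out_of_scope"))
    return sorted(findings)


def triage(findings):
    """Group signals per session; two or more signals together rank as high."""
    by_session = defaultdict(list)
    for sid, signal in findings:
        by_session[sid].append(signal)
    return {
        sid: ("high" if len(signals) >= 2 else "review", signals)
        for sid, signals in by_session.items()
    }


if __name__ == "__main__":
    for sid, (severity, signals) in triage(detect(parse_events(SAMPLE_LOG))).items():
        print(f"{severity:6} {sid}  {', '.join(signals)}")
```

None of the signals works without the baseline the paragraph above calls for: the expected object set, the expected countries and the per-window ceiling all have to come from your own telemetry.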

Step 6: Data Exfiltration

Exfiltration is conducted entirely over legitimate API channels: Salesforce Data Loader, Aura API endpoints, or direct cloud storage access using T1567.002 (Exfiltration Over Web Service: Exfiltration to Cloud Storage). There is no custom malware, no covert channel, and no anomalous protocol in documented Phase 3 operations. The group relies on the permissions already granted by the compromised account or OAuth token. Where data is staged and moved to attacker-controlled storage, T1537 (Transfer Data to Cloud Account) applies, consistent with the cloud storage tool activity observed in the 2024 AWS compromise.

For the Canvas cyber attack, Instructure confirmed that names, email addresses, student ID numbers, and private message content were exfiltrated. The group claims 3.65 TB and several billion private messages in addition to the 275 million identity records, a volume that, if accurate, places this among the largest single-platform data thefts on record.

Step 7: Extortion and Public Pressure

ShinyHunters makes direct contact with victim organisations through private ransom communications, while simultaneously running public countdown timers on their dark web leak site. Applying T1657 (Financial Theft / Extortion), the group uses named executive contacts, proactive media outreach, and leak-site listings to manufacture reputational pressure that accelerates payment decisions. There is no encryption of victim systems; the leverage is purely informational, which makes it simultaneously harder to remediate than traditional ransomware and easier to underestimate until the data is public.

When initial pressure fails, the group escalates to T1491 (Defacement) of live production systems. The Instructure sequence illustrates this precisely: ransom note posted 3 May 2026, first deadline set for 6 May, Instructure applied security patches rather than negotiating, and ShinyHunters responded on 7 May by defacing Canvas login portals across every affected institution simultaneously. The message read: "SHINYHUNTERS rooting your systems since '19. ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some security patches."

Step 8: Data Leak or Continued Disruption

If ransom is not paid, data is published on the ShinyHunters dark web leak site or transacted to other criminal actors. Beyond data extortion, the group has begun developing ShinySp1d3r, a Ransomware-as-a-Service platform. Early samples identified in late 2025 include a Windows encryptor engineered to deliver T1486 (Data Encrypted for Impact); a Linux version was confirmed in active development. The platform incorporates T1565 (Data Manipulation) and continued T1491 (Defacement) capabilities as coercive instruments within the RaaS model.

ShinySp1d3r is currently in active development with the data leak site URL embedded in early samples functioning as a placeholder. If the platform reaches operational maturity, it represents a direct escalation from data-only extortion to encrypted system compromise across the same victim pool ShinyHunters has been building since 2020. Organisations targeted in the 2025-2026 Salesforce and Canvas campaigns should treat themselves as priority ShinySp1d3r targets.

MITRE ATT&CK TTP Matrix

The following table maps confirmed ShinyHunters techniques to the MITRE ATT&CK Enterprise framework (v15). All mappings are based on Red Piranha Threat Intelligence Reports, government advisory reporting from the FBI Cyber Division, and the formally documented MITRE ATT&CK Campaign C0059 (Salesforce Data Exfiltration), which covers ShinyHunters activity under the UNC6040/UNC6240 designations.

| Tactic | Technique ID | Technique Name | Observed Context |
|---|---|---|---|
| Reconnaissance | T1591 | Gather Victim Org Information | Dark web forum data, SaaS portal scanning, BPO targeting lists |
| Resource Development | T1583.001 | Acquire Infrastructure: Domains | Ticket-themed phishing domains and credential harvesting pages |
| Initial Access | T1566.002 | Spearphishing Voice (Vishing) | IT impersonation calls to help desk and BPO agents; OAuth authorisation guidance |
| Initial Access | T1078 | Valid Accounts | Stolen credentials from infostealer markets; FFT account exploitation (Canvas) |
| Initial Access | T1190 | Exploit Public-Facing Application | Salesforce Aura API guest profile misconfiguration; Canvas FFT account vulnerability |
| Execution | T1059 | Command and Scripting Interpreter | Automated SOQL queries; S3 API calls via S3 Browser; API scripting tooling |
| Persistence | T1098.001 | Additional Cloud Credentials | OAuth app registration within Salesforce for persistent access |
| Defence Evasion | T1078.004 | Valid Accounts: Cloud Accounts | All access through legitimate OAuth tokens; no malware deployed in Phase 3 |
| Defence Evasion | T1068 | Exploitation for Privilege Escalation | Canvas FFT account privilege escalation to access institutional data |
| Credential Access | T1528 | Steal Application Access Token | AWS keys, Snowflake tokens, OAuth tokens from Salesforce objects and public repos |
| Credential Access | T1056 | Input Capture | Credential harvesting pages mimicking enterprise identity provider login flows |
| Discovery | T1213 | Data from Information Repositories | SOQL enumeration of Salesforce objects; Canvas database record traversal |
| Discovery | T1580 | Cloud Infrastructure Discovery | S3 bucket configuration enumeration; code repository scanning for secrets |
| Lateral Movement | T1550.001 | Application Access Token | SSO token reuse across identity providers, collaboration platforms, and cloud data stores |
| Lateral Movement | T1210 | Exploitation of Remote Services | Supply chain pivot via third-party analytics partner to cloud data environments |
| Collection | T1114 | Email Collection | Exfiltration of private messages and communications data (Canvas LMS breach) |
| Exfiltration | T1537 | Transfer Data to Cloud Account | Data moved via S3 Browser and WinSCP to attacker-controlled storage |
| Exfiltration | T1567.002 | Exfiltration Over Web Service | Data Loader API; Aura API bulk export; Canvas API data retrieval |
| Impact | T1657 | Financial Theft/Extortion | Pay-or-leak ransom model; countdown timers; named executive contact |
| Impact | T1491 | Defacement | Canvas login portal defacement on 7 May 2026 across 9,000 institutions |
| Impact | T1486 | Data Encrypted for Impact | ShinySp1d3r RaaS in development, Windows encryptor confirmed, Linux version imminent |


The Instructure Canvas Breach: What Happened and What It Means

The Canvas LMS breach is the highest-visibility ShinyHunters operation by affected headcount, and the first documented case of the group defacing live production SaaS infrastructure as a coercive tactic. It is also the group's second confirmed breach of the same organisation within eight months, a detail that carries significant implications for how security leaders should think about post-incident remediation.

Breach Timeline

| Date | Event |
|---|---|
| 30 April 2026 | ShinyHunters exploits a vulnerability in Instructure's Free-For-Teacher (FFT) account provisioning. FFT accounts, designed to allow individual educators to trial Canvas outside of institutional affiliation, had permission boundaries insufficiently isolated from institutional data stores. |
| 1 May 2026 | Instructure confirms a cybersecurity incident via its status page. Canvas Data 2 and Canvas Beta are taken offline. External forensic experts engaged alongside law enforcement. |
| 2 May 2026 | Instructure states the incident is contained. Confirms that names, email addresses, student ID numbers, and private messages were stolen. No passwords, dates of birth, government identifiers, or financial information confirmed compromised. |
| 3 May 2026 | ShinyHunters publishes a ransom note on their dark web leak site. Claims 275 million records across 8,809 institutions, 3.65 TB of data, and access to Instructure's Salesforce instance. First payment deadline set for 6 May 2026. |
| 6 May 2026 | Instructure reports Canvas fully operational. States no evidence of ongoing unauthorised activity. Applies security patches to the FFT account mechanism and rotates application keys, privileged credentials, and access tokens. |
| 7 May 2026 | ShinyHunters defaces Canvas login portals simultaneously across all affected institutions at approximately 1:20 PM PDT. Users logging in are redirected to the ShinyHunters ransom message. Finals examinations are disrupted at multiple universities. A new ransom deadline is set for 12 May 2026. |
| 8 May 2026 | Instructure takes Canvas offline to investigate the defacement. Confirms the attack vector was the FFT account mechanism. Temporarily suspends all Free-For-Teacher accounts globally. |
| 12 May 2026 | DEADLINE: ShinyHunters states data will be published and additional disruptions will follow if Instructure does not negotiate. Status as of publication: unresolved. |


The ShinyHunters Canvas breach is not an isolated incident. It is the second confirmed ShinyHunters compromise of Instructure's environment. In September 2025, the group breached Instructure's Salesforce business systems via social engineering. That breach did not expose Canvas product data, but it established organisational access and operational familiarity. The April 2026 attack targeted the product platform directly through a different vulnerability class.

Two lessons apply across every sector. First, a declared containment does not mean the adversary has lost interest. ShinyHunters returned to the same target eight months later with an entirely different access vector, confirming that post-incident remediation must address the adversary's full knowledge of the environment, not just the specific vulnerability exploited.

Second, SaaS platforms with tiered account structures (free versus institutional, trial versus production) consistently present misconfigured permission boundaries between those tiers. The FFT account mechanism is a textbook example of a provisioning path that was never held to the same security standard as the core product. Every organisation operating a SaaS platform with multiple account tiers should treat this as a direct analogue risk.

How Red Piranha Detects and Prevents ShinyHunters Attacks

ShinyHunters does not breach organisations through exotic zero-days. They find the gaps between what a security policy says and what a platform actually enforces: an OAuth flow that bypasses multi-factor authentication (MFA), a guest user profile with API access it was never meant to have, a help desk agent who followed the right procedure for the wrong caller. Closing those gaps requires coverage from network telemetry to governance posture, and the ability to act the moment detection fires. Red Piranha's integrated platform and advisory services are built to cover every phase of the ShinyHunters kill chain.

A Unified Platform Across the Full Kill Chain

ShinyHunters succeeds against fragmented security stacks. When NDR telemetry, identity logs, SaaS audit trails, and endpoint data sit in separate tools with separate teams, the lateral movement from Salesforce to Snowflake to cloud storage is invisible between the seams. Crystal Eye TDIR unifies network security, secure access, and policy enforcement in a single control plane. Crystal Eye NDR, Crystal Eye EDR, Threat Intelligence, DAS, and the Red Piranha SOC operate under the same data model and correlation engine. When ShinyHunters pivots from a Salesforce OAuth token to a cloud storage environment, every hop is visible and every detection is correlated. There is no gap between your SaaS visibility, your network telemetry, and your response workflow for the group to move through undetected.

Unmatched Network Visibility Across Your Entire Environment

The Salesforce Aura API campaign that hit multiple global enterprises succeeded at scale because most organisations had no baseline for normal API query volume on their Experience Cloud portals.

Crystal Eye Network Detection and Response (NDR) closes that gap. It delivers more than ten times the network visibility of standard market alternatives through continuous behavioural analytics across the entire network, baselining API call patterns, session geolocation, data transfer volumes, and lateral movement signals in real time.

When ShinyHunters' automated SOQL queries begin enumerating Accounts, Contacts, and Cases at machine speed, Crystal Eye surfaces the deviation immediately, not as a signature match but as a behavioural anomaly that flags both known ShinyHunters infrastructure and novel pivot techniques the group has not yet used publicly.

Crystal Eye NDR deploys in-line without requiring re-architecture of existing network or cloud infrastructure. There are no engineering overheads, no extended rollout timelines, and no gap between deployment and coverage. Organisations that discovered their exposure only after receiving a ShinyHunters ransom note understand exactly why time-to-coverage is not a theoretical concern.

Stopping the Endpoint and Cloud Credential Chain

Once ShinyHunters is inside a Salesforce environment, they harvest AWS access keys, Snowflake tokens, and session credentials stored in connected app configurations. They move those credentials through cloud storage tools to enumerate and exfiltrate data.

Crystal Eye Threat Detection, Investigation and Response (TDIR) capability along with EDR detects this execution chain directly: cloud storage tool execution flagged against approved software inventories, process anomalies consistent with credential harvesting activity, and ShinySp1d3r encryptor behavioural signatures at the file system level.

Current SHA256 hashes for ShinySp1d3r samples are loaded into Crystal Eye EDR as direct match indicators. Encrypted metadata handling provides additional visibility across TLS-wrapped API exfiltration channels that bypass conventional traffic inspection entirely.

Red Piranha's Declarative Authorisation Service (DAS) addresses the upstream structural cause of these compromises. Root and administrator access within Crystal Eye requires a strict three-stage escalation and authorisation process. Even where a vulnerability exists in a platform frontend, DAS prevents it from being exploited to gain privileged access. This is a structural reduction of the attack surface ShinyHunters' Phase 3 campaign depends on, not a compensating control applied after the fact.

Threat Intelligence That Keeps Pace with the Threat Actor

ShinyHunters rotates infrastructure continuously. New phishing domains, updated campaign user agent strings, and ShinySp1d3r encryptor variants emerge on timelines that make weekly IOC feed updates functionally useless.

Red Piranha's Threat Intelligence ingests and validates indicators from law enforcement sources and Red Piranha's own telemetry, then pushes confirmed ShinyHunters IOCs to Crystal Eye NDR detection rules, Crystal Eye EDR hash matching, DNS filtering, and firewall block lists within hours of publication. No manual intervention, no analyst bottleneck. The campaign-specific user agent string, the ShinySp1d3r encryptor hashes, and the phishing domain patterns associated with ShinyHunters campaigns are active in your control plane the same day they are confirmed.

This operationalised intelligence feeds directly into Red Piranha's Managed Detection and Response (MDR) capability, where the Red Piranha CESOC works against a continuously updated picture of ShinyHunters' current infrastructure, not last month's static IOC export.

Detection, Investigation, and Response Without the Retainer Gap

When a ShinyHunters ransom note arrives, most organisations spend their first 48 hours negotiating IR retainer access and scoping agreements while dwell time accumulates and the attacker's leverage increases. Crystal Eye TDIR eliminates that gap entirely. Integrated PCAP analysis means full packet-level context is available at the moment of detection, not after an external forensics team has deployed tooling and signed access agreements.

Eighteen or more months of data retention, stored in-country, ensures forensic investigation can reconstruct the complete attack timeline even when, as with the Instructure case, the initial intrusion predates the extortion demand by months. This retention posture aligns to ISO 27001, Essential Eight, NIST, and PCI requirements without requiring a separate compliance data store.

For organisations facing an active ShinyHunters incident, Red Piranha's Digital Forensics and Incident Response (DFIR) capability delivers in-situ response with human-machine teaming built in from the start. Proactive threat hunting runs continuously alongside reactive investigation, cutting time-to-truth and enabling containment before the group escalates to defacement or data publication. Push-button escalation routes confirmed detections directly to the Red Piranha SOC without contractual delay. Automated containment workflows execute token revocation and connected app suspension the moment a detection is confirmed.

Governance, Compliance, and the Controls That Prevent the Breach

The Salesforce guest user profile misconfiguration that enabled ShinyHunters' Experience Cloud campaign is a governance failure. The Free-For-Teacher account boundary weakness at Instructure is a governance failure. Neither was a sophisticated exploit. Both were provisioning decisions that were never measured against actual security policy after deployment.

Red Piranha's GRC and Compliance Consulting, covering ISO 27001, IEC 62443, and NIST frameworks, identifies these gaps through structured security reviews before a threat actor finds them first.

Red Piranha's Security Risk Assessment (SRA) surfaces the CVE-class exposures associated with ShinyHunters' infrastructure scanning activity and prioritises remediation against current threat intelligence.

Penetration Testing validates whether the OAuth flows, connected app authorisation paths, and third-party SaaS integrations in your environment are exploitable in the manner ShinyHunters has demonstrated against peer organisations. The Corporate Security Review (CSR) examines the broader security posture, including help desk vishing procedures and out-of-band verification controls, the first line of defence against ShinyHunters' Phase 3 initial access vector.

Red Piranha's eCISO™ and vCISO service provides the ongoing strategic oversight to ensure controls remain calibrated as ShinyHunters' TTPs evolve. Integrated Risk Management connects the technical detection posture to business risk quantification, giving boards and risk committees a clear, actionable picture of ShinyHunters exposure. Policy-as-Code enforcement through Crystal Eye SASE applies continuous auditing against your intended configuration, measuring guest user API permissions, OAuth connected app authorisations, and data sharing rules on an ongoing basis, not discovering drift in a post-breach review.

The Canvas cyber attack demonstrates that the group will escalate coercive tactics, including live system defacement affecting hundreds of thousands of end users simultaneously, when initial extortion pressure is resisted. The ShinySp1d3r RaaS platform, currently in active development, represents the next escalation: the same victim pool, the same access methodology, with encryption capability added. Organisations that have received ShinyHunters extortion communications in the 2025-2026 period should treat themselves as priority ShinySp1d3r targets and verify that backup integrity, offline recovery capability, and incident response readiness are confirmed before that platform reaches operational deployment.

Red Piranha has tracked ShinyHunters throughout 2025 and continues to update Crystal Eye detection coverage as the group's TTPs evolve. If your organisation requires a gap analysis against the ShinyHunters attack chain, a review of TDIR coverage, or an active incident response engagement, contact Red Piranha.



Updates:

11 May 2026: Instructure Reaches Agreement with ShinyHunters

In a statement published on 11 May 2026, Instructure CEO Steve Daly confirmed that the company has reached an agreement with ShinyHunters. According to Instructure, the stolen data has been returned, digital confirmation of data destruction has been received in the form of shred logs, and the group has stated that no Instructure customers will be subject to further extortion publicly or otherwise. The agreement is stated to cover all affected institutions, and Instructure has advised customers not to attempt independent contact with the threat actor. Instructure has also confirmed that Canvas remains fully operational and that core learning data including course content, submissions, and credentials was not compromised at any point during the incident. A forensic summary and customer webinar are expected on 13 May 2026 across multiple time zones.

Last Updated: May 12, 2026