ShinyHunters Group Breaches Edtech Giant Instructure, Exposing Data of Over 30 Million from Canvas LMS

Human Error Breach: ShinyHunters Hits Instructure via Vishing, Steals 30M+ Student Records

HIGH
July 11, 2026
6m read
Data BreachThreat ActorPhishing

Impact Scope

People Affected

over 30 million

Affected Companies

Instructure

Industries Affected

EducationTechnology

Related Entities

Threat Actors

Organizations

Products & Tech

Canvas LMSMicrosoft Entra

Other

Instructure

Full Report

Executive Summary

The notorious extortion group ShinyHunters has successfully breached the education technology giant Instructure, exposing the data of more than 30 million students and staff. The attack vector was not a sophisticated zero-day exploit but a simple voice phishing (vishing) call to the company's helpdesk. By impersonating IT personnel, the attackers obtained credentials for a Microsoft Entra account, which granted them access to the Canvas Learning Management System (LMS). The incident underscores a systemic failure in access governance and the persistent threat of social engineering. The breach caused significant disruption, including the postponement of final exams, and culminated in Instructure paying a ransom to prevent the public release of the stolen data, a direct contradiction of FBI guidance.

Threat Overview

The attack began when members of ShinyHunters initiated a vishing campaign targeting Instructure's IT helpdesk. Posing as internal IT support staff, they successfully convinced a helpdesk employee to provide them with credentials for an employee's Microsoft Entra account. This single point of failure provided the attackers with initial access to Instructure's corporate environment and, subsequently, the Canvas LMS platform.

Once inside, ShinyHunters exfiltrated a massive trove of data, including student and staff names, email addresses, student IDs, and private messages exchanged within the Canvas platform. When Instructure initially refused to meet the attackers' ransom demands, ShinyHunters escalated its tactics. They conducted a second breach and defaced the login screens of the Canvas LMS during a critical period—final exams for many of the nearly 9,000 schools using the service. This act of digital vandalism caused widespread panic and operational disruption, forcing some institutions to postpone exams. Faced with mounting pressure and the threat of a massive data leak, Instructure ultimately paid an undisclosed ransom.

Technical Analysis

The attack on Instructure is a classic example of leveraging the human element to bypass technical controls. The TTPs observed are:

  • Initial Access: T1566.004 - Spearphishing Voice: The core of the attack was a vishing call to the helpdesk to socially engineer an employee into giving up credentials.
  • Credential Access: The attackers obtained valid credentials for a Microsoft Entra account.
  • Defense Evasion & Privilege Escalation: T1078 - Valid Accounts: The threat actors used the legitimate, stolen credentials to access the Canvas LMS and escalate their privileges within the system.
  • Collection: T1530 - Data from Cloud Storage Object: The group accessed and exfiltrated sensitive user data stored within the Canvas cloud platform.
  • Impact: T1491.001 - Defacement: To apply pressure, ShinyHunters defaced the Canvas login pages. The entire operation is a form of T1472 - Extortion.

This incident highlights a critical failure in access lifecycle governance. The ease with which the attackers obtained credentials points to inadequate identity verification protocols at the helpdesk, a common but often overlooked weak point in enterprise security.

Impact Assessment

The breach has had a severe impact on Instructure and the millions of users who rely on its platform. The exposure of 30 million records containing personal information and private messages creates a significant risk of identity theft, phishing, and other follow-on attacks for the affected students and staff. For Instructure, the financial impact includes the ransom payment, incident response costs, and potential regulatory fines. The reputational damage is immense, eroding trust among the thousands of educational institutions that are its customers. The disruption of final exams caused direct harm to the educational process, demonstrating the tangible, real-world consequences of cyberattacks on critical service providers.

IOCs — Directly from Articles

No specific technical IOCs were mentioned in the source articles.

Cyber Observables — Hunting Hints

Since this was a social engineering attack, technical observables are less relevant than procedural and behavioral ones. Security teams may want to hunt for:

Type
event_id
Value
4768, 4769
Description
Anomalous Kerberos authentication events, especially from unusual locations or for accounts that should not be used for interactive logon.
Context
Domain Controller Security Logs
Type
log_source
Value
Microsoft Entra ID Sign-in logs
Description
Look for sign-ins for helpdesk or privileged accounts from unfamiliar IP addresses, locations, or devices shortly after a reported helpdesk interaction.
Context
Azure Portal, SIEM
Type
user_account_pattern
Value
helpdesk*, admin*
Description
Monitor for unusual activity on accounts used by helpdesk personnel, such as access to sensitive systems they do not normally manage.
Context
SIEM, UEBA
Type
api_endpoint
Value
POST /login/canvas
Description
While not an indicator of the breach itself, monitoring for unusual User-Agent strings or a high volume of failed logins followed by a success from a new IP could indicate credential abuse.
Context
Web server logs

Detection & Response

  • User and Entity Behavior Analytics (UEBA): Deploy UEBA tools to detect anomalous account usage. A UEBA system could have flagged the compromised Entra account when it was used from an unusual location or began accessing data inconsistent with the legitimate user's normal behavior.
  • Helpdesk Monitoring (D3FEND: Domain Account Monitoring (D3-DAM)): All credential reset and account recovery actions performed by the helpdesk must be logged and audited. Implement alerts for high-risk activities, such as resetting credentials for privileged accounts.
  • Phishing-Resistant MFA: The most effective technical control would have been the use of phishing-resistant Multi-Factor Authentication (MFA), such as FIDO2/WebAuthn. This would have prevented the stolen credentials from being useful to the attacker.

Mitigation

  • Helpdesk Identity Verification: Implement stringent identity verification procedures for all helpdesk requests, especially those involving credential resets or MFA changes. This should involve multi-channel verification (e.g., a callback to a registered phone number, questions based on HR data).
  • User Training (D3FEND: User Training): Conduct regular, mandatory security awareness training for all employees, with a special focus on helpdesk staff. Training should include simulations of vishing and other social engineering attacks.
  • Implement Phishing-Resistant MFA (D3FEND: Multi-factor Authentication (D3-MFA)): Prioritize the rollout of phishing-resistant MFA (e.g., FIDO2 security keys) for all users, especially those with privileged access. This is the single most effective control against credential theft via phishing and vishing.
  • Access Lifecycle Governance: Enforce policies for regular access reviews and the removal of stale or unnecessary credentials and permissions. Ensure that accounts have the least privilege necessary to perform their roles.

Timeline of Events

1
July 11, 2026
This article was published

MITRE ATT&CK Mitigations

Training helpdesk staff specifically on vishing and social engineering tactics is crucial to prevent credential compromise.

Implementing phishing-resistant MFA (like FIDO2) would have rendered the stolen credentials useless.

Enforcing strong identity verification for any privileged action, such as a password reset, is a critical control.

Audit

M1047enterprise

Auditing all helpdesk actions, especially those related to account recovery, can help detect abuse.

D3FEND Defensive Countermeasures

The most effective technical countermeasure to the vishing attack that compromised Instructure is the widespread implementation of phishing-resistant Multi-Factor Authentication (MFA). Specifically, organizations should prioritize deploying FIDO2/WebAuthn standards, which use public-key cryptography and require a hardware token or biometric authenticator. Unlike one-time passwords (OTPs) sent via SMS or authenticator apps, FIDO2 keys are not susceptible to being phished or socially engineered. Had Instructure's Microsoft Entra accounts been protected by this technology, the credentials stolen by ShinyHunters would have been insufficient to gain access, stopping the attack at the initial access stage. The rollout should be prioritized for all employees, but especially for privileged accounts and helpdesk staff.

Strengthen helpdesk procedures by implementing a system of authentication event thresholding and verification for high-risk actions. For any request to reset a password or modify MFA settings, the helpdesk protocol must require multi-channel verification that does not rely on information an attacker could easily obtain. For example, after an initial request, an automated system should trigger a callback to the user's pre-registered, on-file phone number for confirmation. For privileged accounts, this process should be even more stringent, potentially requiring manager approval or verification from a second trusted source. This creates friction for attackers and provides a crucial verification layer that a simple vishing call cannot bypass.

Implement comprehensive monitoring and auditing of all helpdesk activities within your ITSM platform and correlate this data with sign-in logs from identity providers like Microsoft Entra. Create high-fidelity alerts for the sequence of 'password reset ticket created' followed by 'successful login from new IP/device/geolocation'. This allows the security operations team to quickly investigate potentially fraudulent account recovery events. Furthermore, User and Entity Behavior Analytics (UEBA) should be employed to baseline normal user activity. A compromised account used by ShinyHunters would likely exhibit anomalous behavior (e.g., accessing unusual data, large data downloads) that would deviate from the legitimate user's profile, triggering an alert for investigation.

Sources & References

The 6 biggest cybersecurity breaches of 2026 so far
Mashable (mashable.com) July 11, 2026
How Stale Credentials Drove the Worst Data Breach Incidents of 2026
Cybersecurity Insiders (cybersecurity-insiders.com) July 11, 2026
2026 Data Breaches: Cybersecurity Incidents Explained
PKWARE (pkware.com) July 11, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

ShinyHuntersInstructureCanvas LMSData BreachVishingSocial EngineeringEducation

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.