over 30 million
The notorious extortion group ShinyHunters has successfully breached the education technology giant Instructure, exposing the data of more than 30 million students and staff. The attack vector was not a sophisticated zero-day exploit but a simple voice phishing (vishing) call to the company's helpdesk. By impersonating IT personnel, the attackers obtained credentials for a Microsoft Entra account, which granted them access to the Canvas Learning Management System (LMS). The incident underscores a systemic failure in access governance and the persistent threat of social engineering. The breach caused significant disruption, including the postponement of final exams, and culminated in Instructure paying a ransom to prevent the public release of the stolen data, a direct contradiction of FBI guidance.
The attack began when members of ShinyHunters initiated a vishing campaign targeting Instructure's IT helpdesk. Posing as internal IT support staff, they successfully convinced a helpdesk employee to provide them with credentials for an employee's Microsoft Entra account. This single point of failure provided the attackers with initial access to Instructure's corporate environment and, subsequently, the Canvas LMS platform.
Once inside, ShinyHunters exfiltrated a massive trove of data, including student and staff names, email addresses, student IDs, and private messages exchanged within the Canvas platform. When Instructure initially refused to meet the attackers' ransom demands, ShinyHunters escalated its tactics. They conducted a second breach and defaced the login screens of the Canvas LMS during a critical period—final exams for many of the nearly 9,000 schools using the service. This act of digital vandalism caused widespread panic and operational disruption, forcing some institutions to postpone exams. Faced with mounting pressure and the threat of a massive data leak, Instructure ultimately paid an undisclosed ransom.
The attack on Instructure is a classic example of leveraging the human element to bypass technical controls. The TTPs observed are:
T1566.004 - Spearphishing Voice: The core of the attack was a vishing call to the helpdesk to socially engineer an employee into giving up credentials.T1078 - Valid Accounts: The threat actors used the legitimate, stolen credentials to access the Canvas LMS and escalate their privileges within the system.T1530 - Data from Cloud Storage Object: The group accessed and exfiltrated sensitive user data stored within the Canvas cloud platform.T1491.001 - Defacement: To apply pressure, ShinyHunters defaced the Canvas login pages. The entire operation is a form of T1472 - Extortion.This incident highlights a critical failure in access lifecycle governance. The ease with which the attackers obtained credentials points to inadequate identity verification protocols at the helpdesk, a common but often overlooked weak point in enterprise security.
The breach has had a severe impact on Instructure and the millions of users who rely on its platform. The exposure of 30 million records containing personal information and private messages creates a significant risk of identity theft, phishing, and other follow-on attacks for the affected students and staff. For Instructure, the financial impact includes the ransom payment, incident response costs, and potential regulatory fines. The reputational damage is immense, eroding trust among the thousands of educational institutions that are its customers. The disruption of final exams caused direct harm to the educational process, demonstrating the tangible, real-world consequences of cyberattacks on critical service providers.
No specific technical IOCs were mentioned in the source articles.
Since this was a social engineering attack, technical observables are less relevant than procedural and behavioral ones. Security teams may want to hunt for:
event_id4768, 4769log_sourceMicrosoft Entra ID Sign-in logsuser_account_patternhelpdesk*, admin*api_endpointPOST /login/canvasTraining helpdesk staff specifically on vishing and social engineering tactics is crucial to prevent credential compromise.
Implementing phishing-resistant MFA (like FIDO2) would have rendered the stolen credentials useless.
Enforcing strong identity verification for any privileged action, such as a password reset, is a critical control.
The most effective technical countermeasure to the vishing attack that compromised Instructure is the widespread implementation of phishing-resistant Multi-Factor Authentication (MFA). Specifically, organizations should prioritize deploying FIDO2/WebAuthn standards, which use public-key cryptography and require a hardware token or biometric authenticator. Unlike one-time passwords (OTPs) sent via SMS or authenticator apps, FIDO2 keys are not susceptible to being phished or socially engineered. Had Instructure's Microsoft Entra accounts been protected by this technology, the credentials stolen by ShinyHunters would have been insufficient to gain access, stopping the attack at the initial access stage. The rollout should be prioritized for all employees, but especially for privileged accounts and helpdesk staff.
Strengthen helpdesk procedures by implementing a system of authentication event thresholding and verification for high-risk actions. For any request to reset a password or modify MFA settings, the helpdesk protocol must require multi-channel verification that does not rely on information an attacker could easily obtain. For example, after an initial request, an automated system should trigger a callback to the user's pre-registered, on-file phone number for confirmation. For privileged accounts, this process should be even more stringent, potentially requiring manager approval or verification from a second trusted source. This creates friction for attackers and provides a crucial verification layer that a simple vishing call cannot bypass.
Implement comprehensive monitoring and auditing of all helpdesk activities within your ITSM platform and correlate this data with sign-in logs from identity providers like Microsoft Entra. Create high-fidelity alerts for the sequence of 'password reset ticket created' followed by 'successful login from new IP/device/geolocation'. This allows the security operations team to quickly investigate potentially fraudulent account recovery events. Furthermore, User and Entity Behavior Analytics (UEBA) should be employed to baseline normal user activity. A compromised account used by ShinyHunters would likely exhibit anomalous behavior (e.g., accessing unusual data, large data downloads) that would deviate from the legitimate user's profile, triggering an alert for investigation.

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Help others stay informed about cybersecurity threats
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.