Education technology company Instructure appears to have suffered a second cybersecurity incident days after disclosing a major student data breach, with hackers defacing login pages tied to its Canvas learning platform and threatening to release stolen information unless the company negotiates a settlement.
TechCrunch identified messages posted by cybercrime group ShinyHunters on the Canvas login pages of three separate schools. The altered pages displayed warnings claiming that stolen data would be published on May 12 if Instructure failed to negotiate with the attackers.
The defacement appeared to involve hackers injecting malicious HTML files into school login portals connected to Canvas, the company’s platform used by schools to manage coursework, assignments, and communication between teachers and students.
Earlier this week, Instructure disclosed a separate breach in which hackers stole student information including names, personal email addresses, and messages exchanged between students and teachers.
Company Temporarily Took Canvas Offline
At various points during the incident, Instructure’s website returned “too many requests” errors, while the Canvas platform displayed notices indicating scheduled maintenance.
Brian Watkins told TechCrunch that the company temporarily shut down Canvas services after discovering that attackers had modified customer login pages.
“Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate,” Watkins said.
The company later determined that attackers exploited an issue tied to Canvas Free-For-Teacher accounts.
As a result, Instructure temporarily disabled those accounts while restoring broader access to the platform.
Watkins also confirmed that the individuals responsible for the login page defacements were connected to the earlier data breach.
“This gives us the confidence to restore access to Canvas, which is now fully back online and available for use,” he said.
Hackers Increase Pressure Following Earlier Breach
Cybercrime group ShinyHunters previously claimed responsibility for the original Instructure breach and publicly listed the company on its leak site, a platform commonly used by ransomware and extortion groups to pressure victims into paying demands.
The latest defacement campaign appears intended to increase pressure on Instructure and affected schools by publicly displaying ransom-related messages directly on login pages accessed by students and educators.
When asked about the new compromise, a member of ShinyHunters told TechCrunch that the incident involved a second, separate breach but declined to discuss technical details.
Following the earlier breach, the group claimed it had stolen data connected to nearly 9,000 schools worldwide, allegedly affecting information tied to approximately 231 million individuals.
ShinyHunters has been linked to numerous data theft and extortion operations over the past several years, typically using a strategy centered on breaching organizations, publicizing stolen information, and pressuring victims into payment negotiations.
Featured image credits: Onit
For more stories like it, click the +Follow button at the top of this page to follow us.