The FBI is warning students and staff that ShinyHunters may come knocking after the Canvas breach

When the FBI issues a public service announcement that appears to deliberately avoid naming the company at the center of the story, you can figure out which…

On May 15, 2026, the FBI’s Internet Crime Complaint Center (IC3) issued an advisory regarding the ShinyHunters gang that recently breached the “Online Learning Management System” used by educational institutions across the United States.

The advisory does not say that the hacked platform was Canvas, or that the company involved was Instructure.

It didn’t need to. The security breach wasn’t just big news on cybersecurity blogs; it made headlines around the world.

On May 12, Instructure quietly confirmed that it had reached an “agreement” with the attackers, who apparently had provided “digital assurance of data destruction (log shredders).”

In short, Instructure paid the ransom.

There are several potential problems with paying off a gang and hoping they honor the deal. One of the biggest problems is that it requires you to trust the gang.

And I think that’s why the FBI wrote its PSA. It is a polite reminder to everyone (whether they are students, parents, or staff) that their data may still be out there, and that the criminals may prove untrustworthy and start using the stolen information.

For example, ShinyHunters or their cybercriminal affiliates may use potentially sensitive personal information to victimize innocent people who are caught up in the breach through no fault of their own.

As the FBI warns, in an effort to extort money, ShinyHunters “often use harassment tactics, sending threatening text messages and phone calls to victims and their family members, and in some cases, swatting.”

In addition, scammers may claim to have access to compromising information, such as embarrassing photos or videos of victims.

And then there are always spear-phishing campaigns, where hackers can disguise their poisoned messages by using stolen student IDs, professor names, or snippets of private messages stolen in a breach.

The FBI advises victims not to engage with anyone who claims to be holding their data for ransom, and to wait for official guidance from their educational institutions to learn what information is at risk.

In addition, users are advised not to click on suspicious links or unsolicited attachments, and to enable multi-factor authentication where possible to strengthen the security of their accounts.

Every successful ransom payment makes the case for the next attack, and ShinyHunters (which has been linked to incidents at Ticketmaster, the University of Pennsylvania, Princeton, Harvard, Infinite Campus, and McGraw Hill) won’t be stopping anytime soon.

For readers stuck in the middle: assume your data is out there, treat all unexpected messages with suspicion, and don’t let anyone scare you into paying, clicking, or responding. Criminals rely on your fear. Don’t give it to them.

There is, of course, no guarantee that ShinyHunters (or any other hacker) will try to exploit the information taken during the Canvas/Instructure breach, but it would be wise to consider the possibility and ensure that security measures are properly in place.

And that advice goes for other “online learning management programs” and educational institutions too. After receiving a ransom payment for its attack on Canvas, ShinyHunters and other hacking groups may be more motivated to launch similar attacks in the future.
