Canvas, Finals Week, and What Every Higher-Ed SaaS Vendor Should Learn from it

ShinyHunters didn't need a zero-day to take Instructure offline at Harvard and Duke during finals. They needed a Free-For-Teacher signup form and a vendor that hadn't pre-decided its negotiation posture.

On May 7, 2026, a group calling itself ShinyHunters defaced the Canvas login pages at roughly 330 colleges and universities. The defacement was a ransom note. Behind it, Canvas itself was offline. The outage stretched across finals week at Duke, the University of Pennsylvania, UC Irvine, Georgetown, East Carolina, and a couple of dozen other institutions that had built their entire end-of-semester workflow on top of Instructure's LMS.

Four days later, Instructure put out a quiet statement that it had reached "an agreement" with the threat actor. The leak-site listing came down. Canvas came back up. The story moved on.

For the rest of us, meaning anyone who sells software to colleges and universities, the story shouldn't move on. The way ShinyHunters got into Instructure twice in eight months is not exotic, and the math that made the second incident catastrophic is the same math my own company sits on top of.

How they got in, twice

The April–May 2026 incident was not Instructure's first run-in with ShinyHunters. In September 2025 the company disclosed that its Salesforce instance had been compromised through social engineering. Per Instructure's statements at the time, no Canvas product data was accessed; the exposure was characterized as "public business contact information." It was a small story, mostly trade press, easy to file away.

Eight months later they were back, and this time they were inside Canvas itself.

The vector was the Free-For-Teacher program, Instructure's onboarding flow that lets individual educators create a Canvas tenant without going through their institution's procurement or identity verification. Free-For-Teacher tenants shared infrastructure with paid institutional tenants, and the isolation between them was logical rather than physical. The verification on the free side was weak enough that it became the wedge.

Once inside, ShinyHunters claimed 3.65 TB of data covering roughly 275 million users across about 8,809 institutions, including Harvard, Stanford, MIT, Columbia, Princeton, Yale, Penn State, and most of the large public university systems. Instructure has not corroborated those numbers; the company has acknowledged the breach without confirming the scope. What is verified is the visible part: names, .edu email addresses, student ID numbers, and Canvas inbox messages.

The timeline reads as a negotiation, because it was one. Instructure detected the intrusion on May 1. The company issued a public statement on May 2 saying the incident was contained and that "security patches" had been applied. On May 3, ShinyHunters posted Instructure to its leak site with a May 7 deadline. On May 7 — the day the deadline expired — ShinyHunters re-breached and defaced the Canvas login pages.

If you read that as the attacker punishing a vendor for not negotiating, you are reading it right. The pattern of de-listing victims from the leak site shortly after they open contact is documented; Instructure's removal on May 11 is consistent with it.

The playbook is two years old

ShinyHunters has been running essentially the same playbook for two years now. They do not deploy ransomware. (Not yet: a Windows encryptor called ShinySp1d3r was under development, with a sample uploaded to VirusTotal in November 2025, but it had not been used in the wild as of this writing.) They do not burn zero-days. They do not write custom malware unless it is branding for the ransom note.

What they do is steal data and threaten to publish it.

The two ways they get in are voice phishing and OAuth abuse. Voice phishing — calling a help desk, impersonating IT or a senior employee, pushing for an MFA reset or a connected-app authorization — was the dominant vector in the 2025 Salesforce campaign that hit Google's corporate Salesforce instance, Cisco, Adidas, Qantas, Allianz Life, Workday, Pandora, Chanel, the LVMH brands, Air France-KLM, and somewhere between several hundred and a thousand other organizations across the second half of 2025. The FBI issued FLASH-20250912-001 on the campaign in September. CISA had been warning about the affiliated Scattered Spider playbook since November 2023, in joint advisory AA23-320A. The recommendations have not meaningfully changed.

The OAuth angle is the newer move. In August 2025, attackers stole the OAuth tokens that Salesforce customers had granted to Salesloft's Drift chat integration, then replayed those tokens against every Salesforce instance that had connected Drift. The list of confirmed downstream victims included Cloudflare, Zscaler, Palo Alto Networks, PagerDuty, Proofpoint, and Google. None of those companies were socially engineered. Their employees were not tricked. The attackers used a token that a vendor those companies trusted had legitimately been granted, and Salesforce logged the resulting bulk exports as the trusted integration doing its job.

In November 2025 they ran the same play against Gainsight and pulled another ~285 Salesforce instances out of it.

Every connected SaaS app in your stack is a token. Every token is a credential. That is the lesson of the Salesloft and Gainsight incidents, and the one most security teams have not yet operationalized.

Why higher-ed SaaS specifically

ShinyHunters has been picking education-technology targets on purpose. PowerSchool in December 2024. The Toronto District School Board, Pittsburgh schools, and the wider PowerSchool re-extortion wave in May 2025. Instructure's Salesforce in September 2025. Instructure's Canvas in May 2026. Udemy and Figure earlier this year. The pattern is explicit enough that Mandiant, Halcyon, ReliaQuest, and BleepingComputer have all said so in print over the last twelve months.

The reason is unflattering and simple. Higher-ed systems hold names, dates of birth, Social Security numbers for U.S. students and employees, financial-aid data, passport and visa information for international students, immigration status, FAFSA family financial data, disability and counseling records, transcripts, and the private student-faculty correspondence inside the LMS. A credit-card number can be reissued; a Social Security number assigned at birth cannot. Stolen SSNs from minors trade at a premium specifically because the victims will not check their credit for a decade. The data is durable, the data is regulated, and the data is concentrated in a small number of vendors. One breach at PowerSchool reaches roughly 6,505 districts. One breach at Instructure, by the actor's own claim, reaches more than 8,800 institutions. The Salesloft Drift incident reached 700+ organizations through a single OAuth credential. The economics of attacking the vendor instead of the customer are obvious from outside.

The third factor is asymmetry. Most colleges and universities run security programs with headcount and tooling that would embarrass a mid-sized SaaS company, and they are extraordinarily sensitive to public disclosure. Donors, prospective students, accreditation, federal funding, state attorneys general, parents — the audience for a higher-ed breach disclosure is enormous and unforgiving. That sensitivity, applied to a multi-tenant vendor, becomes pressure to pay.

What paying actually gets you

The single most useful precedent for any higher-ed SaaS vendor thinking about ransom posture is PowerSchool, and the details matter.

PowerSchool was the dominant K-12 student information system at the time of the breach, used by roughly 75% of U.S. K-12 districts and operating in 90+ countries. The company had just been taken private by Bain Capital for $5.6 billion. Its CEO had spoken at the White House K-12 cybersecurity summit in 2023. By any external read, PowerSchool was a mature security operation.

Matthew D. Lane, a 19-year-old college student in Massachusetts, used credentials he reportedly found online, most likely from an infostealer log, to access PowerSchool's PowerSource customer-support portal in September 2024. The portal did not enforce MFA. He had access for 106 days before PowerSchool knew anything was wrong, and the company found out only because he emailed them on December 28, 2024 demanding $2.85 million in bitcoin. PowerSchool paid, and received a video purporting to show the data being deleted.

In May 2025, individual PowerSchool customers, the Toronto District School Board first, then East Carolina University, then dozens more, began receiving extortion emails containing samples of the same data: pay us, or we publish your students' records. ShinyHunters' alleged leader told BleepingComputer that the actor extorting the districts was "an affiliate impersonating" the group, a distinction that means very little to a district whose students' SSNs are being sold on a Telegram channel.

What PowerSchool absorbed over the following year:

  • A FERPA-compliance review opened by the U.S. Department of Education
  • A public Civil Investigative Demand from North Carolina Attorney General Jeff Jackson covering an estimated 4 million affected North Carolinians, with parallel investigations from California and other states
  • More than 100 lawsuits, including class actions alleging negligence, CCPA violations, and FERPA-flavored claims pleaded against the schools themselves
  • An estimated $28 million compensation fund
  • Lane sentenced October 15, 2025 to four years in federal prison and $14.1 million in restitution. Much of the original ransom remains unaccounted for.
  • Multiple states transitioning districts off PowerSchool to Infinite Campus and other alternatives

The $2.85 million ransom was the smallest cost of the breach. The customer-contract damage was larger. The regulatory exposure was larger. And the fact that paying did not stop the extortion, because the same data is still circulating, was on its own larger than all of that.

Coinbase, faced in May 2025 with a $20 million extortion demand over customer data obtained through bribed support contractors, refused to pay and instead offered a $20 million reward for information leading to the attackers. That posture costs something in the short term, and it looks much better in the long-term reputation math. The Coinbase incident has largely faded from the news cycle; PowerSchool will be in court for years.

The controls have been public since 2023

There is a particular frustration in writing this section, because the defenses for the ShinyHunters playbook have been public for two years, and most of them are not new.

CISA's joint advisory AA23-320A, the one on Scattered Spider, originally published November 2023 and updated July 29, 2025, names the controls. The FBI FLASH alert from September 2025 names them again. Mandiant's UNC6040 proactive hardening recommendations from mid-2025 name them a third time. Federal agencies and the most-cited threat intelligence team in the industry have said the same things repeatedly. The vendors that keep getting breached have either not implemented them, or have implemented them on the corporate side and not on the customer-facing support side, which is precisely the side the attackers come at.

The short list, in rough order of importance for a higher-ed SaaS vendor:

Phishing-resistant MFA, meaning FIDO2/WebAuthn authenticators or hardware security keys: not push notifications, not SMS, not TOTP. Applied to every employee, every contractor, every break-glass account, every service account that can hold one (the rest should have no interactive login at all), and every customer-facing admin portal. The PowerSchool breach happened because a customer-support portal did not enforce MFA on contractor credentials. That was the entire breach. Not a sophisticated exploit; an unprotected login page.

Help-desk identity proofing that does not rely on knowledge-based answers and requires out-of-band verification for any password or MFA reset. This is the control specifically aimed at the voice-phishing vector. A help desk that can be talked into resetting an executive's MFA from a phone call is a hole that no other control closes, and most outsourced help-desk contracts I have seen do not specify the verification requirements at all.

OAuth governance, meaning an inventory of every connected app in every business-critical SaaS, an allow-list of approved apps, admin-consent-only authorization for new third-party apps, and a review cadence that catches dormant tokens before someone replays them. The Salesloft Drift breach succeeded because every customer that had connected Drift had a valid token sitting in Salesforce, and nobody had been watching for unfamiliar app usage. Most companies cannot tell you, right now, what is authorized in their Salesforce or Workday or Microsoft 365 instances.

SaaS log retention longer than the platform default, with the logs pulled into your SIEM. Salesforce event log files, for example, are kept for 30 days by default with Event Monitoring and a single day without it; most platforms are similar. If the logs are gone before the investigation starts, the investigation does not find anything.
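The three OAuth-governance checks above (allow-list, dormant tokens, and export volume against a per-app baseline) run over an exported audit log in the added Python example below. This is not Instructure's, Salesforce's or any vendor's code; the JSON-lines schema (`app`, `token`, `event`, `rows`), the token inventory and the approved-app list are constructed for the demo, and a real platform's export has to be mapped onto them. The volume check is the one that matters for the Drift case: the app is approved and the token is legitimate, so only the row count at two in the morning gives it away.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

# Constructed JSON-lines audit export (generic field names, not any vendor's schema).
SAMPLE_LOG = """\
{"ts": "2025-08-06T09:12:00Z", "app": "Drift", "token": "tok-drift-1", "event": "query", "rows": 140}
{"ts": "2025-08-07T09:15:00Z", "app": "Drift", "token": "tok-drift-1", "event": "query", "rows": 160}
{"ts": "2025-08-08T09:11:00Z", "app": "Drift", "token": "tok-drift-1", "event": "query", "rows": 150}
{"ts": "2025-08-09T02:03:00Z", "app": "Drift", "token": "tok-drift-1", "event": "bulk_query", "rows": 950000}
{"ts": "2025-08-09T02:40:00Z", "app": "Drift", "token": "tok-drift-1", "event": "bulk_query", "rows": 1200000}
{"ts": "2025-08-08T14:00:00Z", "app": "Workato", "token": "tok-workato-3", "event": "query", "rows": 2000}
{"ts": "2025-08-09T03:10:00Z", "app": "DataSync Pro", "token": "tok-unknown-7", "event": "bulk_query", "rows": 40000}
"""

# Constructed connected-app token inventory, as an admin console might export it.
SAMPLE_TOKENS = [
    {"token": "tok-drift-1", "app": "Drift", "issued": "2024-11-02T00:00:00Z", "last_used": "2025-08-09T02:40:00Z"},
    {"token": "tok-workato-3", "app": "Workato", "issued": "2025-01-15T00:00:00Z", "last_used": "2025-08-08T14:00:00Z"},
    {"token": "tok-legacy-9", "app": "OldReporting", "issued": "2023-06-01T00:00:00Z", "last_used": "2024-12-20T00:00:00Z"},
    {"token": "tok-unknown-7", "app": "DataSync Pro", "issued": "2025-08-09T03:00:00Z", "last_used": "2025-08-09T03:10:00Z"},
]

# Assumed allow-list of apps that went through admin consent.
APPROVED_APPS = {"Drift", "Workato", "OldReporting"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(log):
    events = []
    for line in log.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = parse_ts(e["ts"])
            events.append(e)
    return events


def unapproved_apps(events, approved):
    """Allow-list check: an app that acted but never got admin consent is a finding."""
    return sorted({e["app"] for e in events if e["app"] not in approved})


def dormant_tokens(tokens, now, max_idle_days=90):
    """Tokens unused for max_idle_days are pure liability; revoke them before they are replayed."""
    cutoff = now - timedelta(days=max_idle_days)
    return sorted(t["token"] for t in tokens if parse_ts(t["last_used"]) < cutoff)


def export_spikes(events, factor=10, min_rows=10_000):
    """Flag (app, day, rows) where an app's daily row volume exceeds factor x the median
    of its *other* days. Excluding the day itself keeps a spike from inflating its own baseline."""
    daily = defaultdict(lambda: defaultdict(int))
    for e in events:
        daily[e["app"]][e["ts"].date().isoformat()] += e.get("rows", 0)
    spikes = []
    for app, days in daily.items():
        if len(days) < 2:
            continue  # no baseline yet; new apps are caught by the allow-list instead
        for day, rows in days.items():
            baseline = median(r for d, r in days.items() if d != day)
            if rows >= min_rows and rows > factor * baseline:
                spikes.append((app, day, rows))
    return sorted(spikes)


def report(log, tokens, approved, now):
    events = parse_events(log)
    return {
        "unapproved_apps": unapproved_apps(events, approved),
        "dormant_tokens": dormant_tokens(tokens, now),
        "export_spikes": export_spikes(events),
    }


if __name__ == "__main__":
    now = parse_ts("2025-08-10T00:00:00Z")
    print(json.dumps(report(SAMPLE_LOG, SAMPLE_TOKENS, APPROVED_APPS, now), indent=2))
```

On the sample data the allow-list catches "DataSync Pro", the idle check catches the 2023 reporting token, and the volume check flags Drift on August 9 while leaving its three normal days alone; an allow-list on its own would have passed the Drift traffic.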

Infostealer monitoring on your domains. Services like SpyCloud, Flare, Recorded Future, and Have I Been Pwned for Domains will tell you when your employees' or contractors' credentials surface in dark-web log dumps. Some of the credentials used in the 2024 Snowflake campaign had been sitting in infostealer logs since 2020. The opportunity to find them and rotate them was right there for four years.
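What you do with a dump once a monitoring service hands it to you is the part those paragraphs leave out, so here is an added Python example (not code from any of the services named, and not the article's own) that triages constructed stealer-log lines in the common `url:user:pass` shape. It keeps only entries that hit your own domains or portals, deduplicates them, and checks each leaked password against a PBKDF2 verifier store so that still-live credentials sort to the top of the rotation queue. The domain, the accounts and the credential store are all assumptions for the demo; in production you would check against whatever verifier your IdP exposes, or simply force rotation on every hit.

```python
import hashlib
import hmac
import os
from urllib.parse import urlparse

# Assumed: domains you own, corporate SSO plus every customer-facing admin or support portal.
WATCHED_DOMAINS = ("example-edu-saas.com",)

# Constructed stealer-log lines (url:user:pass); none of these are real credentials.
SAMPLE_DUMP = """\
https://portal.example-edu-saas.com/login:jdoe@example-edu-saas.com:Winter2024!
https://mail.google.com/:someone@gmail.com:hunter2
https://support.example-edu-saas.com/:contractor1@vendor-helpdesk.net:P@ssw0rd
android://com.bank.app/:user:pw
https://portal.example-edu-saas.com/login:jdoe@example-edu-saas.com:Winter2024!
garbage line without enough fields
"""


def pbkdf2_record(password, iterations=200_000):
    """Salted PBKDF2-SHA256 verifier, the shape a password store should hold (never plaintext)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "hash": digest, "iterations": iterations}


def verify(record, password):
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


# Constructed current-credential store: jdoe has not rotated since the leak, contractor1 has.
CREDENTIAL_STORE = {
    "jdoe@example-edu-saas.com": pbkdf2_record("Winter2024!"),
    "contractor1@vendor-helpdesk.net": pbkdf2_record("Rotated-2025-xyz"),
}


def in_scope(host, user, domains):
    """True if the login target or the account's mail domain is one we own."""
    mail_domain = user.rsplit("@", 1)[1] if "@" in user else ""
    for d in domains:
        if host == d or host.endswith("." + d) or mail_domain == d:
            return True
    return False


def parse_line(line):
    # The URL comes first and contains colons, so split from the right. A colon inside
    # the password would still confuse this; that ambiguity is inherent to the format.
    parts = line.strip().rsplit(":", 2)
    if len(parts) != 3:
        return None
    url, user, password = parts
    host = urlparse(url if "://" in url else "//" + url).hostname or ""
    return {"host": host.lower(), "user": user.strip().lower(), "password": password}


def triage(dump, domains=WATCHED_DOMAINS, store=CREDENTIAL_STORE):
    """Return in-scope, deduplicated hits, live credentials first."""
    seen, hits = set(), []
    for line in dump.splitlines():
        rec = parse_line(line)
        if not rec or not in_scope(rec["host"], rec["user"], domains):
            continue
        key = (rec["host"], rec["user"], rec["password"])
        if key in seen:
            continue
        seen.add(key)
        current = store.get(rec["user"])
        hits.append({
            "user": rec["user"],
            "host": rec["host"],
            "still_valid": bool(current and verify(current, rec["password"])),
        })
    hits.sort(key=lambda h: (not h["still_valid"], h["user"]))
    return hits


if __name__ == "__main__":
    for h in triage(SAMPLE_DUMP):
        print(("ROTATE NOW  " if h["still_valid"] else "stale       ") + f'{h["user"]} via {h["host"]}')
```

The Gmail and banking-app lines fall out as noise, the duplicate collapses, and the contractor's leaked password for the support portal is reported as stale while jdoe's is reported live. The contractor line is the one to notice: it hits your portal even though the account belongs to another company, which is exactly the gap an outsourced help desk opens.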

None of these are novel. None of them are even particularly expensive at the scale of a small SaaS company. They are, however, work — the kind of cross-functional, unglamorous, slow-to-deploy work that gets perpetually deprioritized in favor of whatever the engineering team is shipping this quarter.

The decisions that get made for you

The other half of the work is pre-deciding the decisions that will otherwise get made for you in the worst possible moment.

What is your ransom-payment policy? PowerSchool answered that question on December 28, 2024 in a board call that had probably never been rehearsed. Coinbase answered it in May 2025 with a public refusal and a counter-bounty that almost certainly had been.

Who notifies your customers, and when, and in what language? "We have reached an agreement with the unauthorized threat actor" is the kind of sentence that gets written when nobody pre-wrote the message and outside counsel had final cut at three in the morning.

Who notifies the regulators? FERPA, GLBA, the FTC Safeguards Rule, state breach laws in every state your customers are in, the UK Information Commissioner's Office at 72 hours, Kuwait's CITRA, Qatar's PDPPL — every jurisdiction is a separate clock. If you serve universities in five countries, you have at least five clocks, and in practice closer to fifty.

Who talks to the press, and what do they say? ShinyHunters will. ShinyHunters has leak-site contact emails, Tox accounts, Telegram channels, and a working list of reporters at BleepingComputer, TechCrunch, and Wired who they will give the story to before you do.

These decisions get made on day one of an incident whether you have prepared for them or not. Made on day one, with three hours of sleep, in a Zoom call with the CEO and outside counsel, with the company's contracts hanging on the next sentence, they get made badly.

Where this leaves the rest of us

The Instructure incident was contained on May 2, contained again on May 7 after the re-breach, and contained again on May 11 when the "agreement" was reached. The story will be officially closed when Instructure issues final breach notifications to the institutions whose data was taken, which will take months, and when the inevitable class actions move into discovery, which will take years. By the time those things resolve, the rest of us will have lived through a few more of these.

I run security for a small higher-ed SaaS company with about 400 universities as customers across five countries. We are not a household name. We are not interesting to ShinyHunters today, and that is the only piece of luck I am counting on. The math that made Instructure attractive applies to us identically: a vendor with a large per-breach victim count, downstream of FERPA notification chains in five jurisdictions, in a sector the attacker has explicitly prioritized for 2026.

No defensive posture takes the probability of being targeted to zero. There is a posture that takes the probability of catastrophic outcome down meaningfully, and most of it was published in CISA advisories before anyone had heard of ShinyHunters. The vendors who survive these incidents are the ones who did the unglamorous work, and who decided what they were going to do before they had to do it.


The full briefing — group history through 2026, MITRE ATT&CK–mapped TTPs, generic attack-path threat model for higher-ed SaaS, controls mapped to NIST 800-53 and SOC 2, IOCs and detection-engineering priorities — is available as a PDF: