ShinyHunters exploited unpatched cross-site scripting vulnerabilities in Instructure’s Canvas LMS to steal data from over 8,800 educational institutions, claiming 275 million records exfiltrated. In a second stage on May 7, 2026, the attacker defaced Canvas login portals with ransom messages timed to finals week, maximizing operational disruption. Organizations running Canvas face active extortion risk, potential regulatory exposure for student and staff data, and reputational harm during a critical academic period.