ShinyHunters Exploits Canvas LMS XSS Vulnerabilities in Mult

ShinyHunters exploited unpatched cross-site scripting vulnerabilities in Instructure’s Canvas LMS to steal data from over 8,800 educational institutions, claiming 275 million records exfiltrated. In a second stage on May 7, 2026, the attacker defaced Canvas login portals with ransom messages timed to finals week, maximizing operational disruption. Organizations running Canvas face active extortion risk, potential regulatory exposure for student and staff data, and reputational harm during a critical academic period.

Author

ShinyHunters Exploits Canvas LMS XSS Vulnerabilities in Multi-Stage Extortion Campaign Targeting 8,800+ Educational Institutions

Executive Summary

Here’s what you need to know.

Impact Assessment

Exposure Analysis

Are You Exposed?

Business Context

Business Impact

You Are Affected If

Board Talking Points

Business Risk

Third-Party / Supply-Chain Risk

Loss Exposure (illustrative)

Insurance / Contractual / Legal — Potential Obligations

Technical Analysis

Action Checklist IR ENRICHED

Recovery Guidance

Key Forensic Artifacts

Detection Guidance

Platform Playbooks

MITRE ATT&CK Hunting Queries (4)

Compliance Framework Mappings

MITRE ATT&CK Mapping

Sources (5)

Gallery

Contacts

Tech Jacks Solutions

Services

Learn

Company