When Canvas Login Pages Displayed Ransom Messages
Canvas / Instructure timeline
Service disruption
Reporting tied early disruption to tools relying on API keys and Canvas Data 2 / Beta maintenance.
Incident disclosed
Instructure said a criminal actor was involved and brought in outside forensics support.
Containment actions
Reports describe credential and token revocation, reissued application keys, fixes, and additional monitoring.
Public claim
ShinyHunters claimed large-scale theft from thousands of schools. The exact scale remains unverified.
Login pages defaced
Canvas portals displayed a ransom message and a May 12 leak deadline.
Access restored
AP reported Canvas was available again for most users. Instructure also said it temporarily shut down Free-For-Teacher accounts tied to the issue.
The confirmed data categories matter: names, email addresses, student ID numbers, and user messages can support phishing, privacy abuse, and follow-on targeting even without passwords or financial records. [Sources: SecurityWeek, The Record]
The defacement changed who saw the threat. A leak-site post reaches defenders and reporters. A ransom message on a classroom login page reaches students, faculty, and administrators. [Sources: BC, TechCrunch, AP]
ShinyHunters Is the Name Victims See
Names used in the reporting
ShinyHunters
The name used in public claims, leak-site posts, and ransom messages. It is the name most victims and readers will recognize.
UNC6040
Google uses this name for voice-phishing activity that targets Salesforce access and data exports.
UNC6240
Google uses this name for ransom activity after data theft, including messages that claim to be from ShinyHunters.
UNC6661
A January 2026 activity set involving phone calls, fake login pages, SSO credentials, MFA codes, and cloud-app access.
UNC6671
A similar January 2026 activity set that Google tracks separately because the infrastructure and ransom details differed.
The name ShinyHunters matters because it appears in public threats. The UNC names matter because they help defenders understand the access method: phone scams, fake login pages, app approvals, data exports, or ransom messages. [Source: Google]
This article keeps those facts separate. Public claims explain what the attackers said. Google tracking names explain observed activity. Vendor statements explain what has been confirmed.
A Stolen Login Can Be Enough
Common cloud-extortion chain
Impersonate support
Attackers call as IT, help desk, or vendor support and create urgency around MFA, access, or account changes.
Capture identity
They collect SSO credentials and MFA codes, enroll a device, or get the user to approve a malicious app.
Reach cloud data
The stolen session opens Salesforce, Microsoft 365, Google Workspace, Slack, or other cloud applications.
Export records
Attackers use exports, APIs, connected apps, scripts, or misconfigured public portals to copy data.
Demand payment
Leak-site posts, emails, texts, harassment, outage threats, or defacements push the victim toward negotiation.
Google's January 2026 reporting describes attackers pretending to be IT staff, sending employees to fake company login pages, and capturing SSO credentials plus MFA codes. The stolen cloud session becomes the access path. [Source: Google, Jan 2026]
Salesforce-specific reporting shows the same kind of attack in another setting: a phone call, an approved app or export tool, and bulk access to business data. [Source: Google UNC6040 report]
The Data Is Already in the Apps
What attackers look for
Customer records
Data Loader, malicious connected apps, Experience Cloud, and Aura access all relate to Salesforce data theft.
Files and searches
Google observed document access, SharePoint downloads, and searches for strings such as "confidential", "internal", "proposal", "Salesforce", and "VPN".
Mail and OAuth
OAuth authorizations and deleted MFA enrollment emails show how attackers can use normal collaboration tools.
Education identity
Names, emails, student IDs, messages, and enrollment context turn a classroom platform into a privacy and phishing risk.
Tokens and APIs
Snowflake and Salesforce-linked incidents show why third-party cloud integrations can expose data through tokens and APIs.
These attacks work because important records already live inside cloud applications. A customer database and a classroom platform hold different information, but both can create real harm when copied. [Sources: Aura, CyberScoop]
The Canvas incident belongs beside the Salesforce cases as a comparison, not as a confirmed linked campaign. Both show the same risk: one account or app permission can expose a large store of records.
What Organizations Should Check
Verify the caller before changing identity state.
MFA resets, device enrollments, app approvals, and vendor-support requests should require a second verification step through a trusted channel.
Treat cloud apps like major databases.
Audit connected apps, guest profiles, API permissions, OAuth grants, data exports, and public portals. Business applications need logs and alerts.
Look for signs before the ransom note.
Watch for bulk exports, unusual user agents, deleted MFA emails, new app approvals, leak-site outreach, employee harassment, and defacement attempts.
Mandiant's hardening guidance is clear on identity checks: caller-provided facts, public data, and easy identifiers are weak proof when someone asks to change account access. [Source: Mandiant hardening guidance]
Detection should reach beyond malware alerts. The important traces often live in identity-provider events, cloud-app audit logs, API activity, export patterns, and help-desk workflows.
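To show how the audit items above (connected apps and OAuth grants) and the pre-ransom signals (bulk exports, unusual user agents, deleted MFA emails, new app approvals) can be correlated in one place, here is an added example that is not from the article or any cited report: a small Python detector that runs those rules over constructed cloud-app audit events in an assumed, simplified schema, and escalates actors that trip several rules at once. The field names, thresholds, and user-agent baseline are assumptions for the example, not any vendor's real log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in an assumed, simplified audit-log shape (not any vendor's real schema).
SAMPLE_EVENTS = [
    {"ts": "2026-05-01T09:05:00", "actor": "jdoe", "action": "oauth_grant",
     "app": "BulkSyncHelper", "ua": "Mozilla/5.0"},
    {"ts": "2026-05-01T09:06:00", "actor": "jdoe", "action": "mail_delete",
     "subject": "Your new MFA device was enrolled", "ua": "python-requests/2.31"},
    {"ts": "2026-05-01T09:07:00", "actor": "jdoe", "action": "export", "rows": 50000, "ua": "python-requests/2.31"},
    {"ts": "2026-05-01T09:08:00", "actor": "jdoe", "action": "export", "rows": 50000, "ua": "python-requests/2.31"},
    {"ts": "2026-05-01T09:09:00", "actor": "jdoe", "action": "export", "rows": 50000, "ua": "python-requests/2.31"},
    {"ts": "2026-05-01T10:00:00", "actor": "asmith", "action": "export", "rows": 200, "ua": "Mozilla/5.0"},
]
KNOWN_UA_PREFIXES = ("Mozilla/",)        # assumed browser baseline for this tenant
EXPORT_ROW_THRESHOLD = 100_000           # assumed tuning: rows per actor per window
WINDOW = timedelta(minutes=15)
MFA_MAIL_MARKERS = ("mfa", "multi-factor", "authenticator")

def detect(events):
    """Return (rule, actor, detail) findings, at most one per rule and actor."""
    findings, seen = [], set()
    exports = defaultdict(list)          # actor -> [(timestamp, rows)] inside WINDOW

    def flag(rule, actor, detail):
        if (rule, actor) not in seen:
            seen.add((rule, actor))
            findings.append((rule, actor, detail))
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, actor, action = datetime.fromisoformat(ev["ts"]), ev["actor"], ev["action"]
        if not ev.get("ua", "").startswith(KNOWN_UA_PREFIXES):    # unusual user agent
            flag("unusual_user_agent", actor, ev["ua"])
        if action == "oauth_grant":                                # new app approval
            flag("new_app_approval", actor, ev["app"])
        if action == "mail_delete" and any(m in ev.get("subject", "").lower() for m in MFA_MAIL_MARKERS):
            flag("deleted_mfa_email", actor, ev["subject"])        # MFA enrollment mail removed
        if action == "export":                                     # sliding-window row count
            exports[actor] = [(t, r) for t, r in exports[actor] if ts - t <= WINDOW] + [(ts, ev["rows"])]
            total = sum(r for _, r in exports[actor])
            if total >= EXPORT_ROW_THRESHOLD:
                flag("bulk_export", actor, f"{total} rows within {WINDOW}")
    return findings

def actors_with_multiple_signals(findings, min_rules=2):
    """Actors hit by several independent rules are the ones to escalate first."""
    per_actor = defaultdict(set)
    for rule, actor, _ in findings:
        per_actor[actor].add(rule)
    return {a for a, rules in per_actor.items() if len(rules) >= min_rules}
```

On the constructed sample, `jdoe` trips all four rules within minutes while `asmith` trips none; a real deployment would feed identity-provider and cloud-app audit logs into the same rules and tune the thresholds to the tenant.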
What Is Confirmed, Claimed, and Tracked
Core analytic source
The Cost of a Call: From Voice Phishing to Data Extortion
Google baseline on UNC6040, Salesforce phone scams, Data Loader / custom app abuse, and UNC6240 ransom messages claiming ShinyHunters.
Defensive source
UNC6040 Proactive Hardening Recommendations
Control guidance for identity checks, cloud-app settings, programmatic credentials, and logging.
Core analytic source
Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft
Google's expansion report covering UNC6661, UNC6671, UNC6240, cloud-app targeting, harassment, and leak-site threats.
Salesforce context
ShinyHunters claims ongoing Salesforce Aura data theft attacks
Context on Experience Cloud / Aura exposure and attacker claims around public-facing Salesforce sites.
Salesforce context
Salesforce issues new security alert tied to third customer attack spree in six months
Frames the campaign as another Salesforce customer attack wave associated with ShinyHunters-linked activity.
Canvas context
Edtech Firm Instructure Discloses Data Breach Amid Hacker Leak Threats
Early summary of confirmed data categories, containment steps, and the scale claimed by ShinyHunters.
Attacker claim layer
Instructure hacker claims data theft from 8,800 schools, universities
Documents the claimed affected-institution list and attacker explanation of export/API access paths.
Canvas defacement
Canvas login portals hacked in mass ShinyHunters extortion campaign
Defacement phase, May 12 deadline, and extortion escalation against educational institutions.
Canvas follow-up
Hackers deface school login pages after claiming another Instructure hack
Includes Instructure spokesperson comments on Canvas being taken offline and the Free-For-Teacher account issue.
Service restoration
A Canvas outage tied to a cyberattack has wreaked havoc on colleges' final exam season
Same-day AP update: Canvas was available again for most users, some schools kept access blocked, and Instructure/Canvas no longer appeared on ShinyHunters' target site.
Mainstream hook
Canvas is online again after ShinyHunters threaten to leak schools' data
Restoration framing and current-news summary of the Canvas outage and extortion message.
Publication Note
This article combines current reporting with local OPTIC extraction files, especially `extraction_results/expansion-shinyhunters-saas-data-theft.json` and the Mandiant normalized records for UNC6040, Salesforce data theft, Aura exposure, and Snowflake-style cloud extortion. The public Postgres snapshot in `opticlab/release-assets/optic-postgres-2026-04-07.dump` predates the May 2026 Canvas incident, so Canvas sits in the current-news section outside the April 7 database snapshot.
Use vendor statements and reputable reporting for data categories, service status, and containment actions.
Scale numbers, school counts, and theft mechanics should stay explicitly labeled unless independently confirmed.
Use UNC names when describing specific activity. Use ShinyHunters when describing public claims and ransom messages.
This story may need updates after the May 12 deadline, leak-site changes, or any final Instructure incident report.