Hackers Deface School Login Pages After Alleged Second Instructure Breach

Just days after education technology giant Instructure disclosed a major data breach, a cybercrime group appears to have struck again. This time, hackers defaced the login pages of several schools using the company’s Canvas platform, escalating their extortion campaign. The Instructure data breach initially exposed student names, personal emails, and teacher-student messages. Now, the situation has taken a more visible turn.

How the Canvas Login Defacement Unfolded

On Tuesday, TechCrunch observed that the cybercrime group ShinyHunters had altered the Canvas login pages of three separate schools. The hackers injected an HTML file that replaced the normal login screens with a threatening message. This message warned that stolen data would be published on May 12 unless Instructure agreed to a settlement.

At the time of writing, Instructure’s website appeared partially offline, sometimes returning a “too many requests” error. The Canvas portal displayed a notice about scheduled maintenance. However, this disruption was likely a direct result of the hack.

The Message Behind the Defacement

The defaced pages served as a public shaming tactic. ShinyHunters aims to pressure Instructure into paying a ransom. By compromising login pages—which students and teachers use daily—the hackers amplified their demands. This move follows the same financially motivated playbook the group has used against countless victims over the last couple of years.

Instructure’s Response to the Canvas Security Incident

Instructure spokesperson Brian Watkins confirmed to TechCrunch that the company discovered hackers had changed some customers’ login pages. “Out of an abundance of caution, we immediately took Canvas offline to contain access and further investigate,” Watkins said. The company linked the defacement to an issue with its Free-For-Teacher accounts, leading to a temporary shutdown of that service.

Watkins also stated that the same hackers responsible for the original breach were behind this second attack. “This gives us the confidence to restore access to Canvas, which is now fully back online and available for use,” he added. The company has since restored full functionality.

Escalating Pressure: How ShinyHunters Is Targeting Schools

This apparent second hack indicates that ShinyHunters is ramping up pressure on Instructure and its customers. The group originally claimed responsibility for the first breach, publicizing stolen data on its leak site to extort a payment. Now, by defacing login pages and notifying TechCrunch, the hackers hope to force a quicker capitulation.

It remains unclear how the hackers compromised the login pages. When asked, a ShinyHunters member told TechCrunch they couldn’t comment on specifics but described this as a separate breach. The original Instructure data breach allegedly affected nearly 9,000 schools worldwide, with stolen files containing information on 231 million people.

What This Means for Schools and Students

For schools using Canvas, this incident highlights the risks of relying on third-party platforms for sensitive data. Administrators should review their security protocols and consider additional safeguards. Schools can take proactive steps to protect student information, such as enabling multi-factor authentication and monitoring login activity.

Building on this, parents and students should remain vigilant. If you suspect your data was compromised, change passwords immediately and monitor for phishing attempts. Learn how to respond to a data breach effectively.

The Bigger Picture: Education Tech Under Siege

ShinyHunters has compromised countless victims over the last couple of years, following the same financially motivated playbook: hack, publicize, and extort. This Instructure data breach is part of a broader trend targeting education technology. As schools increasingly rely on digital platforms, they become attractive targets for cybercriminals seeking large datasets.

Therefore, the education sector must invest in stronger cybersecurity measures. Educators can adopt simple strategies to reduce risk, including regular security audits and employee training. The question remains: will Instructure negotiate, or will the hackers follow through on their threat to release data?

For now, the company has restored Canvas access, but the breach underscores the ongoing vulnerability of educational systems. Students and teachers alike should stay informed and take precautions.