Black-hat hacking group ShinyHunters hacked online learning platform Canvas on Thursday afternoon, claiming to hack into more than 9,000 schools, including Northern Kentucky University.
A black-hat group hacks in order to extort their subjects for the return of their data. If the hacked corporation or individual doesn’t pay the ransom, the group will leak or sell the data.
ShineyHunters gave Instructure, the owner of Canvas, till the end of the day on May 12 to contact them, so they don’t breach millions of students’ and faculty’s data across the country, but the issue has now been fixed.
The statement that was shown on screen on the Canvas site from ShineyHunters states:
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’.”
“If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked.”
“Instructure still has until EOD 12 May 2026 to contact us.”
In an email to students from Timothy Ferguson on Thursday evening, they reiterated this statement of the importance of using Duo Mobile.
“Canvas, the cloud service provider for NKU’s Learning Management System (LMS) is experiencing a cybersecurity incident. NKU is impacted by this national Canvas issue, and we are treating the matter as a serious issue. NKU has been monitoring the situation closely over the last few days, working in conjunction with Canvas during this attack to protect your data and digital identity. We had Canvas’s recommended precautions already implemented when this attack occurred.
Canvas (vendor) thought this attack was under control by Wednesday, May 6, but as some users saw today, the attackers (who go by the name of ShinyHunters) still had control of some Canvas systems. You may have seen a defaced Canvas webpage today before Canvas removed it and replaced it with a maintenance webpage.
A few security reminders to help protect you and your data:
Two-factor authentication (Duo) is one of our best defenses for such attacks. Two-factor authentication approval does not trigger for no reason – only upon a successful login attempt with your NKU username and password. If you receive a Duo Two-Factor prompt but didn’t attempt to log in to an NKU service like Canvas, do not approve the Two-Factor prompt. Instead, notify the helpdesk or submit a ticket.
NKU will never email, call, or send you a text message requesting your username and password. Never give out your username or password. Remember that attackers will pressure you to act immediately, to try to convince you to give up your credentials. Don’t fall for it.
If the attacker defaces the Canvas website again or even tries to contact you via email, instructing you to contact them to prevent the release of data, or provide a download link for affected users or schools, DO NOT FOLLOW THE INSTRUCTIONS.”
Now, the Canvas site is back up and running for students and faculty to use. It has pushed back due dates for professors to submit their final grades to Wednesday, May 13, at 9 a.m., according to Provost Diana McGill
In their most recent attack from this group came against Rockstar Games, ADT Home Security and Instructure. Instructure was the last to be attacked on May 1. ShineyHunters claimed responsibility for the exfiltration of 3.65 terabytes of data, impacting an estimated 275 million users.
In the past, ShinyHunters has targeted and hacked Microsoft, AT&T Wireless (twice), Ticketmaster, PornHub, Louis Vuitton, Google, Jaguar Land Rover, Harvard and many more companies and universities across the globe.
This group’s name, ShineyHunters, is derived from Pokémon, where players log hours in the game hunting for “shiny” versions of regular Pokémon.