The Ransom Clock: ShinyHunters Launches Second Canvas Attack—Service Blackout, Deadline Today
TL;DR
ShinyHunters has escalated its Canvas LMS assault with a second, more destructive attack targeting the Free-For-Teacher account program. Canvas went offline at major institutions (Penn, OU, others) on May 7 with ransom banners. After failing to extort payment by May 7, the group has reset the deadline to May 12, 2026 (TODAY) at end of day—and Instructure has not confirmed all vulnerabilities are patched. Nearly 9,000 schools globally are in the crosshairs of one of the largest education sector breaches on record.
What Happened
On April 29, 2026, Instructure detected unauthorized activity targeting the Canvas Learning Management System. By May 3, ShinyHunters claimed responsibility for breaching the platform and launched a public extortion campaign, demanding payment under threat of releasing the stolen data.
The critical twist: this was not a repeat of the September 2025 Salesforce incident. Instead, ShinyHunters exploited the Free-For-Teacher (FFT) account program, a no-verification onboarding pathway that lets any educator spin up a Canvas instance without institutional approval. An FFT account is therefore a free, unvetted identity on the same multi-tenant platform that hosts institutional tenants, and that is the foothold the group used.
On May 7, 2026, Canvas and Canvas Beta went dark at institutions including Penn, OU, and thousands of K-12 districts worldwide. Students reported seeing ransom messages directly on the login page:
_"ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches.' Instructure didn't fix all the vulnerabilities we have more."_
The deadline was May 7. Instructure did not pay. Now the group has reset the clock to May 12 at end of day.
The University of Pennsylvania's Vice Provost and CISO confirmed the breach affects "multiple institutions" and spans 9,000 schools worldwide, including all eight Ivy League universities. Instructure says it has identified roughly 306,000 exposed Penn affiliates at that one institution; ShinyHunters, for its part, claims 275 million users and 3.6 TB of exfiltrated data across the whole platform. The two figures are not comparable, and the group's global numbers remain unverified.
Technical Details
The Attack Vector: Free-For-Teacher Account Exploitation
The FFT program allowed educators to create Canvas instances with minimal friction: no institutional verification, no administrative sign-off. In a multi-tenant SaaS architecture that collapses a trust boundary:
- FFT accounts and institutional Canvas tenants shared the same underlying infrastructure
- Logical isolation (the norm in SaaS) was the only barrier between them
- Once an attacker holds an FFT account, any gap in that logical isolation, whether in shared databases, backup systems, or API endpoints, becomes a pivot toward institutional data; which layer was actually abused is not stated in the reporting cited below
ShinyHunters exploited this weakness to:
1. Create or compromise FFT accounts
2. Escalate privileges within the Canvas environment
3. Exfiltrate names, email addresses, student IDs, course enrollments, and private student-faculty messages
4. Deface login pages with the ransom note (TechCrunch and Mashable confirmed defacement at multiple schools; Instructure has not officially confirmed the scope)
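The failure class behind "logical isolation was the only barrier" is easiest to see in code. The following is an added, hypothetical illustration written for this article, not Instructure's code and not a reproduction of the actual Canvas flaw (the cited reporting does not say which layer was abused). It models a single shared database holding rows for every tenant, exactly the row-level tenancy described above, and shows three ways a query can be scoped: by row id alone, by a tenant id the caller supplies, and by the tenant id bound to the authenticated principal. Only the last one keeps a Free-For-Teacher identity out of an institutional tenant's data. The schema, tenant slugs ("fft", "upenn") and sample rows are constructed for the example.

```python
"""Row-level tenancy: why the tenant key must come from the session, not the request.

Hypothetical illustration for this article; not Instructure's code and not the
real Canvas flaw. Schema, tenant slugs and rows below are constructed.
"""
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    """Authenticated identity. account_id is bound at login, never per request."""
    user_id: int
    account_id: str  # "fft" for a Free-For-Teacher account, "upenn" for a tenant


def build_db() -> sqlite3.Connection:
    """One shared database holding every tenant's rows (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE conversations ("
        " id INTEGER PRIMARY KEY, account_id TEXT NOT NULL,"
        " author_id INTEGER NOT NULL, body TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO conversations VALUES (?, ?, ?, ?)",
        [
            (1, "upenn", 1001, "Advising note: student 31337 on academic probation"),
            (2, "upenn", 1002, "Grade appeal for BIOL101 attached"),
            (3, "fft", 2001, "Welcome to my sandbox course"),
        ],
    )
    return conn


def fetch_conversation_unscoped(conn, conversation_id: int):
    """INSECURE: trusts the row id alone, so any principal reads any tenant's row."""
    return conn.execute(
        "SELECT id, account_id, body FROM conversations WHERE id = ?",
        (conversation_id,),
    ).fetchone()


def fetch_conversation_caller_scoped(conn, requested_account: str, conversation_id: int):
    """INSECURE: scopes by a tenant id taken from the request (query string or body).
    An FFT user who guesses another account's slug gets that account's data."""
    return conn.execute(
        "SELECT id, account_id, body FROM conversations WHERE id = ? AND account_id = ?",
        (conversation_id, requested_account),
    ).fetchone()


def fetch_conversation_scoped(conn, principal: Principal, conversation_id: int):
    """HARDENED: the tenant scope comes only from the authenticated principal."""
    return conn.execute(
        "SELECT id, account_id, body FROM conversations WHERE id = ? AND account_id = ?",
        (conversation_id, principal.account_id),
    ).fetchone()


def demo():
    """Run all three variants as an FFT principal against an institutional row."""
    conn = build_db()
    fft_user = Principal(user_id=2001, account_id="fft")
    leaked_unscoped = fetch_conversation_unscoped(conn, 1)
    leaked_caller = fetch_conversation_caller_scoped(conn, "upenn", 1)  # attacker picks tenant
    blocked = fetch_conversation_scoped(conn, fft_user, 1)
    own = fetch_conversation_scoped(conn, fft_user, 3)
    return {
        "unscoped_leaks": leaked_unscoped is not None and leaked_unscoped[1] == "upenn",
        "caller_scoped_leaks": leaked_caller is not None and leaked_caller[1] == "upenn",
        "principal_scoped_blocks": blocked is None,
        "principal_scoped_allows_own": own is not None and own[1] == "fft",
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point for a reviewer of any multi-tenant code base: the first two functions are indistinguishable from the third at the SQL level, and a unit test with a single tenant passes all three. Isolation that lives only in a WHERE clause has to be tested with a principal from the wrong tenant, which is precisely what an unverified FFT signup gives an attacker for free.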
Exposure Window: April 30 – May 7, 2026 (7 days)
Confirmed Stolen Data:
- Full names
- Email addresses
- Student ID numbers
- Private messages between students and faculty
- Course enrollments
Threat Actor Profile:
ShinyHunters is a prolific extortion-as-a-service group active since 2020. Known victims: Panera Bread, Crunchyroll, Bumble, ADT, Rockstar Games, Udemy, Figure. In September 2025, they targeted Instructure's Salesforce instance via social engineering but did not reach Canvas. Now they've returned with a more surgical exploit.
Their operational pattern: public extortion campaign, leaked data samples as proof, media pressure, escalating threats.
Lyrie Assessment: Why CISOs Should Fear This Pattern
This breach reveals three critical failures in modern SaaS security that should terrify every CISO:
1. Multi-Tenant Isolation Is a Governance Problem, Not a Technology Problem
Instructure's architecture is standard industry practice: logical isolation via database rows and API scoping. The problem wasn't the technology—it was the policy decision to allow unverified account creation. The FFT program traded security for frictionless UX. This is a business decision, not a security one. And business wins.
Lyrie's takeaway: Your SaaS vendors have made the same tradeoff. Audit every "free trial," "one-click onboarding," or "teacher/researcher program" in your stack. Each one hands an unverified stranger an authenticated identity on the same infrastructure as your tenant, which makes it a privilege escalation vector.
2. Remediation Speed ≠ Actual Remediation
Instructure shut down Canvas on May 7, rotated some credentials, and brought it back on May 8. They announced "security patches." Three days later, ShinyHunters reset the ransom deadline and taunted: "they ignored us and did some 'security patches.'"
This suggests one or both of two things:
- Initial forensics were incomplete and the group still has access
- There are additional unpatched vulnerabilities the group knows about but Instructure doesn't
Either way, the vendor's confidence in its fix is not evidence of actual security. Note that the attacker's claim of further vulnerabilities is equally unverified and may itself be a pressure tactic; treat both statements as unconfirmed. CISOs who rely on vendor incident statements alone are operating blind.
3. Education Sector Is Now a High-Value Target for Commodity Data Extortion
9,000 schools is a vast, fragmented target set. No single institution has the budget or security posture to withstand a determined extortion campaign. Instructure is unlikely to pay (reputation risk). Individual schools are likelier to pay (smaller ransom, easier decision). Attackers know this math.
Lyrie's take: Any vertical with commodity customers and data is now a target. Your vendor's security posture is only as good as their weakest customer.
Recommended Actions
For Institutions (Immediate):
1. Credential Rotation, All Systems: Rotate all API keys, user access tokens, OAuth/developer keys, LTI tool credentials, and service account credentials associated with Canvas. Re-authorize all third-party integrations; any integration that held a token during the exposure window should be treated as exposed until it is re-keyed.
2. Audit FFT Accounts: Identify faculty and staff who created FFT accounts (these sit outside your institutional tenant's admin control), have them reset passwords and revoke access tokens on those accounts, and disable any FFT-linked users or trust relationships you do control. Assume any FFT account active April 30–May 7 is compromised, along with anything it shared with institutional systems.
3. User Awareness: The exposed data is high-quality PII: names, emails, student IDs, enrollments and the content of private messages. Expect spear phishing against faculty and students that quotes real courses and real conversations. Warn users now, and run a phishing exercise built from that kind of lure so they learn to recognise it.
4. Forensics: Review Canvas logs (page views and authentication events at minimum) for unusual API calls, bulk data exports, new developer keys or authentication providers, and other configuration changes during the exposure window. Pay particular attention to scripted clients paging through user, enrollment and conversation endpoints.
5. Law Enforcement: File a report with your local FBI field office and IC3 (Internet Crime Complaint Center).
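As a starting point for the forensics step, here is an added triage script written for this article (not the article's own tooling and not anything from Instructure). It takes page-view records in the shape returned by the Canvas Page Views API (GET /api/v1/users/:user_id/page_views, with url, created_at, remote_ip, user_agent and http_method fields), restricts them to the April 30 – May 7 window, and flags four things: bulk reads of the endpoints that serve the stolen data types (users, enrollments, conversations, account reports), configuration writes under an account, non-browser API clients, and per-IP request bursts. The sample records, IP addresses, example host canvas.example.edu and the burst threshold are constructed for the demo; export real records with an admin token and pass them to triage().

```python
"""Triage Canvas page-view records for the April 30 - May 7 exposure window.

Added example, not the article's or Instructure's code. Record shape follows the
Canvas Page Views API; sample records, IPs and the burst threshold are constructed.
"""
import re
from collections import Counter
from datetime import datetime, timezone

WINDOW_START = datetime(2026, 4, 30, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 5, 8, tzinfo=timezone.utc)  # exclusive, so May 7 is included

# API paths that enumerate or export the data types reported stolen.
BULK_READ = re.compile(
    r"^/api/v1/(accounts/\d+/users|courses/\d+/(users|enrollments)|"
    r"conversations|accounts/\d+/reports)"
)
# Any write under an account is a configuration change (developer keys,
# authentication providers, account settings).
ACCOUNT_WRITE = re.compile(r"^/api/v1/accounts/\d+/")
SCRIPTED_UA = re.compile(r"python-requests|curl/|Go-http-client|okhttp", re.I)
BURST_PER_MINUTE = 30  # assumed threshold; tune to your tenant's baseline


def _parse_ts(s):
    """Canvas emits ISO 8601 with a trailing Z; fromisoformat wants +00:00."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _path(url):
    """Strip scheme, host and query string; Canvas returns absolute URLs."""
    return re.sub(r"^https?://[^/]+", "", url).split("?", 1)[0]


def triage(page_views, start=WINDOW_START, end=WINDOW_END, burst=BURST_PER_MINUTE):
    """Return a list of findings, each {reason, remote_ip, detail}."""
    findings = []
    per_ip_minute = Counter()
    for pv in page_views:
        ts = _parse_ts(pv["created_at"])
        if not (start <= ts < end):
            continue
        path = _path(pv["url"])
        ip = pv.get("remote_ip", "?")
        ua = pv.get("user_agent", "")
        method = pv.get("http_method", "GET").upper()
        per_ip_minute[(ip, ts.strftime("%Y-%m-%dT%H:%M"))] += 1
        if BULK_READ.match(path):
            findings.append({"reason": "bulk-read", "remote_ip": ip, "detail": path})
        if method in ("POST", "PUT", "DELETE") and ACCOUNT_WRITE.match(path):
            findings.append({"reason": "account-config-write", "remote_ip": ip,
                             "detail": f"{method} {path}"})
        if path.startswith("/api/v1/") and SCRIPTED_UA.search(ua):
            findings.append({"reason": "scripted-api-client", "remote_ip": ip,
                             "detail": ua})
    for (ip, minute), n in per_ip_minute.items():
        if n >= burst:
            findings.append({"reason": "burst", "remote_ip": ip,
                             "detail": f"{n} requests in minute {minute}"})
    return findings


def sample_records():
    """Constructed records: a scripted client paging the account's users, pulling
    conversations and adding a developer key, plus benign browser traffic and
    one request that falls outside the window."""
    base = "https://canvas.example.edu"
    bot_ua = "python-requests/2.32.3"
    browser_ua = "Mozilla/5.0 (Macintosh) AppleWebKit/537.36 Safari/537.36"
    recs = [
        {"url": f"{base}/api/v1/accounts/1/users?page={i}&per_page=100",
         "created_at": "2026-05-02T03:14:07Z", "remote_ip": "203.0.113.7",
         "user_agent": bot_ua, "http_method": "GET"}
        for i in range(1, 31)
    ]
    recs += [
        {"url": f"{base}/api/v1/conversations?scope=all", "created_at": "2026-05-02T03:20:01Z",
         "remote_ip": "203.0.113.7", "user_agent": bot_ua, "http_method": "GET"},
        {"url": f"{base}/api/v1/accounts/1/developer_keys", "created_at": "2026-05-03T11:02:44Z",
         "remote_ip": "203.0.113.7", "user_agent": bot_ua, "http_method": "POST"},
        {"url": f"{base}/courses/101/assignments", "created_at": "2026-05-04T15:30:00Z",
         "remote_ip": "198.51.100.4", "user_agent": browser_ua, "http_method": "GET"},
        {"url": f"{base}/api/v1/courses/101/enrollments", "created_at": "2026-05-04T15:31:10Z",
         "remote_ip": "198.51.100.4", "user_agent": browser_ua, "http_method": "GET"},
        {"url": f"{base}/api/v1/accounts/1/users", "created_at": "2026-05-09T08:00:00Z",
         "remote_ip": "203.0.113.7", "user_agent": bot_ua, "http_method": "GET"},
    ]
    return recs


def demo():
    """Count findings by reason for the constructed sample."""
    return Counter(f["reason"] for f in triage(sample_records()))


if __name__ == "__main__":
    for reason, n in sorted(demo().items()):
        print(f"{reason}: {n}")
```

Two design notes. The window check runs before any pattern match, so the May 9 request is dropped rather than flagged; widen the window if your own timeline differs from the reported one. Bulk-read hits on their own are noisy (the browser-driven enrollments call above is flagged too), so rank by IP: an address that trips bulk-read, scripted-api-client and burst together, and then writes a developer key, is the pattern worth escalating.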
For CISOs (Strategic):
1. SaaS Vendor Audit: Map every "free tier," "low-friction onboarding," or "research program" in your vendor stack. Request security documentation proving logical isolation.
2. Incident Response Playbooks: Assume vendors will NOT fully remediate on their first try. Your playbook should include a "phase 2 response" (additional hardening steps if the vendor gets breached again within 30 days).
3. Multi-Tenant Risk Framework: Build a TPRM process that specifically assesses isolation models and unverified account risks in every SaaS contract.
4. Extortion Negotiations: Engage your IR team and legal counsel now on what happens if your vendor is extorted and the attacker turns to you directly. (Spoiler: you're at risk.)
Sources
1. The Daily Pennsylvanian: "Cybercrime group crashes Penn's Canvas system, demands ransom to prevent data release" – May 12, 2026, 01:23 UTC+4
2. Rescana: "ShinyHunters Launches Second Major Attack on Instructure Canvas LMS via Free-For-Teacher Accounts" – May 2026
3. Education Week: "A Cyberattack on Canvas Could Cause Lasting Aftershocks for Schools" – May 12, 2026
_Lyrie.ai Cyber Research Division_
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.