Dark Perimeter: True Cybersecurity Stories
Every major cyberattack has a story behind it. A vulnerability no one patched. A phishing email someone clicked. A nation-state with a motive. Dark Perimeter goes beyond the headlines to explore the true stories of the hacks, breaches, and cyber operations that shaped history - told in narrative form for security professionals and curious minds alike. No guests, no panels, no filler. Just the story.
Dark Perimeter: "Finals Week" — The ShinyHunters Canvas Extortion
SPEAKER_00: Welcome back to Dark Perimeter. I'm Cole Draden, May 7, 2026. First week of finals at universities across the country, students logging into Canvas to submit papers, check exam schedules, access course materials, and then their screen goes dark. And where the login page used to be, there's a message. Not from Canvas, from ShinyHunters. The message reads: "ShinyHunters has breached Instructure again. Instead of contacting us to resolve it, they ignored us and did some security patches." The word "again" is doing a lot of work in that sentence. Tonight we're telling the full story. How a group of extortionists got inside the platform that runs academic life for 275 million people, how they timed their strike for maximum pain, how the company paid, and what the FBI said about it afterward. Dr. Elliot Vance is here, and so is Marcus Hale. Let's get into it.
SPEAKER_02: To understand this story, you have to understand who ShinyHunters is. They're not a traditional ransomware operation. They don't encrypt your files and leave you unable to work. Their model is pure extortion. Steal the data, threaten to publish it, collect payment, and promise to delete what they took. Whether they actually delete it is a different question. They've been active for several years and they have a documented pattern. Large-scale breaches of platforms with broad user bases, education, enterprise SaaS, identity services. In 2026 alone, before this incident, they'd already hit Udemy, a financial services firm called Figure, and Aura, the identity protection company. That last one is worth remembering. The company selling identity protection got breached by ShinyHunters through a voice phishing call to one of their employees.
SPEAKER_01: And they'd already been inside Instructure. That's the part of this story that doesn't get enough attention. In September of 2025, ShinyHunters hit Instructure's Salesforce business systems through social engineering. That attack didn't touch Canvas product data. It was peripheral infrastructure, so business contacts, that kind of thing. Instructure disclosed it, said no Canvas data was affected, and moved on. Eight months later, ShinyHunters was back, and this time they went straight for the platform.
SPEAKER_00: So walk us through how they got in. Because the entry point in this case is not what you'd expect.
SPEAKER_02: Canvas has a feature called Free-for-Teacher. The premise is straightforward. Educators can create a Canvas account without going through their institution. It's designed to let individual teachers explore the platform, run small courses, get familiar with the tools before their school adopts it. A legitimate product decision, reasonable on its face. The problem is that it creates a category of account that doesn't go through institutional verification or the same access controls that normal Canvas deployments use. ShinyHunters found that category of account and exploited a vulnerability in how those accounts were handled. The exposure window ran from April 30th through May 7th, when Instructure finally shut the program down entirely.
SPEAKER_00: So Instructure detects the intrusion on April 29th, announces it on May 1st on their status page. They say they've contained it, they've revoked third-party access, they've brought in forensic experts. May 2nd, they say the situation is resolved, and then May 7th happens.
SPEAKER_02: And May 7th is where this goes from a data breach story to something else. Because what ShinyHunters did on May 7th wasn't a technical attack in the conventional sense. They had the leverage they needed. What they did was use it publicly, visibly, and at the worst possible moment. At around 4:20 in the afternoon, users at roughly 330 institutions around the country tried to log into Canvas during finals week and got the ransom note instead. Some were mid-exam. One parent told a news outlet that her son was in the middle of a test when the message appeared on his screen. The group gave Instructure until May 12th. Pay, or 3.65 terabytes of data gets released.
SPEAKER_01: The timing is not accidental. These groups know what they're doing. End of semester is the highest-leverage moment you can find at an education company. Millions of students are dependent on the platform for exams, for grade submissions, for communication with professors. If Canvas goes down for six hours in February, it's an inconvenience. If it goes down during finals week, it's a catastrophe. They chose the moment deliberately.
SPEAKER_00: And what did Instructure do after May 7th?
SPEAKER_02: They took Canvas offline, calling it maintenance mode, to contain the second intrusion and investigate. They confirmed that ShinyHunters had gotten back in through the same Free-for-Teacher vulnerability that hadn't been fully closed. And then on May 12th, Instructure quietly announced they had reached an agreement with the attackers.
SPEAKER_00: They paid.
SPEAKER_02: They paid. The amount was never disclosed. What Instructure said publicly is that the cyber criminals had returned the compromised data and provided digital confirmation of data destruction, what the group called "shred logs." They also said they'd received assurance that no Instructure customers would be further extorted as a result of this incident.
SPEAKER_01: I want to be careful here, because there's a version of this where you say Instructure made the right call. 275 million records, billions of private messages. The alternative is that data set hitting the open market, getting used for years of targeted fraud, phishing, credential stuffing; every student and faculty member at 8,800 institutions is a permanent target. The scale of the secondary harm from a public leak is genuinely difficult to calculate.
SPEAKER_00: And yet.
SPEAKER_01: And yet, Instructure itself acknowledged there is, and I'm quoting directly, "never complete certainty when dealing with cyber criminals." The shred logs prove nothing. The promise of no further extortion is the word of an extortion group, and paying confirms for every similar group that this model works against this class of target. Education vendors with broad user bases, high-stakes academic calendars, and enough data to credibly threaten hundreds of institutions at once. You just painted a target on every ed tech company operating at scale.
SPEAKER_02: The National Cybersecurity Alliance put it plainly. A cybersecurity director there said the payment reinforces the economic incentive structure behind cyber extortion and risks normalizing payment as a viable incident response strategy, which law enforcement agencies consistently warn against because it fuels further attacks across the sector.
SPEAKER_00: And then the FBI showed up.
SPEAKER_02: On May 15th, three days after Instructure confirmed the agreement, the FBI's Internet Crime Complaint Center issued an advisory about the ShinyHunters extortion gang and their attack on a learning management system used by educational institutions across the United States. They didn't name Canvas by name; they didn't need to. It had been global news for two weeks. The advisory is notable for what it tells students and faculty to do, because the risk doesn't end with the ransom payment. The stolen data, names, student IDs, email addresses, private messages, is out there, regardless of what the shred logs say. It can be used to construct highly personalized phishing attacks. Someone who knows you're enrolled in a specific course at a specific institution, knows your professor's name, knows the subject of your final exam, that person can write you an email that looks completely legitimate.
SPEAKER_01: This is the piece that gets lost in the coverage. The ransom payment is the headline. The residual threat is the longer story. That data, even if deleted by ShinyHunters, may have been copied, sold, or shared before the agreement was reached. The exposure window was a week. The threat window is years.
SPEAKER_00: Let's talk about what Instructure should have done differently. Because there are real lessons here that aren't about paying or not paying.
SPEAKER_01: The Free-for-Teacher program is the core failure. It's a feature that creates a parallel account type with different access controls than the main institutional deployment. The second you have two categories of account with different verification requirements, you've created an attack surface. If that program needed to exist, it needed to be air-gapped from production student data in a way that it clearly wasn't. The second failure is the response to the first breach. September 2025, ShinyHunters hits Instructure's Salesforce environment. The right question to ask after that, the one that apparently didn't get asked with enough urgency, is: where else can they get in? You've been targeted once by a group that patterns against you. That's intelligence. Eight months later, the same group came back with a different vector.
SPEAKER_02: From a technical standpoint, the Free-for-Teacher exploitation suggests an account privilege issue, the ability to escalate access or pivot from a low-trust account type to data stores that should only be accessible to institutional accounts. The fact that this vulnerability existed, was exploited, and then, after Instructure thought they'd patched it, was exploited again, suggests the remediation after the first detection was incomplete. They revoked access without fully understanding the attack path.
SPEAKER_00: So, what does this look like from the outside? From the perspective of a security leader at an institution that uses Canvas.
SPEAKER_01: You rotate your API credentials immediately, not because Instructure told you to, but because you assume the worst about what was exposed during that window. You audit any integrations your institution has with Canvas for third-party access that might have been compromised. You brief your faculty and student population on what to watch for: personalized phishing, emails that reference specific course details or exam schedules, anything that seems to know too much about their academic situation. And longer term, you have a harder conversation with your LMS vendor about how they handle account types with different security tiers. Because if Canvas has a Free-for-Teacher program, the question is: what other access boundaries exist in their architecture that don't meet the same standard as your institutional deployment?
SPEAKER_02: The vendor risk angle here is underappreciated. Institutions don't have visibility into how Instructure manages its own internal infrastructure. The first breach came through social engineering against Salesforce systems. The second came through a product feature. Two completely different attack surfaces, both touching the same customer data. That tells you something about the complexity of the vendor's attack surface and about the limits of what a security assessment of the product can actually tell you about the organization's overall posture.
SPEAKER_00: I want to come back to ShinyHunters for a moment. Because this group is operating as what some analysts are calling extortion as a service. They're not opportunistic, they're systematic.
SPEAKER_02: Their 2026 campaign before this incident included Udemy, Figure, and Aura, the identity protection company. Their late 2025 campaign claimed a breach of Salesforce customer environments, affecting what they said were one and a half billion records. In November 2025, they hit Harvard's Alumni Affairs office, over a million records. The pattern is consistent. Large platforms with broad user bases, data that's valuable for secondary exploitation, and organizational complexity that creates gaps in access control. They're not technically sophisticated in the way that nation-state actors are. They're not writing zero-days; they're doing social engineering, exploiting poorly secured account types, and using the leverage of the data itself as the weapon. The sophistication is operational. They understand which targets are most likely to pay, when to apply pressure for maximum effect, and how to run an extortion campaign that stays just credible enough to get the wire transfer.
SPEAKER_01: And the timing component is the thing I'd want every security leader to internalize. They waited for finals week. They knew the academic calendar. They understood that hitting Canvas in early May, in the middle of end-of-semester exams, multiplied the pressure on Instructure by an order of magnitude compared to hitting the same target in January. This is threat intelligence working in reverse. They studied the operational calendar of their target and chose the moment of maximum leverage. If you're running security at a company that provides critical services to a time-sensitive industry, education, healthcare, financial services, any sector with known high-stakes periods, your adversaries may be thinking about your calendar more carefully than you are.
SPEAKER_00: The last thing I want to cover is what happens next with the data. Because Instructure paid, they got shred logs. And Instructure's own statement acknowledged there is never complete certainty when dealing with cyber criminals.
SPEAKER_02: The FBI advisory makes clear that the risk is ongoing, regardless of the agreement. The stolen data, student IDs, emails, private messages, is live threat intelligence for phishing operations. Even if ShinyHunters honors the deal and deletes their copy, the data is valuable enough that it may have been duplicated, sold to a third party, or shared within the group's network before the payment cleared. 275 million records is not a small data set. There is no scenario where the security community should assume that data set is fully contained. The obligation that flows from that falls on the institutions, to their students, their faculty, their staff, to treat this as an extended threat window, not a closed incident.
SPEAKER_01: And the FBI advisory exists precisely because the Bureau isn't confident the agreement means what Instructure says it means. Law enforcement doesn't issue advisories for incidents that are resolved. They issue advisories when they believe the threat is ongoing.
SPEAKER_00: 8,800 institutions, 275 million users, 3.65 terabytes of data, one ransom payment, and an advisory from the FBI that says the threat isn't over. ShinyHunters understood something that a lot of organizations still don't. The leverage in a data breach isn't the data itself, it's the timing, the scale, and the credibility of the threat to release it. They picked the right target, the right moment, and the right amount of pressure, and they got paid. The lesson for every vendor that runs critical infrastructure for time-sensitive industries is not complicated. Know your calendar, know your attack surface, and assume that if a sophisticated extortion group is targeting your sector, they know both of those things better than you do. This is Dark Perimeter. I'm Cole Draden. Stay sharp.
SPEAKER_02: Thanks, Cole. Good night.