惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
The Last Watchdog
The Last Watchdog
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
T
Troy Hunt's Blog
L
LINUX DO - 最新话题
C
Check Point Blog
T
Threat Research - Cisco Blogs
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
罗磊的独立博客
V
Vulnerabilities – Threatpost
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
J
Java Code Geeks
Apple Machine Learning Research
Apple Machine Learning Research
大猫的无限游戏
大猫的无限游戏
S
Security @ Cisco Blogs
IT之家
IT之家
T
The Exploit Database - CXSecurity.com
The GitHub Blog
The GitHub Blog
D
Docker
Engineering at Meta
Engineering at Meta
AWS News Blog
AWS News Blog
S
Security Affairs
U
Unit 42
P
Palo Alto Networks Blog
V
Visual Studio Blog
Y
Y Combinator Blog
D
DataBreaches.Net
Forbes - Security
Forbes - Security
阮一峰的网络日志
阮一峰的网络日志
美团技术团队
Security Latest
Security Latest
aimingoo的专栏
aimingoo的专栏
Simon Willison's Weblog
Simon Willison's Weblog
A
Arctic Wolf
博客园_首页
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
H
Hacker News: Front Page
博客园 - 司徒正美
博客园 - Franky
宝玉的分享
宝玉的分享
TaoSecurity Blog
TaoSecurity Blog
Latest news
Latest news
Scott Helme
Scott Helme
MongoDB | Blog
MongoDB | Blog
量子位
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
C
Cisco Blogs
P
Privacy International News Feed
Application and Cybersecurity Blog
Application and Cybersecurity Blog

GRAHAM CLULEY

Anubis ransomware: what you need to know Smashing Security podcast #476: Remote-control rickshaws and rogue book marketers The ransomware negotiator who was working for the other side Invited to a "job interview" with Netflix or OpenAI? Beware! Your Google password could be at risk Smashing Security podcast #475: JadePuffer - the AI that ran a ransomware attack all by itself Two arrested over credit card phishing - as the Netherlands is named Europe's worst for payment fraud The Gentlemen ransomware: what you need to know Smashing Security podcast #474: Polymarket can predict the future. So how did it miss this hack? Scammers race to cash in on Venezuelan earthquake disaster USB drives carrying China-linked malware infected Japanese military networks for nearly a year Smashing Security podcast #473: How a hacker could have Rickrolled the entire World Cup Hacker hijacks Brazil's national alert system, sending "misanthropy" to millions of phones Apple's Hide My Email tweak leaves privacy fans fuming Imposter scams cost Americans $3.5 billion in 2025 – and it’s getting worse Smashing Security podcast #472: AI gets hacked, and BitLocker gets bypassed Maine forced to take down data breach portal after fake notices filed with authorities Privacy own-goal: World Cup blunder leaks Lionel Messi's passport details Silent Ransom Group: what you need to know Smashing Security podcast #471: This AI worm just rewrote its own rules Why schools remain one of cybercriminals' favourite targets Got a LinkedIn message from a recruiter? It might be Chinese intelligence, warn FBI and MI5 Meta’s own AI chatbot to blame for Instagram accounts being stolen in seconds Smashing Security podcast #470: This AI security flaw might be impossible to fix Police arrest man following hack of Ajax football club MyPillow listed on ransomware gang's leak site, but denies it has been breached Smashing Security podcast #469: What your Oura ring won’t tell you FBI warns of Kali365 phishing kit that breaks into Microsoft 365 accounts — no password required Defenders fall behind, as AI rewrites the rules of a data breach Smashing Security podcast #468: High-speed train hacks and homicidal lawnmowers Suspected Dream Market kingpin arrested after gold bars sent to his home address When ransomware gets physical: cybercriminals turn to threats of violence Smashing Security podcast #467: How ShinyHunters hacked the world’s biggest universities One in eight UK workers has sold their company passwords, and bosses think it’s fine Inside Department 4: Russia's secret school for hackers Sri Lanka makes 37 arrests as it raids another scam centre Smashing Security podcast #466: Meta sees everything, Copy Fail, and a deepfake gets hired Teenager alleged to be Scattered Spider hacker arrested in Finland, faces US extradition Iran-linked Handala hackers leak US Marines data, send chilling WhatsApp threats Smashing Security podcast #465: This developer wanted to cheat at Roblox. It cost millions Alleged Silk Typhoon hacker extradited to the United States to face charges French police arrest 21-year-old "HexDex" hacker over 100 alleged data breaches Smashing Security podcast #464: Rockstar got hacked. The data was junk. The secrets it revealed were not Singer loses life savings to fake wallet downloaded from the Apple App Store Sometimes changing the password on your email mailbox isn’t enough 108 malicious Chrome extensions caught stealing Google and Telegram data from 20,000 users AI and cryptocurrency scams are costing Americans billions, FBI reports Life imprisonment for Cambodian scam compound operators - but will it make a difference? Nigerian romance scammer jailed after being caught out by fellow fraudster Alleged RedLine malware developer extradited to United States Iranian hackers breach FBI director's personal email, and post his CV and photos online World Leaks data extortion: What you need to know How one man used 10,000 bots to steal $8,000,000 from music artists Denver's crosswalks hacked to broadcast anti-Trump messages LeakNet ransomware: what you need to know Free parking in Russia after Distributed Denial-of-Service attack knocks city's parking system offline Fraudsters are using public planning records to target permit applicants Your Signal account is safe - unless you fall for this trick Twitter suspended 800 million accounts last year — so why does manipulation remain so rampant? How hackers bypassed MFA with a $120 phishing kit - until a global takedown shut it down They seized $4.8m in crypto... then gave the master key to the internet
FBI warns students and staff that ShinyHunters may come knocking after Canvas breach
Graham CLULEY · 2026-05-20 · via GRAHAM CLULEY

When the FBI puts out a public service announcement that deliberately appears to avoid naming the company at the centre of the story, you can usually work out which one it is...

On 15 May 2026, the FBI's Internet Crime Complaint Center (IC3) issued an advisory about the ShinyHunters extortion gang that recently breached "an online Learning Management System" used by educational institutions across the United States.

The advisory doesn't say the platform that was hacked was Canvas, and that the company concerned was Instructure.

Frankly, it didn't need to. The security breach was not just big news on cybersecurity blogs, it made headlines worldwide.

On 12 May, Instructure quietly confirmed it had reached "an agreement" with the attackers, who apparently had helpfully provided "digital confirmation of data destruction (shred logs)."

In short, Instructure paid the ransom.

There are a few possible problems with paying an extortion gang and trusting that they will honour the deal. One of the big problems is that it requires you to trust an extortion gang.

And I supposed that's why the FBI wrote its PSA. It's a polite reminder to everyone (whether they be students, parents, or staff) that their data may still be out there - and that it might be sensible to be braced to the possibility that criminals could prove not to be trustworthy - and start putting the stolen information to work.

For instance, ShinyHunters or their cybercriminal counterparts could use the potentially sensitive personal information to harras innocent parties caught up in the breach through no fault of their own.

As the FBI warns, in an attempt to extort money ShinyHunters "commonly use harassment strategies, sending threatening text messages and phone calls to victims and their family members, and in some cases, swatting."

Furthermore, extortionists might falsely claim to have access to compromising information, such as embarrassing photographs or videos of victims.

And then there is always the possibility of spearphishing campaigns, where hackers can disguise their poisoned messages through the use of stolen student IDs, professors' names, or snippets of private messages that were stolen in the breach.

The FBI advises that victims do not engage with anyone claiming to hold their data for ransom, and wait for official guidance from their educational establishment to learn what details may have been compromised.

Furthermore, users are advised to not click on suspicious links or unsolicited attachments, and to enable multi-factor authentication where possible to harden the security of their accounts.

Every successful ransom payment writes a sales pitch for the next attack, and ShinyHunters — already linked to incidents at Ticketmaster, the University of Pennsylvania, Princeton, Harvard, Infinite Campus, and McGraw Hill — will not be stopping any time soon.

For students caught in the middle: assume your data is out there, treat every unexpected message with suspicion, and don't let anyone panic you into paying, clicking, or replying. The criminals are counting on your fear. Don't give it to them.

There is, of course, no certainty that ShinyHunters (or any other criminal) will attempt to exploit the information seized by hackers during the Canvas/Instructure breach - but it would it would be wise to consider the possibility, and ensure that defensive measures are properly adopted.

And that advice also goes to other "online learning management systems" and educational establishments. Having receive a ransom payment for its attack on Canvas, ShinyHunters and other extortion gangs are only likely to be further incentivised to launch similar attacks in future.