Picture this: it is finals week. Thousands of students across the United States log into their school's exam portal — and instead of a login form, they see a mocking message left by hackers. That is exactly what happened to Instructure, the company behind Canvas, the learning management system used by millions of students globally. And the group responsible? A hacker gang called ShinyHunters — the same crew behind some of the largest data thefts of the decade.
If your organisation uses any cloud-based platform — whether for education, HR, finance, or operations — this breach is a direct warning. Here is exactly what happened, and why it matters for every business leader reading this.
How the Hackers Got In: A Phone Call
You might expect a breach of this magnitude to involve sophisticated malware or a zero-day exploit. It did not. ShinyHunters got into Instructure's systems using voice phishing — also called vishing. Their operatives called the company's IT support line, pretended to be employees who had forgotten their passwords, and talked their way into internal systems. No code required. Just confidence and a convincing script. This technique has become one of the most effective and underrated threats to organisations of any size — because it targets the weakest link in any security system: people.
What Was Stolen: 30 Million Records
Once inside, the hackers exfiltrated private data belonging to more than 30 million students and staff across the Canvas platform. This included personal information, login credentials, and sensitive data stored in the cloud environment. The scale puts this among the largest education-sector breaches in history. For those affected, consequences range from spam and phishing attempts to full-blown identity theft and financial fraud.
The Company Said No — So the Hackers Came Back
Here is where the story gets particularly brutal. When Instructure initially refused to pay the ransom, ShinyHunters did not disappear. They returned — and escalated. The group defaced Canvas login screens at schools across the United States during finals week. Students trying to access exam materials and submit coursework were met with the hackers' messages instead. Exams were disrupted nationwide. Instructure eventually paid the ransom — despite the FBI explicitly advising the company not to do so. It is a case study in exactly what not to do, and exactly what you should prepare to avoid.
ShinyHunters' 2026 Damage Sheet
Instructure was far from the only target. In 2026 alone, ShinyHunters has claimed responsibility for:
- Stealing 40 million records from internet provider Charter Communications
- Breaching Carnival cruises for 6 million customer records
- Data leaks from Harvard and UPenn
- A breach of a major fintech lending company
- Attacks on European government agencies
The pattern is consistent: they go after organisations that hold large volumes of personal data and have low tolerance for operational disruption — schools, healthcare providers, fintechs, and telecoms.
The Nigerian and African Business Angle
Nigerian businesses — especially fintechs, edtech platforms, HR systems, and cloud-hosted SaaS tools — are increasingly attractive targets for groups operating at this level. The NDPC (Nigeria Data Protection Commission) now enforces penalties under the Nigeria Data Protection Act 2023. A breach of this scale, if it happened to a Nigerian company, would trigger regulatory fines, reputational damage, and customer loss that no ransom payment would repair. The question is not whether your organisation could be targeted — it is whether your helpdesk staff would hand over system access to someone on the phone claiming to be a forgetful employee.
What You Need to Do Now
The ShinyHunters playbook is depressingly simple to defend against with the right controls in place:
- Enforce multi-factor authentication on every system account — no exceptions
- Train staff to verify caller identity through an out-of-band callback before granting any access
- Never reset credentials over the phone without a second-channel confirmation
- Run simulated vishing exercises with your team annually
- Have a documented incident response plan — do not make your first decisions under pressure
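The callback and second-channel rules above can be enforced in the helpdesk tooling rather than left to an agent's judgement. The sketch below is an added example, not code from Instructure or the original article; the `ResetTicket` fields, the five-minute code lifetime and the sample numbers are assumptions made for illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300  # assumed validity window for the second-channel code

@dataclass
class ResetTicket:  # hypothetical helpdesk record
    employee_id: str
    callback_number_used: str   # number the agent actually dialled back
    code_issued: str            # one-time code sent over the second channel
    code_issued_at: float       # epoch seconds
    code_read_back: str = ""    # what the person on the callback read out

def issue_code() -> str:
    """Six-digit one-time code for the employee's enrolled second channel."""
    return f"{secrets.randbelow(10**6):06d}"

def authorize_reset(ticket, numbers_on_file, now=None):
    """Return (allowed, reason); the reset is denied unless both checks pass."""
    now = time.time() if now is None else now
    on_file = numbers_on_file.get(ticket.employee_id)
    if on_file is None:
        return False, "no number on file: escalate to in-person verification"
    # Out-of-band callback: only the number already on record counts,
    # never a number offered by the person who phoned in.
    if ticket.callback_number_used != on_file:
        return False, "callback was not placed to the number on file"
    if now - ticket.code_issued_at > CODE_TTL_SECONDS:
        return False, "second-channel code expired"
    # Constant-time comparison of the code read back on the callback.
    if not hmac.compare_digest(ticket.code_read_back.encode(),
                               ticket.code_issued.encode()):
        return False, "second-channel code mismatch"
    return True, "callback and second-channel confirmation both verified"

if __name__ == "__main__":
    # Constructed sample data: directory entry and two reset attempts.
    numbers = {"E1001": "+15550100"}
    code, t0 = issue_code(), time.time()
    spoofed = ResetTicket("E1001", "+15550199", code, t0, code)
    genuine = ResetTicket("E1001", "+15550100", code, t0, code)
    print(authorize_reset(spoofed, numbers))
    print(authorize_reset(genuine, numbers))
```

The denial reasons are worth logging per ticket: repeated "callback was not placed to the number on file" entries for one account are a useful vishing signal.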
The Instructure breach is a masterclass in how much damage a single well-placed phone call can do. How confident are you that your team would hang up on the right people?
Originally featured on TechCrunch

