ShinyHunters: A Serial Extortion Campaign Targets Enterprise SaaS (May 2026)

Between May 7 and May 18, 2026, the ShinyHunters threat group—alongside suspected affiliate CoinbaseCartel—executed a targeted data extortion campaign against high-profile enterprise targets, including Instructure, 7-Eleven, and Grafana. While Instructure reached a settlement to secure approximately 3.65 TB of data stolen from its Canvas platform, the incident has sparked a wider debate on SaaS supply chain accountability. Even when providers pay, end-users often remain exposed to downstream threats like targeted phishing.
- Instructure reached an agreement with ShinyHunters for the recovery and digital destruction of 3.65 TB of data stolen from Canvas, impacting nearly 9,000 organizations and approximately 275 million records.
- On May 7, 2026, ShinyHunters defaced the login portals of roughly 330 Canvas institutions, posting an extortion message with a May 12 deadline.
- 7-Eleven confirmed the theft of over 600,000 Salesforce records, which were listed for sale for approximately $250,000; it remains unconfirmed whether the retailer paid the ransom.
- Grafana suffered the theft of a GitHub token, allowing an unauthorized actor to download its codebase and attempt extortion, though no customer data was compromised.
The May 7 Defacement and the Canvas Data Negotiations
On May 7, 2026, ShinyHunters defaced the login portals of approximately 330 Canvas institutions, issuing an extortion demand with a May 12 deadline. The message left on the pages stated: "ShinyHunters has breached Instructure (again)... Instead of contacting us to resolve it they ignored us and did some 'security patches.'" The defacement did not touch the schools' own infrastructure, but it put significant psychological pressure on the institutions at the height of the campaign.
Instructure later confirmed it had reached an agreement with the attackers for the recovery and digital destruction of the 3.65 TB of stolen data. The company stated: "While there is never complete certainty when dealing with cyber criminals, we believe it was important to take every step within our control to give customers additional peace of mind, to the extent possible." The breach involved roughly 9,000 organizations and 275 million records containing names, emails, and enrollment information.
Initial access reportedly came through an unspecified vulnerability in the Canvas "Free-for-Teacher" environment related to support-ticket handling. No public CVE has been assigned and the technical nature of the bug remains undisclosed, so institutions cannot independently assess the residual risk of their Canvas integration. The practical check on their side is to inventory what those integrations (API tokens, LTI tools, SSO trust) can reach if the platform is compromised again, and to scope them down accordingly.
Salesforce in the Crosshairs: 7-Eleven Confirms Extortion Attempt
7-Eleven confirmed a data breach involving the compromise of over 600,000 Salesforce records after ShinyHunters posted a ransom demand. The group offered the data for sale for approximately $250,000 on a specialized underground forum. At the time of official confirmation, it was not publicly known whether the retail giant had yielded to the ransom demand.
The true scope of the individual impact remains partially obscured. Only two residents of the State of Maine were officially notified via regulatory filings, while the total number of affected individuals has not been released. This discrepancy between stolen records and regulatory notifications highlights a significant lag in real-world visibility for the impacted consumers.
According to available reports, ShinyHunters has been targeting the Salesforce tenants of large organizations since 2025 through phishing, abuse of third-party integrations, and tenant misconfiguration rather than through any vulnerability in the Salesforce product itself. That distinction matters for defenders: the controls that count are identity and access management (MFA, session policies) and the permissions granted to connected apps and other third-party integrations, not vendor patching.
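The following Python audit is an added example, not code from this page, from Salesforce or from any of the companies named. It runs over a constructed export of connected-app grants and flags the patterns the paragraph above points at: apps outside an allowlist, grants with broad scopes, grants that have gone unused, and a burst of user consents to a single app in a short window, which is what a phishing-driven authorization campaign looks like in the data. The record layout, app names, scope strings and thresholds are assumptions, not a vendor schema; the same logic applies to the integration audit recommended in the mitigation list further down.

```python
"""Audit of third-party access grants in a SaaS tenant (added example).

The records are a constructed export of connected-app grants; the field
names, app names and scope strings are assumptions, not a vendor schema.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

APPROVED_APPS = {"Data Loader", "Corporate SSO Bridge"}   # assumed allowlist
BROAD_SCOPES = {"full", "web"}          # scopes a data-export job should not need
MAX_IDLE_DAYS = 90                      # grants unused this long should be revoked
BURST_WINDOW = timedelta(hours=24)      # many consents to one app inside this window
BURST_COUNT = 5                         # ... is what a consent-phishing campaign looks like

# Constructed sample export: one row per user grant to one connected app.
SAMPLE_GRANTS = [
    {"app": "Data Loader", "user": "ops1@example.edu", "scopes": ["api", "refresh_token"],
     "created": "2026-03-01T09:00:00Z", "last_used": "2026-05-10T08:00:00Z"},
    {"app": "Corporate SSO Bridge", "user": "prof2@example.edu", "scopes": ["openid"],
     "created": "2025-11-05T10:00:00Z", "last_used": "2026-01-10T10:00:00Z"},
] + [
    # Six users authorize an unknown app with full scope within fifty minutes.
    {"app": "My Sync Helper", "user": f"u{i}@example.edu", "scopes": ["full", "refresh_token"],
     "created": f"2026-05-12T13:{i * 10:02d}:00Z", "last_used": f"2026-05-12T13:{i * 10 + 5:02d}:00Z"}
    for i in range(6)
]


@dataclass(frozen=True)
class Finding:
    reason: str
    app: str
    user: str | None = None   # None for app-level findings


def _ts(value: str) -> datetime:
    # Export timestamps are ISO 8601 with a trailing Z; make them aware UTC datetimes.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_grants(grants, now, approved=APPROVED_APPS):
    """Return per-grant and per-app findings for the given export."""
    findings = []
    created_by_app = defaultdict(list)
    for g in grants:
        app, user = g["app"], g["user"]
        created_by_app[app].append(_ts(g["created"]))
        if set(g["scopes"]) & BROAD_SCOPES:
            findings.append(Finding("broad_scope", app, user))
        if now - _ts(g["last_used"]) > timedelta(days=MAX_IDLE_DAYS):
            findings.append(Finding("idle", app, user))
    for app, created in created_by_app.items():
        if app not in approved:
            findings.append(Finding("unapproved_app", app))
        # Sliding window over consent times: flag the app once if any
        # BURST_WINDOW contains at least BURST_COUNT consents.
        created.sort()
        j = 0
        for i in range(len(created)):
            while j < len(created) and created[j] - created[i] <= BURST_WINDOW:
                j += 1
            if j - i >= BURST_COUNT:
                findings.append(Finding("consent_burst", app))
                break
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for f in findings:
        counts[f.reason] += 1
    return dict(counts)


def run_sample():
    now = datetime(2026, 5, 20, tzinfo=timezone.utc)   # assumed audit time
    return summarize(audit_grants(SAMPLE_GRANTS, now))


if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, datetime(2026, 5, 20, tzinfo=timezone.utc)):
        print(f)
```

On the constructed export the audit reports the unknown app once for being off the allowlist and once for the consent burst, each of its six grants for the full scope, and the one SSO grant that has not been used in 90 days. A real run would feed it the tenant's own grant export and treat every consent-burst app as a revoke-first, ask-later case.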
Grafana and CoinbaseCartel: GitHub Token Theft and Failed Ransom
Grafana confirmed that an unauthorized actor obtained a GitHub access token, which was used to download the company's codebase and attempt extortion. The company refused to pay the ransom and launched an internal investigation to contain the incident. It has not been specified exactly when the unauthorized access began or how long it remained active before discovery.
In its official communication, Grafana clarified: "Our investigation has determined that no customer data or personal information was accessed during this incident, and we have found no evidence of impact to customer systems or operations." With only source code taken and no customer data to threaten with, the extortionists had little leverage, which is consistent with the company's decision not to pay.
The attack on Grafana has been linked to CoinbaseCartel, a group assessed to be a possible offshoot of ShinyHunters based on leak site trackers and operational patterns. However, this attribution is based on threat intelligence assessments rather than direct forensic analysis. CoinbaseCartel has been associated with approximately 170 victims since September 2025, according to available data.
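A stolen GitHub token is the kind of secret that tends to sit in CI logs, clone URLs and shell profiles long after it was issued. The scanner below is an added example, not Grafana's code or GitHub's tooling: it sweeps constructed CI output for GitHub-format tokens, fingerprints each one without storing the secret, deduplicates repeats into a single rotation item, and scrubs the lines for safe retention. It is the sweep a team runs before and after the token rotation recommended in the mitigation list below. The prefixes and lengths follow GitHub's documented token formats; the checksum suffix GitHub embeds in its tokens is not validated. The log lines and tokens are constructed.

```python
"""Sweep CI logs and config for GitHub-format tokens (added example).

Token prefixes and lengths follow GitHub's documented formats; the trailing
checksum GitHub embeds in its tokens is not validated here. Sample lines and
tokens are constructed.
"""
import hashlib
import re
from dataclasses import dataclass

TOKEN_KINDS = {
    "ghp": "classic personal access token",
    "gho": "OAuth app user access token",
    "ghu": "GitHub App user-to-server token",
    "ghs": "GitHub App installation token",
    "ghr": "GitHub App refresh token",
    "github_pat": "fine-grained personal access token",
}
# gh?_ tokens: 3-letter prefix + 36 chars; fine-grained PATs: github_pat_ + 22 + '_' + 59.
TOKEN_RE = re.compile(
    r"\b(?:gh[pousr]_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9]{22}_[A-Za-z0-9]{59})\b"
)

FAKE_CLASSIC = "ghp_" + "x" * 36                            # constructed, not real
FAKE_INSTALL = "ghs_" + "y" * 36
FAKE_FINE = "github_pat_" + "A" * 22 + "_" + "B" * 59

# Constructed CI output: a token in a clone URL, one echoed from the environment,
# one in a shell export, and a retry line that repeats the first token.
SAMPLE_LINES = [
    f"[ci] git clone https://{FAKE_CLASSIC}@github.com/example-org/app.git",
    f"[ci] env: GITHUB_TOKEN={FAKE_INSTALL}",
    f"export RELEASE_PAT={FAKE_FINE}",
    "[ci] build ok, commit 9f3c2a1",
    f"[ci] retry: git clone https://{FAKE_CLASSIC}@github.com/example-org/app.git",
]


@dataclass(frozen=True)
class Leak:
    fingerprint: str      # sha256 prefix of the token; the report never stores the secret
    kind: str
    redacted: str
    first_seen_line: int


def _prefix(token):
    return "github_pat" if token.startswith("github_pat_") else token[:3]


def redact(token):
    # Keep the prefix (tells the owner which system issued it) and the last 4 chars.
    return f"{_prefix(token)}_...{token[-4:]}"


def scan_lines(lines):
    """One Leak per distinct token, recorded at the line where it first appears."""
    seen = {}
    for n, line in enumerate(lines, 1):
        for m in TOKEN_RE.finditer(line):
            token = m.group(0)
            fp = hashlib.sha256(token.encode()).hexdigest()[:16]
            if fp not in seen:     # same token on several lines is one rotation item
                seen[fp] = Leak(fp, TOKEN_KINDS[_prefix(token)], redact(token), n)
    return list(seen.values())


def scrub(line):
    # Safe form of a log line for retention or for sharing with a vendor.
    return TOKEN_RE.sub(lambda m: redact(m.group(0)), line)


if __name__ == "__main__":
    for leak in scan_lines(SAMPLE_LINES):
        print(f"line {leak.first_seen_line}: {leak.kind} {leak.redacted} fp={leak.fingerprint}")
    for line in SAMPLE_LINES:
        print(scrub(line))
```

The fingerprint is what goes into the ticket: it lets the owner confirm after rotation that the same token does not reappear in later logs without the report itself becoming a second copy of the secret.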
Why Ransom Payments Fail to Secure the SaaS Supply Chain
While Instructure’s ransom payment resulted in a "digital confirmation of data destruction," there is no technical guarantee that copies of the data were actually deleted. When a SaaS provider negotiates with cybercriminals, end-customers lack visibility into the process and cannot independently verify the cleanup. The risk that information will be repurposed for targeted phishing campaigns remains a concrete reality that institutional users cannot manage on their own.
Instructure's decision sets a challenging precedent for the education technology sector. If critical platform providers normalize ransom payments as an operational cost, threat actors are incentivized to focus on targets with high service dependency and low downtime tolerance. Students, faculty, and retail customers ultimately bear the residual risk of a transaction over which they have no control.
The ripple effect extends beyond education. 7-Eleven, operating in a different sector, saw its enterprise records treated as commodities on clandestine forums. The convergence of data theft, psychological defacement, and direct negotiation defines a modern attack model where system encryption is no longer necessary to extract value: a poorly protected GitHub token or a SaaS misconfiguration is sufficient.
Strategic Mitigation and Response
- Rotate every GitHub token and API key that can reach production code, and treat anything a CI runner has held as compromised; replace long-lived classic personal access tokens with short-lived, fine-grained or app-installation tokens scoped to the repositories they need; isolate CI/CD runners from environments holding sensitive data or privileged credentials.
- Force re-authentication for all active sessions on Salesforce and education SaaS tenants and revoke existing OAuth refresh tokens, since a forced re-login alone does not invalidate integrations that hold their own tokens; audit authorized third-party integrations for signs of abuse or excessive permissions.
- Monitor for targeted phishing that reuses enrollment data and institutional identities stolen from Canvas; update email gateways and spam filters with breach-related indicators of compromise and, at a minimum, enforce SPF, DKIM and DMARC checks on mail claiming to come from the institution or the platform.
- Review insurance coverage and disclosure protocols with critical SaaS providers, and contractually require visibility into post-breach response actions (including whether and how a ransom is negotiated) before renewing enterprise agreements.
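The phishing-monitoring step above is the one institutions can act on immediately, so here is an added example of the detection logic, not code from the page, from Instructure or from any mail-security vendor. It scores constructed inbound messages for the signals that matter when attackers hold real names, addresses and enrollment data: a display name that borrows the institution's or platform's identity, a sender domain that is a homoglyph or brand-stuffed lookalike of the institution's domain, authentication failures, a Reply-To pointing elsewhere, and login links to hosts that imitate the institution. The institution domain, allowed sender list, brand tokens and all three messages are assumptions.

```python
"""Score inbound mail for phishing that impersonates an institution (added example).

Institution domain, allowed sender domains, brand tokens and the sample
messages are constructed assumptions, not data from the incident.
"""
import re
from email.utils import parseaddr

INSTITUTION_DOMAIN = "example.edu"                  # assumption
ALLOWED_SENDER_DOMAINS = {INSTITUTION_DOMAIN}       # add the LMS vendor's verified notification domain
DISPLAY_NAME_CLAIMS = ("example university", "registrar", "canvas")  # names an impostor borrows
BRAND_TOKENS = ("example", "canvas")                # brand words that do not belong in foreign hosts
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "|": "l"})

# Constructed messages: one legitimate notice, one lookalike-domain lure, one
# brand-impersonating sender that fails SPF and DMARC.
SAMPLE_MESSAGES = [
    {"id": "m1", "From": "Registrar <registrar@example.edu>",
     "Authentication-Results": "mx.example.edu; spf=pass dkim=pass dmarc=pass",
     "Body": "Your schedule is posted at https://canvas.example.edu/courses/101"},
    {"id": "m2", "From": "Example University Registrar <registrar@examp1e.edu>",
     "Reply-To": "verify@reply-collector.net",
     "Authentication-Results": "mx.example.edu; spf=pass dkim=none dmarc=none",
     "Body": "Your enrollment record must be verified: https://canvas-example-edu.com/login"},
    {"id": "m3", "From": "Canvas Support <support@notify-mail.xyz>",
     "Authentication-Results": "mx.example.edu; spf=fail dkim=none dmarc=fail",
     "Body": "Reset your password now: https://notify-mail.xyz/reset"},
]


def normalize(host):
    # Fold common digit-for-letter substitutions and 'rn' for 'm' before comparing.
    # This is deliberately aggressive; it is a scoring signal, not a block rule.
    return host.lower().translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def under_institution(host):
    return host == INSTITUTION_DOMAIN or host.endswith("." + INSTITUTION_DOMAIN)


def lookalike(host):
    """True if host imitates INSTITUTION_DOMAIN without being it or a subdomain of it."""
    if under_institution(host):
        return False
    label = INSTITUTION_DOMAIN.split(".")[0]
    h = normalize(host)
    # brand label embedded anywhere ("canvas-example-edu.com") or one edit away ("exampel.edu")
    return label in h.replace("-", "") or edit_distance(h.split(".")[0], label) <= 1


def assess(msg):
    """Return (verdict, reasons) for one parsed message."""
    reasons = []
    name, addr = parseaddr(msg["From"])
    sender_domain = addr.rsplit("@", 1)[-1].lower()
    if sender_domain not in ALLOWED_SENDER_DOMAINS:
        if any(claim in name.lower() for claim in DISPLAY_NAME_CLAIMS):
            reasons.append("display_name_impersonation")
        if lookalike(sender_domain):
            reasons.append("lookalike_sender_domain")
    auth = msg.get("Authentication-Results", "").lower()
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth):
        if result in ("fail", "softfail", "permerror", "temperror"):
            reasons.append(f"auth_{mech}_{result}")
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != sender_domain:
        reasons.append("reply_to_mismatch")
    for host in re.findall(r"https?://([^/\s\"'>]+)", msg.get("Body", "")):
        host = host.lower().split(":")[0]
        if not under_institution(host) and (
            lookalike(host) or any(t in host.replace("-", "") for t in BRAND_TOKENS)
        ):
            reasons.append("suspicious_link")
    verdict = "phish" if len(reasons) >= 2 else "suspicious" if reasons else "clean"
    return verdict, reasons


def run_sample():
    return {m["id"]: assess(m)[0] for m in SAMPLE_MESSAGES}


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["id"], *assess(m))
```

Note what the second message shows: its SPF passes because the attacker controls the lookalike domain, so authentication results alone would have cleared it. The display-name claim, the homoglyph domain and the brand-stuffed link host are what carry the verdict, which is why a gateway rule for this campaign cannot rely on DMARC by itself.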
The May campaign demonstrates that data extortion does not require encryption to be devastating. The true point of failure lies in the chain of trust between SaaS platforms and end-users: when a ransom becomes a manageable option for the vendor, the risk silently shifts to the data creators. Unless the enterprise sector adopts a model of shared responsibility, today’s payment will serve only as a down payment for the next attack.
Frequently Asked Questions
- Does Instructure have absolute certainty that the data was destroyed?
- Instructure received a "digital confirmation of data destruction," but there is no absolute guarantee when dealing with cybercriminals. The company stated it took every possible step to reassure customers, implicitly acknowledging the inherent limits of such negotiations.
- Why did Grafana refuse to pay the ransom while Instructure reached a settlement?
- Grafana confirmed that no customer data was compromised, significantly limiting the extortionists' leverage. In contrast, Instructure was facing the theft of 3.65 TB of sensitive data belonging to thousands of educational institutions, creating a different level of reputational and regulatory pressure.
- Should Canvas and 7-Eleven users expect immediate misuse of their data?
- The data has already been offered for sale or handled via private agreement. Even without public leaks, contact information and institutional identities can be repurposed for targeted phishing aimed at credential harvesting or secondary access to connected systems.
Information has been verified against cited sources and is current as of the time of publication.
Sources
- https://www.securityweek.com/7-eleven-data-breach-confirmed-after-shinyhunters-ransom-demand/
- https://thehackernews.com/2026/05/instructure-reaches-ransom-agreement.html
- https://krebsonsecurity.com/2026/05/canvas-breach-disrupts-schools-colleges-nationwide/
- https://www.welivesecurity.com/en/ransomware/naming-shaming-ransomware-groups-tighten-screws-victims/
- https://thehackernews.com/2026/05/grafana-github-token-breach-led-to.html