The infamous hacking group ShinyHunters has targeted two major technology firms, putting the personal details of millions of students and professionals at risk.
The breaches hit Instructure, the US-based parent company behind the popular Canvas learning platform, and the video-hosting site Vimeo.
Hackread.com has obtained the full list of institutions affected by the Instructure data breach. The list covers around 15,000 institutions across the UK, Europe, and the US, indicating the vast scale of the theft.
Millions of Student Records Stolen from Canvas
The attack on Instructure began on 30 April 2026. The company confirmed on 1 May that hackers exploited a vulnerability to gain access, forcing the company to shut down parts of its service, including Canvas Data 2 and Canvas Beta. This, in turn, caused problems for schools’ third-party integrations and external apps that rely on API keys (digital connectors) to function.
“While we continue actively investigating, thus far, indications are that the information involved consists of certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.”
“At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. If that changes, we will notify any impacted institutions,” Instructure explained in its official update released on Saturday.
ShinyHunters claim that they have stolen 3.65 terabytes of data. This includes a whopping 275 million records, and it isn’t just basic info, as it contains billions of private messages between students and teachers. Hackread.com confirmed that top-tier universities are on the list, such as:
- University of Oxford
- University of Melbourne
- University of Cambridge
- University of Hertfordshire
- University of British Columbia
- Harvard, Stanford, and Columbia University
The group also claims to have compromised the company’s Salesforce instance (a cloud database used for managing customer details). To stop the leak, Instructure has been rotating application keys, revoking privileged credentials, and resetting access tokens. Although Instructure says it has found no evidence that passwords or financial information were involved, the exposure of names, student IDs, and private chats makes users prime targets for phishing scams.
Vimeo Hit via Supply Chain Attack
Vimeo’s breach happened differently. Instead of attacking Vimeo directly, the hackers exploited a third-party connection via a partner company called Anodot. This is known as a supply chain attack, where a smaller link in the chain is used to reach a bigger target.
Reportedly, ShinyHunters stole authentication tokens from Anodot and used them to gain unauthorised access to Vimeo’s cloud data environments on Snowflake and BigQuery, platforms used for storing and analysing large amounts of data. About 119,000 accounts were affected, with the exposed data including:
- Customer email addresses and names.
- Metadata (details about videos like titles and upload times).
Vimeo has since deleted the Anodot integration to block the hackers. ShinyHunters gave the company a deadline of 30 April 2026 to pay a ransom, threatening to release the data and cause “digital problems” if it refused.
“This is a final warning to reach out… before we leak along with several annoying (digital) problems that’ll come your way. Make the right decision, don’t be the next headline.”
However, Vimeo isn’t interested in complying and has instead engaged cybersecurity experts and relevant agencies for further investigation.
“The data accessed does not include Vimeo video content, valid user login credentials, or payment card information. Vimeo user and customer login credentials are secure. This incident did not cause any disruption to our systems or service.”
“Upon learning of the incident, we promptly disabled all Anodot credentials, removed the Anodot integration with Vimeo systems, and engaged third-party security experts to assist with the investigation. We have also notified law enforcement,” Vimeo stated in its official statement.
These incidents should be a serious warning for every firm. Even with a well-secured internal network, an organisation can still inherit vulnerabilities through third parties, allowing hackers to bypass primary security controls and access sensitive data. If you use Canvas or Vimeo, be cautious of messages that ask you to click links or share your password, as these are most likely scams.

