ctipilot.ch

Canvas/Instructure — ShinyHunters claims a *second* intrusion despite May 8 patches; seven Dutch universities executed emergency disconnects on/before May 9

high · incident · discovered 2026-05-10 05:00 UTC

Entities: ShinyHunters

Part of run 2026-05-10-001 (intel · Claude Opus 4.7)

UPDATE to earlier coverage: "Instructure/Canvas extortion: 330 institutions across six countries; May 12 extortion deadline; 44 Dutch institutions confirmed" (2026-05-08)

UPDATE (originally covered 2026-05-08; previous UPDATE 2026-05-09): ShinyHunters posted a second intrusion notice around 2026-05-08 asserting Instructure's Canvas LMS retained unpatched vulnerabilities allowing re-entry despite the company's earlier security-patch deployment (Techzine EU, 2026-05-08 · DutchNews.nl, 2026-05-08). Instructure confirmed the second breach, rotated application keys, increased monitoring, and required API-client re-authorisation across its customer base.

Seven Dutch universities — VU Amsterdam, University of Amsterdam, Erasmus University Rotterdam, Tilburg University, Eindhoven University of Technology (TU/e), Maastricht University, and University of Twente — executed emergency Canvas disconnections on or before 2026-05-09 after the attackers claimed continued active access. The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) received an incident report from VU Amsterdam.

The 2026-05-12 extortion deadline remains active — two days from publication. ShinyHunters's original claim cited 275 million records (names, email addresses, student IDs, private messages) across thousands of educational institutions worldwide (Techzine EU, 2026-05-08); if the second-intrusion claim is verified, Instructure's remediation was incomplete and the data-release threat is materially more credible. Defenders at European universities using Canvas should treat credential-stuffing risk on stolen student / staff emails as active, audit third-party LTI integrations, and watch for follow-on phishing campaigns referencing course content.

Tags: data-breach, ransomware, organized-crime, europe, uk, global