
After Canvas: How to reduce your identity risk now

Published May 2026
What you will learn
How to reduce attacker leverage after the Canvas breach with Delinea’s real-time authorization and continuous control across every identity.

The disruption caused by a data breach is real, and most organizations are not ready.

Canvas, the learning management platform trusted by more than 8,800 educational institutions worldwide, learned this in the worst way. In early May 2026, with students in the middle of final exams, ShinyHunters stole 3.65 terabytes of student and faculty data and replaced the Canvas login page with a ransom demand.

ShinyHunters, a financially motivated cybercrime group, had been inside the environment of Canvas's parent company, Instructure Holdings, Inc., for eight months before the situation became public. Their entry point? A phone call. Using voice phishing and credential-harvesting sites designed to mimic legitimate portals, they captured SSO credentials and MFA codes, registered their own devices for ongoing authentication, and moved through the environment as authorized users.

By the time they replaced the Canvas login page with a ransom demand, they had already exfiltrated approximately 275 million records, including student names, email addresses, IDs, and private messages.

Grades were delayed, institutions scrambled. And the methods ShinyHunters used—documented, repeatable, and already in use across sectors far beyond education—did not change.

This blog will tell you what to do next. If your organization depends on any of the access patterns ShinyHunters exploited at Canvas, now is a good time to review your posture and understand where identity risk is concentrated.

1. What happened, and why the pattern is familiar

Canvas is shared infrastructure. Grades, communications, records, and exams for thousands of institutions flow through one platform. When ShinyHunters moved against Instructure, they weren't targeting a single school; they were targeting the access layer trusted by 8,809 organizations.

The attack unfolded in two stages. In September 2025, ShinyHunters accessed Instructure's Salesforce environment through social engineering. Eight months later, they returned—this time compromising the "free-for-teacher" system and exposing names, email addresses, student ID numbers, and private messages, then replacing the Canvas login page with a ransom demand and a payment deadline.

This two-stage, multi-platform approach is a pattern that Delinea's team has tracked across ShinyHunters operations. 

Delinea Labs research has documented a consistent finding across the incident landscape: most breaches don't start with a technical vulnerability. They start with legitimate access. Our research also shows that 75% of organizations experienced a SaaS security incident in the prior 12 months, while 91% expressed confidence in their SaaS security posture. That gap between perceived control and actual exposure is where breaches begin.

Attackers increasingly stopped 'breaking in' and started 'logging in.' Credentials, session tokens, OAuth grants, and service accounts have become the primary pathway into enterprise environments. ~ Delinea Labs

2. Credential theft is the method

ShinyHunters did not use a zero-day exploit to access Instructure's environment. Delinea Labs has studied this group's tactics, techniques, and procedures across dozens of incidents, and their standard approach relies on voice phishing (vishing) combined with credential-harvesting sites designed to mimic legitimate authentication portals.

The method is consistent: attackers impersonate IT staff by phone, direct employees to a convincing but fake login page, capture SSO credentials and MFA codes in real time, and then register their own devices for ongoing MFA authentication. From that point forward, they appear as authorized users. Nothing in the environment flags them as unusual, because technically, they aren't.

In 2026, this technique is harder to detect than it was two years ago. Delinea Labs has observed ShinyHunters and similar groups adopting AI-powered voice tools that adjust tone in real time, respond credibly to unexpected answers, and sustain authority across a full call. Security awareness training alone will not solve this problem. It requires architectural controls that limit what a compromised credential can access because the assumption that every credential is legitimate must be treated as a risk, not a given.

Delinea Labs research shows that once inside, ShinyHunters moves through non-human identities (NHIs) such as service accounts, automation pipelines, and API tokens to expand access without triggering human-facing controls. These identities are the connective tissue of modern enterprises, and in most organizations, they are the least-governed layer of the identity environment.

According to Delinea Labs, NHIs now outnumber human identities by approximately 52:1 in enterprise environments. 90% of organizations report at least one identity visibility gap, and only 30% validate NHI and AI agent usage in real time.

Based on what Delinea Labs has observed across ShinyHunters operations, most employees won't recognize a sophisticated impersonation attempt. That's not a failure of awareness; it's a reflection of how effective these methods have become. The more durable question is whether your access architecture limits what an attacker can do even after a successful authentication.

What to do

  • Map every identity in your environment, including human users, service accounts, automation, and AI agents.

  • Implement continuous authorization that governs what identities can do after access is granted, not just if they were allowed in.

  • Review MFA device registration procedures to ensure attackers cannot add their own devices using captured credentials.
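One way to review MFA device registrations is to flag enrollments that closely follow a sign-in from a source the user has never used before, which is the sequence described above. This is an added example, not Delinea's code; the event format, field names, and the 30-minute window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical, simplified identity-provider audit format.
EVENTS = [
    {"ts": "2026-03-02T08:58:00", "user": "alice", "type": "login", "ip": "198.51.100.10"},
    {"ts": "2026-03-03T09:02:00", "user": "alice", "type": "login", "ip": "198.51.100.10"},
    {"ts": "2026-03-03T09:10:00", "user": "bob", "type": "login", "ip": "198.51.100.20"},
    {"ts": "2026-03-03T09:12:00", "user": "bob", "type": "mfa_enroll", "ip": "198.51.100.20",
     "device": "bob-phone"},
    {"ts": "2026-03-04T14:31:00", "user": "alice", "type": "login", "ip": "203.0.113.77"},
    {"ts": "2026-03-04T14:35:00", "user": "alice", "type": "mfa_enroll", "ip": "203.0.113.77",
     "device": "unknown-android"},
    {"ts": "2026-03-20T10:00:00", "user": "alice", "type": "mfa_enroll", "ip": "198.51.100.10",
     "device": "alice-new-phone"},
]

def flag_risky_enrollments(events, window=timedelta(minutes=30)):
    """Flag MFA enrollments that follow a login from an IP address new to that user."""
    known_ips = {}     # user -> IPs seen on earlier logins
    new_ip_login = {}  # user -> (time, ip) of the latest login from a first-seen IP
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        user, ip = ev["user"], ev["ip"]
        seen = known_ips.setdefault(user, set())
        if ev["type"] == "login":
            # A user's very first login only builds the baseline; later unseen IPs are "new".
            if seen and ip not in seen:
                new_ip_login[user] = (ts, ip)
            seen.add(ip)
        elif ev["type"] == "mfa_enroll":
            reasons = []
            if ip not in seen:
                reasons.append("enrolled from an IP with no prior login")
            recent = new_ip_login.get(user)
            if recent and ts - recent[0] <= window:
                reasons.append(f"enrolled within {window} of first login from {recent[1]}")
            if reasons:
                findings.append({"user": user, "ts": ev["ts"],
                                 "device": ev["device"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in flag_risky_enrollments(EVENTS):
        print(finding)
```

A flagged enrollment is a prompt for out-of-band verification with the user, not proof of compromise; travel and new networks produce the same signal.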

3. Vendor trust is not the same as vendor security

The September 2025 intrusion went through Salesforce. The May 2026 intrusion targeted Canvas directly. In both cases, ShinyHunters exploited the connection layer between Instructure and its broader ecosystem—not core infrastructure, but the delegated credentials, OAuth grants, and trusted integrations that make modern SaaS environments function.

This is the supply chain risk that security leaders consistently underestimate. Every SaaS platform with access to your data is an extension of your identity perimeter. When you delegate trust to a vendor through OAuth grants, API tokens, or federated SSO, you inherit the risk of how that vendor governs those credentials. And in most cases, neither party reviews them regularly after initial setup.

Delinea Labs research has documented this pattern across incidents beyond Canvas: modern supply chain compromise increasingly moves through identity rather than code. Attackers don't need to exploit a software flaw. They need to find a trusted credential, a long-lived token, or an OAuth grant with broader permissions than anyone reviewed lately.

82% of organizations say they're confident they can discover non-human identities, but only 30% validate their usage in real time. (Delinea Labs)

What to do

  • Audit which SaaS vendors currently hold privileged access to your production data.

  • Review OAuth grant scopes and API token permissions, particularly those created during onboarding and never revisited.

  • Apply the same access governance standards to vendor credentials that you apply to internal privileged accounts.
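The grant review described above can be run as a recurring check over an exported inventory of vendor OAuth grants and API tokens. This is an added example, not Delinea's code; the inventory fields, scope names, broad-scope list, and 90-day review threshold are assumptions, and the records are constructed.

```python
from datetime import date

# Constructed inventory; field names and scope strings are hypothetical,
# not any vendor's export format.
GRANTS = [
    {"vendor": "crm-sync", "scopes": ["full_access", "offline_access"],
     "created": "2024-02-10", "last_reviewed": None, "expires": None},
    {"vendor": "calendar-addon", "scopes": ["calendar.read"],
     "created": "2025-11-01", "last_reviewed": "2026-01-15", "expires": "2026-11-01"},
    {"vendor": "report-export", "scopes": ["records.read", "records.write"],
     "created": "2025-01-20", "last_reviewed": "2025-02-01", "expires": "2027-01-20"},
]

BROAD_SCOPES = {"full_access", "admin", "offline_access"}  # assumption: tune per platform
MAX_REVIEW_AGE_DAYS = 90                                   # assumption: review policy

def audit_grants(grants, today):
    """Return (vendor, issues) pairs, most issues first, for grants needing review."""
    findings = []
    for g in grants:
        issues = []
        broad = sorted(BROAD_SCOPES & set(g["scopes"]))
        if broad:
            issues.append("broad scopes: " + ", ".join(broad))
        if g["last_reviewed"] is None:
            issues.append(f"never reviewed since creation on {g['created']}")
        else:
            age = (today - date.fromisoformat(g["last_reviewed"])).days
            if age > MAX_REVIEW_AGE_DAYS:
                issues.append(f"last reviewed {age} days ago")
        if g["expires"] is None:
            issues.append("no expiry set (long-lived credential)")
        if issues:
            findings.append((g["vendor"], issues))
    findings.sort(key=lambda f: -len(f[1]))
    return findings

if __name__ == "__main__":
    for vendor, issues in audit_grants(GRANTS, date.today()):
        print(vendor, "->", "; ".join(issues))
```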

4. Paying a ransom doesn't make you whole

ShinyHunters operates on a "pay or leak" model that Delinea Labs tracks closely. Stolen data is either returned for payment, published if payment is refused, or sold. Organizations that pay establish themselves as willing to do so, while leaving the underlying access architecture that enabled the breach unchanged.

Instructure paid the ransom and received documentation from ShinyHunters, called shred logs, stating that the stolen data had been deleted. However, there is no technical mechanism to verify that data held by an attacker has actually been destroyed. When you pay a ransom, you accept the attacker’s account of what happened to your data. This is why security guidance consistently discourages ransom payments.

According to our research, 85% of ransomware victims were threatened with public data exposure. 57% paid ransom in 2025, down from 76% in 2024. This reflects growing recognition that payment doesn't resolve the underlying threat.

Delinea Labs found that ransomware operators in 2025 consistently completed data exfiltration before deploying any encryption or making any demand. By the time the ransom arrives, the leverage already exists.

What to do

  • Build access architecture that limits what an attacker can reach and exfiltrate—before any ransom conversation begins.

  • Treat incident response as a secondary control; access architecture is the primary one.

  • If a ransom is paid under legal or operational duress, treat it as a temporary measure and immediately address the access gaps that made it possible.

5. What it looks like to be prepared

Each of the patterns above (credential-based initial access, NHI abuse, trusted vendor connections, and post-breach leverage) represents a specific gap in traditional identity security. Delinea addresses all of them through a continuous authorization model that governs access across every human, machine, and AI identity from a single platform.

See every identity

Delinea continuously discovers human, machine, and AI identities across on-premises, cloud, SaaS, and endpoint environments—building a living identity graph that maps relationships, context, and risk in real time. This includes the service accounts and delegated credentials that most organizations have no current visibility into, and that ShinyHunters routinely uses as a path to lateral movement.

Know where risk exists before an incident does

Delinea Iris AI continuously analyzes every identity and interaction, surfacing over-permissioned accounts, stale credentials, and access configurations that represent real exposure. Security teams get prioritized, actionable output—not alert volume.

49% improvement in ability to detect threats and anomalies. 33% decrease in security incidents or breaches. (Delinea ROI study)

Control what identities can do after access is granted

Delinea Secret Server centrally vaults, rotates, and governs credentials across privileged accounts, machine identities, and automation pipelines to eliminate the standing credentials ShinyHunters harvests and reuses. With StrongDM, Delinea extends privileged access management into runtime authorization: access granted just-in-time, only for the duration of a specific task, then automatically removed. No standing privilege means no persistent credential for an attacker to capture and carry forward.

Operate from intelligence

Delinea Labs actively tracks ShinyHunters and other financially motivated threat groups—analyzing their current tactics and procedures so security teams understand what they're defending against before an incident occurs. The access patterns observed in the Canvas breach are consistent with behaviors Delinea Labs has documented across this group's operations. Organizations with access to that intelligence are working from evidence, not reacting to events.

The practical takeaway

The Canvas breach is not an anomaly. It is a clear example of a pattern Delinea Labs has tracked across years of financially motivated identity attacks: access obtained through trusted credentials, expanded through ungoverned NHIs, monetized before defenders had sufficient visibility to respond.

Security leaders who work in any environment where identity is the connective tissue between systems and data should treat this as a moment to review their own organization. Three questions are worth asking right now:

  1. Can you see every identity in your environment (including NHIs) in real time?

  2. Do you know which vendor credentials have privileged access to your production data, and when they were last reviewed?

  3. Are your access controls designed to limit what an attacker can do after a credential is compromised—not just to prevent initial access?

Delinea helps organizations move from reactive governance to continuous control with real-time authorization across every identity, auditable and defensible at every step. Governing access before detection and at the moment of execution reduces the attacker’s leverage. That's the difference that matters.
