Canvas Data Breach and ShinyHunters Hit 275M Education Records

ShinyHunters breached Canvas LMS affecting 275 million users across 9,000 schools, while Medtronic and Cushman & Wakefield also fell victim to major credential exposure campaigns this week.

The education technology sector faced unprecedented exposure this week as ShinyHunters claimed to have stolen 3.65 terabytes of data from approximately 275 million users, including private messages exchanged between students and teachers, in what experts are calling the largest educational security breach on record due to its unprecedented global scale, affecting 8,809 universities, educational ministries, and other institutions worldwide. Meanwhile, medical device giant Medtronic and real estate firm Cushman & Wakefield confirmed separate breaches by the same threat actor group, highlighting a coordinated campaign targeting North American enterprises through social engineering tactics.

Canvas Breach Exposes Student-Teacher Communications Across 9,000 Schools

The criminal extortion group ShinyHunters breached Instructure last week. Canvas, which is used by 41 percent of higher education institutions across North America to deliver courses, experienced an initial cybersecurity incident on May 1, then was hacked again on May 7 when its login page was replaced with a ransomware message by ShinyHunters. The breach occurred during finals week, temporarily leaving students and faculty at thousands of U.S. colleges — and K-12 schools — without access to course materials and communications during finals period. According to an update published by the education-technology company Monday night, the deal means that the hackers have returned the compromised data of some 275 million users across more than 8,800 institutions, though unconfirmed rumors suggest that US$10 million was paid.

Medtronic Data Breach Affects 9 Million Healthcare Records

Medical device manufacturing giant Medtronic has confirmed that hackers breached its network and exfiltrated data. The company announced the cyberattack on Friday, April 24, 2026. The group claimed to have exfiltrated more than nine million records containing personal information, along with large volumes of internal corporate data. The disclosure follows allegations by ShinyHunters, which listed the firm on its leak site in mid-April. Medtronic manufactures a range of medical products, including pacemakers, defibrillators, heart valves, coronary stents, insulin pumps, continuous glucose monitoring systems, neurosurgery products and imaging systems, surgical robotics, ventilators, and gastrointestinal products. The company is the world's largest medical device company by revenue, which was $33.5 billion in fiscal year 2025.

Cushman & Wakefield Breach Exposes 310,000 Real Estate Client Records

Cushman & Wakefield, one of the world's largest commercial real estate services companies, confirmed in May 2026 that threat actors stole and publicly leaked data belonging to over 310,000 individuals, exposing sensitive business contact records in a brazen "pay or leak" campaign. The breach was orchestrated by ShinyHunters. A spokesperson told The Register the attack was "limited" in scope and stemmed from vishing (voice phishing), suggesting an employee was socially engineered. The notorious ShinyHunters group claimed responsibility, alleging theft of over 500,000 Salesforce records containing personally identifiable information and sensitive internal corporate data. ShinyHunters claimed the initial attack on May 1, 2026, and issued a ransom deadline of May 6. When negotiations collapsed, they published the full 50 GB dataset.

What Individuals Should Do Now

If you're affiliated with any affected institutions, immediately enable multi-factor authentication on all educational and work accounts. Users should stay vigilant, especially for phishing messages — whether it's someone posing as Canvas prompting a password change, or pretending to be a professor sending course materials. Students and staff should be particularly cautious of communications requesting credential changes or containing unexpected attachments, as threat actors now have detailed institutional contact lists for targeted campaigns.

What Businesses Should Do This Week

Organizations must immediately audit their voice communication protocols and implement vishing-specific security awareness training. The attackers impersonate trusted parties over phone calls to trick employees over the phone into handing over credentials or internal access. Review all third-party integrations, especially CRM platforms like Salesforce, and implement zero-trust verification for any telephonic requests involving system access or credential modifications. Initial Access Brokers (IABs) sell compromised credentials to multiple buyers, meaning a single social engineering success can trigger parallel extortion campaigns from entirely unrelated groups. CRM platforms like Salesforce have become prime targets.