
TL;DR:

  • Who: ShinyHunters, a cybercriminal extortion group, has been on a rampage in 2026
  • Instructure/Canvas: 275 million student and teacher records stolen from 9,000 institutions. 3.65TB of data. Instructure paid the ransom. Got a pinky promise the data was deleted
  • Medtronic: 9 million records including patient data and Social Security numbers. Ransom deadline passed, but Medtronic vanished from the leak site, suggesting they paid too
  • Vimeo: 119,000 users exposed after ShinyHunters hit third-party analytics provider Anodot. Ransom talks failed. 106GB dumped publicly
  • Cushman & Wakefield: 310,000 accounts breached via a single vishing call targeting Salesforce access. 50GB leaked after ransom talks collapsed
  • The pattern: Third-party integrations, stolen OAuth tokens, vishing attacks on SSO accounts. Same playbook, different victims, funded by the last ransom payment

One Group, Four Months, Hundreds of Millions of Records

ShinyHunters didn't come out of nowhere. The group has been active since 2020, racking up breaches at Microsoft, Tokopedia, Mashable, and dozens of others. But 2026 is different. The scale is different. The speed is different. And the economics are becoming clear.

Here's the 2026 scoreboard so far:

  • January: UFP Technologies breached
  • March: TriMed healthcare breach
  • April 17: Medtronic, 9 million records, including SSNs and medical data
  • Late April: Instructure/Canvas, 275 million records from 9,000 schools
  • April-May: Vimeo, 119,000 users via Anodot third-party breach
  • May 3: Cushman & Wakefield, 310,000 accounts via vishing attack

That's at least six major breaches in under five months. The victims include a medical device company that makes insulin pumps, the learning platform used by most American universities, a video hosting service, and one of the world's largest commercial real estate firms. The connecting thread isn't the industry. It's the attack vector.

Canvas: 275 Million Records and a Ransom That "Worked"

The Canvas breach is the headline. ShinyHunters exploited a vulnerability in Instructure's Free-for-Teacher environment (specifically something related to support tickets) and siphoned 3.65 terabytes of data covering 275 million records across nearly 9,000 institutions. Harvard. Stanford. Penn. Public school districts. Community colleges. If your school uses Canvas, your data was likely in that pile.

The stolen data included usernames, email addresses, course names, enrollment information, and private messages. Not passwords or course content, but enough for targeted phishing campaigns against students, parents, teachers, and administrators.

On May 7, ShinyHunters escalated. They defaced the login portals at roughly 330 institutions with extortion messages, giving Instructure until May 12 to negotiate. Instructure, owned by private equity firm KKR, paid.

The company's statement: they "reached an agreement with the unauthorized actor" and received "digital confirmation of data destruction (shred logs)" along with assurance that "none of the company's customers will be separately extorted."

Think about that for a second. A company paid criminals for a text file that says "we deleted your data." That's the receipt. A log file from the people who just stole 275 million records from children's school accounts. And Instructure is treating it as a resolution.

Medtronic: The Quiet Payer

On April 17, ShinyHunters posted Medtronic to their leak site, claiming 9 million records containing names, Social Security numbers, dates of birth, medical information, and government IDs. The ransom deadline: April 21.

April 22 came. ShinyHunters published a mass data dump from multiple victims. Medtronic wasn't in it.

That's the tell. When a victim disappears from the leak site after a deadline passes, without their data showing up in the dump, it usually means one thing: they paid. Medtronic hasn't confirmed or denied a ransom payment. They filed an 8-K with the SEC on April 24 confirming "an unauthorized party had accessed data in certain corporate IT systems." Their subsidiary MiniMed Group, which makes diabetes technology, filed a separate disclosure.

The stolen data includes patient identifiers, device registrations, warranty data, clinical information, and supply chain details. This isn't just a privacy issue. Medtronic makes devices that keep people alive. The attack surface now includes the medical records of patients who depend on those devices.

Vimeo: The Third-Party Pipeline

Vimeo didn't get hacked directly. ShinyHunters compromised Anodot, a third-party analytics provider that Vimeo used. Same pipeline that was linked to the Rockstar Games breach. The attackers didn't need to touch Vimeo's own infrastructure. They just rode in through a vendor connection.

The result: personal information for 119,000 Vimeo users. When ransom negotiations failed, ShinyHunters dumped 106GB of stolen data publicly on May 5. Have I Been Pwned indexed 119,200 unique email addresses the same day.

This is the attack vector that keeps working: compromise a third-party service provider, then use that access to reach dozens of downstream clients. ShinyHunters has been exploiting Salesforce instances, stolen OAuth tokens, and SSO accounts through Okta, Microsoft Entra, and Google. They don't need to find a vulnerability in your system if they can find one in a vendor you forgot you were connected to.

Cushman & Wakefield: One Phone Call

It started with a vishing (voice phishing) call. Someone at Cushman & Wakefield, the $10 billion commercial real estate firm, got a phone call that sounded legitimate enough to hand over access to the company's Salesforce instance. That's all it took.

ShinyHunters claimed more than 500,000 Salesforce records. On May 3, they gave Cushman & Wakefield until May 6 to pay. The company didn't. On May 5, ShinyHunters published a 50GB dataset, mostly business contact information, including names, job titles, addresses, phone numbers, and tens of thousands of external email addresses.

Have I Been Pwned confirmed 310,431 exposed accounts on May 12. A class action lawsuit followed almost immediately. And then things got worse: the Qilin ransomware group also listed Cushman & Wakefield on its leak site on May 4, suggesting either a second intrusion or that ShinyHunters sold initial access on dark web markets.

When one group sells your breach to another, you're not dealing with a security incident anymore. You're a commodity.

The Economics of Paying

The debate over paying ransoms is over in theory and unresolved in practice. Every cybersecurity agency in the world says don't pay. The logic is simple: payment funds the next attack. The FBI, CISA, and the UK's NCSC have been saying this for years.

But look at it from Instructure's perspective. You're owned by KKR. You have 275 million records from schools. Parents are furious. Schools are threatening to cancel contracts. Eight federal class actions are already filed. The ransom, whatever the number, is a rounding error compared to the litigation costs, the regulatory fines, and the lost contracts if that data goes public.

So you pay. And you get a text file that says the data was deleted. And you tell your customers the incident is resolved.

But the data wasn't deleted. You have no way to verify that. ShinyHunters can copy a database as many times as they want before generating a "shred log." The "assurance" that no customers will be extorted is a promise from criminals who just extorted you. The entire transaction is built on the goodwill of people who break into children's school accounts for money.

  • Instructure paid → ShinyHunters had fresh funding for the next operation. Within weeks, they hit Cushman & Wakefield with a more sophisticated vishing attack.
  • Medtronic likely paid → Their data vanished from the leak site. The group moved on to the next target with the same toolkit and more resources.
  • Vimeo didn't pay → Their data got dumped publicly. But ShinyHunters didn't gain new funding from the breach. The cycle paused for one victim.
  • Cushman & Wakefield didn't pay → Data leaked. A class action followed. But the group had to spend effort on a breach that didn't convert to revenue.

Every ransom payment is venture capital for cybercrime. The 2026 ShinyHunters campaign isn't happening despite the payments. It's happening because of them.

The Third-Party Problem

ShinyHunters isn't finding zero-days in hardened systems. They're walking through open doors in the supply chain. The attack methods documented across these breaches include:

  • Compromised Salesforce instances: used in the Cushman & Wakefield breach
  • Stolen OAuth tokens: gaining access through legitimate API credentials
  • Vishing attacks on SSO accounts: targeting Okta, Microsoft Entra, and Google logins
  • Third-party analytics providers: the Anodot breach that hit Vimeo (and previously Rockstar Games)
  • Support ticket vulnerabilities: the Canvas breach started in the Free-for-Teacher environment

None of these are exotic. They're all known attack vectors. They keep working because companies bolt on third-party services without auditing the access those services have, because employees still fall for vishing calls, and because support systems often have elevated privileges that nobody reviews.

Your company's security posture is only as strong as the weakest vendor in your supply chain. ShinyHunters knows this better than most security teams do.
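What auditing third-party access can look like in practice, as an added example that is not from the original article: a review of OAuth grants held by connected services that flags broad scopes, long-lived unrestricted tokens, stale grants, and grants nobody owns. The inventory format, field names, scope lists, and 90-day threshold are all assumptions made for illustration.

```python
from datetime import date

# Constructed inventory of third-party OAuth grants. The field names are a
# hypothetical export format, not any vendor's real schema.
GRANTS = [
    {"app": "analytics-vendor", "scopes": ["api", "full", "refresh_token"],
     "last_used": "2026-01-10", "owner": None, "ip_restricted": False},
    {"app": "helpdesk-plugin", "scopes": ["read:tickets"],
     "last_used": "2026-05-01", "owner": "support-eng", "ip_restricted": True},
    {"app": "legacy-export", "scopes": ["read:contacts", "offline_access"],
     "last_used": "2025-09-02", "owner": "sales-ops", "ip_restricted": False},
]

# Assumed policy: scope names treated as tenant-wide or long-lived.
BROAD_SCOPES = {"api", "full", "admin", "*"}
LONG_LIVED_SCOPES = {"refresh_token", "offline_access"}


def audit_grant(grant, today, stale_after_days=90):
    """Return the list of findings for one third-party grant."""
    findings = []
    scopes = set(grant["scopes"])
    if scopes & BROAD_SCOPES:
        findings.append("broad-scope")
    # A long-lived token with no source restriction stays usable if stolen.
    if scopes & LONG_LIVED_SCOPES and not grant["ip_restricted"]:
        findings.append("long-lived-unrestricted")
    idle_days = (today - date.fromisoformat(grant["last_used"])).days
    if idle_days > stale_after_days:
        findings.append("stale")
    if not grant["owner"]:
        findings.append("no-owner")
    return findings


def audit(grants, today):
    """Return (app, findings) pairs for flagged grants, worst first."""
    flagged = [(g["app"], audit_grant(g, today)) for g in grants]
    flagged = [(app, f) for app, f in flagged if f]
    return sorted(flagged, key=lambda item: len(item[1]), reverse=True)


if __name__ == "__main__":
    for app, findings in audit(GRANTS, date(2026, 5, 15)):
        print(f"{app}: {', '.join(findings)}")
```

Grants that come back with several findings at once are the first candidates for revocation or scope reduction.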

What You Can Do

  • Check if you're in a breach: Go to Have I Been Pwned and enter your email. The Vimeo and Cushman & Wakefield breaches are already indexed. Canvas data may appear as the class actions progress.
  • Change your Canvas password now: If you're a student, teacher, or parent at any institution that uses Canvas, change your password immediately. Enable two-factor authentication if available. Assume your email, name, and enrollment data are compromised.
  • Watch for targeted phishing: The stolen Canvas data enables extremely convincing phishing. Attackers know your school, your courses, your teachers' names. Any email referencing specific course information or school administration should be verified through official channels, not by clicking links.
  • If you're a Medtronic patient: Monitor your credit reports and consider a credit freeze. The stolen data includes Social Security numbers and medical records. File a report with IdentityTheft.gov if you notice suspicious activity.

The Bottom Line

ShinyHunters isn't the most sophisticated hacking group in the world. They don't need to be. They've built a business model that works: find a third-party weakness, steal everything, demand payment, and use the proceeds to do it again. The tools are basic. The psychology is simple. The economics are devastating.

Instructure paid, and their customers got a promise from criminals. Medtronic probably paid, and their patients got silence. Vimeo and Cushman & Wakefield refused, and their users got a data dump. Nobody won.

The only thing that breaks this cycle is making it unprofitable. That means not paying. It means vendors auditing their supply chains. It means treating a vishing call as seriously as a zero-day. And it means holding companies accountable (through lawsuits, through regulation, through switching providers) when they store 275 million records and can't keep a Free-for-Teacher support ticket system from becoming the front door.
