Colleges hit in cyberattack by group behind Canvas breach, Google says
The cybercrime group ShinyHunters targeted Oracle’s PeopleSoft software and may have gained access to data at more than 100 organizations, according to a Thursday report.
Published June 12, 2026
Laura Spitalniak Editor

Dive Brief:
- Dozens of higher education institutions may have been hit by another attack from the cybercrime group behind the May hack against Canvas, according to the Google Threat Intelligence Group and cybersecurity firm Mandiant.
- Between May 27 and June 9, the group ShinyHunters potentially gained access to the systems of over 100 organizations by targeting the Oracle PeopleSoft software suite. A majority of them are based in the U.S., and 68% are within the higher education sector, GTIG and Mandiant said in a post Thursday.
- ShinyHunters twice gained unauthorized access to Instructure’s Canvas learning management system last month, disrupting final exam season at colleges nationwide.
Dive Insight:
Oracle's PeopleSoft is a wide-ranging software suite that organizations often use for human resources management and financial operations.
GTIG and Mandiant, both of which are Google units, said several institutions targeted by ShinyHunters successfully blocked the hack or fixed the vulnerabilities in Oracle's software. But others had their data stolen and published on the group's website.
The University of Nottingham, in England, confirmed the following day it had suffered a cybersecurity breach during which a threat actor accessed "a significant amount of data in our student record system."
In an email to students, the university said it was still working to assess which data had been accessed. But it was "operating on the precautionary assumption" that the breach included names, email addresses, university IDs and students' course information, as well as some financial and insurance information, according to a copy of the email published by Politics UK.
ShinyHunters has claimed credit for the hack.
Some of the breached organizations have since received extortion demands, according to tech website Bleeping Computer.
On June 10, Oracle released a security alert about the vulnerability ShinyHunters exploited, but the company did not confirm if any of its software users had already been breached.
Oracle did not immediately respond to questions Friday.
Colleges are a prime target for cybercriminals, both because they hold vast troves of student and employee data and because their systems typically have a massive number of users that turn over regularly.
In the Oracle and Instructure hacks, ShinyHunters gained access to data through system vulnerabilities at companies with whom colleges contracted — another big risk facing higher education.
The Canvas breaches affected hundreds of institutions and exposed personal information such as users’ names, email addresses, student ID numbers and messages, ShinyHunters alleged. The hack came at the tail end of the spring semester and forced many colleges to take Canvas offline amid finals and grading.
ShinyHunters set a May 12 deadline for Instructure to reach an agreement with the group or risk the data being leaked.
The day before the deadline, Instructure announced it struck a deal to have the stolen data returned. According to cybersecurity experts, the company’s deal appears to involve a ransomware payment, against the guidance of the FBI.
Instructure CEO Steve Daly later acknowledged the "enormous" effects the abrupt loss of Canvas access had on colleges and K-12 schools.
The goal moving forward is "to develop a clear playbook for how we collectively secure our environments and, should something happen that affects system availability, have a redundant ecosystem that our community can rely on," he said in a May 26 statement.
Filed Under: Technology
Originally posted on: https://www.highereddive.com/news/colleges-hit-in-cyberattack-by-group-behind-canvas-breach-google-says/822831/