With summer basically upon us, it seems bad actors have also been counting down the days until the end of the school year. In this month’s cybercrime update, we dig into:
- ShinyHunters’ latest hack of the Canvas learning management system
- The latest, never-ending forum drama
- New insights from our team about the emerging device code phishing threat
- And more!
Let’s dig in.
ShinyHunters hacks Canvas during finals season
In early May, ShinyHunters, a data-theft extortion group linked to the COM, claimed responsibility for a breach of Instructure, the parent company of Canvas. Instructure confirmed the incident and disclosed that the exposed data included names, email addresses, student ID numbers, and messages among users, while stating it found no evidence that passwords, birth dates, government IDs, or financial information were involved. Canvas is the most widely used learning management system in US higher education, where roughly 41% of institutions run it.
ShinyHunters also used their access to push pop-up messages to Canvas users that pressured individual schools to negotiate directly with the criminal group to prevent the release of their data. They leveraged their access to Canvas’ central infrastructure as a means of directly communicating with students and teachers, echoing the scare tactics of more traditional ransom notes, which are frequently deployed across every endpoint in a corporate network by ransomware actors. Days earlier, ShinyHunters had published a list of over 8,000 educational institutions that they claimed to have stolen from using their access to Canvas.
Pop-up message displayed to students on Canvas. Screenshot was posted by a student to the University of Washington subreddit (r/udub) on May 7.
Instructure announced that they had “reached an agreement” with ShinyHunters before any data was released publicly. The company also stated that the hackers returned the data and provided deletion confirmation, that the agreement covers all impacted customers, and that no Instructure customer will be separately extorted as a result. This incident highlights a few key tactics which enhanced ShinyHunters’ extortion attempts:
- Focusing on a key centralized cloud service provider – Valuable organizational data is increasingly stored in the cloud. By going after cloud services directly instead of individual corporate networks, threat actors can access valuable data, often more quickly and easily than a traditional ransomware intrusion. This approach also often allows threat actors to diversify their victim pool from a single campaign or incident.
- Pressuring individual customers of a major service provider to extort the service provider – This appears to be a key TTP in recent ShinyHunters data-theft extortion campaigns. In some past incidents, ShinyHunters has not necessarily even needed to hack the centralized service provider to employ this pressure tactic. In 2024, ShinyHunters (tracked by Mandiant as UNC5537) launched a campaign to compromise hundreds of customer cloud accounts for Snowflake. Even though they only hacked individual customer cloud accounts, the threat actors also attempted to extort Snowflake directly.
- Choosing a high-pressure time window to announce their intrusion – By pushing their ransom notes to Canvas users during finals week, ShinyHunters was able to inflict maximum friction for Instructure’s customer base. The strategic timing allowed the threat actors to apply even more pressure on the company to resolve the situation as quickly as possible.
BlavoForums employs guerrilla marketing tactics
The owner of a new data breach forum called “BlavoForums” (seemingly a misspelling of Bravo) is aggressively promoting their new forum by posting about breached datasets to other forums. When users spend their forum credits on third-party forums like DarkForums to unlock the hidden content (which is normally a file download link), they instead find a link to a post on BlavoForums. This second post then requires users to make a new BlavoForums account and acquire BlavoForums tokens to unlock an actual link to the promised data.
Post on DarkForums with a blavo[.]is link in the hidden content area.
Post on BlavoForums about the same breached database. It requires BlavoForum credits (here called “tokens”) to unlock the actual download link for the full leak.
Only time will tell whether this somewhat annoying traffic generation tactic will prove effective in funneling new users to Blavo. In the meantime, we will keep an eye out for posts on third-party forums that state they are “By BlavoForums” – we anticipate future posts will likely follow this pattern.
Another update in the Forum Wars
A schism in Hasan’s BreachForums
Announcement from May 20 directing forum members to a new domain and “exiling” Hasan from the forum.
List of staff members on breached[.]su. Hasan and many other administrators, like VECT, were removed.
On breached[.]su, old posts made by Hasan’s profile label his account as “exiled.” Hasan responded to the coup in posts across Telegram and X/Twitter, stating that he had been “betrayed” by the other forum staff while he was “on a trip.” In further posts, he stated that the offending staff members were “all basically sewer rats who came out of nothing” and owed their “entire careers” to Hasan.
Hasan doubles down on doxxing
Homepage of the new DoxByte website recently launched by Hasan and Jayze.
Telegram message from Hasan regarding “PROJECT BREDOX.”
New research and insights from SpyCloud
Attackers are finding new ways to make MFA irrelevant, and device code phishing is their latest weapon. This adversary-in-the-middle (AiTM) technique exploits the legitimate OAuth 2.0 Device Authorization Grant flow, tricking users into entering an attacker-generated code that issues active session tokens directly to the attacker’s device. Refresh tokens remain valid for up to 90 days and survive password resets, meaning explicit token revocation is the only true remediation, but it’s a step most IR playbooks don’t yet account for. Here’s what you need to know.
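As an added illustration (not part of the original post and not SpyCloud's code), the following Python triage script runs over constructed sign-in and audit records: it flags device-code-grant sign-ins from IPs the user has never used for an interactive sign-in, then checks whether the only follow-up was a password reset, which, as described above, leaves the already-issued refresh token alive. The field names approximate Entra ID sign-in and audit log fields and are an assumption.

```python
"""Triage device-code-flow sign-ins and check whether remediation actually revoked tokens.
Field names approximate Microsoft Entra sign-in/audit log schemas (an assumption, not verified)."""
from collections import defaultdict

# Constructed sample sign-in records (not real log data); IPs are documentation ranges.
SIGNINS = [
    {"user": "alice@example.edu", "time": "2025-05-05T09:00:00Z", "ip": "203.0.113.10", "protocol": "authorizationCodeFlow"},
    {"user": "alice@example.edu", "time": "2025-05-06T14:12:00Z", "ip": "198.51.100.77", "protocol": "deviceCode"},
    {"user": "bob@example.edu", "time": "2025-05-05T10:30:00Z", "ip": "203.0.113.20", "protocol": "authorizationCodeFlow"},
    {"user": "bob@example.edu", "time": "2025-05-06T08:00:00Z", "ip": "203.0.113.20", "protocol": "deviceCode"},
    {"user": "carol@example.edu", "time": "2025-05-05T11:00:00Z", "ip": "203.0.113.30", "protocol": "authorizationCodeFlow"},
    {"user": "carol@example.edu", "time": "2025-05-06T15:45:00Z", "ip": "198.51.100.91", "protocol": "deviceCode"},
]
# Constructed audit records: what the help desk did after each report.
AUDIT = [
    {"user": "alice@example.edu", "time": "2025-05-06T16:00:00Z", "activity": "Reset password"},
    {"user": "carol@example.edu", "time": "2025-05-06T16:10:00Z", "activity": "Reset password"},
    {"user": "carol@example.edu", "time": "2025-05-06T16:11:00Z", "activity": "Revoke sign-in sessions"},
]

def suspicious_device_code_signins(signins):
    """Device-code grants whose token-issuing IP the user never used for an interactive sign-in.
    The code is typed on the victim's browser, but the tokens go to whichever host started the flow."""
    interactive = defaultdict(set)  # user -> IPs seen with non-device-code grants
    for s in signins:
        if s["protocol"] != "deviceCode":
            interactive[s["user"]].add(s["ip"])
    return [s for s in signins
            if s["protocol"] == "deviceCode" and s["ip"] not in interactive[s["user"]]]

def remediation_status(hit, audit):
    """Only an explicit session/token revocation after the sign-in counts as remediated;
    a password reset alone leaves the already-issued refresh token valid."""
    later = [a for a in audit if a["user"] == hit["user"] and a["time"] > hit["time"]]
    if any(a["activity"] == "Revoke sign-in sessions" for a in later):
        return "revoked"
    if any(a["activity"] == "Reset password" for a in later):
        return "password reset only: refresh token still valid"
    return "unremediated"

def triage(signins, audit):
    """Map each user with a suspicious device-code sign-in to their remediation status."""
    return {h["user"]: remediation_status(h, audit) for h in suspicious_device_code_signins(signins)}

if __name__ == "__main__":
    for user, status in triage(SIGNINS, AUDIT).items():
        print(f"{user}: {status}")
```

Bob's device-code sign-in is not flagged because it comes from an IP he already uses interactively, which keeps legitimate CLI and headless-device use out of the queue.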
Google’s Device Bound Session Credentials (DBSC) is now generally available in Chrome on Windows, marking a meaningful step forward in the fight against session hijacking. It’s a welcome one, especially given the scale at which we recapture stolen cookie and token records from the criminal underground. But DBSC does not protect refresh tokens, nor does it address device code phishing. It also doesn’t yet cover macOS, mobile, or non-Chrome browsers, and requires server-side implementation by website owners. Long story short, security teams still need visibility into stolen refresh tokens, infostealer-exfiltrated auth data, and phished data. Get the full scoop.
The newly-released 2026 Verizon Data Breach Investigations Report reinforces that identity is the throughline of every major attack pattern. Stolen credentials appear in 39% of all breaches, and 73% of ransomware victims had an infostealer infection or credential leak in the year before their attack, with half of those occurring within 95 days of the ransomware incident. Third-party breaches jumped 60% year over year, driven largely by authentication failures like missing or misconfigured MFA. Read the full recap.