From the Trenches: Defending Salesforce Against ShinyHunters' Playbook

If you haven’t read the threat intelligence breakdown of the ShinyHunters Salesforce campaign, start there. This article assumes you know what happened and focuses on what to do about it. ...

May 22, 2026 · 7 min · Logan

ShinyHunters' Salesforce Campaign: Three Rounds, 1.5 Billion Records

ShinyHunters didn’t hack Salesforce. That distinction matters. Across three separate campaigns spanning mid-2025 through early 2026, the group — tracked by security researchers as UNC6040 and UNC6395 — systematically exploited how organizations configure, connect, and authenticate into Salesforce. The platform’s infrastructure was never the vulnerability. The integrations, the OAuth flows, and the guest user permissions were. ...

May 22, 2026 · 7 min · Logan

Canvas Breach Follow-Up: Instructure Pays the Ransom — And What That Means for All of Us

When I published my original piece on the Canvas breach back on May 9th, Instructure was publicly claiming the situation was contained. It wasn’t. Since then, ShinyHunters hit Canvas a second time through the same unpatched vulnerability, defaced login pages at hundreds of institutions, and ultimately extracted a ransom payment from Instructure, the amount of which has never been disclosed. As of May 12th, 2026, the story is closed. Sort of. Here’s everything that happened and what it means. ...

May 13, 2026 · 8 min · Jason, Cyber Professional

[Image: ShinyHunters defacement message displayed on Canvas login portals]

Canvas Down: ShinyHunters Defaces Login Portals in Mass Instructure Extortion Campaign

The ShinyHunters extortion gang breached Instructure again, defacing Canvas login portals across hundreds of institutions and threatening to leak data on 280 million students and staff unless a ransom is paid by May 12.

May 7, 2026 · 3 min · Jason, Cyber Professional