How ShinyHunters hacked the world's biggest universities
This episode of Smashing Security dives into the massive breach of Canvas, the widely used educational platform, by the hacker group ShinyHunters, which compromised 275 million records across nearly 9,000 institutions, including all Ivy League universities. The breach began in April 2026 when Instructure, Canvas’s parent company, detected suspicious activity but failed to fully secure the system. Despite the deployment of so-called 'security patches,' the hackers returned on May 7th, during final exams, defacing login pages and exposing the failure of containment. The root cause was a poorly secured 'Free for Teachers' account system, which allowed anyone with a web browser to create an account without verification. Instructure eventually shut down the program and later confirmed a secret ransom agreement with ShinyHunters, though the payment amount and data destruction verification remain unclear.
The episode also explores a sophisticated financial scam using deepfakes of a well-known economist to promote fake stock tips via Facebook and WhatsApp, leading victims to fraudulent crypto platforms that steal both money and personal data.
Finally, guest Mike Nichols from Elastic discusses the transformative role of AI in cybersecurity, arguing that while attackers are using AI to automate and scale attacks, defenders can use AI agents to reduce alert fatigue, enhance detection, and improve response, provided they implement proper guardrails and human oversight.
The episode concludes on a lighter note with a French academic who fabricated an entire academic award system, highlighting the growing challenge of verifying truth in the digital age.
The ShinyHunters breach exploited a 'Free for Teachers' account system with no verification, allowing hackers to gain persistent access to Canvas and compromise 275 million records.
Instructure’s failure to properly contain the initial breach and the ineffective 'security patches' allowed hackers to return and deface systems during final exams, disrupting students’ lives.
The use of deepfakes and fake financial experts on social media is now a major vector for investment scams, often leading victims to fraudulent crypto platforms.
AI is reshaping security operations centers—not replacing them, but enabling analysts to focus on strategic decision-making by automating alert triage and analysis.
Defenders must implement AI with strong guardrails, human oversight, and secure-by-design principles to avoid creating new attack surfaces through autonomous agents.
The ShinyHunters Canvas Breach: A Global Educational Catastrophe
“If you give anyone in the world an account on your production system with no verification, this free for teacher signal, just tick in a box saying, yeah, I'm a teacher. What you actually had was a free for anyone with a web browser, free for anyone which includes that small proportion of people who might be interested in scurrying off with terabytes of your data.”
The Anatomy of a Deepfake Financial Scam
“The group was full of people posting about how they'd made money from this because their stock prices went up. These people didn't exist. They were fake profiles run by the ringleaders of the campaign who were in this WhatsApp group just to generate trust in the system.”
AI in Cybersecurity: The New Frontier of Defense and Attack
“The cost of developing an attack is extremely low and the sophistication of developing an attack is low. Which means that now cyber criminals and other groups that typically didn't have that kind of sophistication of a nation state have that power now. And that makes every CISO now have to worry about being patient zero.”
The Human Element: Trust, Verification, and the Future of Security
The episode concludes with reflections on the erosion of trust in digital spaces—from fake academic awards to deepfakes and scam platforms. Mike Nichols emphasizes the need for transparent, trustworthy AI with human-in-the-loop controls. The episode ends with a lighter pick: a French academic who invented an entire fake award system, underscoring how easy it is to fabricate credibility in the digital age.
“The real security crisis is no longer human users. It's the bots acting on their behalf.”
Graham Cluley (person)
Danny Palmer (person)
ShinyHunters (other)
Instructure (organization)
Canvas (product)
Mike Nichols (person)
Elastic (organization)
Vanta (organization)
CoreView (organization)
Florent Monteclair (person)
