The Same Group That Hacked ADT Just Took Down Canvas for 30 Million Users. Here Is What That Means for Your Business.

THE SHORT ANSWER

ShinyHunters hacked ADT on April 20, 2026 through a single vishing call that compromised one employee’s login. Thirteen days later, on May 7, the same group took down Canvas, the learning management system used by 8,000 schools worldwide, exposing 30 million active users and disrupting finals week for students from UC Irvine to Georgetown. These are not isolated incidents. They are the same playbook applied to two different vendors. If your Los Angeles business uses any third-party platform, your data is sitting in a system built by someone else, protected by controls you do not manage, and targeted by a group that has now hacked a home security giant and a global education platform in the same month.

IT Accuracy  |  Managed IT Services, Los Angeles  |  Date: May 10, 2026

AT A GLANCE
- ShinyHunters hacked ADT on April 20, 2026 through a vishing call that compromised one Okta SSO account, then pivoted to Salesforce to steal customer records.
- The same group took down Canvas on May 7, 2026, exposing 30 million active users at 8,000 institutions and disrupting finals week across dozens of universities.
- ShinyHunters’ method does not require a technical exploit. It requires a convincing phone call and one employee who does not know what to do when it comes.
- Every vendor platform your Los Angeles business uses is a potential entry point. The breach does not need to hit your systems to expose your data.
- IT Accuracy implements the identity controls, vendor access policies, and security awareness training that close the gaps ShinyHunters exploits.

The breach you need to worry about is rarely the one that hits your systems directly. It is the one that hits your payroll provider, your CRM, your document management platform, or the software your accountant uses to store your tax records. ShinyHunters has spent 2026 demonstrating this with unusual clarity. They are not hacking into businesses through the front door. They are walking through the vendor entrance.

Who ShinyHunters Is and Why This Year Is Different

ShinyHunters is a financially motivated criminal extortion group that has been active since 2019. Their model is straightforward: breach a vendor that holds data at scale, extract as much as possible, demand payment, and publish whatever they are not paid to protect. Their name reportedly comes from the Pokemon concept of shiny hunting, the practice of searching for rare alternate-color variants of Pokemon characters.

What makes 2026 different is the velocity and the profile of the targets. In the span of about two weeks, they breached ADT, which commands roughly 41% of the US residential security market, and Instructure, which operates Canvas and holds data on 30 million active users at 8,000 institutions worldwide. Neither breach involved a sophisticated technical exploit against hardened infrastructure. Both involved attacking the identity layer: the login credentials that connect an employee to the platforms a company depends on.

The FBI and cybersecurity researchers have tracked ShinyHunters across dozens of confirmed breaches. Their victims include AT&T, Ticketmaster, Santander Bank, Snowflake customers, and PowerSchool, an education software vendor breached in December 2024 that then saw individual school districts targeted months later when attackers leveraged the original stolen data. The pattern of returning to breach victims is consistent and documented.

ShinyHunters 2026 Breach Timeline: What Happened and When

Apr 20: ADT breach detected
ShinyHunters compromised an ADT employee’s Okta SSO account through a vishing call. Used that access to pivot into ADT’s Salesforce instance and extract customer records including names, phone numbers, addresses, and in some cases dates of birth and partial Social Security numbers.

Apr 24: ShinyHunters lists ADT on data leak site
The group published ADT on its leak site and gave the company until April 27 to pay an undisclosed ransom. The group claimed more than 10 million customer records plus internal corporate data. ADT confirmed the breach publicly.

May 1: Canvas breach first claimed
ShinyHunters claimed responsibility for exfiltrating 3.65 terabytes of data from Instructure’s Canvas platform, affecting an estimated 30 million active users across 8,000 institutions. Instructure confirmed a cybersecurity incident and said it had applied security patches.

May 5: ShinyHunters escalates against Canvas
Stating that Instructure ignored their demands and applied patches rather than negotiating, ShinyHunters threatened to leak all student data unless Instructure paid by May 12, 2026.

May 7: Canvas goes dark during finals week
ShinyHunters replaced the Canvas login page with a ransom message. Canvas, Canvas Beta, and Canvas Test were placed into maintenance mode. Students at UC Irvine, Georgetown, Penn, Duke, and dozens of other universities were locked out during final exams. A deadline of May 12 was posted for affected schools to contact the group.

How They Get In: The Vishing Playbook

The ADT breach is the cleaner case study for understanding how ShinyHunters actually operates because the method was disclosed in detail. They did not break through a firewall. They did not exploit a software vulnerability. They called an ADT employee on the phone, impersonated an IT support contact, and convinced that employee to provide their Okta single sign-on credentials or approve an MFA request.

Once inside that one account, the attacker had access to every platform connected to it. In ADT’s case, that included the company’s entire Salesforce instance, which held customer records going back years. A single employee receiving a convincing phone call was all the entry required. The rest was data extraction and extortion.

ShinyHunters has refined this playbook across multiple campaigns: vish an employee, own the SSO account, pivot to every connected SaaS application, exfiltrate, and extort. The technique does not require exploiting a technical vulnerability in the target’s infrastructure. It requires a convincing phone call.

CISO Whisperer analysis of the ADT breach, April 2026

This is the same group, the same general approach, applied to Instructure one week later. The specific technical method for the Canvas breach has not been fully disclosed, but the outcome follows the same pattern: a vendor with massive user data holdings was accessed, data was exfiltrated at scale, and extortion demands followed. When the vendor responded with patches rather than payment, the group escalated to a public disruption that took the platform offline globally.

The Canvas breach by the numbers

- Users potentially affected: 30 million (active users across 8,000 institutions worldwide)
- Data exfiltrated: 3.65 TB (including names, email addresses, student IDs, and private messages)
- Ransom deadline: May 12, 2026 (affected schools given until this date to negotiate or face full data release)

Why This Is a Business Problem Not a School Problem

The headlines focus on students locked out of their coursework during finals week. That is the human story and it is a real one. But the structural problem the Canvas breach illustrates applies directly to every Los Angeles business that uses a third-party SaaS platform, which is every Los Angeles business.

Your law firm uses a document management system. Your medical practice uses an EHR platform. Your accounting firm uses cloud-based tax software. Your construction company uses project management tools that hold client contracts and payment schedules. Every one of those platforms holds data you gave them, managed by a vendor you do not control, protected by security controls you did not choose and cannot inspect.

When that vendor gets breached, the notification arrives after the fact. The data is already gone. The attacker already has your clients’ names, your employees’ contact information, your internal communications, or whatever the platform held. You did not fail to protect it. The vendor did. But your clients do not experience that distinction when their information appears in a data leak.

April 2026 Target: ADT (Home Security)
Entry: Vishing call to help desk employee
ShinyHunters compromised one Okta SSO account and used it to access ADT’s Salesforce instance. Customer names, phone numbers, addresses, and partial Social Security numbers were stolen from a company that sells security as its core product.

May 2026 Target: Instructure (Canvas LMS)
Entry: Vendor system access, method under investigation
30 million active users exposed across 8,000 institutions. The platform was taken offline globally during finals week when the vendor applied patches rather than paying. Deadline set for May 12 or full data release.

The two targets in this month alone illustrate the scope of the problem. A home security company and an education technology company share almost nothing operationally. They share everything strategically from an attacker’s perspective: large user bases, centralized data stores, and employees who receive phone calls and emails from people claiming to be from IT support.

The vendor risk most Los Angeles businesses have not mapped

Most small and mid-size businesses in Los Angeles have never conducted a vendor access audit. They do not have a documented list of which platforms hold which categories of data, who has administrative access to those platforms, or what notification obligations apply if a vendor is breached. When a platform like Canvas goes down or an ADT-scale breach is announced, there is no playbook for determining what their own exposure is. IT Accuracy builds that playbook before the incident rather than after it.

What Protects You When the Vendor Gets Hit

There is no control that eliminates vendor breach risk entirely. If you use a third-party platform, your data is in their environment, and their security posture determines what happens to it. But the controls that reduce the blast radius of a vendor breach are well understood, and most small businesses in Los Angeles have not implemented them.

The first is MFA that cannot be bypassed by a phone call. Standard SMS- and push-based MFA is vulnerable to vishing attacks because an attacker who has your password can call you, claim to be IT support, and ask you to relay the code or approve the push notification you just received. Phishing-resistant MFA, such as hardware security keys or passkey-based authentication, removes that vulnerability because there is no push to approve and no code to relay.

The second is access minimization. The ADT breach demonstrated how much damage a single compromised SSO account can do when it connects to every platform in the organization. Limiting what each account can access, and reviewing those connections regularly, means a compromised account reaches fewer systems before it is detected and shut down.

The third is a vendor breach response plan. When a platform your business depends on reports a breach, the first 24 hours determine whether the incident becomes a client notification event, a compliance issue, or both. Having a documented process for assessing what data was held by the breached vendor, who needs to be notified, and what immediate actions are required turns a reactive scramble into a managed response. Most Los Angeles businesses do not have this document and would not know where to start building it.

Three actions for Los Angeles businesses this week

1. List every platform that holds client or employee data. Go through your software subscriptions and identify which ones store names, contact information, financial data, health information, or internal communications. This is your vendor exposure map. Most businesses discover they have more platforms than they realized and fewer controls over each one than they thought.

2. Upgrade MFA on every SSO account to phishing-resistant options. Okta, Microsoft Entra, and Google Workspace all support hardware key or passkey authentication. SMS and app-based push notifications are not sufficient against the vishing attacks ShinyHunters uses. One account with weak MFA is the only entry point they need.

3. Train every employee who receives phone calls to verify before acting. The ADT breach started with a convincing call. The entire ShinyHunters campaign depends on employees being willing to approve access requests or provide credentials when asked by someone who sounds authoritative and urgent. One sentence of policy communicated to every staff member: if someone calls asking you to approve a login or provide a password, hang up and call the real number back independently.
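
The vendor exposure map from action 1 and the MFA check from action 2 can be combined into one audit that also covers the access-minimization control described earlier. The script below is an added example, not IT Accuracy's tooling: the account names, factor labels, app names and data categories are constructed sample data, and the CSV layout is an assumption rather than any identity provider's export format.

```python
import csv
import io

# Constructed sample inventory. Account names, factor labels and app names
# are illustrative; this is not any identity provider's export format.
ACCOUNTS_CSV = """account,factors,apps
helpdesk1,sms;push,crm;payroll;docs
owner,webauthn,crm;payroll;docs;tax
bookkeeper,webauthn;sms,payroll;tax
intern,push,docs
"""

# Vendor exposure map: platform -> categories of data it holds (constructed).
APP_DATA = {
    "crm": {"client contacts"},
    "payroll": {"employee SSN", "bank details"},
    "docs": {"contracts", "internal communications"},
    "tax": {"financial records", "employee SSN"},
}

# Factors with no code to relay and no push to approve.
PHISHING_RESISTANT = {"webauthn", "passkey"}


def audit(accounts_csv=ACCOUNTS_CSV, app_data=APP_DATA):
    """Return accounts that can still be vished, widest data reach first."""
    findings = []
    for row in csv.DictReader(io.StringIO(accounts_csv)):
        factors = set(row["factors"].split(";"))
        apps = row["apps"].split(";")
        # One weak factor left enrolled is enough: a caller can steer the
        # employee to that fallback even if a hardware key is also enrolled.
        weak = sorted(factors - PHISHING_RESISTANT)
        if not weak:
            continue
        # Apps missing from the exposure map are surfaced, not ignored.
        reach = set().union(*(app_data.get(a, {"UNMAPPED: " + a}) for a in apps))
        findings.append({
            "account": row["account"],
            "weak_factors": weak,
            "data_reachable": sorted(reach),
        })
    findings.sort(key=lambda f: len(f["data_reachable"]), reverse=True)
    return findings


if __name__ == "__main__":
    for f in audit():
        print(f["account"], f["weak_factors"], f["data_reachable"])
```

The account at the top of the output is the one to fix first: it combines a relayable factor with the widest reach into vendor-held data.
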
How IT Accuracy protects Los Angeles businesses from vendor-level breaches

You cannot control what happens inside your vendor’s systems. You can control what happens when their systems get hit.

IT Accuracy provides IT security services for Los Angeles businesses that include the identity controls, vendor access policies, and incident response plans that determine how much damage a breach like Canvas or ADT can cause. We start with an honest assessment of what data you hold, where it lives, and what happens if any of those vendors report an incident.

We also covered the ADT breach in detail when it was first disclosed. If your business uses home security monitoring connected to any IT infrastructure, that post is worth reading alongside this one.

- Phishing-resistant MFA deployment across Okta, Entra, and Google Workspace
- Vendor access audits that map which platforms hold which categories of data
- SSO access minimization so compromised credentials reach fewer systems
- Security awareness training covering vishing, social engineering, and credential attacks
- Vendor breach response plan built before an incident requires it
- Ongoing monitoring for credential exposure and identity anomalies across business accounts