Sometime in early May 2026, students at universities across the United States logged into Canvas, the learning platform they use for everything from submitting homework to checking grades, and found ransom messages where the login page should have been. Within days, the hacking group ShinyHunters claimed it had stolen records tied to 275 million people from Instructure, the company that builds Canvas. Congress demanded answers. Harvard told its students to lock down their accounts. And Instructure did something unusual: it said it had reached an agreement with the attackers to delete the stolen data.
Now ShinyHunters says it has hit another target. The group claims to have extracted roughly 500,000 Salesforce records from Cushman & Wakefield, one of the world’s largest commercial real estate firms. Cushman has not confirmed the breach, and no law enforcement agency has publicly corroborated the claim. But the allegation alone has put the company’s clients, employees, and partners on alert, and it raises pointed questions about whether the same playbook that worked against an education technology vendor is now being aimed at corporate America.
The Canvas breach: what the evidence shows
The Canvas incident is the better-documented of the two, backed by government records, a wire-service report, and institutional advisories.
Chairman Andrew Garbarino of the U.S. House Committee on Homeland Security sent a formal letter to Instructure after what the committee described as two intrusions in a single week that affected schools and universities nationwide. The committee’s press release confirmed that login pages were defaced with ransom messages, a tactic designed to maximize panic among the students, faculty, and administrators who rely on Canvas daily. Garbarino requested a full briefing on the scope of the breach, Instructure’s response, and what the company is doing to prevent further attacks.
Instructure publicly acknowledged the severity. According to the Associated Press, the company said it reached an agreement with the threat actor covering a claimed 275 million individuals whose records were exposed. Whether Instructure paid for that agreement, and on what terms, has not been disclosed. The decision to negotiate directly with ShinyHunters, rather than rely solely on law enforcement or technical containment, reflects both the scale of the exposure and the pressure facing a vendor that serves thousands of educational institutions at once.
Harvard University moved quickly after Instructure confirmed the incident. Harvard’s IT division, HUIT, issued a campus-wide advisory telling students and staff to monitor their accounts, treat unexpected emails with caution, and rely on official channels for updates. That a single vendor compromise triggered an institutional response at Harvard illustrates how deeply Canvas is embedded in higher education infrastructure and how one cloud provider’s failure can ripple across hundreds of campuses.
A critical caveat: the 275 million figure originates from ShinyHunters’ own claims. Instructure’s agreement references that number, but neither the company nor any independent party has confirmed whether it represents unique individuals or includes duplicate records across institutions. The true scale of exposure remains uncertain.
ShinyHunters: a track record that demands attention
ShinyHunters is not an obscure newcomer. The group has been linked to data thefts from dozens of organizations since at least 2020, and its operations have grown more ambitious over time. In 2024, ShinyHunters was connected to a wave of breaches exploiting misconfigured Snowflake cloud environments, incidents that exposed data from Ticketmaster, AT&T, and Santander, among others. U.S. and international law enforcement agencies have pursued members of the group, but its operations have continued.
The group’s pattern is consistent: target cloud-hosted databases and third-party platforms rather than attacking end users directly, exfiltrate large datasets, then use public forums or direct negotiation to pressure victims into paying for deletion. The Canvas breach fits that playbook precisely. So does the alleged Cushman & Wakefield incident, at least based on what ShinyHunters has claimed so far.
The Cushman & Wakefield claim: what we don’t know
The Cushman & Wakefield side of this story carries far less documentation. As of late May 2026, no primary statement or breach notification from the company has confirmed the claimed 500,000 Salesforce record count or described what data may have been exposed. The attribution linking ShinyHunters to the incident rests entirely on the group’s own assertions, not on law enforcement findings, regulatory filings, or independent forensic analysis.
That gap matters because the nature of the stolen data, if the breach is real, could be significant. Salesforce instances at a commercial real estate firm of Cushman’s size typically hold client contact information, deal pipelines, lease terms, tenant details, and internal communications. Whether the alleged theft touched any of that, or was limited to less sensitive records, is unknown.
It is also unclear whether Salesforce’s platform itself was compromised or whether the issue lies with Cushman’s specific configuration and access controls. Salesforce has not publicly commented on the claim. That distinction matters: a platform-level vulnerability would have implications far beyond one company, while a misconfiguration issue would point to Cushman’s own security practices.
No congressional committee has weighed in on the Cushman allegation, and neither the FBI nor CISA has issued any public statement linking ShinyHunters to a breach at the firm. Until there is a regulatory disclosure, a law enforcement bulletin, or a company statement, the Cushman incident should be understood as an unverified allegation from an interested party, not a confirmed breach.
Why the two incidents look different on paper
The gap between the Canvas and Cushman stories highlights a structural difference in how breaches get documented and disclosed.
Educational technology vendors like Instructure serve institutions subject to federal student privacy laws, including FERPA, which creates reporting obligations and draws regulatory scrutiny fast. That is why, within days of the Canvas breach, a congressional committee was sending letters and a major university was issuing public advisories.
Commercial real estate firms operate under different rules. Unless the stolen Cushman data includes personally identifiable information covered by state breach notification statutes, the company faces less immediate legal pressure to confirm or deny the incident publicly. That regulatory asymmetry may help explain why ShinyHunters appears to be expanding from education targets, where public scrutiny arrives quickly, to corporate targets, where the window for quiet negotiation can be wider.
The calculation is straightforward. A group that successfully pressured an education technology company into a deletion agreement may bet that corporate victims, facing less mandatory transparency, will pay faster to avoid prolonged exposure. Whether Cushman & Wakefield responds publicly, and how, will offer important signals about how large enterprises weigh reputational risk against legal obligations when confronted by a high-profile extortion group.
What to watch as this develops
Several threads will determine how these stories unfold in the weeks ahead. On the Canvas side, the House Homeland Security Committee has not yet released findings from its inquiry or indicated whether public hearings will follow. The timeline for Instructure’s response to Chairman Garbarino’s letter has not been made public. And it remains unclear how many individual schools and universities beyond Harvard have issued their own breach notices or advised students about identity protection.
On the Cushman & Wakefield side, the key question is whether the company will issue a public statement or a regulatory filing confirming or denying the breach. If the stolen Salesforce records contain personal information, state-level notification laws may eventually force that transparency regardless of the company’s preference.
More broadly, these incidents test whether the current patchwork of federal and state breach disclosure rules is adequate when a single threat actor can hit an education platform serving millions of students and a global real estate firm in the same month. ShinyHunters has demonstrated, repeatedly, that cloud platforms and the companies that depend on them remain vulnerable. The question now is whether regulators, lawmakers, and the targeted organizations themselves will move fast enough to close the gaps that groups like ShinyHunters continue to exploit.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
