Timeline: ShinyHunters' pay-or-leak strategy tied to Canvas, Vimeo, and Pornhub attacks (May 2026)

ShinyHunters set a deadline of May 12, 2026 to pay or face a full data leak related to the Instructure/Canvas breach.

Instructure told TIME that it had taken Canvas offline to investigate and that attackers had exploited a vulnerability tied to Free-For-Teacher accounts, leading to a temporary shutdown of those accounts with a restoration planned.

Canvas outage affected thousands of users in the United States during final exam season, with a message from ShinyHunters allegedly displayed on screens.

In April 2026, ShinyHunters listed Vimeo on its extortion portal, threatening to publish stolen data by April 30. The group said data came via a breach at Anodot, with authentication tokens used to access Vimeo and other organizations’ systems. Leaked material reportedly included hundreds of gigabytes of data, video metadata, and around 119,000 email addresses.

Pornhub faced a breach reportedly connected to ShinyHunters, involving around 201 million records including email addresses, search histories, viewing activity and location data.

In 2024, the US Department of Justice sentenced a member connected to the group, who had put stolen data from more than 60 companies up for sale on dark web forums.

Over the years, the group has been tied to breaches at Ticketmaster, Rockstar Games, Salesforce, Qantas and several other major companies, as reported by Newsweek.

ShinyHunters becomes active around 2019, beginning to operate as a hacking and extortion group.