The Education Sector Learns About Pay-or-Leak

Monday’s brief documented ShinyHunters breaching ADT, Amtrak, and Medtronic through a consistent Okta SSO vishing playbook: call an employee, harvest credentials, walk into downstream SaaS systems. Two days later, the group’s target list expanded by an order of magnitude. Instructure, which operates the Canvas learning management system used by 41 percent of North American higher-education institutions, confirmed on May 1 that ShinyHunters exfiltrated 3.65 TB of data covering approximately 275 million students, instructors, and staff. Private messages between students were included. The group’s deadline for Instructure to pay expired May 6. The data is almost certainly public by the time this brief publishes.

In parallel, ShinyHunters claimed a breach of Vimeo via the company’s Snowflake and BigQuery environments. That detail matters more than the victim count: it represents a tactical shift from SaaS-layer access via compromised SSO credentials to direct access to the underlying cloud data infrastructure.

The Cloud Infrastructure Pivot

Monday’s analysis framed ShinyHunters as an identity-first operator. That framing remains accurate, but the Vimeo breach adds a second phase to the operation that Monday’s cases did not show clearly.

The Okta SSO vishing cases (ADT, Amtrak, Medtronic) follow a straightforward path: social engineer an employee, harvest the SSO credential, use it to access whatever SaaS applications the employee can reach. The access is bounded by what that user account touches. It is effective and scalable, but the blast radius is determined by the victim’s SaaS footprint.

Accessing Snowflake or BigQuery environments is different. Both are cloud data warehouses where organizations consolidate large volumes of operational and customer data. A successful intrusion into a cloud warehouse grants access not to one application's data, but potentially to aggregated records from every application whose data flows into it. The 2024 Snowflake campaign (attributed by Mandiant to UNC5537) demonstrated this precisely: the actor logged into roughly 165 customer instances using credentials harvested by infostealer malware, some of them years old, on accounts that had neither MFA nor a network allow-list, and each login exposed whatever that customer had consolidated in the warehouse. The per-victim breach volumes would have been impossible to reach through individual SaaS application access.

If ShinyHunters is now targeting Snowflake and BigQuery environments, the group is either replicating the UNC5537 playbook or has acquired personnel who already know it. Either way, organizations should treat cloud data warehouse access as a materially higher-risk compromise path than standard SaaS credential theft. The scale of the Canvas breach, 3.65 TB across 275 million users, is consistent with warehouse-level exfiltration rather than application-layer access.
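The check a defender wants after reading the two paragraphs above is the one the UNC5537 case taught: successful password-only logins to the warehouse from addresses outside the organization's allow-list, and a single account appearing from several such addresses in a short window. The Python below is an added example for this brief, not code from Instructure, Snowflake, or Mandiant. The records are constructed; their field names mirror the columns of Snowflake's SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY view so the same logic ports to a query against it. The 203.0.113.0/24 allow-list, the user names, and the factor and client-type strings are assumptions for illustration.

```python
"""Flag warehouse logins that look like replayed stolen credentials.

Added example for this brief (not Snowflake's, Mandiant's or Instructure's code).
Rows are constructed; field names mirror SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

FIELDS = ("event_timestamp", "user_name", "client_ip", "reported_client_type",
          "first_authentication_factor", "second_authentication_factor", "is_success")

# Constructed sample: ANALYST2's password is replayed from two addresses outside the
# corporate range with no second factor; everything else is benign. Addresses are
# RFC 5737 documentation ranges; factor and client strings are illustrative.
SAMPLE_LOGIN_HISTORY = [dict(zip(FIELDS, row)) for row in (
    ("2026-05-04T09:02:11", "ANALYST1", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    ("2026-05-04T09:10:43", "ETL_SVC", "203.0.113.20", "PYTHON_DRIVER", "RSA_KEYPAIR", None, "YES"),
    ("2026-05-05T02:17:05", "ANALYST2", "198.51.100.77", "JDBC_DRIVER", "PASSWORD", None, "YES"),
    ("2026-05-05T02:19:30", "ANALYST2", "198.51.100.77", "JDBC_DRIVER", "PASSWORD", None, "YES"),
    ("2026-05-05T02:40:12", "ANALYST2", "192.0.2.55", "JDBC_DRIVER", "PASSWORD", None, "YES"),
    ("2026-05-05T03:01:00", "ANALYST1", "203.0.113.10", "SNOWFLAKE_UI", "PASSWORD", "DUO_PUSH", "YES"),
    ("2026-05-05T03:15:44", "ANALYST3", "198.51.100.78", "ODBC", "PASSWORD", None, "NO"),
)]

# Assumed corporate egress range; in practice this is the account's network-policy allow-list.
CORPORATE_RANGES = (ip_network("203.0.113.0/24"),)


def is_allowed(ip: str, allowed_ranges) -> bool:
    """True when the source address falls inside one of the allow-listed networks."""
    addr = ip_address(ip)
    return any(addr in net for net in allowed_ranges)


def is_password_only_success(row: dict) -> bool:
    """Successful login whose only factor was a password: the profile of a credential
    an infostealer can harvest and an attacker can replay unchanged."""
    return (row["is_success"] == "YES"
            and row["first_authentication_factor"] == "PASSWORD"
            and not row["second_authentication_factor"])


def find_single_factor_external_logins(rows, allowed_ranges=CORPORATE_RANGES):
    """Password-only successes from outside the allow-list. Key-pair and SSO logins
    are skipped on purpose: they fail differently and need a separate review of
    where the key or IdP assertion came from."""
    return [
        {"event_timestamp": r["event_timestamp"], "user_name": r["user_name"],
         "client_ip": r["client_ip"], "client_type": r["reported_client_type"]}
        for r in rows
        if is_password_only_success(r) and not is_allowed(r["client_ip"], allowed_ranges)
    ]


def users_without_mfa(rows):
    """Every user with at least one password-only success, wherever it came from:
    the enrollment backlog an MFA-required authentication policy would close."""
    return {r["user_name"] for r in rows if is_password_only_success(r)}


def external_source_counts(findings):
    """Distinct external source IPs per flagged user. A password arriving from two
    or more unrelated addresses in a short window is the replay signature, as
    opposed to one analyst working from a hotel."""
    sources = defaultdict(set)
    for f in findings:
        sources[f["user_name"]].add(f["client_ip"])
    return {user: len(ips) for user, ips in sources.items()}


if __name__ == "__main__":
    hits = find_single_factor_external_logins(SAMPLE_LOGIN_HISTORY)
    for h in hits:
        print(f"{h['event_timestamp']} {h['user_name']:<9} {h['client_ip']:<15} {h['client_type']}")
    print("users needing MFA enforcement:", sorted(users_without_mfa(SAMPLE_LOGIN_HISTORY)))
    print("external sources per flagged user:", external_source_counts(hits))
```

On the sample, the three ANALYST2 rows are flagged, ETL_SVC's key-pair login and ANALYST3's failed attempt are not, and ANALYST2 shows two distinct external sources. In a live account the rows come from `SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY` (which lags by up to a couple of hours), and the hardening counterpart is an account-level network policy plus an authentication policy that requires MFA enrollment, so that the set returned by `users_without_mfa` empties out rather than being re-reported each week.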

The Canvas intrusion separately illustrates a structural problem in higher education. The sector runs on shared infrastructure: a single LMS vendor serving 41 percent of institutions means a single successful attack yields population-scale impact. Education has historically lagged other sectors on identity hygiene investment, and the SSO vishing playbook targets exactly that gap. Phishing-resistant MFA enrollment rates in higher education are significantly lower than in financial services or technology, which is likely why the sector appeared in ShinyHunters’ expansion window this week.

The Linux kernel privilege escalation added to CISA’s Known Exploited Vulnerabilities catalog on May 1 (CVE-2026-31431, “Copy Fail”) is relevant context here. An unprivileged local user can escalate to root using a publicly available 732-byte Python script. The federal remediation deadline is May 15. In environments where ShinyHunters or any other actor has already established a low-privilege foothold via credential theft, that script converts the access to full system control without any additional tooling or sophistication. Organizations that have not patched should operate as though any compromised account on a Linux host is already root.

PAN-OS Zero-Day Adds a Perimeter Problem With a Defined Calendar Gap

The second significant development since Monday is unrelated to ShinyHunters but creates an independent exposure window worth marking precisely. CVE-2026-0300, a critical buffer overflow in the PAN-OS Authentication Portal, allows unauthenticated attackers to execute arbitrary code with root privileges on internet-exposed PA-Series and VM-Series firewalls. Active exploitation is confirmed. Palo Alto does not expect patches until May 13, a gap of six days from today.

Shadowserver tracks approximately 5,800 VM-Series firewalls with public Authentication Portal exposure, with the largest concentrations in Asia (2,466 instances) and North America (1,998). These are not edge devices in the small-business sense. PA-Series appliances and VM-Series virtual firewalls anchor enterprise perimeters, cloud gateway deployments, and government network boundaries. Successful exploitation yields root on the device that enforces network segmentation: the attacker sees everything the firewall sees, can rewrite the policies governing what moves through it, and, because the device's own logs are now under attacker control, leaves defenders without a trustworthy record of what happened.

The interim mitigation Palo Alto recommends is disabling or restricting the Authentication Portal on untrusted interfaces. For organizations that have not done this, May 13 is not a target date; it is the latest acceptable action date, and the exploitation window is already open.

The pairing of CVE-2026-0300 with CVE-2026-31431 in the same week is worth flagging, not because they are connected, but because they cover opposite ends of the attack chain. CVE-2026-0300 gets an attacker onto the device controlling network access. CVE-2026-31431 converts any subsequent low-privilege foothold inside the network to root. A campaign that chained both would move from internet-exposed firewall compromise to full system control inside the target network in two steps, neither of which requires a sophisticated capability.

Escalations From Monday

As noted in Monday’s brief, ShinyHunters entered the tracking window with confirmed or claimed breaches across security, transportation, medical devices, and financial technology. The Canvas and Vimeo disclosures since Monday extend that sector-agnostic profile to six confirmed or claimed victims in a single week. The Instructure pay-or-leak deadline passed May 6 without public resolution, and the group’s willingness to follow through on data release threats is established from prior operations.

Monday’s brief also noted MuddyWater (CyberAv3ngers) as stable in its ICS/OT targeting posture. A separate MuddyWater development disclosed this week adds texture without changing that assessment: Rapid7 attributed an early-2026 operation to the group in which Microsoft Teams was used for interactive social engineering sessions to harvest credentials and bypass MFA, with the operation dressed as a Chaos ransomware-as-a-service intrusion to obscure state sponsorship. No file encryption occurred; the goal was credential and data theft. This is worth documenting because nation-state actors borrowing RaaS branding to delay attribution complicates incident response triage precisely when responders have the least margin for ambiguity.

What To Watch

The PAN-OS patch releases May 13. If active exploitation broadens before then, expect CISA to issue a KEV addition or emergency directive targeting federal agencies with exposed firewall deployments. Watch specifically for any reporting on threat actors scanning for CVE-2026-0300 at scale, which would signal the window has moved from limited to broad exploitation. Separately, the ShinyHunters data release following Instructure’s expired deadline will either produce a verifiable public dataset before the end of the week or signal that negotiations continued privately. A public dump triggers notification obligations for hundreds of institutions across North America and adds forensic evidence about the full scope of the cloud data warehouse pivot. A private resolution leaves the 3.65 TB exposure unquantified for the affected population and sets a troubling precedent for how large-scale education breaches resolve.

Security Unlocked publishes threat intelligence and strategic analysis twice weekly. This mid-week brief covers developments from 2026-05-04 through 2026-05-07.