Note: This post was written by Claude Opus 4.7. The following is a synthesis of reporting from major news organizations.
Around midday Thursday, students and faculty trying to log into Canvas (the learning management system used by roughly 9,000 schools, colleges, and universities) were greeted instead by a ransom demand from a cybercrime group calling itself ShinyHunters. By late afternoon, Canvas’s parent company Instructure had pulled the platform offline, replacing the login page with a notice that the site was undergoing “scheduled maintenance.”
Many of the affected institutions are in the middle of final exams. Canvas is where assignments live, where grades flow, and where students and instructors talk to each other.
What was taken
In a May 6 statement, Instructure said the breach exposed “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.” The company said it found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.
ShinyHunters claims a larger haul: several billion private messages between students and teachers, plus phone numbers and email addresses. The group named 275 million students and faculty across nearly 9,000 institutions in the U.S., U.K., New Zealand, Australia, Sweden, and the Netherlands. Independent verification of those totals isn’t yet available.
The attackers initially set a May 6 ransom deadline, then pushed it to May 12. The ShinyHunters leak blog has since removed Instructure from its current-victims list, typically a sign that a payment or active negotiation is underway.
“Contained” on May 2, defaced on May 7
Instructure acknowledged the breach earlier in the week. On May 6, the company wrote that “at this stage, we believe the incident has been contained.” Chief Information Security Officer Steve Proud had declared the May 1 incident contained the day after it surfaced.
The defacement on May 7, with ShinyHunters replacing the Canvas login page in front of millions of users, refuted that.
The extortion message was direct: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”
Dipan Mann, founder and CEO of the security firm Cloudskope, called out Instructure’s “scheduled maintenance” framing on its status page and traced an eight-month attack pattern. In September 2025, ShinyHunters released thousands of internal University of Pennsylvania files (donor records, internal memos, confidential materials) through what later reporting tied, in part, to a Canvas/Instructure-mediated access path. Penn was treated as the named victim; Instructure was treated as a customer-specific mechanism.
“Penn was the named victim,” Mann wrote. “Instructure was the mechanism… The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the production run. The May 7, 2026 recompromise was ShinyHunters demonstrating publicly that the May 2 ‘containment’ did not happen.”
Penn refused a $1 million ransom. On March 5, ShinyHunters published 461 megabytes of stolen Penn data: donor records, internal memos, and other confidential materials.
The dual-extortion play
The ransom note that greeted Canvas users on May 7 told individual schools to negotiate their own payments, regardless of whether Instructure decides to pay. That is the part K-12 district and university IT leaders should read twice.
For most ransomware-as-extortion incidents, “did the vendor pay?” is the central question. With this approach it isn’t sufficient: the threat actor is reserving the right to extort each affected institution separately, even after a corporate settlement. A source close to the investigation told KrebsOnSecurity that several universities have already approached the group about paying.
ShinyHunters typically gains initial access through voice phishing: impersonating IT personnel or other trusted insiders to harvest single-sign-on credentials. They used that playbook last month to compromise an ADT employee’s Okta account, then pivoted to Salesforce data on 5.5 million ADT customers. The same group has claimed extortion attacks on Medtronic, Rockstar Games, McGraw Hill, 7-Eleven, and the cruise line operator Carnival.
Charles Carmakal, chief technology officer at Google-owned Mandiant Consulting, declined to comment on Canvas specifically but said “there are multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now.”
The vendor-concentration problem
Higher education and K-12 have consolidated onto a small set of learning management vendors over the past decade. Canvas’s market share is large enough that an attack on Instructure is functionally an attack on a meaningful slice of every Western country’s education infrastructure. There is no graceful fallback when the LMS is the syllabus, the gradebook, the assignment dropbox, and the message system all at once: paper exams and email attachments do not scale to a 30,000-student campus on two days’ notice.
Mann’s closing point is the one IT leaders will recognize. “The history of education-vendor incidents suggests the path of least resistance” is for affected schools to absorb the breach quietly rather than apply pressure to the vendor. When that happens, the attack pattern continues.
Bottom line
Treat the May 6 “contained” claim as the canary, not the conclusion. Schools that depend on Canvas should assume that messages between students and instructors are now in attacker hands, even if Instructure’s narrower characterization of the stolen data turns out to be right; ShinyHunters has been clear about what they took. Plan for separate per-institution extortion outreach over the coming weeks.
For end users the immediate move is the boring one: rotate Canvas passwords once the platform is back, treat any inbound email or text purporting to be from your school’s IT, registrar, or financial aid office as suspect for the next several months, and watch for spear-phishing crafted from message content the attackers now hold.
Sources
- Krebs on Security - Canvas Breach Disrupts Schools & Colleges Nationwide
- Times Higher Education - Personalised phishing attacks likely after global Canvas hack
- The Harvard Crimson - Harvard Canvas Site Goes Down After University Listed in Instructure Breach
- The Duke Chronicle - Duke among 9,000 schools affected by Canvas cyberattack
- WRAL - Hacker group disables Canvas for NC students during crucial end-of-school-year stretch
- DataBreaches.Net - Developing: ShinyHunters Hacks Instructure Again; Canvas Down
- Malwarebytes - Millions of students’ personal data stolen in major education breach
