Canvas Breach Disrupts Schools & Colleges Nationwide – Krebs on Security

by Anika Shah - Technology

Canvas Data Breach: ShinyHunters Target 275 Million Students and Faculty

A massive data extortion campaign has struck Canvas, the widely used education technology platform, disrupting coursework and classes at thousands of school districts and universities across the United States. The attack, orchestrated by the cybercrime group ShinyHunters, culminated in the defacement of the platform’s login page and a ransom demand threatening to leak the personal data of 275 million students and faculty across nearly 9,000 educational institutions.

Key Takeaways:

  • Scale of Impact: Attackers claim data from 275 million users across nearly 9,000 institutions.
  • Data Compromised: Stolen information includes names, email addresses, student ID numbers, and user messages.
  • The Culprit: The prolific extortion group ShinyHunters claimed responsibility.
  • Technical Root Cause: Instructure identified a vulnerability related to “Free-for-Teacher” accounts.
  • Current Status: The Canvas portal is functional, but “Free-for-Teacher” accounts have been temporarily disabled.

A Timeline of Escalation and “Containment”

The crisis unfolded through a series of events in early May 2026 that highlighted a significant gap between corporate assurances and the reality of the breach.

The intrusion began around May 1, 2026. By May 2, Instructure’s Chief Information Security Officer, Steve Proud, declared that the incident had been contained. On May 6, Instructure officially acknowledged a data breach but maintained that Canvas was fully operational and that no ongoing unauthorized activity was detected. The company stated at the time, “At this stage, we believe the incident has been contained.”

However, this narrative shifted abruptly on Thursday, May 7. Students and faculty reported that the standard Canvas login page had been replaced by a ransom demand from ShinyHunters. In response to the defacement, Instructure pulled the platform offline, replacing the portal with a generic “scheduled maintenance” message.

“ShinyHunters has breached Instructure (again),” the extortion message read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”

The Technical Vulnerability: “Free-for-Teacher” Accounts

In an update published on May 8, Instructure revealed that the hackers exploited a specific issue related to “Free-for-Teacher” accounts. The company confirmed that this was the same vulnerability that led to the unauthorized access experienced the previous week.


To mitigate further risk, Instructure made the decision to temporarily shut down all Free-for-Teacher accounts. While these accounts are a core part of the platform, the company stated it is committed to resolving the issues before restoring them.

Who are ShinyHunters?

ShinyHunters is a fluid and prolific cybercriminal organization specializing in high-profile data theft and extortion. The group typically gains entry into corporate environments through social engineering and voice phishing (vishing), often impersonating IT personnel to compromise single sign-on (SSO) accounts.

Their recent track record includes several major targets:

  • ADT: Personal information of 5.5 million customers was stolen after the group compromised an employee’s Okta SSO account.
  • University of Pennsylvania: In September 2025, ShinyHunters released thousands of internal files, including donor records and memos. Dipan Mann, CEO of Cloudskope, noted that this breach occurred via a Canvas/Instructure-mediated access path, suggesting the September event was a “proof of concept” for the May 2026 attack.
  • Other Targets: The group has recently taken credit for attacks against Rockstar Games, Medtronic, McGraw Hill, 7-Eleven, and Carnival cruise lines.

Expert Analysis: A Pattern of Escalation

Cybersecurity experts have criticized Instructure’s handling of the event. Dipan Mann of Cloudskope slammed the company for labeling the May 7 outage as “scheduled maintenance,” arguing that the re-compromise demonstrated that the May 2 “containment” never actually happened.

The timing of the attack is particularly damaging, as many affected institutions are currently conducting final exams. Charles Carmakal, CTO at Mandiant Consulting, noted that the Canvas breach is part of a broader trend, stating that there are “multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now.”

What Data Was Stolen?

According to Instructure, the investigation indicates that the stolen data includes:

  • Names
  • Email addresses
  • Student ID numbers
  • Messages exchanged between users

Instructure maintains that there is no evidence that more sensitive data—such as passwords, dates of birth, government identifiers, or financial information—was compromised. However, ShinyHunters claims to possess several billion private messages, as well as phone numbers and email addresses.

FAQ: What Should Users Do?

Is my data at risk?

If your institution uses Canvas, you may be affected. Instructure is contacting the primary contacts of affected organizations directly. Users are advised not to rely on unverified third-party lists or social media posts.

Did Instructure pay the ransom?

While Instructure has not officially confirmed a payment, a source close to the investigation told reporters that several universities have already approached the cybercrime group regarding payments. ShinyHunters removed Instructure from its leak site, a move typically reserved for victims who have paid or agreed to negotiate.

How can I protect my accounts?

Given that ShinyHunters frequently uses voice phishing and SSO compromise, users should be wary of unsolicited calls from individuals claiming to be IT support and should ensure that multi-factor authentication (MFA) is enabled on all critical accounts.


As the deadline for the ransom payment approaches on May 12, the education sector remains on high alert. This incident underscores the critical vulnerability of centralized EdTech platforms and the growing threat of sophisticated social engineering attacks.
