Cybersecurity

Canvas Hacked Instructure ShinyHunters 2026: 5 Alarming Facts for Students

Canvas hacked Instructure ShinyHunters 2026 maintenance offline screen
Canvas went offline twice during the week of May 5, 2026, as Instructure scrambled to contain the ShinyHunters breach and restore service to 8,809 institutions across more than 100 countries that depend on the platform for course delivery.

8,809 schools. 275 million records. Billions of private messages. And a May 12 deadline to pay or see it all leaked. Here is everything confirmed about the Canvas breach.

Contents
Background and ContextWhy Canvas Hacked Instructure ShinyHunters 2026 Is the Education Security Crisis of the YearLatest UpdateThe Five Alarming Facts Every Student and Parent Must KnowWhat Students and Parents Should Do Right NowExpert Insights and AnalysisBroader ImplicationsRelated History and Comparable IncidentsWhat Happens NextConclusionFAQSources & ReferencesOh hi there 👋It’s nice to meet you.Sign up to receive awesome content in your inbox, every week.

The Canvas hacked Instructure ShinyHunters 2026 story is the largest confirmed education data breach in history. Instructure, the Utah-based company behind Canvas LMS, confirmed on May 1, 2026 that hackers gained unauthorized access to its cloud-hosted environment beginning April 30, exposing names, email addresses, student ID numbers, and private messages between students and teachers across 8,809 schools, universities, and education ministries worldwide. The criminal extortion group ShinyHunters claims to have stolen 3.65 terabytes of data covering 275 million records and has given Instructure until May 12, 2026 to pay a ransom or face the public release of “several billions of private messages among students and teachers.” Canvas is used by 41% of higher education institutions across North America. Harvard, Stanford, Columbia, MIT, and the entire Ivy League except Princeton are on the confirmed affected institution list. Canvas went offline twice this week as the breach evolved.

Background and Context

Canvas is the world’s most widely deployed learning management system. Instructure, its parent company, was acquired by private equity firms KKR and Dragoneer in 2024 for $4.8 billion. The platform operates across more than 100 countries and is used by more than 7,000 universities, K-12 districts, and education ministries worldwide.

The attack that produced the Canvas hacked Instructure ShinyHunters 2026 breach is not this group’s first attack on Instructure. This is the company’s second confirmed breach in approximately eight months. In September 2025, the same ShinyHunters group exploited a social engineering attack against Instructure’s Salesforce environment. The fact that the same threat actor successfully breached the same company twice in eight months is one of the most alarming elements of the story.

ShinyHunters is a well-documented financially motivated criminal extortion group that has been linked to major breaches at Ticketmaster, several high-profile universities, Infinite Campus, McGraw Hill, Panera Bread, and multiple Salesforce environments in early 2026. The group now operates within an alliance called Scattered LAPSUS$ Hunters alongside the LAPSUS$ gang.

Why Canvas Hacked Instructure ShinyHunters 2026 Is the Education Security Crisis of the Year

Latest Update

Instructure confirmed the breach on May 1, with ShinyHunters escalating their ransom demand publicly on May 7 by posting directly to Canvas user dashboards.

Full coverage from the incident:

Key confirmed details from all sources:

  • The attack began April 30, 2026. Instructure confirmed on May 1 that hackers exploited a vulnerability to gain unauthorized access to its cloud-hosted Canvas Data 2 and Canvas Beta environments. The company shut down those services, causing disruptions to third-party integrations.
  • Confirmed exposed data includes: full names, email addresses, student ID numbers, and private messages between users. Instructure has stated there is no evidence passwords, dates of birth, government identifiers, or financial information were involved.
  • ShinyHunters claims 3.65 terabytes of data stolen, covering 275 million records across 8,809 institutions. TechCrunch, which reviewed sample data provided by the hackers, confirmed the sample included names, email addresses, and some phone numbers. ShinyHunters told TechCrunch that unique emails in the stolen data total 231 million.
  • On May 7, ShinyHunters posted a ransom message directly to Canvas user dashboards: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.'” The message demanded Instructure negotiate a settlement with a deadline of May 12, 2026 before data would be leaked.
  • Institutions confirmed affected include Harvard, Stanford, Columbia, MIT, Duke, and the entire Ivy League except Princeton. The North Carolina Department of Public Instruction, which uses Canvas across all state K-12 schools, was notified. Wake County Public School System alerted families and staff.

The Five Alarming Facts Every Student and Parent Must Know

Fact 1: This is Instructure’s second ShinyHunters breach in eight months. The September 2025 breach exploited a social engineering attack against Instructure’s Salesforce environment. The May 2026 breach exploited a vulnerability in the same company’s cloud infrastructure, by the same threat actor. Institutions should request documentation from Instructure addressing what specifically changed after the September 2025 breach and why those controls did not prevent the May 2026 incident. The structural vulnerability in the edtech sector is consistent: a single SaaS provider holding records on tens of millions of students across thousands of institutions is compromised through a single account or integration, and every dependent institution inherits the breach simultaneously.

Fact 2: The private message exposure is the most sensitive element. Canvas is used by students to disclose medical and mental health information to academic advisers, to request accommodations, and to communicate with Title IX advocates. ShinyHunters claims to have stolen “several billions of private messages among students and teachers.” The sensitivity of those communications goes far beyond names and email addresses. A student who disclosed a mental health condition to an adviser via Canvas, or who reported sexual harassment to a Title IX coordinator through the platform, may have had that communication exposed in the breach.

Fact 3: The ransom deadline is May 12, 2026. ShinyHunters has given Instructure until the end of the day on May 12 before threatening to release everything. The message posted to Canvas dashboards on May 7 directed schools or Instructure to contact the group and “negotiate a settlement.” Instructure has not publicly acknowledged receiving or responding to the ransom demand. The company did tell Inside Higher Ed that it would not comment on specific questions about the ransom, pointing instead to its CISO’s public status log.

Fact 4: Passwords, birth dates, and financial information were not confirmed as stolen. Instructure has stated it found no evidence that passwords, dates of birth, government identifiers, or financial information were involved in the breach. This is the most protective boundary the company has confirmed. It means the immediate risk is targeted phishing using the exposed information, not direct account takeover through credential theft. However, the private message content the group claims to hold could contain financial or health information that students shared through the platform.

Fact 5: The affected population includes millions of children under COPPA. The 8,809 affected institutions include K-12 school districts. The breach of student data for minors triggers obligations under the Children’s Online Privacy Protection Act (updated April 22, 2026) alongside FERPA. Parental notification obligations apply at the institutional level. Parents of K-12 students whose schools are on the affected institution list should expect notifications from their school districts and should proactively contact their district if no notification has arrived within the next 48 to 72 hours.

What Students and Parents Should Do Right Now

Change your Canvas password immediately, especially if you use the same password across multiple platforms. If your school uses single sign-on through Google or Microsoft, those credentials are separate, but any standalone Canvas account passwords should be changed now.

Be extremely cautious of unsolicited emails, texts, or messages claiming to be from Canvas, your school, or Instructure. Attackers who hold names, email addresses, student IDs, and private message content can craft highly convincing phishing messages. Any communication asking you to confirm login details, open attachments described as course assignments, or pay fees through unusual methods should be verified through the official school website directly rather than through any link in the message.

Monitor your child’s accounts for unusual activity. If your child uses Canvas accounts across multiple platforms, enable multi-factor authentication wherever it is available. Consider using a family password manager to ensure each education platform account has a unique, strong password.

Malwarebytes recommends using their free Digital Footprint scan to check whether your personal information has been exposed online. FERPA-protected data in the wrong hands can enable identity fraud targeting students, including fraudulent scholarship applications and financial aid manipulation.

Expert Insights and Analysis

Anton Dahbura, executive director of the Johns Hopkins University Information Security Institute, told Inside Higher Ed: “The Canvas breach is a reminder that no platform is immune. There are countless widely used systems that remain attractive targets for sophisticated bad actors, including nation-states.”

The structural problem the Canvas breach illustrates is the concentration of educational data in centralized SaaS platforms. Canvas, PowerSchool, and Infinite Campus collectively hold student records for the majority of the US student population. ShinyHunters has now breached all three in recent months. The edtech sector’s data concentration makes it structurally attractive to ransomware groups: a single successful attack reaches tens of millions of records simultaneously.

The method by which ShinyHunters exfiltrated 3.65 terabytes of data from Instructure without detection, and the duration of access before discovery, remain under investigation. Instructure’s chief information security officer Steve Proud confirmed in a public status update that the breach was perpetrated by a criminal threat actor and that outside forensic cybersecurity experts and law enforcement have been engaged.

Broader Implications

The Canvas hacked Instructure ShinyHunters 2026 incident arrives as schools are nearing end-of-year examinations and course completions, when Canvas usage is at its highest intensity and the disruption from service outages is most damaging to students.

The breach also arrives at a moment when FERPA, COPPA, and state-level student privacy regulations are facing their most significant enforcement environment in years. The exposure of student communication records, particularly communications with Title IX advocates and disability accommodation staff, may trigger regulatory investigations regardless of whether Instructure pays the ransom.

Canvas joins PowerSchool, which disclosed a breach affecting 62 million student records in December 2024, and Infinite Campus, which ShinyHunters also breached earlier in 2026, in a documented pattern of the same threat actor group targeting the three largest student information systems in North America.

For deeper coverage of the Canvas breach, the ShinyHunters threat actor, and the cybersecurity stories shaping the education technology sector in 2026, The Tech Marketer covers the technology and security developments that affect students, parents, and institutions nationwide.

ShinyHunters has a documented 2026 attack pattern that specifically targets edtech platforms through Salesforce environments and credential compromise. Before the Instructure breach, the group claimed a PowerSchool breach in late 2025, the Infinite Campus breach in early 2026, and the McGraw Hill breach. The group also claimed responsibility for breaching the University of Pennsylvania and Princeton University.

The PowerSchool breach remains the largest comparable education data incident before the Canvas breach. PowerSchool disclosed in December 2024 that ShinyHunters had accessed student records for approximately 62 million students and 9.5 million teachers across North American school districts. The Canvas breach, at 275 million claimed records, would be nearly four times larger.

The common thread across all ShinyHunters education sector attacks is the Salesforce connection. ShinyHunters claimed a Salesforce breach in October 2025 covering over a billion customer records across dozens of companies that contracted with Salesforce, including Instructure. The May 2026 Instructure breach may represent continued exploitation of access first obtained through that earlier Salesforce compromise.

What Happens Next

The May 12 ransom deadline is the most immediate watch item. If Instructure does not pay and ShinyHunters follows through, billions of private student-teacher messages would be released publicly. Instructure has not publicly commented on whether it is in contact with the group.

Instructure’s CISO Steve Proud posted on May 7 that Canvas Data 2 and Beta “should now be available for all customers,” while Canvas Test remains under maintenance. The platform went offline again briefly on May 7 after ShinyHunters posted to user dashboards, then returned to service.

Law enforcement engagement has been confirmed. The FBI and outside forensic teams are involved. Whether law enforcement contact with ShinyHunters produces any interruption to the group’s operations before May 12 is uncertain.

Conclusion

Canvas hacked Instructure ShinyHunters 2026 is the most consequential education data breach in history by claimed record count. 275 million records. 8,809 institutions. Billions of private messages. A May 12 ransom deadline. And this is the same company breached by the same group eight months ago.

Change your password now. Watch for phishing. Monitor your accounts. And if you sent anything through Canvas that you would not want published publicly, know that the group holding it has given Instructure six days to respond.

FAQ

1. What happened in the Canvas Instructure ShinyHunters 2026 breach? On April 30, 2026, the criminal extortion group ShinyHunters exploited a vulnerability in Instructure’s cloud-hosted Canvas LMS environment. Instructure confirmed on May 1 that names, email addresses, student ID numbers, and private messages between users had been accessed. ShinyHunters claims to have stolen 3.65 terabytes of data covering 275 million records across 8,809 schools, universities, and education platforms worldwide.

2. Was my Canvas password stolen in the Instructure breach? Instructure has confirmed there is no evidence that passwords, dates of birth, government identifiers, or financial information were stolen. The confirmed exposed data includes names, email addresses, student ID numbers, and user messages. Change your Canvas password as a precaution regardless, particularly if you use the same password on other platforms.

3. Which schools and universities are affected by the Canvas hack? ShinyHunters shared a list of 8,809 affected institutions with BleepingComputer. Confirmed affected institutions include Harvard, Stanford, Columbia, MIT, Duke, and the entire Ivy League except Princeton. The North Carolina Department of Public Instruction and Wake County Public Schools have confirmed their institutions are on the list. Individual students should check with their school’s IT department for confirmation.

4. What is the ShinyHunters May 12 ransom deadline for Canvas? On May 7, 2026, ShinyHunters posted a ransom message directly to Canvas user dashboards stating Instructure had ignored them and done “security patches” instead of contacting them. The message gave Instructure until end of day May 12, 2026 to negotiate a settlement, after which the group threatened to release “several billions of private messages among students and teachers” publicly.

5. What should students and parents do after the Canvas Instructure hack? Change your Canvas password immediately. Never reuse passwords across platforms. Watch for phishing emails claiming to be from Canvas, your school, or Instructure, as attackers can craft convincing messages using your name, email, school name, and course information. Do not click links in unsolicited messages about the breach. Monitor accounts for unusual activity. Parents of K-12 students should contact their school district directly if they have not received a notification.

Sources & References

Oh hi there 👋
It’s nice to meet you.

Sign up to receive awesome content in your inbox, every week.

We don’t spam! Read our privacy policy for more info.

You Might Also Like

Data Privacy Regulations Surge in 2026 as New U.S. Law Push Gains Momentum

CVE-2026-31431 Linux Vulnerability Enables Root Access via Copy Fail Flaw

Windows Update April 2026: Critical Patch Tuesday Fixes 160+ Vulnerabilities Including Exploited SharePoint Zero-Day

CareCloud Data Breach 2026: What Happened and Why It Matters for Healthcare Cybersecurity

Social Security Scam Warning Surges as Retirees Targeted by New Fraud Wave

Share This Article
Previous Article Measurement Microscope Selection: How to Select the Right Measurement Microscope – Leica Microsystems
Next Article 2026 El Nino intensity forecast Super ECMWF 100 percent probability 2026 El Nino Intensity Forecast Super: 5 Alarming Facts About the Record Event
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Latest News

  • Sony’s PS5 sales plummet amid price rises and a memory crisis

    Sony sold just 1.5 million PS5 consoles in its most recent fourth fiscal quarter, down 46 percent year over year. The slump in PS5 sales comes after Sony raised the price of its PS5 consoles twice over the past year, pushing the price of the regular PS5 from $499.99 all the way up to $649.99.

  • Nintendo is raising Switch 2 prices

    Nintendo is raising the price of its Switch 2 console globally, "in light of changes in market conditions," and is now forecasting a drop in sales over the next year. Starting September 1st, the Switch 2 will cost $499.99 in the US, up from its current $449.99 price. At the same time, prices will also

  • Canvas is down as ShinyHunters threatens to leak schools’ data

    The Instructure-owned learning management platform, Canvas, is down after recently confirming a massive data breach that impacted student names, email addresses, ID numbers, and messages. Students attempting to access the system on Thursday saw a message from the hacking group ShinyHunters, which claimed responsibility for the attack: ShinyHunters has breached Instructure (again). Instead of contacting

  • Mira Murati’s deposition pulled back the curtain on Sam Altman’s ouster

    The week leading up to Thanksgiving 2023 was the AI industry's biggest soap opera moment. OpenAI CEO Sam Altman was abruptly ousted from his role at the ChatGPT maker. The explanation? That Altman was "not consistently candid in his communications with the board." Now, via witness testimony and trial exhibits in Musk v. Altman, the

  • Apple’s AirPods with cameras for AI are apparently close to production

    Apple's rumored AirPods with cameras are nearing a stage where the company will test early mass production, Bloomberg's Mark Gurman reports. Currently, Apple testers are "actively using" prototypes that are in the design validation test stage, which is one step before the production validation test stage. The AirPods' cameras "aren't designed" to snap photos or

- Advertisement -