A cyberattack on Canvas, the learning management system used by more than 30 million students and teachers globally, disrupted classroom access at thousands of schools and universities on Thursday, May 7, 2026, after the hacking group ShinyHunters breached parent company Instructure for a second time and posted ransom messages on user login pages.
The breach hit during finals week at many U.S. universities, locking students out of exams, course materials, and grade portals. Instructure restored service for most users by Friday morning, though Canvas Beta and Canvas Test remained in maintenance mode as of publication.
What Happened in the Canvas Hack
Students and faculty logging into Canvas on Thursday afternoon were greeted by a message from ShinyHunters claiming the group had breached Instructure “again” and threatening to release stolen data unless a ransom was paid by May 12, 2026.
The message read in part: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.'” The group instructed affected institutions to consult cyber advisory firms and contact ShinyHunters through the encrypted messaging app Tox to negotiate a settlement.
Instructure responded by placing Canvas, Canvas Beta, and Canvas Test into maintenance mode while it investigated the incident. The company said it first detected unauthorized activity on April 29 and identified the May 7 intrusion as related to the same vulnerability.
In a statement, Instructure said the attacker exploited an issue tied to its Free-For-Teacher accounts and that it has temporarily shut down those accounts as a result. The company also said it notified the FBI, the U.S. Cybersecurity and Infrastructure Security Agency, and international law enforcement partners.
Scope of the Breach
ShinyHunters claims the attack affected nearly 9,000 schools worldwide and exposed data belonging to roughly 275 million users, including more than 3.65 terabytes of records. The full scope has not been independently verified.
Affected institutions include all eight Ivy League universities, including Harvard, Princeton, Columbia, and the University of Pennsylvania. Public university systems such as Rutgers, Stanford, Duke, Georgetown, MIT, Penn State, and multiple University of California campuses were also impacted, along with California State University campuses including Sacramento State, Long Beach, and Humboldt. K-12 districts in California, Florida, Georgia, North Carolina, Oklahoma, Oregon, Nevada, Tennessee, Utah, Virginia, and Wisconsin reported disruptions, as did international institutions in the United Kingdom, Australia, New Zealand, Sweden, and the Netherlands.
In Australia, the federal government’s National Office of Cyber Security is coordinating a response. In the Netherlands, 44 educational institutions reported impact, according to the umbrella organization Universities of the Netherlands.
What Data Was Compromised
According to Instructure, the compromised data may include names, email addresses, student ID numbers, and private messages between users on the Canvas platform. The company stated it has found no evidence that passwords, dates of birth, government identifiers, or financial information were involved in the breach.
ShinyHunters has disputed the scope as described by Instructure. In a statement to the Daily Californian, the group claimed to have stolen more than 600,000 records from UC Berkeley alone, including student and staff email addresses, names, student IDs, course enrollments, and private messages.
The Daily Pennsylvanian reported it confirmed ShinyHunters had obtained Penn user data after the group shared a sample that included Canvas user accounts and internal messages between students and faculty.
Impact on Students During Finals
The attack came at a disruptive time for higher education, with many U.S. universities holding final exams. At the University of Wisconsin-Madison, one student was kicked out of a Microbiology 303 exam mid-test, according to The Daily Cardinal. Students at the University of Pennsylvania reported being logged out while studying for finals, forcing professors to distribute course materials through alternative channels.
Several institutions extended deadlines, rescheduled exams, and asked faculty not to penalize students affected by the outage. At Sacramento State, Provost Erika Cameron emailed faculty asking that students not be penalized as a result of the incident.
The North Carolina Department of Public Instruction removed Canvas access from NCEdCloud, the state’s sign-on portal for K-12 schools, until officials determine it is safe to restore. The Wake County Public School System also removed Canvas from its student portal and instructed staff and students not to use the application.
Who Is ShinyHunters
Photo Credit: Unsplash.com
ShinyHunters is a cybercrime group founded in 2019 or 2020 that has been linked to several high-profile data breaches. According to Luke Connolly, a threat intelligence analyst at cybersecurity firm Emsisoft who spoke with the Associated Press, the group is described as a loose collection of teenagers and young adults based in the United States and the United Kingdom.
The group has previously claimed responsibility for breaches at Ticketmaster owner Live Nation in 2024, where it said it stole the personal details of 560 million customers. It has also been linked to attacks on Vimeo, Salesforce, McGraw Hill, and the K-12 student information system Infinite Campus.
ShinyHunters previously targeted the University of Pennsylvania, Harvard, and Princeton in November 2025, leaking 1.2 million lines of data after the universities reportedly refused to pay ransom demands.
In 2024, the U.S. Department of Justice sentenced 22-year-old French citizen Sebastien Raoult, an alleged member of ShinyHunters, to three years in prison and ordered him to pay more than $5 million in restitution.
What Comes Next
ShinyHunters set a May 12, 2026 deadline for Instructure or affected schools to contact the group and negotiate a settlement. It remains unclear whether Instructure plans to pay the ransom.
According to DataBreaches.net, the Instructure listing was removed from ShinyHunters’ dark web leak site after the defacement of Canvas login pages, which security researchers say could indicate that Instructure or affected institutions have made contact with the group, though the company has not confirmed any communication.
Instructure has advised users that no immediate action is required and said it is continuing to investigate. Affected schools have advised students and faculty to monitor official institutional channels for updates and to be cautious of phishing attempts that could follow the breach.
Canvas is used by approximately 41 percent of higher education institutions in North America, according to Inside Higher Ed, making it the most widely deployed learning management system on the continent.
