Criminal Group ShinyHunters Breached Instructure's Canvas LMS Again
May 9, 2026

IBL News | New York
One day after Instructure said it had resolved the data breach of its Canvas LMS, the extortion hacking group ShinyHunters accessed the platform again.
On Thursday, students and faculty who use Canvas LMS reported receiving a message from the criminal extortion group ShinyHunters, which earlier this week claimed to have compromised the personal identifying information of 275 million people across 9,000 institutions, including students, teachers, and staff.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches,’” read a message multiple Canvas users received when they tried to log in to the platform on Thursday.
“If any schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked. Instructure still has until EOD 12 May 2026 to contact us.”
Holy shit. I was in Canvas and then all of a sudden, this showed up!
— Katy Pearce (@katypearce.bsky.social) May 7, 2026 at 4:03 PM
The group had previously given Instructure until Wednesday to pay a ransom, threatening to leak all the data if the company didn’t pay by the deadline.
According to ShinyHunters—which is also linked to recent data breaches at the University of Pennsylvania, Princeton, and Harvard Universities—Instructure didn’t respond to those demands in time.
Instead, the company said earlier this week that it had addressed the breach by deploying security measures, including revoking privileged credentials and access tokens associated with affected systems; deploying patches to enhance system security; rotating certain keys, “even though there is no evidence they were misused”; and implementing increased monitoring across all platforms.
Instructure posted on Wednesday that “Canvas is fully operational, and we are not seeing any ongoing unauthorized activity.”
But by Thursday afternoon, Instructure acknowledged there was trouble again: “Canvas, Canvas Beta, and Canvas Test are currently unavailable,” the status update read. “We are currently investigating this issue.”
It’s unclear whether Instructure plans to pay the ransom by the May 12 deadline.
ShinyHunters criticized Instructure’s lack of communication to date.
“Instructure has not even bothered speaking to us to understand the situation or to even negotiate with us to prevent the release of this data. Our demand was not even as high as you might think it is,” reads one version of the cybergang’s ransom letter posted on RansomLook, a website that tracks cybercrime activity.
Many U.S. colleges and universities postponed final exams and assignment due dates after Canvas LMS, the learning platform used by 41 percent of North American institutions, temporarily went offline due to a hack.
- On Thursday night, the University of Illinois at Urbana-Champaign Provost John Coleman wrote to students and employees, communicating that the institution postponed “all final exams and assignments, including papers, projects, etc., scheduled for Friday, Saturday, or Sunday.”
- Arizona State University canceled all exams scheduled to be held on Canvas on Friday and Saturday, adding that instructors will update students on grade adjustments.
- The University of California System said in a statement Thursday that “out of an abundance of caution, the president’s office has instructed all UC locations to temporarily block or redirect Canvas access, and Canvas access will not be restored until we are confident the system is secure.”
- Nationally, campuses including Harvard, Duke, and the University of Pennsylvania reported similar outages.
Canvas’s disruption caused widespread uncertainty.
Cliff Steinhauer, the National Cybersecurity Alliance’s information security and engagement director, said the “breach underscores how deeply schools now depend on centralized digital platforms to keep day-to-day academic operations running.”
“Even if highly sensitive financial information was not exposed, educational records, communications, and identity data can still be valuable to cybercriminals for phishing, impersonation, and future attacks,” Steinhauer said.
“Cybercriminals are increasingly incentivized to target large technology vendors and shared service providers because compromising a single platform can provide access to thousands of organizations at once, making it far more efficient and profitable than attacking individual schools one by one.”
Earlier this week, the criminal extortion group ShinyHunters claimed its attack on Instructure compromised personal identifying information for 275 million people, including students and employees, across 9,000 K-12 and higher ed institutions worldwide.
Instructure said it notified law enforcement, including the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, about the hack that included names, email addresses, student ID numbers, and messages among Canvas users.
The KrebsOnSecurity website reported that several universities had already approached the cybercrime group about paying. Data extortion groups like ShinyHunters typically remove victims from their leak sites only after receiving an extortion payment or after a victim agrees to negotiate.
Schools and universities use Canvas LMS to manage nearly all aspects of instruction. The platform acts as a gradebook, a hub for digital lectures and course materials, a discussion board for classroom projects, and a messaging platform between students and instructors. Some courses also offer quizzes and exams on the platform, or use it as a portal for submitting final projects and papers on time.
ShinyHunters is a cybercriminal group that specializes in data theft and extortion. They typically gain access to companies through voice phishing and social engineering attacks, often by impersonating IT personnel or other trusted members of the targeted organization.
IBL News is funded by the New York-based, family-owned company ibl.ai. Our stories adhere to the highest ethical standards in journalism and are available to news syndication agencies.








