Millions of American college students opened their laptops during finals week, entered their Canvas passwords, and discovered something unexpected: a ransom message that was injected straight into the login page informing them that the platform had been compromised and that ShinyHunters now had their data. It was likely the first time the majority of them had heard that name. It won’t be the final one.
The hack began covertly on April 25, 2026, when ShinyHunters took advantage of a flaw in Instructure’s Free-For-Teacher service, which was essentially a promotional account mechanism that allowed the attackers access to a system that was used by almost 9,000 educational institutions across the globe. The damage had already been done when Instructure discovered the illegal access on April 29, four days later. Approximately 275 million records pertaining to student and staff names, institutional email addresses, student ID numbers, and private Canvas inbox messages exchanged between students, teachers, and staff were among the 3.65 terabytes of data that the group claimed to have stolen. Account passwords, financial information, and Social Security numbers were not among the data accessed, according to Instructure’s May 2 confirmation of the breach. There is some comfort in that final detail. Some, but not much.
On May 7, a major breach was transformed into something truly concerning. The group escalated with a move that was difficult to overlook after Instructure closed the incident on its status page and refused to get in touch with ShinyHunters by the original deadline. They switched from focusing on Instructure centrally to focusing on each of the 8,809 impacted schools separately and defaced the Canvas login portals of about 330 institutions, inserting their own HTML message directly into the pages that staff, parents, and students use on a daily basis. The message could be seen. It was intentional. Additionally, it was timed to cause the most disruption possible by falling during a time when students at universities around the nation were taking exams and relying on Canvas to access course materials and turn in assignments. In response, Instructure took Canvas offline worldwide. The platform was operational again by May 8. The Free-For-Teacher program was put on indefinite hold.
| Field | Details |
|---|---|
| Threat Actor | ShinyHunters |
| Active Since | 2019 (publicly emerged January 2020) |
| Attack Model | “Pay or leak” data extortion (no ransomware encryption) |
| Target | Instructure (parent company of Canvas LMS) |
| Date of Initial Breach | April 25, 2026 |
| Breach Vector | Vulnerability in Canvas Free-For-Teacher account mechanism |
| Data Volume Claimed | 3.65 Terabytes |
| Records Affected | ~275 Million |
| Institutions Affected | ~8,809 educational institutions |
| Data Types Exposed | Names, institutional emails, student IDs, Canvas inbox messages |
| Data NOT Reported Exposed | Passwords, financial data, Social Security numbers |
| Login Pages Defaced | ~330 institutional Canvas portals |
| Final Extortion Deadline | May 12, 2026 |
| Canvas Status (as of May 8) | Back online (briefly taken offline during escalation) |
| Free-For-Teacher Service | Indefinitely suspended by Instructure |
| Known Linked Groups | Scattered Spider (UNC3944), LAPSUS$ |
| Previous Notable Attacks | Snowflake customers (2024), Salesforce environments (2025) |
This is not something that ShinyHunters happened upon by accident. The gang has been active since 2019 and has been well-known since early 2020. They have a documented history of changing their tactics with a sort of strategic patience, going from bulk consumer database theft to cloud credential attacks against Snowflake customers in 2024, to AI-assisted voice phishing against Salesforce environments in 2025, and now to using third-party educational platforms to reach downstream victims at institutional scale. In essence, what they have created is a pressure escalation system that involves exfiltrating the data, listing the victim on a dark web leak site, setting a deadline, and then finding a way to directly affect the victim’s users if the deadline has passed. The vandalism on the login page went beyond simple extortion. They were promoting themselves.
When you think about the type of data that is stored in Canvas inboxes, it’s difficult not to feel something. Students frequently use Canvas messaging to talk about disputed grades, mental health issues, accommodations for disabilities, requests for financial hardship, and family emergencies. These are discussions that take place in an educational setting under the presumption of privacy. For millions of people who never gave their consent to any of this and were unable to opt out, that assumption is now violated. K–12 districts, community colleges, Ivy League universities, and international organizations in Europe, Canada, Latin America, Asia, and Oceania were all impacted by the hack. There are currently tens of thousands of entries on a list of impacted schools that is being made public. The practical question for any Canvas-using institution is no longer whether or not they are on the list. It’s what comes next.
By May 12, 2026, each of the roughly 8,809 impacted institutions must have independently contacted ShinyHunters or the dataset will be fully made public. This is the final deadline ShinyHunters set for individual school negotiations. Paying extortion demands from organizations using this model does not ensure that data will not be released in any case, as security researchers have consistently pointed out. When negotiations start, ShinyHunters has a documented pattern of deleting victim entries from their leak site; this is a fact, not a guarantee. The data that left Instructure’s servers in late April is already lost, regardless of whether schools pay, miss the deadline, or find another way. Where it ends up is still a mystery.
