A continuing data extortion campaign aimed at Canvas—a widely adopted education technology platform—has thrown school districts and universities across the United States into turmoil today. The disruption occurred after a cybercrime group hijacked the service’s login page, displaying a ransom note that threatened to expose data belonging to 275 million students and faculty members at close to 9,000 educational institutions.
A reader-shared screenshot captures the extortion message that appeared on the Canvas login page earlier today.
Instructure [NYSE:INST], the company behind Canvas, took the platform offline in response to today’s defacement. Canvas is relied on by thousands of schools, universities, and businesses for managing coursework, assignments, and student communication.
Earlier this week, Instructure confirmed a data breach after the hacking collective ShinyHunters claimed responsibility, stating they would release data on tens of millions of students and educators unless a ransom was paid. The initial payment deadline was May 6, but it was later extended to May 12.
In a May 6 statement, Instructure said its investigation revealed the compromised data included “specific identifying details of users from affected institutions, such as names, email addresses, and student ID numbers, along with messages exchanged between users.” The company emphasized there was no evidence that more sensitive data—such as passwords, birth dates, government IDs, or financial records—was involved.
The same update assured users that Canvas was fully functional and that no further unauthorized activity had been detected. “At this point, we believe the incident is contained,” Instructure stated.
However, by midday Thursday, May 7, waves of students and staff from numerous schools and universities flooded social media, reporting that the usual Canvas login screen had been replaced with a ransom demand from ShinyHunters. Instructure responded by shutting down Canvas entirely and displaying the notice: “Canvas is currently under scheduled maintenance. Please check back soon.”
“We expect to restore services shortly and will share updates as soon as they’re available,” Instructure’s current status page now reads.
Even if the stolen data isn’t especially sensitive—though ShinyHunters claims it includes billions of private messages between students and teachers, plus names, phone numbers, and email addresses—the timing of this attack couldn’t be worse for Instructure. Many affected institutions are currently in the midst of final exams, and a prolonged outage could seriously harm the company’s reputation and reliability.
The extortion note shown to countless Canvas users today urged individual schools to negotiate their own ransom payments to avoid data leaks—regardless of whether Instructure chooses to pay.
“ShinyHunters has breached Instructure (again),” the message stated. “Instead of reaching out to resolve this, they ignored us and applied a few ‘security patches.’”
An anonymous source familiar with the investigation—who was not authorized to speak publicly—told KrebsOnSecurity that several universities have already contacted the cybercrime group about potential payments. The same person noted that Instructure is no longer listed among current extortion targets on the ShinyHunters leak blog, and that data samples taken from Canvas customers have also been removed. Typically, groups like ShinyHunters only take down victims’ information after receiving payment or when negotiations begin.
Dipan Mann, founder and CEO of cybersecurity firm Cloudskope, sharply criticized Instructure for describing today’s outage as “scheduled maintenance” on its status page. Mann pointed out that ShinyHunters first proved they had breached Instructure on May 1, prompting Instructure’s Chief Information Security Officer Steve Proud to declare the next day that the situation was under control. Yet, according to Mann, this latest incident marks at least the third breach of Instructure by ShinyHunters in the past eight months.
In a blog post published today, Mann highlighted that in September 2025, ShinyHunters leaked thousands of internal University of Pennsylvania files—including donor records, internal memos, and confidential documents—via what the Daily Pennsylvanian and other media later confirmed was partly a Canvas/Instructure-based access route.
“Penn was called the victim,” Mann wrote. “Instructure was the enabler. Most national press treated it as a Penn-only issue, and Instructure quietly handled it as a customer-specific problem. That framing was incorrect back then—and it’s dramatically more so now, given the May 2026 events. These latest incidents appear to be the deliberate escalation of an attack strategy that ShinyHunters had been refining against Instructure’s systems for at least eight months prior. The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the full-scale operation. And the May 7, 2026 recompromise publicly proves that the May 2 claim of ‘containment’ never actually happened.”
In February, a spokesperson for ShinyHunters told The Daily Pennsylvanian that Penn refused to pay a $1 million ransom. On March 5, the group followed through by publishing 461 megabytes of stolen Penn data—including thousands of files such as donor records and internal memos.
ShinyHunters is a highly active and adaptable cybercriminal organization specializing in data theft and extortion. They commonly infiltrate organizations using voice phishing and social engineering tactics, often by impersonating IT staff or other trusted insiders.
Last month, the group stole personal data belonging to 5.5 million customers from home security giant ADT. They told BleepingComputer they accessed ADT’s systems by compromising an employee’s Okta single-sign-on account through a voice phishing attack, which granted them entry into ADT’s Salesforce environment. BleepingComputer reports that ShinyHunters has recently claimed responsibility for several high-profile extortion attacks targeting organizations such as Medtronic, Rockstar Games, McGraw Hill, 7-Eleven, and Carnival Cruise Line.
The Canvas customer breach is just one of multiple major extortion operations currently underway by ShinyHunters, according to Charles Carmakal, chief technology officer at Mandiant Consulting, a Google-owned firm. While Carmakal declined to comment specifically on the Canvas incident, he confirmed that “there are several simultaneous, separate ShinyHunters intrusion and extortion campaigns active right now.”
Mann of Cloudskope said the next steps will depend largely on whether Instructure’s clients—the universities, K–12 districts, and education ministries that rely on Canvas—choose to push for accountability or quietly accept the breach.
“Past incidents involving education vendors suggest the path of least resistance will likely prevail,” he concluded.
