An ongoing data extortion attack targeting the widely-used education technology platform Canvas disrupted classes and coursework at school districts and universities across the United States today, after a cybercrime group defaced the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions.
A screenshot shared by a reader showing the extortion message that was shown on the Canvas login page today.
Canvas parent firm Instructure responded to today’s defacement attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage coursework and assignments, and to communicate with students.
Instructure acknowledged a data breach earlier this week, after the cybercrime group ShinyHunters claimed responsibility and said they would leak data on tens of millions of students and faculty unless paid a ransom. The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12.
In a statement on May 6, Instructure said the investigation so far shows the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as as messages among users.” The company said it found no evidence the breached data included more sensitive information, such as passwords, dates of birth, government identifiers or financial information.
The May 6 update stated that Canvas was fully operational, and that Instructure was not seeing any ongoing unauthorized activity on their platform. “At this stage, we believe the incident has been contained,” Instructure wrote.
However, by mid-day on Thursday, May 7, students and faculty at dozens of schools and universities were flooding social media sites with comments saying that a ransom demand from ShinyHunters had replaced the usual Canvas login page. Instructure responded by pulling Canvas offline and replacing the portal with the message, “Canvas is currently undergoing scheduled maintenance. Check back soon.”
“We anticipate being up soon, and will provide updates as soon as possible,” reads the current message on Instructure’s status page.
While the data stolen by ShinyHunters may or may not contain particularly sensitive information (ShinyHunters claims it includes several billion private messages among students and teachers, as well as names, phone numbers and email addresses), this attack could hardly have come at a worse time for Instructure: Many of the affected schools and universities are in the middle of final exams, and a prolonged outage could be highly damaging for the company.
The extortion message that greeted countless Canvas users today advised the affected schools to negotiate their own ransom payments to prevent the publication of their data — regardless of whether Instructure decides to pay.
“ShinyHunters has breached Instructure (again),” the extortion message read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.'”
A source close to the investigation who was not authorized to speak to the press told KrebsOnSecurity that a number of universities have already approached the cybercrime group about paying. The same source also pointed out that the ShinyHunters data leak blog no longer lists Instructure among its current extortion victims, and that the samples of data stolen from Canvas customers were removed as well. Data extortion groups like ShinyHunters will typically only remove victims from their leak sites after receiving an extortion payment or after a victim agrees to negotiate.
Dipan Mann, founder and CEO of the security firm Cloudskope, slammed Instructure for referring to today’s outage as a “scheduled maintenance” event on its status page. Mann said Shiny Hunters first demonstrated they’d breached Instructure on May 1, prompting Instructure’s Chief Information Security Officer Steve Proud to declare the following day that the incident had been contained. But Mann said today’s attack is at least the third time in the past eight months that Instructure has been breached by ShinyHunters.
In a blog post today, Mann noted that in September 2025, ShinyHunters released thousands of internal University of Pennsylvania files — donor records, internal memos, and other confidential materials — through what the Daily Pennsylvanian and other outlets later determined was, in part, a Canvas/Instructure-mediated access path.
“Penn was the named victim,” Mann wrote. “Instructure was the mechanism. The incident was treated as a Penn-specific story by most of the national press and quietly handled by Instructure as a customer-specific matter. That framing was wrong then. It is dramatically more wrong in light of the May 2026 events, which now look like the planned escalation of an attack pattern that ShinyHunters had been working against Instructure’s environment for at least eight months prior. The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the production run. The May 7, 2026 recompromise was ShinyHunters demonstrating publicly that the May 2 ‘containment’ did not happen.”
In February, a ShinyHunters spokesperson told The Daily Pennsylvanian that Penn failed to pay a $1 million ransom demand. On March 5, ShinyHunters published 461 megabytes worth of data stolen from Penn, including thousands of files such as donor records and internal memos.
ShinyHunters is a prolific and fluid cybercriminal group that specializes in data theft and extortion. They typically gain access to companies through voice phishing and social engineering attacks that often involve impersonating IT personnel or other trusted members of a targeted organization.
Last month, ShinyHunters relieved the home security giant ADT of personal information on 5.5 million customers. The extortion group told BleepingComputer they breached the company by compromising an employee’s Okta single sign-on account in a voice phishing attack that enabled access to ADT’s Salesforce instance. BleepingComputer says ShinyHunters recently has taken credit for a number of extortion attacks against high-profile organizations, including Medtronic, Rockstar Games, McGraw Hill, 7-Eleven and the cruise line operator Carnival.
The attack on Canvas customers is just one of several major cybercrime campaigns being launched by ShinyHunters at the moment, said Charles Carmakal, chief technology officer at the Google-owned Mandiant Consulting. Carmakal declined to comment specifically on the Canvas breach, but said “there are multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now.”
Cloudskope’s Mann said what happens next depends largely on whether Instructure’s customers — the universities, K-12 districts, and education ministries paying for Canvas — choose to apply pressure or absorb the breach quietly.
“The history of education-vendor incidents suggests the path of least resistance is the second one,” he concluded.
Update, May 8, 11:05 a.m. ET: Instructure has published an incident update page that includes more information about the breach. Instructure said its Canvas portal is functioning normally again, and that the hackers exploited an issue related to Free-for-Teacher accounts.
“This is the same issue that led to the unauthorized access the prior week,” Instructure wrote. “As a result, we have made the difficult decision to temporarily shut down Free-for-Teacher accounts. These accounts have been a core part of our platform, and we’re committed to resolving the issues with these accounts.”
Instructure said affected organizations were notified on May 6.
“If your organization is affected, Instructure will contact your organization’s primary contacts directly,” the update states. “Please don’t rely on third-party lists or social media posts naming potentially affected organizations as those lists aren’t verified. Instructure will confirm validated information through direct outreach to all affected organizations.”
These hackers have no honor. They have brought shame to both their families and their ancestors. Their parents should be embarrassed by them.
To be entirely honest, what they just accomplished is groundbreaking. Horrible for sure, but for a system that literally robs their students- what a HUGE pull of attention to a system that needs to be scrutinized. Hopefully the schools do the right thing by their students, and pay the hackers. They do nothing but generate money and put students in to massive amounts of debt just for information that can be self taught, but not looked at because it wasn’t “Credited” by a university…
You’re going to get your wish and see a wave of universities closing across the country, because critical thought is just too dangerous and anyway it can all be self-taught with Youtube videos.
Get me out of this stupid fucking country.
“Hopefully the schools do the right thing by their students, and pay the hackers”…is a horrible way to deal with this. You really think by paying the ransom they are actually going to honor what they say? There are actual laws in some states that bar against paying cyber ransoms. If a cyber criminal is good at their job, which it seems to be for this one, they are quite good at it, they are going to make copies/backups as SOON as they get the data they are after. They will just take the money and sell the data to the blackmarket. Sometimes you just have to cut your losses and rebuild stronger.
You might be responding to a SH affiliate performing their duties as “Public Relations content creator”…
honor? shame? embarressed ancestors?
dude, are you living in the 17th century???
lol
Spoken like a true Klingon!
It is entirely IN STRUCTURES FAULT. THEY WARNED THEM MULTIPLE TIMES. INSTRUCTOR IGNORED THEIR WARNINGS FOR BUG FIXING.
Yet take a computer away from these turds and what are they? Small insignificant manchildren. They have no life skills and owe their parents so much for babying them and letting them learn the ability to… be a criminal? Seriously, is that it?
Idiots can’t go after places that matter, so they go after education…? Which is already poorly funded as is, mind you…
I pray to all deities known to man and hope that just a little karmic justice will come to light. They should be considered cyberterrorists for this act alone.
Karmic justice would be awesome. But as someone else pointed out, the U.S. educational industrial complex is not poorly funded, at least not the larger universities. All the local colleges and below are usually strapped. But this whole thing is indeed big money, but we’ll have to see if Instructure takes the bait and coughs up some of its millions for this. I doubt even an ivy-league university will pay for Instructure’s lack of security or for its pride, wanting to act like the emperor still has clothes.
projection is strong with this one
Regarding “Canvas parent firm Instructure [NYSE:INST]”, Instructure was taken private in 2024. It is no longer a public company.
If it was bought by private equity you know exactly why it has gone to crap.
Given the current political climate in the U.S., my foremost concern is access to which classes students are taking, what pronouns they use, and the papers and discussion posts they are writing. I also see far too little attention to the fact that **they stole personal information about children** since Canvas is heavily used in K-12. We’ve got plenty of ways to protect ourselves against identity theft, but nobody’s talking about how to protect children who experiment with using “they/them” pronouns, or who wrote a term paper for or against gay marriage, abortion, or capitalism? Or adult scholars working on gender studies, black studies, Christianity, Islam, or the Israeli-Palestinian crisis? Those early papers (high school and college) tend to be very un-nuanced and “read” as more extreme than the person’s actual beliefs, and could even be an assignment or thought exercise in arguing the opposite of what they really believe. In the past, all of that would be inaccessible to the wider world. Making all of that public, especially right now, especially for children and young adults, is very concerning.
THAT’s your concern, out of EVERYTHING else that was stolen?! And you think THAT’s what the hackers, any hackers, are after?!
Your dismissive comment towards MYOB shows your privilege, Sara.
I am as concerned as MYOB is. The real sensitive information is anything that the US’s right-wing authoritarian regime is opposed to — like anyone not white, straight, cis, and the correct flavor of Christian — being tied to one’s name. The 20-somethin’ year-old Elon-fanboys with surely use AI to pour over the hacked data, build a list, and use it to harm dissenters.
they were after $ – nothing else, they could care less about politics, or religion, or other social issues
That’s not really the point, it’s not that the hackers are after that data, but if it becomes public, certain things might land you on certain lists, and you could become a political target regardless of what the hackers’ intentions are
Canvas does not have information about who is LGBTQ+. Nor do they have information about what color people are, who they believe in, etc. What you will find on Canvas is exams, discussion boards, reading materials, and grades.
And you don’t see how those are connected? Pretty dim bulb, ain’t you.
That is why redundancy is important, but most in Government have no idea what that is…….
“Canvas is currently undergoing scheduled ransomware negotiation. Check back soon”
Fixed it.
Even in Europe, in the Netherlands, all universities and colleges have been hacked.
” this attack could hardly have come at a worse time for Instructure: Many of the affected schools and universities are in the middle of final exams, and a prolonged outage could be highly damaging for the company.”
I don’t feel bad for the company, except any employee that was screaming about security and wasn’t listened to.
The week or two before, then finals week was always a very stressful time for me, so I feel for the students going through this hell. Plus the added burden of wondering what info on them is now floating around the Internet…
The company is private, not public: https://www.instructure.com/press-release/instructure-to-be-acquired-by-KKR. See also KKR: https://www.kkr.com/invest/portfolio?cfnode=instructure-holdings-inc-. This matters because it means the company is subject to different regulatory and enforcement rules.
Huh, they were taken private less than two years ago. I wonder what the new owners did with “unnecessary” spending on security?
Oof, it’s like Instructure took every piece of advice on handling this type of attack and threw it out the window. It doesn’t make me super confident that anything they’ve stated regarding breached information is accurate. Great that the colleges might be able to pay up, but the cash-strapped public school systems don’t have an extra few million hanging around to give away.
Those claims from Mann sure are something. Cybersecurity practices at Instructure did not appear to be immature: https://trust.instructure.com/.
I think it’s time to look at other platforms like blackboard instead of Canvas that might be more secure.
Blackboard had many functioning issues so our schools got rid of it a while ago.
Brian,
thank you for picking up the cover-up angle — most outlets are still
leading with the breach itself rather than the company’s response to it. A
few things from our reporting that may be useful to your readers:
The 21-minute gap between the “scheduled maintenance” cover (4:20 PM ET on
May 7) and the status page acknowledgment (4:41 PM) wasn’t accidental
architecture. status.instructure.com runs on Statuspage (Atlassian) —
infrastructure independent from canvas.instructure.com. Updating one does
not require updating the other. The maintenance message went up on the
surface where students were being actively redirected from a ransom screen.
The acknowledgment went up on a surface their IT teams would eventually
check. Two separate decisions, two separate surfaces, timing arbitraged
accordingly.
As of this comment, status.instructure.com still shows “No incidents
reported today” for May 7, and Canvas LMS is still flagged “Operational.”
Multiple universities are still publicly reporting the platform is down.
That delta is the story.
For anyone working on follow-up reporting: the question that surfaces the
next layer of accountability is what specific Instructure communications
school IT teams received between May 1 and May 7 — and whether they were
told the incident was “resolved” or “contained.” Several university
communications offices have already reproduced Instructure’s May 6
“resolved” language verbatim in messages to parents.
Thanks again, Brian. The reporting matters.
— Dipan Mann, Cloudskope
are you able to do anything in your life without using the clanker? you deserve to be automated out of your job
Are you one of those people that saves your own comments in a text document (not even bothering to fix your linefeeds when pasting them), thinking they are a gift to a future mankind, or like me and do not believe in saving your sent messages to people after weeks of no replies, Dipan?
Company has made a statement: https://www.instructure.com/incident_update
I work at a university, fortunately in the library and not on the education side. It was _not_ a good day for the students.
They say they’ve fixed the problem. If there’s no leak, can we assume they paid the ransom?
> “Penn was the named victim,” Mann wrote. “Instructure was the mechanism.
that’s like blaming the car manufacturer because you left it unlocked and someone stole your laptop from inside.
As a CISO myself, I do have to wonder why Salesforce is not a bit in the crosshairs with Canvas running on their platform!