Encoding laptop
Source: Canva

Cybercrime group ShinyHunters has seized control of Canvas login pages at hundreds of universities, giving the platform's parent company until 12 May 2026 to pay up or risk seeing stolen data from tens of millions of students made public.

Canvas, the cloud-based learning management system operated by education technology company Instructure, serves more than 30 million active users across more than 8,000 institutions globally.

On 7 May 2026, students at universities including Harvard, Columbia, Princeton, Georgetown and the University of Pennsylvania opened their Canvas dashboards during finals week and found a ransom note in place of their coursework. Instructure had disclosed a separate breach just six days earlier, on 1 May, and told customers the situation was contained. ShinyHunters disagreed.

ShinyHunters' Two-Stage Attack on Instructure

Instructure first disclosed a security incident on 1 May 2026, when Chief Information Security Officer Steve Proud posted a statement to the company's status page confirming that a 'criminal threat actor' had accessed user data. Proud said the breach involved 'certain identifying information,' specifically names, email addresses, student ID numbers and messages exchanged between users. He stated that there was 'no evidence that passwords, dates of birth, government identifiers, or financial information were involved.' By 6 May, Instructure declared the incident resolved.

ShinyHunters had other ideas. On 7 May, the group defaced Canvas login portals at roughly 330 institutions, injecting an HTML file that replaced the normal sign-in screen with an extortion message, according to TechCrunch, whose reporters directly viewed the defaced pages at three separate institutions.

The message read: 'ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some "security patches."'

Instructure responded by taking Canvas offline globally, listing the platform as 'in maintenance mode' on its status page. The company did not respond to multiple press requests for comment. A member of ShinyHunters told TechCrunch that the 7 May defacement constituted a second, separate breach, distinct from the April attack, though the group declined to specify the vulnerability exploited.

Scope of Data at Risk and 12 May Deadline

ShinyHunters has alleged on its data leak site that the breach covers approximately 275 million records across 8,809 educational institutions, amounting to 3.65 terabytes of data, according to threat intelligence published by cybersecurity firm Halcyon. TechCrunch, citing its own communication with the group, reported the figure as 231 million people. Neither figure has been independently verified. The affected institutions span the United States, United Kingdom, New Zealand, Australia, Sweden and the Netherlands.

Hacker
Global education was thrown into chaos this week after the notorious ShinyHunters group breached Instructure’s Canvas platform. Pexels

At the University of Pennsylvania alone, ShinyHunters claimed to have accessed data on more than 306,000 users, including Canvas account records and internal messages between students and faculty. The Daily Pennsylvanian confirmed it had seen a sample of the stolen data provided by a ShinyHunters member. Penn's Chief Information Officer Joshua Beeman said in a statement to the newspaper that the university's information security team was 'collaborating with the affected vendor, industry professionals, and law enforcement to assess any potential impact.'

The group has set 12 May 2026 as its deadline. 'Instructure still has until EOD 12 May 2026 to contact us,' the defacement message stated, as reported by CNN. 'Everything is leaked' if no contact is made. Halcyon's analysis notes that ShinyHunters operates an explicit 'pay or leak' extortion model and does not use ransomware encryption; its sole leverage is the threat of public data release. Crucially, Halcyon warns that paying a ransom carries no guarantee the group will not publish the data regardless.

Who ShinyHunters Are and Their Escalation Pattern

ShinyHunters is a financially motivated cybercrime group that first emerged publicly in January 2020, according to Halcyon's threat intelligence. The group operates a loosely decentralised structure with documented overlap with other known threat actors. Its methodology has evolved steadily: bulk consumer database theft in 2020 and 2021, large-scale cloud credential theft targeting Snowflake customers in 2024, AI-generated vishing calls and token-based access abuse against Salesforce environments in 2025, and now attacks against third-party integrators to reach downstream institutional victims in 2026.

The Canvas attack follows a pattern the group has used before: breach, publicise on a dark-web leak site, issue a deadline and escalate when ignored. When Instructure did not respond to the initial ransom demand after the late April breach, ShinyHunters moved to direct defacement of login pages across hundreds of institutions, a tactic designed to maximise public visibility and pressure. The group also notified TechCrunch directly of the defaced portals, a move security researchers say is intended to force institutional pressure on Instructure.

For students already deep in finals season, the practical disruption has been immediate. Anish Garimadi, a junior at the University of Pennsylvania, told CNN that being locked out of Canvas mid-revision caused 'fear and anxiety,' adding that 'the biggest cause of fear and anxiety in me is that I was deprived of significant resources to study.' He said his professors sent materials through alternative channels while Canvas remained offline.

Halcyon advises that all affected institutions should treat themselves as compromised regardless of the ransom outcome, and recommends rotating Canvas API keys, OAuth tokens and SSO credentials immediately. The firm also warns that the exfiltrated data provides enough personal context for targeted phishing campaigns impersonating school administrators, IT support teams, or financial aid offices.

With the 12 May deadline now two days away and Instructure yet to publicly acknowledge any negotiation, tens of millions of students, faculty and parents are waiting to find out whether their personal data becomes the next entry on ShinyHunters' public leak site.

Read more