The Canvas learning management system, the platform used by millions of students worldwide to access course materials, submit assignments and communicate with professors, was hit by a hacking group during the worst possible week of the academic calendar.
The group ShinyHunters targeted Instructure, the company that owns Canvas, and has now claimed access to data from approximately 8,809 educational institutions and up to 275 million individuals, demanding ransoms and threatening to release everything if not paid.
Students at the University of Washington, Columbia University, Harvard, UC Berkeley and dozens of other universities discovered the breach the hard way on Thursday, by trying to log into Canvas during finals week and being met with a message from the hackers themselves rather than their course materials.
Instructure had disclosed the initial breach on May 1 and claimed it was contained by May 2. The events of Thursday suggest otherwise.
What Is ShinyHunters?
ShinyHunters is, according to Luke Connolly, a threat analyst at the cybersecurity firm Emisoft, a loose affiliation of teenagers and young adults based in the United States and the United Kingdom.
They are not a nation-state actor and not a sophisticated criminal organization in the traditional sense.
They are, however, effective, the same group was previously tied to the Ticketmaster breach that compromised the personal data of millions of Live Nation customers.
Instructure acknowledged in a May 1 disclosure that the company was investigating a cybersecurity incident.
By May 2, the company said it had been contained. It had not. On May 3, ShinyHunters posted a ransom note to Ransomware.live, the dark web monitoring site that tracks ransomware groups, claiming they had breached 275 million individuals’ data and had access to “several billions of private messages” exchanged on the Canvas platform.
They gave Instructure a deadline of May 6 to reach out and negotiate.
In the note, ShinyHunters explained why they were being more aggressive this time around: “Instead of contacting us to resolve it they ignored us and did some ‘security patches.'”
This was, they claimed, their second breach of Instructure. The first time, the company patched rather than engaging. The second time, they escalated.
When the May 6 deadline passed without Instructure publicly engaging, ShinyHunters escalated further.
On Thursday May 7, students attempting to log into Canvas at multiple universities were greeted not by their course materials but by a message from the hackers displayed directly on the login page. Harvard’s Canvas site went down entirely Thursday afternoon.
UC Berkeley’s bCourses, the university’s Canvas instance, displayed the group’s message to students attempting to access their 43,000-student platform.
A University of Washington student obtained a screenshot of the message and shared it with campus media.
ShinyHunters published a full list of approximately 8,809 educational institutions they claim were affected.
The list has been reviewed by cybersecurity researchers at Cybernews and confirmed to include Harvard, MIT, Princeton, Columbia, Rutgers, Georgetown, Kent State, Oxford, Duke and UC Berkeley among thousands of others. Corporate entities including Amazon, Apple and Cisco also appear on the list, suggesting those companies used Canvas for employee training programs.
The most represented countries are the United States, followed by Australia, the United Kingdom and Sweden.
Schools now have until May 12, 2026 to pay a ransom or negotiate a settlement. Connolly noted that the extended deadline suggests extortion negotiations may already be underway with some institutions.
What Data Was Exposed?
Instructure has confirmed specific categories of data that were accessed. Names, email addresses and student ID numbers were exposed across affected institutions.
Communications among users, messages between students and professors, class discussions, direct messages, were also accessed.
Instructure Chief Information Security Officer Steve Proud confirmed the team revoked privileged credentials and access tokens associated with the incident.
What Instructure says was not exposed: passwords, dates of birth and government identifiers such as Social Security numbers.
Duke University’s chief information security officer Nick Tripp confirmed to WRAL News that Instructure had indicated there was no evidence those more sensitive categories were breached.
The absence of passwords and government identifiers is meaningful. It does not mean this breach is harmless.
The combination of names, email addresses, student ID numbers and private messages creates what cybersecurity professionals call a phishing goldmine.
A bad actor who has your name, your email address, your student ID number and knowledge of conversations you have had on Canvas knows enough to construct an extremely convincing phishing email, something that looks exactly like an official Canvas notification because it contains details that only someone with Canvas access would know.
The risk is not the data itself sitting in a database. The risk is how that data will be used to trick people into handing over their passwords voluntarily.
Schools And Districts That Have Confirmed Being Affected
Universities that have issued statements confirming impact include Columbia University, Rutgers, Princeton, Kent State, Harvard and Georgetown in a wave of communications Thursday.
UC Berkeley confirmed 600,000 records potentially at risk. Duke confirmed its listing in the breach. The University of Pennsylvania reported students being logged out mid-session.
At the K-12 level, school districts across California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia and Wisconsin have all reported being affected.
Canvas has been the standard learning management platform for all North Carolina public K-12 schools since 2015, meaning every student and teacher who has used that system in the past eleven years may have data exposed.
Durham Public Schools in North Carolina told parents it believes personal data could have been accessed including names, email addresses and student ID numbers for staff, student and parent accounts.
The Wake County Public School System confirmed that students in the district received the hackers’ ransom message directly.
Internationally, institutions in the United Kingdom, Australia, New Zealand, Sweden and the Netherlands have all reported disruptions or potential exposure of user information.
The full scope of affected institutions has not been independently verified by third parties. ShinyHunters’ claimed scale of 275 million individuals has not been confirmed by Instructure.
Cybernews, based on the published list of institution names and their enrollment data, estimates at least 47.4 million students could be affected, a number smaller than ShinyHunters’ claim but still one of the largest education data breaches in history.
What Students And Parents Should Do Right Now
The most immediate and important action is to be extremely skeptical of any email that appears to come from Canvas, Instructure, your university IT department or any educational platform between now and whenever this situation is formally resolved.
Phishing is the downstream risk from a breach of this type. The template is predictable: you will receive an email that says your Canvas account has been compromised and you need to click a link to verify your credentials, or that your assignment submission failed and you need to resubmit, or that your Canvas access requires a security reset.
The email will look legitimate because it will contain your name, your student ID and possibly references to actual communications you have had on the platform. It is not legitimate. Do not click the link.
Change your Canvas password regardless of Instructure’s assurance that passwords were not exposed, it is a free action that costs you thirty seconds and eliminates one category of risk.
If you use the same password for Canvas and any other service, change that password on the other service immediately.
Monitor your institutional email for official communications from your university’s IT security office.
Most affected institutions are in the process of sending notifications to students and faculty as their own assessments of the breach scope are completed.
Parents of K-12 students should check their district’s official communications channels for specific guidance, as the exposure of student data at the elementary and secondary school level carries different legal implications than university-level breaches.
Why Schools Keep Getting Hacked
This is the second major education platform breach in less than a year. In December 2024, PowerSchool, a company that stores data for more than 60 million students across 18,000 school district customers, was breached by a single threat actor who was subsequently paid a ransom.
PowerSchool’s security team watched a video of the hacker deleting the data. Cybersecurity analysts warned at the time that more education sector attacks would follow.
The pattern reflects something specific about educational institutions as targets.
Schools store enormous quantities of personal data, for students, parents, faculty and staff, across systems that are often not as well-resourced for cybersecurity as corporate targets.
That combination of valuable data and limited security investment makes education a preferred sector for ransomware groups who need a target that is likely to pay.
ShinyHunters’ decision to time the escalation of the Canvas breach to finals week is not accidental.
The operational disruption of taking Canvas offline during finals creates maximum pressure on institutions to pay quickly, administrators dealing with student panic about inaccessible materials and final exam submissions are in a poor position to calmly evaluate whether paying a ransom is the right decision.
The May 12 deadline is the next pressure point. Whether Instructure or individual institutions engage with ShinyHunters’ demands, and what happens when that deadline passes, will determine how much of the claimed data actually becomes public.
