Who are ShinyHunters? The 'Pay-or-Leak' Gang that Just Left the Canvas Hacked Platform Dark

Students and educators worldwide were met with a digital blackout this week after a notorious cybercriminal collective infiltrated a primary learning network. The group, known for its aggressive extortion tactics, claimed responsibility for the disruption just as critical academic deadlines approached.

As institutions scramble to secure their data, many are left wondering about the identity and motives of the shadowy organisation holding their school year hostage.

Thousands of users found themselves locked out ofCanvason Thursday as the site crashed, reportedly replaced by a haunting digital note from the ShinyHunters collective. According to live tracking data from Downdetector, the service disruption hit over 8,000 people during the peak of the outage.

Instructure's Canvas platform serves as a cloud-hosted learning hub where schools, universities, and companies can coordinate everything from fully remote courses to traditional classroom lessons.

how shiny hunters hacked canvas, made by@motion_sopic.twitter.com/gN2TlGyVWG

A wave of users took to social media to report the shutdown, with many convinced that a security breach had taken place. One student posted, 'Final exam just got canceled cuz canvas got hacked wtf. Can't tell if we are so up or so down,' alongside a screen grab of the suspicious alert they encountered.

The warning stated, 'SHINY HUNTERS rooting your systems since 19 ;) ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some "security patches."'

It's confirmed — ShinyHunters breached Instructure.The Canvas/Instructure breach is going to be one of the largest ed-tech compromises ever — 275M records across ~9,000 schools if the claims hold up.Worth a serious conversation about how much student and faculty data we've…https://t.co/JAZjKQSnE5pic.twitter.com/EWELK4EYLL

'A WARNING If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by 12 May 2026 before everything is leaked. Instructure still has until EOD 12 May 2026 to contact us.'

As the digital dust settles on the immediate outage, the focus shifts from the technical failure to the shadowy figures claiming responsibility for the strike.

Source: International Business Times UK