Cybercrime group ShinyHunters has seized control ofCanvas login pagesat hundreds of universities, giving the platform's parent company until 12 May 2026 to pay up or risk seeing stolen data from tens of millions of students made public.

Canvas, the cloud-based learning management system operated by education technology company Instructure,serves more than 30 million active usersacross more than 8,000 institutions globally.

On 7 May 2026, students at universities including Harvard, Columbia, Princeton, Georgetown and the University of Pennsylvania opened their Canvas dashboards during finals week and found a ransom note in place of their coursework. Instructure had disclosed a separate breach just six days earlier, on 1 May, and told customers the situation was contained. ShinyHunters disagreed.

Instructure first disclosed a security incident on 1 May 2026, when Chief Information Security Officer Steve Proudposted a statement to the company's status pageconfirming that a 'criminal threat actor' had accessed user data. Proud said the breach involved 'certain identifying information,' specifically names, email addresses, student ID numbers and messages exchanged between users. He stated that there was 'no evidence that passwords, dates of birth, government identifiers, or financial information were involved.' By 6 May, Instructure declared the incident resolved.

ShinyHunters had other ideas. On 7 May, the group defaced Canvas login portals at roughly 330 institutions, injecting an HTML file that replaced the normal sign-in screen with an extortion message, according toTechCrunch, whose reporters directly viewed the defaced pages at three separate institutions.

Hacker group ShinyHunters hacked Canvas and held the website for ransom during finals weekThey claim over 9,000 schools were affected and 275 million users' data was compromisedpic.twitter.com/hXLzPWjnup

The message read: 'ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some "security patches."'

Instructure responded by taking Canvas offline globally, listing the platform as 'in maintenance mode' on its status page. The company did not respond to multiple press requests for comment. A member of ShinyHunters toldTechCrunchthat the 7 May defacement constituted a second, separate breach, distinct from the April attack, though the group declined to specify the vulnerability exploited.

ShinyHunters has alleged on its data leak site that the breach covers approximately 275 million records across 8,809 educational institutions, amounting to 3.65 terabytes of data, according tothreat intelligence published by cybersecurity firm Halcyon. TechCrunch, citing its own communication with the group, reported the figure as 231 million people. Neither figure has been independently verified. The affected institutions span the United States, United Kingdom, New Zealand, Australia, Sweden and the Netherlands.

At the University of Pennsylvania alone, ShinyHuntersclaimed to have accessed data on more than 306,000 users, including Canvas account records and internal messages between students and faculty. The Daily Pennsylvanian confirmed it had seen a sample of the stolen data provided by a ShinyHunters member. Penn's Chief Information Officer Joshua Beeman said in a statement to the newspaper that the university's information security team was 'collaborating with the affected vendor, industry professionals, and law enforcement to assess any potential impact.'

Source: International Business Times UK