Canvas Hack: ShinyHunters Holds 275M Student Records Hostage

Canvas went dark on Thursday afternoon, and a chunk of American higher education went dark with it. Around 3:30 p.m. Eastern on May 7, the learning management system used by roughly 8,000 institutions began redirecting students to a ransom note from the cybercrime crew ShinyHunters, which claims it has stolen records on 275 million users from nearly 9,000 schools. By 4:20 p.m., the page had been swapped for a bland “scheduled maintenance” notice. Finals week had already started.

The hackers gave Instructure, Canvas’s parent company, until end of day on May 12 to pay. Otherwise, they say, the data leaks. Universities from Harvard to UC Berkeley to the University of Pennsylvania spent Thursday night drafting emergency exam policies they did not expect to need.

What Actually Happened on May 7

The intrusion itself isn’t new. Instructure first confirmed a Canvas Data 2 and Canvas Beta compromise on May 1, after attackers exploited a vulnerability that gave them access on April 30. ShinyHunters said publicly it had been in talks with the company. Instructure pushed security patches. The hackers say those patches were the trigger for Thursday’s escalation.

Their on-site message was blunt. “ShinyHunters has breached Instructure (again),” it read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.’” The note pointed schools to a Tox messaging address and told institutions to hire a cyber-advisory firm if they wanted to negotiate before the May 12 deadline.

Instructure has not confirmed whether Canvas went down because the attackers knocked it offline or because the company pulled the plug as a precaution. Both readings circulated Thursday. Neither is good.

The Number Behind the Panic: 275 Million

ShinyHunters claims to hold records on 275 million Canvas users, drawn from a list of affected institutions Hackread reviewed and pegged at roughly 15,000 schools across the United States, the United Kingdom, and Europe. Instructure’s own marketing puts Canvas at 30 million-plus active users across more than 8,000 institutions, so the gap between the company’s active-user figure and the hackers’ claimed haul is essentially every account that ever existed.

The stolen records, according to the group, include names, email addresses, student ID numbers, courses enrolled, and what one threat actor described to the UC Berkeley student paper as “tons of private messages.” Instructure has said it sees no evidence that passwords or financial data were taken. That carve-out is real but limited. A roster of every course a student has ever enrolled in, paired with name and email, is a phishing dataset of unusual quality.

What Canvas Actually Holds

To grasp why the breach matters, look at what Canvas does. It is the gradebook, the syllabus, the discussion board, the submission portal, and the direct-message channel between students, teaching assistants, and professors. It sits on roughly half of all North American higher-education enrollment, by Phil Hill & Associates’ year-end 2024 LMS analysis, with D2L Brightspace at 20%, Anthology Blackboard at 12%, and Moodle at 9%.

That share is what makes Canvas a single point of failure. When the gradebook goes offline, classes don’t just slow down. They stop.

The Schools Already on the List

The list of confirmed affected institutions reads like a US News ranking. Harvard’s Canvas portal went dark Thursday afternoon, with the school confirming the connection in a statement to The Harvard Crimson’s coverage of the breach. The University of Pennsylvania, the University of Oklahoma, and Virginia Tech all reported outages.

The University of California system was hit hard. ShinyHunters claims more than 600,000 records from UC Berkeley alone, plus exposure across UCLA, UC Davis, UC Riverside, UC San Diego, UC Irvine, and UC Scout, the system’s high-school online-course arm.

K-12 districts were not spared. Hillsborough and Pinellas County schools in Florida confirmed compromised accounts in the Tampa Bay Times’s reporting on the Florida district leak. Anne Arundel County Public Schools in Maryland shut down Canvas access entirely and told families not to attempt logins, fearing credential capture.

  • UC Berkeley: 600,000-plus student and staff records claimed stolen
  • Harvard: Canvas access cut Thursday afternoon, listed by attackers
  • UPenn, Virginia Tech, University of Oklahoma: Confirmed outages
  • Hillsborough and Pinellas County, Florida: K-12 student and staff accounts compromised
  • Anne Arundel County, Maryland: Canvas access disabled district-wide

Finals Week Was the Whole Point

The timing is not accidental. Spring final exams at most US universities run May 8 through May 13, the same week the hackers set as their ransom deadline. Pressure on Instructure peaks when the cost of a multi-day outage is measured in rescheduled exams and incomplete grades, not in vague “business impact.”

Several universities have already moved exams. One school’s status page, cited in CNN’s reporting on the finals-week disruption, pushed Friday May 8 finals to Sunday May 10. Others are running paper exams, accepting emailed PDFs, or extending deadlines into the following week. Faculty are improvising grade weights for assignments students can’t submit.

“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’ If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately.”

That message, posted to the hijacked Canvas page Thursday afternoon, is the leverage. The schools, not Instructure, are the targets of the squeeze.

Who ShinyHunters Are, and Why They Keep Winning

ShinyHunters is not a lone hacker or a ransomware gang in the traditional sense. Luke Connolly, a threat analyst at the cybersecurity firm Emsisoft, described the group as a loose affiliation of teenagers and young adults based in the United States and the United Kingdom. “They’ve been tied to attacks on Live Nation’s Ticketmaster subsidiary and a string of major retail and enterprise breaches,” Connolly told reporters covering the Canvas incident.

The group spent most of 2025 punching above its weight. Working alongside Scattered Spider and Lapsus$, they ran a voice-phishing campaign Google’s Threat Intelligence Group tracked as UNC6040 in its Salesforce intrusion analysis, hitting Google, Cisco, Adidas, Qantas, Allianz, TransUnion, Workday, Pandora, Chanel, Dior, Louis Vuitton, and Tiffany & Co.

The Salesforce Playbook

That campaign confirmed the group’s core method: don’t break the platform, break the people. Attackers called employees pretending to be IT support, walked them through installing a tampered version of Salesforce’s Data Loader tool, and used OAuth tokens to drain customer data from inside legitimate sessions. Salesforce itself was never compromised. Its customers were.

By October 2025, the group claimed nearly a billion Salesforce records and listed 39 victim companies on a leak site before the FBI seized its BreachForums domain. By February 2026, Google’s analysts called it a “significant expansion and escalation,” with around 700 companies hit. Canvas is the next big name.

The Vimeo Connection

Hours before the Canvas outage cascaded, ShinyHunters claimed a parallel breach at Vimeo. The mechanics are different and worth pausing on. According to the same hackread.com reporting, Vimeo wasn’t attacked directly. The attackers compromised Anodot, a third-party analytics partner, stole authentication tokens, and used those tokens to log into Vimeo’s cloud data on Snowflake and BigQuery as if they were Vimeo itself.

That’s a supply-chain attack. The smaller vendor becomes the door. It’s the same shape as the Salesloft Drift breach in August 2025, which exposed 760 customer Salesforce instances through stolen OAuth tokens, and the Gainsight integration compromise in November.

  1. April 30, 2026: Attackers exploit a vulnerability and gain access to Instructure systems
  2. May 1, 2026: Instructure confirms compromise; Canvas Data 2 and Canvas Beta partially shut down
  3. Early May: Instructure deploys security patches; ShinyHunters says it was ignored
  4. May 7, 3:30 p.m.: Canvas redirects to ShinyHunters ransom message
  5. May 7, 4:20 p.m.: Page replaced with “scheduled maintenance” notice
  6. May 12, end of day: Hackers’ deadline for Instructure and listed schools to negotiate

What Students and Staff Should Do Right Now

Instructure’s guidance, echoed by the affected universities, is narrower than students would like. Change Canvas passwords once the platform is verified back online. Enable multifactor authentication if it isn’t already on. Watch for phishing emails referencing specific courses, professors, or recent assignments – those details are exactly what ShinyHunters claims to hold.

Berkeley’s communications team specifically warned students against logging in to bCourses, the campus’s Canvas instance, until the university gives the all-clear. The concern is that the current outage page or any redirected login flow could be a credential-harvesting trap layered on top of the original breach.

What This Says About the LMS Monoculture

Higher education built itself around four LMS vendors over fifteen years, and Canvas now carries about half of North American enrollment by Phil Hill’s count. That concentration delivered real benefits: shared training, integrations, transferability between schools. It also means a single vendor’s bad week becomes everyone’s bad week.

Instructure’s first-quarter 2023 revenue filing showed the company growing to $128.8 million as Canvas continued taking share from Blackboard. The pitch to procurement teams was always reliability and scale. The Thursday outage doesn’t undo that pitch, but it stress-tests it for the first time at full load during the worst possible week of the academic year.

Frequently Asked Questions

Is my Canvas password compromised?

Probably not, but treat it as if it were. Instructure says it has found no evidence that passwords or financial information were stolen. The hackers haven’t claimed passwords either. Still, change your Canvas password once the platform is verified back online, turn on multifactor authentication, and change the same password anywhere else you reused it. Reused passwords are how a name-and-email breach turns into account takeovers two weeks later.

Will my final exam still happen if Canvas is down?

Yes, in most cases, but the format may change. Many schools have already moved exams to paper, email submission, or rescheduled dates. Check your university’s official status page and your professor’s direct email, not Canvas, for instructions. If your school hasn’t communicated by May 8, contact your registrar or dean of students office directly. Don’t assume an exam is canceled just because the gradebook is offline.

What data did ShinyHunters actually steal?

According to the group, the stolen records include full names, email addresses, student ID numbers, lists of courses enrolled, and private Canvas messages between students, professors, and teaching assistants. Instructure says passwords and financial data appear safe. The private messages are the most sensitive piece, because they may contain academic accommodations, mental health disclosures, or personal exchanges users assumed were confidential.

Should I expect phishing emails?

Yes, and they will be unusually convincing. The attackers hold details like which professor teaches your section and what course code you’re in. Expect emails referencing real classes, real assignment names, and real deadlines. Verify any email asking you to click a link or reset a password by going directly to your university portal in a new browser tab. Forward suspicious messages to your campus IT security team rather than replying.

Is my child’s K-12 Canvas account affected?

Possibly, depending on the district. Hillsborough and Pinellas County in Florida and Anne Arundel County in Maryland have publicly confirmed compromised accounts. Other districts may be on the leaked list without having communicated yet. Contact your district’s IT or superintendent’s office for confirmation. If your district uses Canvas and hasn’t said anything by Friday, that silence is itself a question worth asking in writing.

Whether Instructure pays, negotiates, or rides out the May 12 deadline will shape how every other LMS vendor handles the next breach. The schools listed by ShinyHunters don’t get to wait for that decision. They have exams to grade and parents to answer to, starting Friday morning.

Disclaimer: This article reports on a publicly disclosed cybersecurity incident and recommended user precautions. The information provided is for general awareness and does not replace formal incident response or institutional guidance. Affected students, staff, and IT administrators should consult their school’s official communications and security operations team for environment-specific instructions. Details cited reflect public reporting accurate as of publication on May 8, 2026, and may change as Instructure and law enforcement release further information.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy-focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no-nonsense tech news and reviews based on real hands-on testing. He has personally tested and reviewed dozens of mid-range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
