Pull to refresh
Logo
Daily Brief
Following Why Ranks Sign Up
ShinyHunters extortion targets Instructure Canvas

ShinyHunters extortion targets Instructure Canvas

Force in Play

Extortion group claims theft of student and staff records from thousands of schools worldwide

4 days ago: Ransom deadline

Overview

Canvas is the homework portal and gradebook for millions of students. On May 7, 2026, during finals week, students at dozens of universities logged in and found a ransom note instead of their coursework. ShinyHunters, a criminal extortion group, claims it stole records on roughly 275 million students, teachers, and staff from about 8,809 schools. James Madison University moved Friday exams to May 13. The University of Illinois suspended final exams and assignments. Instructure, the company that runs Canvas, restored access by May 8 and confirmed it notified the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

ShinyHunters gave Instructure until May 12 to pay or have 3.65 terabytes of stolen data published. Instructure has confirmed that names, email addresses, and student ID numbers were taken but disputes the 275-million figure. If the deadline passes without a deal, phishing campaigns using real student names, IDs, and teacher-student messages could start hitting families within days of the data going public.

Why it matters

If the leak goes ahead, scammers gain a verified list of who attends which school, useful for personalized phishing of students and parents.

Play on this story Voices Debate Predict

Key Indicators

275M
Records claimed stolen
ShinyHunters' figure for affected students, teachers, and staff. Instructure disputes the scope.
8,809
Institutions on leak list
School districts, universities, and online education platforms named by the attackers.
3.65 TB
Data volume claimed
Size of records, messages, and enrollment data the group says it pulled from Canvas.
May 12
Ransom deadline
Date set by ShinyHunters for Instructure to pay or have stolen data published.
8 of 8
Ivy League schools listed
Every Ivy appears on the leak list, alongside MIT, Oxford, Duke, and Penn.

Voices

Curated perspectives — historical figures and your fellow readers.

Ever wondered what historical figures would say about today's headlines?

Sign up to generate historical perspectives on this story.

Log in Sign Up

Play

Exploring all sides of a story is often best achieved with Play.

Log in to play. Track your picks, climb the leaderboards. Log in Sign Up
Predict 4 ways this could play out. Contrarian picks score more — points lock when the scenario resolves. Log in to play

People Involved

Steve Proud
Steve Proud
Leading Instructure's incident response and public communications

Organizations Involved

SH
ShinyHunters
Cybercriminal extortion group
Holding Instructure data for ransom; deadline May 12, 2026

A long-running data-theft and extortion crew known for stealing customer databases from cloud platforms and naming victims publicly to force payment.
Instructure
Instructure
Educational technology company
Canvas restored after outage; FBI and CISA notified; third-party forensics engaged; May 12 ransom deadline approaching

The Salt Lake City company behind Canvas, the dominant learning-management system in U.S. higher education and a large share of K-12.

Timeline

  1. Ransom deadline

    Deadline

    Date by which ShinyHunters has threatened to publish the full data trove if no settlement is reached.

  2. Canvas restored; Instructure confirms FBI and CISA notification

    Response

    Instructure brought Canvas back online after the May 7 outage, confirmed it had notified federal law enforcement including the FBI and CISA, and said it had engaged a third-party forensics firm to support the investigation.

  3. Finals disrupted at multiple universities as Canvas goes dark

    Impact

    James Madison University postponed Friday morning exams to Wednesday May 13. The University of Illinois suspended final exams and assignments. UMass Amherst, Rutgers, and dozens of other campuses reported students unable to access coursework or submit work during the outage.

  4. University of California system blocks Canvas access across all campuses

    Response

    The University of California's Office of the President directed all UC campuses to temporarily block or redirect Canvas while Instructure's investigation continued, affecting the entire ten-campus system.

  5. Login pages defaced, May 12 deadline set

    Escalation

    ShinyHunters injects ransom messages onto Canvas login pages at multiple schools and gives Instructure five days to settle.

  6. 8,809-institution leak list published

    Statement

    BleepingComputer obtains list of affected schools from the attackers, including all eight Ivies, MIT, Oxford, and 44 Dutch universities.

  7. ShinyHunters claims 275 million records

    Statement

    Group posts Instructure to its leak site, naming the company and claiming theft of 3.65 TB of student and staff data.

  8. Instructure discloses investigation

    Disclosure

    Company tells customers it is investigating a cybersecurity incident affecting Canvas data.

  9. Initial Canvas data exfiltration

    Attack

    Attackers pull data from Canvas using legitimate export features including DAP queries, provisioning reports, and user APIs.

  10. European Commission data leaked

    Background

    Group publishes 350 GB of internal European Commission communications and documents, raising its profile in Europe.

  11. ShinyHunters pivots to Salesforce Experience Cloud

    Background

    Begins scanning for misconfigured guest access on Salesforce Experience Cloud, eventually claiming roughly 400 corporate victims.

  12. ShinyHunters claims Santander breach

    Background

    Group claims theft of Santander staff and 30 million customer records, part of its broader Snowflake-tenant campaign.

Historical Context

MOVEit Transfer mass extortion (2023)

May–December 2023

What Happened

The Cl0p ransomware group exploited a zero-day in Progress Software's MOVEit file-transfer tool, stealing data from roughly 2,700 organizations and tens of millions of individuals, including state DMVs, U.S. federal agencies, and the BBC. Cl0p named victims on its leak site one by one and demanded payment within days.

Outcome

Short Term

Most victims refused to pay. Cl0p released stolen data in waves through late 2023, fueling years of identity-theft litigation.

Long Term

MOVEit became the reference case for vendor-driven mass breaches, pushing regulators and insurers to focus on third-party software supply chains.

Why It's Relevant Today

Like Instructure, Progress was a single vendor whose product sat inside thousands of customer environments, turning one bug into a sector-wide event. The Canvas incident is following the same pattern in education.

Snowflake customer data theft (2024)

April–July 2024

What Happened

ShinyHunters and an associate stole data from at least 165 Snowflake-tenant customers, including AT&T, Ticketmaster, Santander, and Advance Auto Parts. The attackers used stolen credentials, often pulled from earlier malware infections, against accounts that lacked multifactor authentication.

Outcome

Short Term

Several companies paid undisclosed settlements. AT&T data and Ticketmaster records appeared on leak forums. Snowflake made multifactor authentication mandatory.

Long Term

The campaign became a case study in shared-responsibility failure between cloud platforms and their customers, and cemented ShinyHunters as one of the most active extortion crews in the world.

Why It's Relevant Today

Same threat actor, same playbook: legitimate platform features used at scale to siphon customer data, followed by pay-or-leak deadlines. Canvas is the next chapter of an ongoing campaign rather than a one-off.

PowerSchool student-data breach (2024–2025)

December 2024 – January 2025

What Happened

Attackers used a single stolen support credential to access PowerSchool's student-information system and exfiltrated records on roughly 62 million students and 9.5 million teachers across U.S. and Canadian K-12 districts. Data included names, addresses, Social Security numbers in some districts, and medical notes.

Outcome

Short Term

PowerSchool reportedly paid an extortion demand. Data still surfaced months later as a separate actor began re-extorting individual school districts.

Long Term

Triggered state attorney-general investigations and class actions and put edtech vendors on notice that paying does not end the exposure.

Why It's Relevant Today

PowerSchool showed that paying an edtech extortion demand does not stop downstream re-extortion. That history will weigh on Instructure's decision before May 12.

Sources

(19)
+13
TechCrunch DataBreaches.net TechRepublic BleepingComputer Inside Higher Ed The Next Web The Harvard Crimson Times Higher Education Wikipedia CNN ABC10 ABC7 Chicago The Breeze (James Madison University) UCnet (University of California) WWLP WRAL Ciphers Security Malwarebytes New University (UC Irvine)