Students logging into Canvas on Thursday found a ransom note where their assignments should have been. The hacking group ShinyHunters had replaced login portals at roughly 330 colleges and universities with an extortion message: pay by May 12, or watch the data of 275 million students, teachers, and staff go public.

Instructure, the company behind the learning management system used by nearly 9,000 institutions worldwide, pulled Canvas offline entirely. Its status page offered a terse update: maintenance mode, more information soon.

What Was Taken

ShinyHunters claims to have exfiltrated 3.65 terabytes of data — user records, private messages, enrollment information, and other material gathered through Canvas data export features and APIs, according to BleepingComputer. Instructure CISO Steve Proud said preliminary indications suggest the compromised data includes names, email addresses, student ID numbers, and messages between users.

The company said it found no evidence that passwords, dates of birth, government identifiers, or financial information were taken.

TechCrunch reviewed sample data from two US schools provided by ShinyHunters, confirming it contained names, email addresses, phone numbers, and teacher-student messages. The threat actor told the outlet the archive holds 231 million unique email addresses — a plausible, deduplicated count for a platform where students often hold multiple accounts.

A Familiar Adversary

ShinyHunters is no newcomer. Active since 2018, the group has claimed responsibility for breaches at Ticketmaster, AT&T, Rockstar Games, ADT, and Vercel. This year, the threat actors operating under that banner have become “among the most prolific groups conducting data theft and extortion attacks against companies worldwide,” BleepingComputer reported.

Their methods are consistent: compromise third-party integration platforms, steal authentication tokens, and pivot into connected SaaS environments. The group also conducts voice phishing attacks — impersonating IT support to extract credentials and multi-factor authentication codes from employees.

This is ShinyHunters’ second breach of Instructure. The defacement message was explicit: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’”

Global Fallout

The damage extends well beyond the US. In Australia, state schools in Queensland and Tasmania, TAFE vocational institutions, and universities across New South Wales and South Australia confirmed impact. Queensland education minister John-Paul Langbroek said tens of thousands of students and teachers dating back to 2020 could be affected. Priority support was being offered to families known to child safety authorities or with histories of domestic violence.

Australia’s national cyber security coordinator Michelle McGuinness said her team was working to determine what local data was caught in the breach. Multiple universities — Melbourne, Flinders, Newcastle, Technology Sydney, Western Sydney, and Sydney — issued public acknowledgments.

In the US, Wayzata Public Schools in Minnesota became one of the first districts to formally notify parents. Class action investigations opened within 72 hours of the breach disclosure.

The Soft Target

The Canvas breach follows a devastating pattern. PowerSchool was hit in early 2025, exposing roughly 62 million student records. Infinite Campus followed in March 2026, affecting 11 million. Now Canvas, at a claimed 275 million records, dwarfs them both.

The structural problem is procurement. School districts and universities have spent a decade outsourcing data infrastructure to a handful of SaaS vendors — Canvas, Infinite Campus, PowerSchool, Blackboard — that collectively hold records on something close to every American student. Contracts cap vendor liability at whatever the district paid that year. Nobody is running security audits rigorous enough to catch a sophisticated phishing operation.

Luke Irwin, a cybersecurity consultant in Brisbane, told ABC News the breach is especially concerning for younger students. “This is the first time many of these students and adolescents will have had their data compromised in this way,” he said. “At this point the value of that data isn’t going to be incredibly high, because they don’t have credit cards, they don’t have car loans, they don’t have drivers licences. But it is a starting point.”

Children’s identities are prime targets for long-running fraud precisely because nobody monitors their credit for years. If ShinyHunters publishes the full archive on May 12, the data will be weaponized fast — first by researchers, then by criminals crafting phishing emails so personalized they’re nearly indistinguishable from legitimate school communications.

Instructure has not publicly addressed the ransom. Spokesperson Kate Holmes declined to answer TechCrunch’s questions on May 5, pointing reporters to the status page. The clock runs out May 12.
