Skip to main content

Cyber Attack on Schools: About Canvas (ShinyHunters) Attack

Cyber Attack on Schools: About Canvas (ShinyHunters) Attack

A criminal hacking group just breached the learning platform used by 30 million students and teachers worldwide. Here is everything you need to know, and what your school or organization should do right now.

Active Threat Alert

On May 1, 2026, Instructure, the Salt Lake City-based company behind the Canvas learning management system, confirmed that a criminal threat actor had breached its systems. Two days later, the extortion group ShinyHunters posted an ultimatum on its dark-web leak site: "PAY OR LEAK." On May 8, the group escalated by replacing Canvas login pages at schools across the country with its own ransom message.

The attack hit during finals week for many universities and K-12 districts, compounding disruption for millions of students, teachers, and administrators who rely on Canvas daily for assignments, grades, course content, and private communications.

Who Is ShinyHunters?

ShinyHunters is a financially motivated criminal extortion group that security analysts describe as a loose affiliation of young adults based primarily in the United States and the United Kingdom. The group has built a track record of targeting cloud-based platforms and SaaS companies, relying on stolen credentials, social engineering, and supply-chain compromises to gain access to large data stores.

This is not the group's first attack on education. Earlier in 2026, ShinyHunters claimed breaches of Infinite Campus, a widely used K-12 student information system, and the publisher McGraw-Hill.

In late 2025, the group directly targeted the University of Pennsylvania, Harvard University, and Princeton. Penn ultimately had its data leaked after refusing to pay a $1 million ransom. The group also claimed responsibility for the Ticketmaster breach at Live Nation.

How the Canvas Attack Unfolded

Notably, this is Instructure's second confirmed ShinyHunters breach in approximately eight months. In September 2025, the same group exploited a social engineering attack against the company's Salesforce environment.

What Data Did ShinyHunters Steal?

  • Full names of students, teachers, and staff
  • Email addresses, mostly institutional .edu accounts
  • Student ID numbers
  • Private Canvas messages, potentially billions of threads between students, teachers, and advisers

Canvas serves as the primary channel where students disclose medical conditions, mental health concerns, and academic accommodation requests to advisers and instructors. Canvas is also a channel for confidential Title IX communications. The exposure of these messages goes far beyond typical credential theft and creates serious privacy and safety risks for vulnerable individuals.

Which Schools and Institutions Are Affected?

ShinyHunters shared a list of 8,809 school districts, universities, and online education platforms with the security press. Affected institutions span North America, Europe, and parts of Asia and Oceania.

Named institutions include Harvard University, Stanford University, MIT, Oxford University, Cambridge University, UC Berkeley, the University of Pennsylvania, Duke University, Baylor University, the University of Chicago, San Francisco State University, and the entire California State University system. The Wake County Public School System and North Carolina's Department of Public Instruction, which brought Canvas to all K-12 schools statewide, also confirmed impact.

Canvas holds about 41% of the higher-education learning management system market in North America. The platform is also deeply embedded in K-12 systems nationwide, meaning the breach reaches from kindergartners to doctoral students.

This Attack Follows a Pattern: Why Education Is a Prime Target

Schools collect and store vast amounts of sensitive data: identity information, academic records, health disclosures, financial aid details, and years of private communications, etc. Many institutions run on tight IT budgets, rely heavily on third-party vendors, and face pressure to keep systems accessible, making them more likely to become victims.

ShinyHunters exploited the trust that schools place in large SaaS providers. Rather than attacking each institution individually, the group targeted the single platform that thousands of them share. One successful breach unlocked data from nearly 9,000 organizations at once. This supply-chain leverage is the defining cybersecurity threat facing the education sector today.

Our team at 4BIS covers this pattern in depth in our guide to proactive versus reactive cybersecurity risk assessments. Waiting for a vendor to notify you after a breach is reactive. Building visibility into your vendor ecosystem before an incident is the only effective defense.

Immediate Steps for Schools and Organizations Using Canvas

If your institution uses Canvas, treat this as an active security event. Take these steps now:

  • Rotate Canvas credentials immediately. Even though passwords appear uncompromised, reset them anyway. Require all users, including students, to change their passwords at next login.
  • Audit connected third-party applications. Instructure rotated API keys as part of its response. Any Canvas-connected integration your institution uses needs re-authorization. Review what has access to your Canvas environment and remove anything unnecessary.
  • Warn your community about targeted phishing. Attackers now hold real names, institutional emails, student IDs, and message context. They will craft phishing emails that reference real classes, real advisers, and real deadlines. Your staff and students need to know this before the attacks arrive.
  • Verify notifications before acting on them. Any email claiming to be from Canvas, Instructure, or your school's IT department about the breach should be verified by going directly to the official website, not by clicking a link in the message.
  • Engage a cybersecurity partner to assess your exposure. Your institution needs to know what data Instructure held on your behalf and what the downstream risk looks like for your specific community.

For organizations that already have an internal IT team but need specialized security support, our co-managed cybersecurity services let your team stay in control while 4BIS provides threat monitoring, incident response expertise, and vendor risk oversight that this kind of supply-chain attack demands.

What Happens If Instructure Does Not Pay?

ShinyHunters has a documented history of following through on threats. When Penn refused to pay a $1 million ransom, the group released thousands of internal files including donor records and internal memos. The group now threatens to release "several billions of private messages among students and teachers" if Instructure does not respond by May 12. Security analysts note that the May 12 deadline suggests active negotiations may be underway, but no resolution is guaranteed.

Even if Instructure reaches a settlement, cybersecurity experts consistently warn that paying ransoms does not guarantee data deletion. Once a criminal group holds sensitive records, those records remain a liability.

How 4BIS Helps Organizations Respond to Breaches Like This

If you suspect your organization's data appears in this breach, or if a related phishing attack is already hitting your users, our team responds to active incidents around the clock. Visit our rapid ransomware and breach recovery services page or use our 24/7 emergency line if you believe you are being attacked right now.

For schools and businesses that want to get ahead of the next attack rather than react to it, our comprehensive cybersecurity services include vendor risk management, user awareness training, and continuous monitoring that specifically guards against the social engineering and supply-chain tactics ShinyHunters relies on.

We offer managed IT support services that build the underlying hygiene, patching, and access control discipline that makes your organization a harder target in the first place.

Is Your Organization Protected Against the Next Attack?

The ShinyHunters Canvas breach shows that even large, trusted platforms can fail your users. Talk to the 4BIS team today about protecting your school, business, or institution.

Interested in hearing our COO's thoughts on the latest attack? Check out our YouTube chanel or podcast on Spotify.
Christina Teed
Christina Teed

Christina is a seasoned professional with over seventeen years of experience across multiple disciplines. She holds dual bachelor's degrees in English Education and Theatre, equipping her with a strong foundation in communication, storytelling, and audience engagement. Throughout her career, she has developed a diverse skill set that includes marketing strategy, program management, public speaking, leadership development, education, operations, project management, and cross-functional collaboration.

As the Marketing Manager at 4BIS Cyber Security and IT Services, Christina leads strategic marketing initiatives that drive brand awareness, community engagement, and business growth. Her journey with the company spans several roles, including helpdesk technician, dispatcher, administrative support, digital creator, and content developer. This unique progression gives her a deep understanding of both the technical and operational sides of the business, allowing her to translate complex cybersecurity concepts into clear, compelling messaging that resonates with decision-makers and the broader community.

Christina is known for blending creativity with strategy and for building marketing programs rooted in education, trust, and meaningful connection.

  • There are no suggestions because the search field is empty.
Sign Up For Our Newsletter

Enter your email to receive the latest news and to learn about interesting events.
`