A criminal hacking group just breached the learning platform used by 30 million students and teachers worldwide. Here is everything you need to know, and what your school or organization should do right now.
On May 1, 2026, Instructure, the Salt Lake City-based company behind the Canvas learning management system, confirmed that a criminal threat actor had breached its systems. Two days later, the extortion group ShinyHunters posted an ultimatum on its dark-web leak site: "PAY OR LEAK." On May 8, the group escalated by replacing Canvas login pages at schools across the country with its own ransom message.
The attack hit during finals week for many universities and K-12 districts, compounding disruption for millions of students, teachers, and administrators who rely on Canvas daily for assignments, grades, course content, and private communications.
ShinyHunters is a financially motivated criminal extortion group that security analysts describe as a loose affiliation of young adults based primarily in the United States and the United Kingdom. The group has built a track record of targeting cloud-based platforms and SaaS companies, relying on stolen credentials, social engineering, and supply-chain compromises to gain access to large data stores.
This is not the group's first attack on education. Earlier in 2026, ShinyHunters claimed breaches of Infinite Campus, a widely used K-12 student information system, and the publisher McGraw-Hill.
In late 2025, the group directly targeted the University of Pennsylvania, Harvard University, and Princeton. Penn ultimately had its data leaked after refusing to pay a $1 million ransom. The group also claimed responsibility for the Ticketmaster breach at Live Nation.
Notably, this is Instructure's second confirmed ShinyHunters breach in approximately eight months. In September 2025, the same group exploited a social engineering attack against the company's Salesforce environment.
What Data Did ShinyHunters Steal?
Canvas serves as the primary channel where students disclose medical conditions, mental health concerns, and academic accommodation requests to advisers and instructors. Canvas is also a channel for confidential Title IX communications. The exposure of these messages goes far beyond typical credential theft and creates serious privacy and safety risks for vulnerable individuals.
ShinyHunters shared a list of 8,809 school districts, universities, and online education platforms with the security press. Affected institutions span North America, Europe, and parts of Asia and Oceania.
Named institutions include Harvard University, Stanford University, MIT, Oxford University, Cambridge University, UC Berkeley, the University of Pennsylvania, Duke University, Baylor University, the University of Chicago, San Francisco State University, and the entire California State University system. The Wake County Public School System and North Carolina's Department of Public Instruction, which brought Canvas to all K-12 schools statewide, also confirmed impact.
Canvas holds about 41% of the higher-education learning management system market in North America. The platform is also deeply embedded in K-12 systems nationwide, meaning the breach reaches from kindergartners to doctoral students.
Schools collect and store vast amounts of sensitive data: identity information, academic records, health disclosures, financial aid details, and years of private communications, etc. Many institutions run on tight IT budgets, rely heavily on third-party vendors, and face pressure to keep systems accessible, making them more likely to become victims.
ShinyHunters exploited the trust that schools place in large SaaS providers. Rather than attacking each institution individually, the group targeted the single platform that thousands of them share. One successful breach unlocked data from nearly 9,000 organizations at once. This supply-chain leverage is the defining cybersecurity threat facing the education sector today.
Our team at 4BIS covers this pattern in depth in our guide to proactive versus reactive cybersecurity risk assessments. Waiting for a vendor to notify you after a breach is reactive. Building visibility into your vendor ecosystem before an incident is the only effective defense.
If your institution uses Canvas, treat this as an active security event. Take these steps now:
For organizations that already have an internal IT team but need specialized security support, our co-managed cybersecurity services let your team stay in control while 4BIS provides threat monitoring, incident response expertise, and vendor risk oversight that this kind of supply-chain attack demands.
ShinyHunters has a documented history of following through on threats. When Penn refused to pay a $1 million ransom, the group released thousands of internal files including donor records and internal memos. The group now threatens to release "several billions of private messages among students and teachers" if Instructure does not respond by May 12. Security analysts note that the May 12 deadline suggests active negotiations may be underway, but no resolution is guaranteed.
Even if Instructure reaches a settlement, cybersecurity experts consistently warn that paying ransoms does not guarantee data deletion. Once a criminal group holds sensitive records, those records remain a liability.
If you suspect your organization's data appears in this breach, or if a related phishing attack is already hitting your users, our team responds to active incidents around the clock. Visit our rapid ransomware and breach recovery services page or use our 24/7 emergency line if you believe you are being attacked right now.
For schools and businesses that want to get ahead of the next attack rather than react to it, our comprehensive cybersecurity services include vendor risk management, user awareness training, and continuous monitoring that specifically guards against the social engineering and supply-chain tactics ShinyHunters relies on.
We offer managed IT support services that build the underlying hygiene, patching, and access control discipline that makes your organization a harder target in the first place.
The ShinyHunters Canvas breach shows that even large, trusted platforms can fail your users. Talk to the 4BIS team today about protecting your school, business, or institution.
Interested in hearing our COO's thoughts on the latest attack? Check out our YouTube chanel or podcast on Spotify.