Instructure Confirms Major Hack Affecting Canvas Users Across Thousands of Schools
Perhaps it is time to return to the Blue Book.
Instructure, the company behind the Canvas learning platform, has confirmed a major data breach linked to the hacking group ShinyHunters, exposing personal data from millions of students, teachers, and staff at thousands of schools and universities in the U.S. and abroad.
Canvas, a platform used by over 8,000 universities and K-12 schools for course websites, assignments and communication, shut down for several hours on Thursday. A hacking group claimed responsibility for a data breach affecting the company that owns the platform, jeopardizing the personal data of millions of students and teachers.
Instructure, which provides Canvas to about half of all colleges and universities in North America, said late Thursday in an alert posted on its website that the software was available for most users. But the company added that two separate services, Canvas Beta and Canvas Test, remained in maintenance mode.
Several prominent universities, including the University of Michigan and Harvard, alerted students earlier on Thursday that Canvas was unavailable. Across the country, students have been preparing for, or are already taking, their final exams.
Instructure, which did not immediately respond to a request for comment, said earlier that it was investigating why the software was unavailable.
So this has been happening so far all morning. My uni boys couldn’t submit assignments or log into Canvas today due to worldwide hack of their accounts. Basically all their personal data information passport student ID,
Passport info and bank account linked to uni have been… pic.twitter.com/Mx8g0ceHuf— Kayke (@Kayke777) May 8, 2026
The hack was discovered when a University of Washington student tried to log in to Canvas and was greeted by a message from the hacking group ShinyHunters, which claimed to have “breached” the platform’s parent company.
The note, reported by different student news outlets, demanded ransoms to prevent data leaks from the platform.
A student at the University of Pennsylvania said he was logged out of his Canvas account while studying for finals. Professors had to scramble to send class materials in other ways, the student said.
Universities across the country, including Columbia University, Rutgers, Princeton, Kent State, Harvard and Georgetown issued statements alerting students to the hack impacting institutions nationwide. School districts in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, Texas and Wisconsin also reported being affected.
ShinyHunters is a notorious black-hat cybercriminal hacking and extortion group that first emerged around 2019-2020 and has been responsible for hundreds of major data breaches affecting millions of users worldwide. The group operates primarily for financial gain, using a “pay or leak” extortion model: they demand ransom from breached organizations and release stolen data on dark web forums if payment is refused.
However, sometimes members of the criminal enterprise are caught.
The group operates under the leadership of a persona known as ShinyCorp – also referred to as sp1d3rhunters or shinyc0rp across Telegram channels. Google’s Threat Intelligence Group (GTIG) tracks ShinyHunters-attributed activity under multiple threat clusters: UNC6040, UNC6240, and UNC6661, which allows researchers to differentiate between specific campaigns and operational roles within the broader organization.
ShinyHunters has not operated without consequence. In May 2022, Sébastien Raoult – a French programmer tied to the group – was arrested in Morocco and extradited to the United States. In January 2024, he was sentenced to three years in prison and ordered to return five million dollars. In June 2025, French authorities arrested four additional suspected members linked to BreachForums administration.
Arrests have slowed the group temporarily, but have not stopped them. Operations continued through and after each law enforcement action.
I will simply note that this hack occurred during finals week for many schools. I may be revealing a bit too much about my age, but perhaps it is time to go back to The Blue Book for exams.
Fuck AI pic.twitter.com/9bJiSiyPB7
— Keith Orejel (@keithdorejel) May 6, 2026
The attack exposes a vulnerability that goes far beyond Instructure’s server architecture: American education, from K-12 to the Ivy League, has become dangerously consolidated onto a handful of corporate platforms, leaving millions of students and their personal data hostage to the security practices of vendors.
Though ShinyHunters has already felt the sting of law enforcement and is a known hacking group, history shows that arrests merely slow them; they don’t stop them.
Perhaps the real lesson here isn’t about cybersecurity at all; it’s about the hubris of an educational establishment that digitized everything and contingency-planned nothing.
Donations tax deductible
to the full extent allowed by law.
Comments
Make Houghton-Mifflin Great Again!
One of DW’s ranching buddies is the principal of a school for at-risk teens. His school got hit with a ransomware attack several days ago (doesn’t seem to be this one). They can’t even get into their own systems and are struggling over what to do.
It seems abundantly clear by now that the FBI is almost totally ineffective against cyber-threats, whether domestic or international.
Ugh it WAS this hack.
List of affected schools: http://91.215.85.103/pay_or_leak/instructure_affected_schools_list.txt
Funny thing. You can’t hack paper books
Especially my notebooks. I can’t even decipher my own handwriting.
You weren’t alone. I’ve been told that my penmanship alone could have gotten me a full ride scholarship to medical school.
Technology will save us.
We got notified for K-12.
It’s not the first time.
That a kindergartner would need access to an internet share file is a big warning sign.
The primary schools typically use the portions of the software that facilitate student record tracking. This hack is all about putting student ID data at risk, so it works on all the schools.
The government will continue to promote AI and simultaneously maintain a lackadaisical attitude to hacking even though it is greatly facilitated by AI.
It’s their business model.
Hacking is not facilitated by AI. I’m not sure where you got that from.
What’s facilitated by AI is tech illiterate humans that get scammed. It’s no longer a safe world for people to remain ignorant of both opportunities and fraud potential.
He got it from a well publicized exploit of somewhere between six months and a year or so, when a black hat conned an AI into helping him execute an intrusion. It was reported here.
Over the past two weeks, I have been swamped with a tsunami of scam emails “from” (Tractor Supply, Marriott, Delta, Lowes, HD, Walmart, Ace, Harbor Freight, Cheesecake Factory, AAA…) offering me (free merch, raffle prizes, cheap sheets/towels, $100, “points”…) for chasing their links. They come from different servers all over the globe (“Tase Our Menu!”), and are impossible to characterize for spam-filtering purposes.
You know what would be 100x better at filtering this crap by “intent?” AI. Good luck finding that solution. But stuff like this, AI is all over THAT.