ShinyHunters extortion targets Instructure Canvas

Force in Play

Extortion group claims theft of student and staff records from thousands of schools worldwide

In 4 days: Ransom deadline

Overview

Canvas is the homework portal and gradebook for millions of students. On May 7, 2026, during finals week, students at dozens of universities logged in and found a ransom note instead of their coursework. ShinyHunters, a criminal extortion group, claims it stole records on roughly 275 million students, teachers, and staff from about 8,809 schools. James Madison University moved Friday exams to May 13. The University of Illinois suspended final exams and assignments. Instructure, the company that runs Canvas, restored access by May 8 and confirmed it notified the FBI and the Cybersecurity and Infrastructure Security Agency (CISA).

Why it matters

If the leak goes ahead, scammers gain a verified list of who attends which school, useful for personalized phishing of students and parents.

Key Indicators

275M: Records claimed stolen. ShinyHunters' figure for affected students, teachers, and staff. Instructure disputes the scope.

8,809: Institutions on leak list. School districts, universities, and online education platforms named by the attackers.

3.65 TB: Data volume claimed. Size of records, messages, and enrollment data the group says it pulled from Canvas.

May 12: Ransom deadline. Date set by ShinyHunters for Instructure to pay or have stolen data published.

8 of 8: Ivy League schools listed. Every Ivy appears on the leak list, alongside MIT, Oxford, Duke, and Penn.

Timeline

  1. Ransom deadline

    Deadline

    Date by which ShinyHunters has threatened to publish the full data trove if no settlement is reached.

  2. Canvas restored; Instructure confirms FBI and CISA notification

    Response

    Instructure brought Canvas back online after the May 7 outage, confirmed it had notified federal law enforcement including the FBI and CISA, and said it had engaged a third-party forensics firm to support the investigation.

  3. Finals disrupted at multiple universities as Canvas goes dark

    Impact

    James Madison University postponed Friday morning exams to Wednesday May 13. The University of Illinois suspended final exams and assignments. UMass Amherst, Rutgers, and dozens of other campuses reported students unable to access coursework or submit work during the outage.

  4. University of California system blocks Canvas access across all campuses

    Response

    The University of California's Office of the President directed all UC campuses to temporarily block or redirect Canvas while Instructure's investigation continued, affecting the entire ten-campus system.

  5. Login pages defaced, May 12 deadline set

    Escalation

    ShinyHunters injects ransom messages onto Canvas login pages at multiple schools and gives Instructure five days to settle.

  6. 8,809-institution leak list published

    Statement

    BleepingComputer obtains list of affected schools from the attackers, including all eight Ivies, MIT, Oxford, and 44 Dutch universities.

  7. ShinyHunters claims 275 million records

    Statement

    Group posts Instructure to its leak site, naming the company and claiming theft of 3.65 TB of student and staff data.

  8. Instructure discloses investigation

    Disclosure

    Company tells customers it is investigating a cybersecurity incident affecting Canvas data.

  9. Initial Canvas data exfiltration

    Attack

    Attackers pull data from Canvas using legitimate export features including DAP queries, provisioning reports, and user APIs.

  10. European Commission data leaked

    Background

    Group publishes 350 GB of internal European Commission communications and documents, raising its profile in Europe.

  11. ShinyHunters pivots to Salesforce Experience Cloud

    Background

    Begins scanning for misconfigured guest access on Salesforce Experience Cloud, eventually claiming roughly 400 corporate victims.

  12. ShinyHunters claims Santander breach

    Background

    Group claims theft of Santander staff and 30 million customer records, part of its broader Snowflake-tenant campaign.

Scenarios

1. Instructure pays, data does not leak publicly

Discussed by: Inside Higher Ed; security analysts cited by BleepingComputer

Instructure or a coalition of affected schools quietly negotiates a settlement with ShinyHunters before May 12. A public leak is averted, but copies of the data may already sit with brokers and other criminal groups, so phishing risk persists. This path is the one the attackers want and the one most often chosen when stolen data includes minors' records.

2. Deadline passes, full dataset hits the internet

Discussed by: TechCrunch; Times Higher Education

Instructure refuses to pay, citing legal exposure and the precedent set by paying. ShinyHunters publishes the 3.65 TB trove on its leak site and on file-sharing networks. Within weeks, automated phishing kits begin sending school-specific lures using real names, real student IDs, and real teacher-student message threads, hitting families through the rest of the academic year.

3. Class actions reshape edtech vendor liability

Discussed by: Education-law attorneys quoted in Inside Higher Ed and Harvard Crimson coverage

Plaintiffs' firms file consolidated class actions against Instructure under state privacy statutes such as Illinois BIPA and California's CCPA, and on FERPA-derived contractual claims. A favorable settlement or ruling would push edtech vendors to carry more breach insurance and accept tougher contractual security clauses with school customers, raising platform costs.

4. Law-enforcement action disrupts ShinyHunters

Discussed by: Cybersecurity reporters at Cybernews, Dark Reading

U.S. and European authorities, building on prior arrests of group members, seize leak-site infrastructure and arrest operators before a full publication. Past takedowns of similar groups have only paused operations rather than ending them, so disruption would likely delay rather than prevent eventual data exposure.

Historical Context

MOVEit Transfer mass extortion (2023)

May–December 2023

What Happened

The Cl0p ransomware group exploited a zero-day in Progress Software's MOVEit file-transfer tool, stealing data from roughly 2,700 organizations and tens of millions of individuals, including state DMVs, U.S. federal agencies, and the BBC. Cl0p named victims on its leak site one by one and demanded payment within days.

Outcome

Short Term

Most victims refused to pay. Cl0p released stolen data in waves through late 2023, fueling years of identity-theft litigation.

Long Term

MOVEit became the reference case for vendor-driven mass breaches, pushing regulators and insurers to focus on third-party software supply chains.

Why It's Relevant Today

Like Instructure, Progress was a single vendor whose product sat inside thousands of customer environments, turning one bug into a sector-wide event. The Canvas incident is following the same pattern in education.

Snowflake customer data theft (2024)

April–July 2024

What Happened

ShinyHunters and an associate stole data from at least 165 Snowflake-tenant customers, including AT&T, Ticketmaster, Santander, and Advance Auto Parts. The attackers used stolen credentials, often pulled from earlier malware infections, against accounts that lacked multifactor authentication.

Outcome

Short Term

Several companies paid undisclosed settlements. AT&T data and Ticketmaster records appeared on leak forums. Snowflake made multifactor authentication mandatory.

Long Term

The campaign became a case study in shared-responsibility failure between cloud platforms and their customers, and cemented ShinyHunters as one of the most active extortion crews in the world.

Why It's Relevant Today

Same threat actor, same playbook: legitimate platform features used at scale to siphon customer data, followed by pay-or-leak deadlines. Canvas is the next chapter of an ongoing campaign rather than a one-off.

PowerSchool student-data breach (2024–2025)

December 2024 – January 2025

What Happened

Attackers used a single stolen support credential to access PowerSchool's student-information system and exfiltrated records on roughly 62 million students and 9.5 million teachers across U.S. and Canadian K-12 districts. Data included names, addresses, Social Security numbers in some districts, and medical notes.

Outcome

Short Term

PowerSchool reportedly paid an extortion demand. Data still surfaced months later as a separate actor began re-extorting individual school districts.

Long Term

Triggered state attorney-general investigations and class actions and put edtech vendors on notice that paying does not end the exposure.

Why It's Relevant Today

PowerSchool showed that paying an edtech extortion demand does not stop downstream re-extortion. That history will weigh on Instructure's decision before May 12.
