The criminal extortion group ShinyHunters has defaced the login pages of Canvas, the most widely used learning management system in North American higher education, replacing them with ransom demands and threatening to release stolen data from nearly 9,000 schools unless Instructure, the platform's parent company, pays up by 12 May.
Students and faculty at dozens of universities, including Harvard, the University of Pennsylvania, MIT, Duke and the University of Oklahoma, reported being greeted by the hackers' message when they tried to log in on Thursday afternoon.
The attack struck during spring finals week at many institutions, forcing Instructure to pull Canvas offline and replace the portal with a maintenance notice.
ShinyHunters first claimed responsibility for breaching Instructure on 3 May, saying it had accessed data from 275 million users across 8,809 educational institutions in at least 10 countries, including the United States, the United Kingdom, Australia and Sweden.
The group said the stolen records included names, email addresses, student identification numbers and billions of private messages exchanged between students and teachers on the platform.
Instructure said it found no evidence that passwords, dates of birth, government identifiers or financial information were compromised.
Canvas is used by 41% of higher education institutions in North America and serves more than 30 million active users worldwide, a concentration that cybersecurity experts say makes education technology vendors especially attractive targets.
Luke Connolly, a threat analyst at cybersecurity firm Emsisoft, described ShinyHunters as a loose affiliation of teenagers and young adults based in the United States and the United Kingdom, and said the extended 12 May deadline suggests discussions about extortion payments may be ongoing.
Instructure's chief information security officer Steve Proud said the company believed the breach had been contained as of 6 May, after revoking compromised credentials, deploying security patches and increasing monitoring across all platforms.
That assessment proved premature when ShinyHunters hijacked Canvas login pages the following day, accusing the company of ignoring its outreach and applying only superficial fixes.
The incident is at least the third time in eight months that ShinyHunters has breached Instructure's systems, according to cybersecurity journalist Brian Krebs.
In September 2025, the group exploited Instructure's Salesforce environment and leaked thousands of internal files belonging to the University of Pennsylvania, and it has since claimed attacks on the student information system Infinite Campus, publisher McGraw Hill and the European Commission.
The Wake County Public School System in North Carolina said Instructure had notified the district of the breach but could not yet confirm what information was accessed.
Duke University's chief information security officer Nick Tripp said the university was monitoring the situation and that there was no indication sensitive data such as passwords or financial information had been involved.
Related reading
- Ransomware group's own coding blunder turns its software into a data destroyer, making recovery impossible ev…
- Anthropic's Claude Mythos faces questions over value despite strong cybersecurity scores
- World Cup prompts wide cyber security preparations
The University of Michigan told students to log out of Canvas immediately while its security teams investigated, and Penn State said it and many other universities had been unable to access the platform.
Instructure said Canvas was available again for most users by late Thursday evening.
The recap
- ShinyHunters claims to have breached Instructure's Canvas platform
- Nearly 9,000 schools worldwide said to be affected
- Hackers set a ransom deadline for schools next week
