Canvas Breach Disrupts Schools & Colleges Nationwide – Krebs on Security
An ongoing data hacking attack targeting a widely used education technology platform The canvas Disrupted classes and academic work in school districts and universities across the United States today, after a cybercriminal group compromised the service’s login page with a ransom demand that threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions.
A screenshot shared by a reader showing the scam message displayed on the Canvas login page today.
The parent company of canvases Education [NYSE:INST] responded to today’s malware attacks by disabling the platform, which is used by thousands of schools, universities and businesses to manage courses and assignments, and to communicate with students.
Instructure admitted to the data breach earlier this week, after a cybercrime group ShinyHunters they say they will take responsibility and they say they will leak information to tens of millions of students and faculty without paying a ransom. The payment deadline was originally set for May 6, but was pushed back to May 12.
In a May 6 statement, Instructure said the investigation so far shows the data stolen includes “certain information that identifies users at the affected institutions, such as names, email addresses, and student ID numbers, as well as messages between users.” The company said it found no evidence that the breached data included sensitive information, such as passwords, birthdays, government identifiers or financial information.
The May 6 update said that Canvas was fully operational, and that Instructure was not seeing any unauthorized activity going on on its site. “At this time, we believe the incident has been staged,” Instructure wrote.
However, during the day on Thursday, May 7, students and teachers of many schools and universities flooded social media saying that the ransom demand from ShinyHunters had replaced the normal Canvas login page. Instructure responded by taking Canvas offline and replacing the portal with the message, “Canvas is currently undergoing scheduled maintenance. Check back soon.”
“We expect to be up and running soon, and will provide updates as soon as possible,” reads a current message on Instructure’s status page.
Although the data stolen by ShinyHunters may or may not contain very sensitive information (ShinyHunters say it includes billions of private messages between students and teachers, as well as names, phone numbers and email addresses), this attack could not have happened at the worst time of the Order: Many schools and universities affected are in the middle of final exams, and the long-term damage to the company could be serious damage.
A phishing message that greeted dozens of Canvas users today advised affected schools to negotiate their own ransom payments to prevent the publication of their data – regardless of whether Instructure decides to pay.
“ShinyHunters has breached Instructure (again),” the scam message read. Instead of contacting us to resolve it they ignore us and do ‘security patches.’
A source close to the investigation who was not authorized to speak to the media told KrebsOnSecurity that a number of universities have already contacted the cybercrime group about the payment. The same source also revealed that data leak blog ShinyHunters no longer lists Instructure among its current victims of the hack, and that samples of stolen data from Canvas customers have also been removed. Phishing groups like ShinyHunters will usually only remove victims from the leaking sites after receiving a payment for the scam or after the victim agrees to negotiate.
Dipan Mannfounder and CEO of a securities firm Cloudscopecriticized Instructure for calling today’s outage a “scheduled maintenance” event on its status page. Mann said that the Shiny Hunters first demonstrated that they breached Instructure on May 1, which led to the Chief Information Security Officer at Instructure. Steve Proud announcing the next day that the incident had been contained. But Mann said today’s attack is at least the third time in the past eight months that Instructure has been breached by ShinyHunters.
In a blog post today, Mann noted that in September 2025, ShinyHunters released thousands of internal University of Pennsylvania files — donor records, internal memos, and other confidential material — through what the Daily Pennsylvanian and other outlets later determined was, in part, a Canvas/Instructure-mediated approach.
Mann wrote: “Penn was the victim. “Education was the way. The incident was treated as a Penn-specific matter by most of the national media and was quietly handled by Instructure as a client-specific matter. That frame was wrong at the time. It is very wrong considering the events of May 2026, which now look like a planned escalation of the ShinyHunters attack pattern that had been going on for at least eight months prior to The Instructure. Penn’s 2025 breach was proof of concept The May 1, 2026 incident was a reproduction of the May 7, 2026 ShinyHunters publicly demonstrating that the May 2 ‘content’ never happened.
In February, said a spokesperson for ShinyHunters The Daily Pennsylvanian that Penn failed to pay the $1 million ransom. On March 5, ShinyHunters published 461 megabytes worth of data stolen from Penn, including thousands of files such as donor records and internal memos.
ShinyHunters is a full-fledged and watertight cybercriminal group specializing in data theft and fraud. They often gain access to companies through phishing and social engineering attacks that often involve impersonating IT employees or other trusted members of the target organization.
Last month, ShinyHunters released the home security giant ADT of personal information to 5.5 million customers. A group of hackers told BleepingComputer that they breached the company by compromising one Okta employee account in a phishing attack that allowed access to ADT’s Salesforce instance. BleepingComputer says that ShinyHunters have recently gained notoriety for a number of attacks by robbing high-profile organizations, including Medtronic, Rockstar Games, McGraw Hill, 7-Eleven and cruise line operator Carnival.
The attack on Canvas customers is one of several major cybercrime campaigns currently being launched by ShinyHunters, it said. Charles Carmakalchief technology officer at Google Mandiant Consulting. Carmakal declined to comment directly on the Canvas breach, but said there are “multiple concurrent and sophisticated ShinyHunters and fraud campaigns going on right now.”
Cloudskope’s Mann said what happens next depends largely on whether Instructure’s customers — the universities, K-12 districts, and educational services that pay for Canvas — choose to apply pressure or remain silent.
“Anecdotal evidence for academic vendors suggests the path of least resistance is secondary,” he concluded.
