ShinyHunters, a prolific cybercrime extortion group, defaced Canvas LMS (Learning Management System — software that delivers online course content, grades, and communications between students and instructors) login pages across the United States on May 7–8, 2026, escalating a data extortion campaign that began May 1 with the theft of records belonging to an estimated 275 million students, faculty, and staff at roughly 9,000 educational institutions. Instructure, the company behind Canvas, took the platform fully offline in response, disrupting coursework at Harvard University, Duke University, the University of Pennsylvania, Rutgers University, and thousands of other schools during finals week. ShinyHunters has set a revised ransom deadline of May 12, threatening to publish billions of private messages if Instructure does not negotiate.
The Second Breach: What Happened on May 7–8
The chain of events that produced Thursday's mass disruption began May 1, 2026, when ShinyHunters first demonstrated access to Instructure's Canvas Data 2 pipeline — the API layer that aggregates learning analytics and records across all Canvas institutions. Instructure's CISO declared the incident "contained" on May 2, and the Canvas Data 2 platform was restored by May 3. On May 5, Instructure issued its first public acknowledgement of the breach. ShinyHunters simultaneously added Instructure to their Tor-based leak site, posting samples of stolen data and issuing an initial ransom deadline of May 6.
Instructure deployed security patches and revoked credentials on May 6. The remediation appeared insufficient. On May 7, ShinyHunters announced a separate, fresh compromise of Instructure's systems — claiming "we hacked Instructure again" on their leak site — before pivoting to an unprecedented tactic: injecting altered HTML files into Canvas login pages across all 8,809 institutions on their list. The defaced pages displayed a "PAY OR LEAK" message alongside instructions for affected schools to contact cyber advisory firms and negotiate directly with ShinyHunters before the revised May 12 deadline.
The defacement confirmed that ShinyHunters retained active access to Instructure's infrastructure after the May 6 remediation attempt — either because the initial access vector was not fully identified, or because the group established persistence before patching occurred. Instructure took the Canvas platform fully offline following the defacement wave. The FBI and CISA (Cybersecurity & Infrastructure Security Agency — the U.S. federal agency responsible for protecting critical infrastructure from cyber threats) have both been notified by Instructure.
TechCrunch confirmed the defacement of school login pages and the second-breach claim on May 7, while Krebs on Security reported the full scope of the nationwide disruption as it unfolded on May 8.
Scope of Exposure: 275 Million Records, 9,000 Institutions
ShinyHunters claims to hold 3.65 terabytes of data extracted from Instructure's systems, representing records from approximately 275 million individuals. A list of 8,809 affected institutions shared with BleepingComputer spans school districts, universities, community colleges, and online learning platforms across the United States.
Confirmed exposed data types include:
- Full names
- Email addresses
- Student ID numbers
- Private messages between students and instructors
Instructure's CISO stated that passwords, dates of birth, government-issued identifiers (such as Social Security numbers), and financial information were not part of the breach. However, the inclusion of private message data raises significant concerns beyond standard PII (Personally Identifiable Information). Canvas messages are used for academic counseling, mental health referrals, disability accommodations, and disciplinary proceedings — contexts in which students and instructors have a reasonable expectation of confidentiality.
To put the scale in context: the 2021 T-Mobile breach, one of the largest U.S. data breaches in recent memory, exposed records for approximately 54 million customers. The Instructure breach, if the claimed 275 million figure is accurate, is roughly five times larger by record count. The Malwarebytes blog has confirmed the incident and published an initial impact analysis.
How ShinyHunters Operates
ShinyHunters is a financially motivated cybercrime group with a documented track record of targeting large-scale SaaS (Software-as-a-Service) platforms and their downstream customer bases. Prior confirmed victims include ADT, Rockstar Games, Salesforce, Infinite Campus, and McGraw Hill. Security researchers characterize the group as particularly proficient at vishing (voice phishing — phone-based social engineering attacks that manipulate employees into surrendering credentials or taking unauthorized actions on behalf of an attacker), which is the likely initial access vector for the Instructure compromise.
The login page defacement represents a tactical evolution for ShinyHunters. Data extortion groups typically limit their leverage to two mechanisms: publishing stolen data samples to demonstrate possession, and operating countdown timers on their leak site. Defacing an end-user-facing platform inflicts operational disruption without requiring additional exploitation — and it demonstrates to the victim that remediation has failed. For an LMS platform used by millions of active students during finals week, the operational impact of a complete takedown is severe and immediate, amplifying the negotiating pressure on Instructure.
The group had previously targeted at least two other educational platforms — Infinite Campus and McGraw Hill — suggesting a deliberate focus on the education supply chain. By targeting platform vendors rather than individual institutions, ShinyHunters can compromise one system and immediately threaten thousands of downstream organizations simultaneously.
Who Is Affected
Every institution on ShinyHunters' 8,809-entry roster faces potential exposure of student and faculty data. The following are specifically named in media coverage as confirmed affected:
- Harvard University
- University of Pennsylvania
- Duke University
- Rutgers University
- University of Utah
- North Carolina Department of Public Instruction (representing public K-12 schools statewide)
The timing maximizes harm. Final exams at most U.S. universities and colleges run through mid-May, meaning a Canvas outage directly blocks students from submitting assignments, accessing study materials, reviewing grades, and communicating with instructors. Canvas represents a single point of failure for millions of active course sections. Universities typically lack tested fallback systems for a total LMS outage of this scale and duration.
What You Should Do Right Now
For students and faculty:
- Do not click any links in emails claiming to be from Canvas, Instructure, or your school's IT department. Phishing campaigns exploiting breach notification emails are a near-certain secondary threat. Verify all communications by navigating directly to your school's official IT security page.
- Change your Canvas password immediately, and change the password on the email account linked to your Canvas profile. If you have reused those passwords elsewhere, change them on every affected service.
- Enable MFA (Multi-Factor Authentication — a login method requiring a second verification step beyond a password, such as a time-based code from an authenticator app like Google Authenticator or Authy) on your school email and any accounts that share credentials with Canvas.
- Be alert to social engineering using your Canvas data. An attacker who knows your name, email, institution, and the content of your private messages can craft highly convincing and targeted phishing or extortion attempts. Treat unexpected contact from "instructors," "counselors," or "IT staff" with heightened skepticism.
- Monitor your email address in breach notification services such as Have I Been Pwned for updates as the Instructure data potentially circulates on dark web markets.
For school IT administrators:
- Verify your institution's presence in ShinyHunters' published list of 8,809 affected organizations via your Instructure account representative.
- Contact Instructure through official channels at support.instructure.com for formal breach notification, incident response guidance, and current platform status.
- Audit and revoke SSO (Single Sign-On — a credential federation system allowing one login to authenticate across multiple connected services) integrations and OAuth grants issued by Canvas. If your institution's identity provider is federated with Canvas via SAML or OAuth, revoke all Canvas-issued API tokens and require users to re-authenticate once the platform is restored.
- Preserve log data. Do not rotate or delete authentication logs, access logs, or Canvas API call logs from the affected period (May 1 onward). Law enforcement and incident responders will need this data.
- Report observed login page defacement to CISA at (888) 282-0870 and file a complaint with the FBI's Internet Crime Complaint Center at ic3.gov.
Background: ShinyHunters and the Education Technology Supply Chain
The Canvas breach is a direct consequence of supply chain concentration in education technology. Canvas is the most widely deployed LMS in U.S. higher education, used by approximately 40% of universities and a significant share of K-12 school districts. When a single vendor holds data for 275 million users across 9,000 institutions, a single successful intrusion produces a catastrophic and simultaneous blast radius. No individual school made a security error — their collective exposure flows from dependency on a shared cloud platform.
This is not the first time education technology supply chain attacks have produced mass downstream impact. The 2023 MOVEit breach compromised the National Student Clearinghouse, affecting data from 890 colleges and universities. The 2021 Blackbaud ransomware attack affected hundreds of universities and nonprofits globally. The consistent targeting pattern indicates that adversaries view EdTech vendors as high-value targets precisely because scale means one successful compromise affects thousands of institutions at once.
ShinyHunters' persistence is also noteworthy. Despite arrests of associated operators in 2022 and 2023, the group has continued operating with new infrastructure and, apparently, new members. The tactical evolution visible in this campaign — defacing end-user infrastructure alongside data theft — mirrors a broader industry trend toward hybrid ransomware-extortion models where the threat is both data publication and active service disruption.
For Instructure, the failure to prevent a second breach after declaring the first one "contained" on May 2 is a significant credibility problem. The lesson for every EdTech vendor is the same as in any supply chain breach: initial containment declarations are not the same as verified eradication. Persistent access by a sophisticated actor requires forensic validation of every credential, API key, and authentication token — not just deployment of patches.
Conclusion
ShinyHunters' May 8 attack has disrupted coursework for millions of students at 9,000 institutions during finals week, with a May 12 data-release deadline creating acute pressure on Instructure. Students should change passwords and enable MFA immediately; institutions should revoke all Canvas OAuth tokens, preserve logs, and engage Instructure directly — while monitoring for the phishing campaigns that will inevitably follow this breach.

