ShinyHunters Defaces Canvas LMS, Threatening Leak of 275 Million Records

The ShinyHunters group hijacked the Canvas login page on May 7, 2026, threatening to leak data from 275 million users and causing widespread outages during fin…

This report is based on verified sources and was accurate at the time of publication.

On May 7, 2026, the login page for Canvas, the widely used learning management system (LMS) by Instructure, was defaced with a ransom demand attributed to the ShinyHunters hacking group. The message threatened to leak the personal data of 275 million students and faculty members across nearly 9,000 educational institutions. The attackers set a final payment deadline for May 12, 2026. Social media was quickly flooded with screenshots of the altered login page as students and faculty reported the compromise.

ShinyHunters is a well-known threat actor specializing in large-scale data theft and extortion. Investigative reports indicate the group frequently gains initial access through voice phishing and social engineering, though this specific vector has not been officially confirmed for the May 2026 breach.

The incident forced Instructure into a drastic response during a critical period of the academic year, highlighting how a single breach at a centralized vendor can paralyze the entire U.S. higher education ecosystem.

Key Takeaways

On May 7, 2026, ShinyHunters defaced the Canvas login page with a ransom demand.
Attackers threaten to leak data from 275 million users across 9,000 institutions by a May 12, 2026, deadline.
Instructure took the platform offline; the University of California blocked access, and the University of Illinois postponed exams.
A May 6 update confirmed stolen data includes names, emails, student IDs, and messages, but excluded passwords and financial info.
ShinyHunters is notorious for data extortion, often utilizing social engineering for initial entry.

The Attack Timeline

The defacement directly targeted the entry point of Instructure’s LMS. Users attempting to log in were met with a message stating: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’” The appearance of the note caused immediate concern, as it coincided with the final exam season for many universities.

Instructure responded by taking the Canvas platform offline, replacing the login page with a generic scheduled maintenance notice. This service interruption affected thousands of institutions, resulting in an abrupt blackout of the primary learning management tool used across the U.S. academic sector during a high-stakes testing window.

Scope of the Exposed Data

In a statement released on May 6, 2026—just one day before the defacement—Instructure claimed that the stolen data was limited to names, email addresses, student IDs, and internal user messages. The company explicitly ruled out the theft of passwords, dates of birth, government identifiers, or financial information. At that time, Instructure described the incident as "contained," stating: “At this stage, we believe the incident has been contained.”

The May 7 defacement directly challenged those reassurances. While the May 6 claims may have been based on the information available at the time, they did not account for the high-profile escalation that followed. The public move by ShinyHunters forced Instructure into an immediate platform takedown to prevent further exposure and regain control of the crisis.

Instructure has not yet clarified if the 275 million user count claimed by ShinyHunters represents the platform’s entire global user base or if the figure has been inflated for extortion purposes. The company has only confirmed partial categories of compromised data, leaving the full scale of the dataset in the hands of the attackers uncertain.

275 million students and faculty from nearly 9,000 educational institutions: the figure claimed by ShinyHunters in the ransom message appearing on the Canvas login page on May 7, 2026.

Widespread Institutional Disruption

The University of California Office of the President instructed all UC campuses to temporarily block or redirect Canvas access until system security could be verified. The official directive suspended all service connections pending technical confirmation from Instructure.

While the University of California’s preemptive block protected millions of users, it simultaneously cut off access to syllabi, course materials, and grade records. This measure illustrates how a third-party security incident can have a cascading effect on the daily operations of major universities.

The University of Illinois was forced to postpone exams and assignments scheduled for Friday, Saturday, and Sunday. In an official statement, the university confirmed: “Canvas, our learning management system, is offline due to an ongoing cybersecurity incident. We are awaiting information from Instructure [...] as to when the service will become available again.” This move effectively halted the university’s assessment schedule for the entire weekend.

Other major institutions, including Northwestern, UChicago, and ISU, also issued statements regarding the incident, according to reports by ABC7. The reaction highlighted a widespread systemic dependency on a single external platform for both teaching and evaluation.

Analysis and Security Outlook

For students and faculty, the immediate priority remains monitoring official communications from their respective institutions and Instructure. The exposure of names, emails, and student IDs significantly lowers the barrier for attackers to launch sophisticated spear-phishing campaigns. Users must remain vigilant regarding any messages demanding urgent action or containing suspicious links, particularly over the coming weeks.

For educational institutions, this incident underscores the risks associated with critical dependency on a single LMS vendor. Universities like the University of Illinois were forced to activate emergency contingency plans for exams. This case necessitates a re-evaluation of business continuity protocols and the need for redundant communication channels when a primary academic platform becomes unavailable without warning.

Furthermore, universities should assess whether the internal messages exchanged on Canvas—confirmed as part of the exfiltrated data—contain additional sensitive information that could be leveraged for social engineering. The availability of student IDs alongside contact info provides fertile ground for targeted attacks against both the student body and administrative staff.

Finally, the incident serves as a reminder to view initial corporate damage control with caution. Instructure’s May 6 claim that the incident was “contained” was rapidly contradicted by the events of May 7. Institutional risk assessments should incorporate a buffer of caution rather than relying solely on early vendor updates.

The investigation is ongoing, and Instructure has not provided a definitive timeline for the secure restoration of Canvas nationwide. Thousands of institutions remain in a state of uncertainty as the May 12, 2026, deadline approaches. The U.S. educational sector is monitoring developments closely before determining how to proceed with final grades and semester conclusions.

Dipan Mann, CEO of Cloudskope, noted that the history of incidents involving educational vendors suggests that “the path of least resistance is the second one.” This observation raises questions about the sector’s ability to withstand extortionate pressure when service disruptions directly threaten the successful completion of an academic semester.