"ShinyHunters claims it stole 3.65 TB of data, including about 275 million records from about 8,800 schools," the extortion group said — and has given institutions until end-of-day May 12 to contact it or face publication of the dataset.
Instructure acknowledges two separate intrusions into Canvas
Instructure, the maker of the Canvas learning platform, confirmed two rounds of unauthorized activity affecting Canvas within two weeks. In a security incident update the company apologized for the disruption that occurred "when Canvas went offline last Thursday, leaving thousands of colleges, universities, and K-12 schools without access to course materials, grades, and due dates during final exams and Advanced Placement testing for many."
The company said it first "detected unauthorized activity in Canvas" on April 29, immediately revoked the intruder's access, and launched a probe. On May 7, Instructure identified "additional unauthorized activity tied to the same incident." In its Monday disclosure the firm said criminals exploited a vulnerability in its Free-for-Teacher learning system and that intruders stole information including usernames, email addresses, course names, enrollment information, and messages.
Instructure added that "Core learning data (course content, submissions, credentials) was not compromised," and that it was "still validating all findings, but we want to be clear about what we understand was and wasn't affected."
ShinyHunters: defacements, claims, and a pay-or-leak deadline
The attack has been tied by the extortion group ShinyHunters, which defaced roughly 330 Canvas school login portals by exploiting the same Free-for-Teacher vulnerability. The group claims to have stolen 3.65 TB of data encompassing about 275 million students, teachers, and staff across nearly 9,000 schools — naming Harvard, Columbia, Rutgers, Georgetown, and Stanford among the affected institutions.
ShinyHunters repeatedly moved a pay-or-leak timetable and, according to the source material, has set a final deadline of end-of-day May 12 for individual institutions to contact the group directly to negotiate payment. The group warned it will publish the full dataset if its terms are not met.
Operational impact on schools and timing during exams
The outage occurred at a sensitive time: Instructure acknowledged that outages coincided with final exams and Advanced Placement testing for many schools. Canvas being "fully back online and available for use" was reported by the company as of Saturday, but that restoration followed days in which students and educators lost access to schedules, grades, and course materials.
ShinyHunters' portal defacements — around 330 login pages — were a visible external symptom that prompted Instructure to take Canvas "into maintenance mode to contain the activity."
Instructure's technical and investigative response
Instructure said it temporarily shut down Free-for-Teacher accounts and took a series of containment and remediation steps: it revoked privileged credentials and access tokens tied to compromised systems, rotated internal keys, restricted token creation pathways, and added monitoring across all platforms. The company engaged CrowdStrike to assist with forensic analysis and incident response.
Instructure also reported notifying the FBI — which published its own alert on social media — and the US Cybersecurity and Infrastructure Security Agency. The company noted this is its second breach in less than a year and addressed a prior incident: ShinyHunters claimed to have breached Instructure's Salesforce environment in September 2025. Instructure said "The prior Salesforce-related incident and this Canvas security incident are distinct events involving different systems and circumstances."
What this means for technologists, colleges and K‑12 districts, and federal agencies
- Technologists and security teams: Expect to watch for further forensic findings from CrowdStrike and Instructure's validation process, and to prioritize revocation and rotation of credentials, token and key management, and expanded monitoring — the exact steps Instructure reported taking.
- Colleges, universities, and K‑12 districts: Institutions named by ShinyHunters (including Harvard, Columbia, Rutgers, Georgetown, and Stanford) and the nearly 9,000 schools the group says are affected face the immediate decision the attackers have forced: whether to engage directly by the May 12 deadline or prepare for potential publication of records that the group claims to hold.
- Federal agencies and law enforcement: The FBI and CISA were notified by Instructure and, per the company, the FBI published an alert on social media; both agencies are positioned as the official recipients of incident notifications and prospective investigators as Instructure and external responders continue their work.
The breach leaves two stark facts on the table: Instructure says core learning artifacts and credentials were not taken, while ShinyHunters claims a vast trove of personal and enrollment data and has set a hard deadline for direct, institution-level contact. With the dataset — if real — said to include hundreds of millions of records and with schools already reporting logistical disruption during exams, the immediate choices for affected institutions and the effectiveness of the firm's containment measures will determine whether the incident remains primarily a service outage or becomes a much wider data-exposure event.




