"ShinyHunters has breached Instructure (again)," the extortion message read, claiming to hold data on 275 million students and faculty at nearly 9,000 institutions.
The visible damage: login pages defaced and Canvas pulled offline
Mid-day on May 7, students and faculty at dozens of schools reported on social media that a ransom demand from the cybercrime group ShinyHunters had replaced the usual Canvas login page. Instructure — the parent company of the Canvas learning platform — responded by disabling the platform, replacing the portal with a message that read, "Canvas is currently undergoing scheduled maintenance. Check back soon." Instructure’s public status page said, "We anticipate being up soon, and will provide updates as soon as possible." The outage and page defacement disrupted classes and coursework across K-12 districts, universities and other Canvas customers, many of which were in the middle of final exams.
What ShinyHunters says it stole
ShinyHunters claimed the breach included "names, phone numbers and email addresses" and—by the group's account—"several billion private messages among students and teachers." The extortion demand threatened to publish data from 275 million students and faculty spanning nearly 9,000 educational institutions unless ransom demands were met. A source close to the investigation told KrebsOnSecurity that the ShinyHunters leak blog no longer listed Instructure among current extortion victims and that samples of data stolen from Canvas customers were removed from the site.
Instructure's timeline and public updates
On May 6, Instructure acknowledged a data breach and said its investigation showed the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as as messages among users.” The company stated it had found no evidence the breached data included more sensitive items such as passwords, dates of birth, government identifiers or financial information. In that update Instructure wrote, "At this stage, we believe the incident has been contained." By May 7 the company had taken Canvas offline after the visible defacement; Instructure later published an incident update on May 8 saying the portal was functioning normally again and attributing the exploit to an issue related to Free-for-Teacher accounts. Instructure wrote, "This is the same issue that led to the unauthorized access the prior week," and said it had made the decision to temporarily shut down Free-for-Teacher accounts. The company also said, "If your organization is affected, Instructure will contact your organization’s primary contacts directly," and warned against relying on third-party lists or social media naming potentially affected organizations.
ShinyHunters' tactics and prior incidents tied to Instructure
ShinyHunters is a prolific and fluid extortion group that has claimed responsibility for a string of recent attacks. The source material links the group to a September 2025 release of University of Pennsylvania files that security researchers later tied in part to a Canvas/Instructure-mediated access path. Dipan Mann, founder and CEO of security firm Cloudskope, said ShinyHunters first demonstrated a breach of Instructure on May 1 and that Instructure’s Chief Information Security Officer Steve Proud had declared on May 2 that the incident had been contained. Mann wrote that the May 7 incident was at least the third time in the past eight months that ShinyHunters had breached Instructure and characterized the September 2025 Penn breach as a "proof of concept" for later activity. The record also shows other recent ShinyHunters campaigns: in March the group published 461 megabytes of data stolen from Penn after a reported failed ransom demand in February; last month ShinyHunters said it obtained personal information on 5.5 million ADT customers by compromising an employee’s Okta single sign-on account, enabling access to ADT’s Salesforce instance; and the group has recently taken credit for extortion claims against Medtronic, Rockstar Games, McGraw Hill, 7‑Eleven and Carnival. Charles Carmakal, chief technology officer at the Google-owned Mandiant Consulting, said there are "multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now."
What this means for Cloudskope and Mandiant technologists, affected schools and districts, and ShinyHunters
- Technologists at Cloudskope, Mandiant and similar security teams will be watching whether the Free-for-Teacher account vector—identified by Instructure in its May 8 update—represents a persistent access path or a one-off misconfiguration. Cloudskope's Dipan Mann described repeated access incidents and criticized Instructure’s use of a "scheduled maintenance" message while the defacement was live.
- Universities, K-12 districts and education ministries now face practical choices: pressure Instructure publicly and demand remediation and disclosures, or pursue their own negotiations with the extortionists. A source told KrebsOnSecurity that several universities have already approached ShinyHunters about paying; history in education-vendor incidents, Mann warned, suggests many institutions may quietly absorb breaches rather than escalate.
- For ShinyHunters, continued success in multiple concurrent campaigns increases leverage — both over vendors like Instructure and over customer organizations — and may encourage further data disclosures unless targets or vendors adopt different response postures.
The breach puts a stark light on how a single third-party platform can ripple across the academic calendar: the attack coincided with final exams at many institutions, intensifying pressure on Instructure and on its customers. Whether universities and school districts will press for collective action, negotiate individually with the extortionists, or accept the disruption quietly remains the immediate unanswered question — one that will shape how data-extortion cases against education platforms are handled going forward.
Source: KrebsOnSecurity — Canvas Breach Disrupts Schools & Colleges Nationwide




