Skip to main content
Emerging ThreatsData Breaches

ShinyHunters Breach Exposes 330 Colleges in Canvas Hack

Blurred laptop screen shows Canvas login page in bright college library setting.

"ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some 'security patches'."

What the defacement said and how long it lasted

BleepingComputer reported that the login pages for Canvas were replaced with an extortion message from the ShinyHunters gang. The defacement told Instructure and affected schools they had until May 12, 2026 to negotiate, warning, "You have till the end of the day by May 12 2026 before everything is leaked." The message also urged schools to "consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement."

The defacements were visible for roughly 30 minutes before being taken offline and, according to reporting, the extortion content also appeared inside the Canvas app.

Scope of the website defacement and the larger breach claims

BleepingComputer said the Canvas login portals for approximately 330 educational institutions were defaced. The incident follows an earlier disclosure from Instructure, made last week, that it was investigating a cyberattack after threat actors claimed to have stolen 280 million student and staff records tied to 8,809 schools, universities, and education platforms that use Canvas.

How the attackers say they obtained data

The defacement was allegedly caused by a vulnerability in Instructure's systems that allowed the threat actor to modify login portals, according to BleepingComputer's reporting. ShinyHunters later told BleepingComputer the stolen data included "user records, private messages, enrollment data, and other information," which the gang said had been gathered through Canvas data export features and APIs. The reporting uses the term "allegedly" for those claims from the gang.

Instructure's actions and communication status

Instructure confirmed that data was stolen during the attack and said it is continuing to investigate the incident. The company has taken Canvas offline while it responds to the latest cyberattack, according to BleepingComputer. BleepingComputer also reported that it repeatedly contacted Instructure with questions about the attack and whether the company plans to notify students and staff, but those emails have so far gone unanswered.

What this means for students, administrators, and IT/security teams

  • Students and staff: The gang claims a wide variety of personal data were taken — the defacement threatens a public leak if ransom demands are not met by May 12, 2026 — raising immediate concerns about potential exposure of private messages and enrollment data.
  • Administrators and school leadership: At least 330 institutions saw public defacements, and the broader claim links 280 million records to 8,809 institutions, putting notification decisions, legal obligations, and incident response coordination squarely on administrators as investigations continue.
  • IT and security teams at affected institutions: The reported vulnerability reportedly allowed modification of login portals and also implicated Canvas export features and APIs as sources of data — teams will be focused on remediation, assessment of export/API controls, and restoring safe access while Canvas remains offline.

Conclusion

The public face of this incident is a short-lived but blunt extortion notice and a deadline that puts pressure on both Instructure and the schools whose login pages were altered. Behind that message sits a broader claim of hundreds of millions of records tied to thousands of institutions and an ongoing investigation that Instructure has acknowledged. With Canvas offline and BleepingComputer's outreach unanswered, the central, immediate questions are whether the data claims will be substantiated by the investigation and how Instructure and affected institutions will notify and protect the students and staff named in the alleged haul.

Original reporting: https://www.bleepingcomputer.com/news/security/canvas-login-portals-hacked-in-mass-shinyhunters-extortion-campaign/