“Everything is leaked and there will be no chance at a negociation for anyone.” — ShinyHunters, in a message posted as part of its extortion campaign against Canvas users.
ShinyHunters’ claim and timeline
ShinyHunters, described in the source as a prolific criminal hacker and extortion group, announced on May 1 that it had exfiltrated “several terabytes” of data from Canvas, the learning management system developed by Instructure, and said the haul contained personal information for 275 million users. The group set a deadline in early May and — after criticizing what it said was a lack of engagement from Instructure — posted a second message on Thursday extending that deadline to May 12.
What the group says it wants and how it is negotiating
In its posts, ShinyHunters criticized Instructure, saying the company “has not even bothered speaking to us to understand the situation or to even negociate with us to prevent the release of this data.” The group also claimed that its demand “was not even as high as you might think it is.” ShinyHunters advised affected schools to consult security professionals and to use the Tox messaging protocol if they wished to negotiate a “settlement” with the group.
Scope of institutions named
The group attached a list of affected institutions that includes numerous school districts and a number of well-known universities. Among the universities named in the list are Cambridge, Columbia, Cornell, Georgetown, Harvard, MIT and UC Berkeley. ShinyHunters said nearly 9,000 educational institutions were affected by the breach.
Types of data reportedly exposed
Reporting cited by the source indicates there are mixed accounts about precisely which records were included in the exfiltrated files. Tech Radar reported that affected data includes names, email addresses, student ID numbers and user communications. According to that same reporting, passwords, dates of birth and financial information were not involved.
What this means for universities, school districts, and security teams
- Universities named on the list — including Cambridge, Columbia, Cornell, Georgetown, Harvard, MIT and UC Berkeley — will need to determine whether their records appear in the files the group says it holds and what categories of information, if any, have been exposed.
- School districts listed among the nearly 9,000 institutions face the same verification and notification tasks; the size of the list, as presented, suggests broad potential impact across K–12 administrative and instructional systems.
- Security teams and independent professionals were directly urged by ShinyHunters to advise affected organizations; the group also recommended using Tox for negotiations. Technical teams will be responsible for assessing file contents, confirming whether the data matches the categories described in Tech Radar’s reporting, and coordinating any required notifications or mitigations.
ShinyHunters’ public posture — a series of messages coupled with an extended deadline and an attached list of institutions — frames the immediate questions for those named: do the files contain records from their systems, what categories of data were included, and how will Instructure and the affected institutions respond. The group’s assertion that Instructure has not engaged, and its extension of the deadline to May 12, place a clear next step on the calendar: either engagement, remediation, or escalation — but the source provides the claim, the list of affected institutions, and the disputed description of exposed data as the record for now.
