Canvas Under Siege: Inside the ShinyHunters Attack on America’s Schools

On the morning of May 7, 2026, students attempting to access Canvas were met with a ransom note from ShinyHunters, turning what first appeared to be a routine outage into a major cybersecurity incident affecting schools across the United States.

By Tyler / 2026-05-08 / 11 min read

CybersecurityCanvasShinyHuntersDataBreachEducationEdTechHackingCloudSecurityStudentPrivacyInstructure

Canvas, ShinyHunters, and the Anatomy of a Modern Ed-Tech Extortion Attack

A reported analysis of what is known, what remains unconfirmed, and why the Canvas incident matters far beyond one login page.

On the morning of Thursday, May 7, 2026...

Students across the United States and abroad who attempted to log into their school’s Canvas account found themselves face-to-face with an unsettling message: a black-and-white ransom note from ShinyHunters, a well-known hacking group that has targeted various organizations in the past several years to extract data from their cloud servers.

The message claimed that Instructure, the software company behind Canvas, had been hacked once again. Instructure was instructed to contact the hackers through the encrypted messaging platform TOX and was informed that their data would be made public on May 12, 2026, unless they agreed with the hackers. These messages were seen across various social media platforms and news outlets. BleepingComputer reported that the hack targeted 330 educational institutions’ Canvas portals, an attack that lasted for only 30 minutes before Canvas was able to take the hacked website offline.

While the company’s website stated that its platforms were down due to maintenance mode, the news of the hack created confusion between two separate issues: the data breach of Instructure and the hacking of their Canvas login portal. Instructure stated on its website that Canvas, Canvas Beta, and Canvas Test were all undergoing maintenance mode, with the company promising that the platforms would be restored “soon.” However, no time has yet been published for the restoration of these platforms as of May 7, 2026.

The central question surrounding this hack and data breach is: how did they do it? While the exact details of the data breach are yet to be made public by Instructure, third-party individuals and organizations outside of the company have no idea how the hackers accessed Instructure’s platform or data. However, from the information that is public, it is possible to understand in what way the hackers likely entered the platform and began the defacement of the school login portal.

What appears to have happened

Instructure has confirmed that a cyber incident has exposed information belonging to users of the institutions involved in the attack. Data exposed included names, email addresses, student ID numbers, and messages among those who used the system. Instructure confirmed that it found no evidence of the exposure of passwords, dates of birth, government identifiers, or financial information of those students. However, Instructure has implemented patches and increased monitoring in the system, as well as rotated the application keys used by its customers to access its systems via APIs.

ShinyHunters, however, claimed that the data breach was of a much more extensive nature. The hackers claimed that they had obtained information regarding 275 million to 280 million individuals from 8,809 to nearly 9,000 schools, universities, districts, and education platforms. Such figures are provided by the hackers, but have yet to be independently verified. ShinyHunters claimed that the information that was obtained included data of users, messages among those users, enrollment data, and other information that was gathered through the features provided to users of Canvas to export their data.

Beyond the data theft, ShinyHunters also defaced the Canvas login portals. BleepingComputer reports that the hackers exploited a vulnerability in the software that allowed them to install an additional message onto the login portals for Canvas. Furthermore, the article states that Instructure took Canvas offline while responding to this latest attack. While not the same as having root access to the servers and databases of Canvas, such an attack is still not trivial in its impact upon the users of the software.

While there is no public proof that ShinyHunters obtained root access to the servers of Canvas, or that they were able to take control of the databases of Canvas altogether, or that they were able to change grades or assignments within the platform, the data theft and the defacement of the login portal does indicate two failures of the software provider: unauthorized access to sensitive data, and unauthorized access to changing the user experience of the platform.

Login screen, now fixed:

DO NOT GO TO ANY WEBSITES FROM THIS IMAGE AS THEY COULD BE DANGEROUS!



The likely technical story: not one magic bug, but a chain

The phrase “they exploited a vulnerability” is misleading. The “vulnerability” in these types of breaches is typically not the result of an attacker finding a buffer overflow in the software or a “zero-day” vulnerability that was exploited by hackers to gain access to the software’s servers. More likely, the “vulnerability” is the result of an exposed API, an integration with too much access, a leaked application key, the leaking of an API key that was used to export data from the application, a support account with too much access, or the use of an OAuth token to act as a legitimate application within the software.

Instructure’s responses to the breach indicate that these types of actions are typically taken if it is believed that application keys, OAuth tokens, integrations, or application access have been compromised. Thus, while this does not indicate that the method that was used to gain access to Instructure’s Canvas was through the use of a stolen OAuth token, it does suggest that the type of breach is similar to those other SaaS and cloud-based platform breaches in which the hackers obtained access to an account and were able to leverage the platform’s built-in data export and API features to remove the data from the platform.

The hackers ShinyHunters claim data from Canvas through its data export features, including DAP and API features. These features are legitimate features of the Canvas platform that are used by educational institutions and third-party vendors to manage the platform. The danger of these features is that they are high-volume features that are used to report on the platform, provision software, provide analytics on the software, and manage the educational institutions that use the software. Thus, if hackers gain access to the appropriate permissions, the software can perform the work of exporting the data for them.

In this scenario, ShinyHunters may not have needed to install malware onto thousands of school laptops. They may not have needed to gain access to each of the universities that use the software. Instead, they may have only needed to find a way to gain access to the vendor that provides the software to these schools.

How ShinyHunters has operated in the past

ShinyHunters is not a ransomware gang per se. The actors behind ShinyHunters are most known for their efforts in relation to data theft, leak sites, and their association with groups like Scattered Spider. The hackers behind ShinyHunters have, however, often used social engineering, voice phishing, OAuth data, and SaaS access rights to perform their data theft efforts.

The efforts of ShinyHunters and related groups in the Salesforce CRM have resulted in various data theft efforts. Obsidian Security discovered that the 2025 Salesforce CRM data theft campaigns did not use any vulnerabilities in the Salesforce software platform. Instead, the hackers performed voice phishing and used malicious OAuth “Connected Apps” to gain access to CRM data via OAuth tokens.

While these efforts are not the same as the Canvas data breach, they are representative of the efforts of the hackers behind ShinyHunters. In 2026, ShinyHunters attempted to breach Salesforce Experience Cloud systems. However, they did not find any vulnerabilities in the Experience Cloud software platform. Instead, their data scraping efforts relied upon guest user access rights that were too permissive for these public-facing websites, according to both The Register and Salesforce Ben.

Finally, BleepingComputer reported that ShinyHunters had performed a significant data breach of McGraw-Hill’s 13.5 million accounts. This data included names, physical addresses, phone numbers, and email addresses. While the details of how the data was leaked are not made public by McGraw-Hill, it is relevant to ShinyHunters due to the company’s relationship with Salesforce.

What they have, or claim to have

There are two categories of information regarding this data breach: what Instructure has acknowledged and what ShinyHunters has claimed.

Instructure has acknowledged the data breach and confirmed that the data included the names, email addresses, student ID numbers, and the messages sent between students within the affected educational institutions. Instructure has also stated that it has found no evidence of the data breach, including passwords, dates of birth, government information, or financial information of those students.

ShinyHunters has claimed that the data breach included the personal data of hundreds of millions of students, teachers, and staff members, the private messages sent between individuals within the education system, the enrollment data of students within the affected schools, the user records of those schools, and the data related to the courses taken by students within those schools from thousands of schools across the United States. BleepingComputer has reported that ShinyHunters claimed that there were 280 million data records from 8,809 educational institutions affected by the data breach. Meanwhile, the AP News reported that ShinyHunters claimed that there were nearly 9,000 educational schools affected by the data breach and that there were billions of private messages sent between individuals within those educational institutions. These figures have not yet been verified.

The distinction between the two categories of information regarding the size and impact of the data breach is crucial to understand. The number of affected individuals that ShinyHunters has reported is a means of increasing the pressure that is placed upon them due to the data breach. The information that Instructure has confirmed, however, does contain sensitive information regarding each of these students. For instance, the data of each student that is revealed from this data breach may include their name, school, and private messages with others within the school, which could reveal information regarding the student’s health, educational status, disabilities, or other issues that are not meant to be shared with others.

What they want

They want money, not sabotage. The message within the Canvas portals informed the schools and Instructure that they needed to contact the hacker directly to negotiate a settlement by May 12, 2026. The Associated Press has reported that the hackers also gave schools until May 7 and May 12; however, the latter date suggests that the hackers are still discussing the settlement with school districts.

No reliable source has reported the amount of money that the ShinyHunters are seeking from the schools using Canvas platforms. Usually, the amount that is demanded of hackers is communicated directly between the victim of the cyberattack and the hackers themselves. The amount will not be publicly reported.

Who is affected

The affected population potentially consists of students, teachers, faculty, staff, administrators, and even alumni who have accessed the platform on Canvas. Canvas is currently in use by K-12 districts as well as community colleges and universities. Both the AP news agency and several California news outlets have reported that the outages affected thousands of schools and universities nationwide during the finals season, including institutions like the UC system, CSU system, community colleges, and other educational institutions.

The impact of the outage varies from school to school. Some schools may only have directory data for their students within the school’s Canvas account. Other schools may have message histories, grade records for their students, third-party software integrations, and years of records stored within their Learning Management System. According to UVA, Instructure has confirmed that the university was impacted by the outage, but has stated that there was no indication that any sensitive information for the school was at risk. However, UC Berkeley announced that their bCourses platform, which is separate from Canvas, was undergoing maintenance and that users should be vigilant for potential phishing attempts.

Not all users face the same level of risk during this outage. For instance, students whose Canvas accounts have only contained information like their name and email addresses may face a different level of risk than students whose private messages contain information related to their mental health, immigration statuses, experiences with harassment, and communications with their teachers.

Is it dangerous?

Yes, but the danger is specific.

The most immediate danger of a data breach on Canvas is phishing attacks. Since the attackers have access to the students’ names, school emails, and student IDs, they can craft convincing messages that appear to come from the platform and its departments. The advisory from UC Berkeley specifically instructed users not to click on the links in the unsolicited emails purporting to come from Canvas or Instructure.

The second danger is the exposure of private messages between students and teachers. The messages contain private information between students and teachers. If the claims of the attackers are to be believed, this would be a threat to the private information of the students.

The third danger is the potential for disruption of the school’s essential services. Canvas hosts students’ classroom assignments, exams, lectures, and more. As the news outlet reported, AP’s school was in chaos as students tried to prepare for their finals. The schools had to rush to provide information on exams and classroom activities during the semester.

Finally, there is the danger of copycat attacks by other criminals who also want to access the data of these schools. These criminals could pose as the IT departments of these schools and advertise their presence in order to steal the data of these schools. Even if the passwords were not obtained through this initial breach, these attacks could still obtain the students’ passwords.

When will Canvas be back online?

There is no projection for what is to happen beyond the “soon” language that Instructure will use. On May 7, Instructure’s status page indicated that Canvas, Canvas Beta, and Canvas Test were in maintenance mode and that the company was anticipating being back up soon. The Los Angeles Times reported the same message from Instructure, but also reported that some websites were redirecting to maintenance schedules by the evening.

While some institutions indicated that their campuses were still able to access Canvas during the morning, others reported maintenance or outages for their institutions. Virginia’s University (UVA) announced at 2 pm Eastern that Canvas was still available and operational for their institution. The University of California at Berkeley, however, reported at 4:50 pm Pacific time that its Courses platform and related websites were down for maintenance.

As of May 7 at 7:27 PM, students across the majority of California continue to encounter this maintenance message upon attempting to access their academic portals:

What should students and staff do now?

Do not panic, but be skeptical about any messages that come through. Click the links in any email related to Canvas only if you are expecting the message. Otherwise, navigate to Canvas through your school’s website. Canvas will not send you messages demanding that you verify your account or recover your data. It will also not send you messages stating that there is sensitive data related to your school that was leaked.

If your school is recommending that you change your Canvas password, do so. It is essential to ensure that you have not used the same password for other platforms.

Do not lose contact with your faculty members. Berkeley suggested that instructors contact their students through channels other than Canvas. They pointed out that maintaining contact lists and mailing lists would allow for better communication in the event of exams, assignments, and other academic issues.

Schools should take a close look at their Canvas accounts. Specifically, they should review which third-party applications are integrated with Canvas, and review the permissions for each of those applications. The most important question is not whether the school was mentioned in the breach notices, but instead what information was shared between the school’s Canvas installation and those third-party applications.

What we still do not know

What we do not know is the identity of the intrusion vector. We do not know if the vulnerability that allowed the perpetrators to perform the defacement of the login page was related to the data theft. We do not know if the record counts published by ShinyHunters are accurate. We do not know if the hackers still have access to the system. We do not know if negotiations are occurring regarding the potential release of the private messages. We do not know if the content of those messages will be published, sold, or retained by the hackers.

What we do know is that this attack is part of a general trend towards the hacking of these centralized platforms, as they contain so much sensitive data regarding so many educational institutions, and those integrations are relied upon by those institutions to manage their classrooms and students.

In the old model of school cybersecurity, the district’s internal network was the system that was thought to be the most important to protect. Yet, as evidenced by this attack on Canvas, the most important system within a school may belong to another organization in the cloud, the most important access point may be an API, and the hackers may never need to enter the school’s firewall once.


Follow Us on X to stay informed:

View on X