Canvas Down: ShinyHunters Claims 275 Million School Records
ShinyHunters breached Instructure on April 30, exposing Canvas data from 8,809 schools and threatening to release private messages by May 12.
When university students in North Carolina logged into Canvas on the evening of May 7, some found the platform unavailable. Others found something more disorienting: an extortion message from ShinyHunters where the login form should have been, warning that billions of private student messages would go public unless their institutions paid. CNN reported students stranded, unable to retrieve coursework or submit assignments, as Canvas went dark institution by institution across the country. Finals week had given the outage unusual stakes.
The disruption traced back the previous Thursday. At 5:06 PM on April 30, Instructure, the company that builds and maintains Canvas, detected that tools depending on its API keys had begun behaving abnormally. The intrusion method, as Instructure later described it through the steps taken to contain it, carried the signature of a credential or token compromise: privileged credentials were revoked, application keys were rotated, and patches were deployed. Those were the right responses, and they came quickly. The data had already left.
What happened
On May 3, ShinyHunters claimed responsibility. The group published a list of 8,809 schools, universities, and online education platforms it said were affected, with per-institution record counts ranging from tens of thousands to several million. The Daily Pennsylvanian reported that more than 306,000 Penn affiliates appeared in the claimed dataset. Duke University, Harvard, MIT, Oxford, the University of North Carolina at Chapel Hill, Wake County Public Schools, and Durham Public Schools were all on the list. TechCrunch broke the story on May 5. Inside Higher Ed ran a piece the same day under the headline “PAY OR LEAK.”
Instructure’s chief information security officer, Steve Proud, confirmed the core facts in a public statement. The breach had exposed names, email addresses, student ID numbers, and messages exchanged between users on the platform. Instructure said it found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. ShinyHunters set a first deadline of May 6 for Instructure to make contact, then escalated: institutions on the affected list had until end of day May 12 before the group threatened to release everything. To underscore the pressure, the group defaced Canvas login pages at a number of schools on May 7, replacing the login form with the extortion notice and taking services down in the process. DataBreaches.net tracked the situation in real time as the defacements spread.
This wasn’t ShinyHunters’ first move against education infrastructure. In March 2026, the same group accessed an Infinite Campus Salesforce environment, extracted staff contact data, and issued a ransom demand before the extortion went nowhere. The group had also been linked to an October 2025 incident at the University of Pennsylvania in which mass spam emails were sent from addresses tied to the university’s Graduate School of Education. Before that, ShinyHunters participated in the 2024 Snowflake credential attacks that exposed data at Ticketmaster, AT&T, and other large organizations. The pattern across these incidents is consistent: locate a target holding centralized, high-value data; compromise a credential or application token; extract what’s accessible; and use the threat of public exposure to generate payment. Education technology platforms keep appearing on that target list because they hold detailed records on millions of people and frequently operate under security budgets that don’t match the scale of what they protect.
ShinyHunters’ claim of 275 million affected records has not been independently verified, and EdScoop noted that Instructure hasn’t confirmed that specific figure. But even if the true count is a fraction of what the group claims, the dataset spans thousands of institutions and years of platform usage. Malwarebytes characterized the breach as exposing data on “millions of students and teachers worldwide.”
Why it matters
The data Instructure says wasn’t taken includes the categories that consumer protection frameworks have built remediation pathways around. Passwords can be reset, credit can be monitored, financial accounts can be closed. Those omissions are genuinely reassuring, as far as they go.
What ShinyHunters has threatened to publish is something else entirely. WRAL and Malwarebytes both cited the group’s threat to release “several billions of private messages among students and teachers.” Private conversations can’t be frozen like a credit account, changed like a password, or blocked with a fraud alert. Messages between a student and a professor about a missed deadline, an accommodation request, a personal crisis, or a mental health episode are the kind of communication that people send specifically because they trust the platform with it. Once that data is public, there’s no corrective step that puts it back. That irreversibility is what separates this incident from a typical credential leak.
The Family Educational Rights and Privacy Act gives students and parents meaningful rights over educational records, including grades, transcripts, and enrollment data. But FERPA was written for a world where student records meant files in an administrative office. The law’s restrictions apply to institutions’ disclosure of education records, and whether Canvas messaging data falls cleanly within that definition hasn’t been settled for the kind of platform-level breach ShinyHunters is describing. What FERPA can do after a mass unauthorized publication is even less clear. The law provides access rights and restrictions on institutional disclosure. It doesn’t provide a mechanism to remediate a leak that’s already happened. That gap, between what FERPA was designed to protect and what modern LMS platforms actually store, is where this situation sits uncomfortably.
The Times Higher Education flagged a secondary concern: even if ShinyHunters doesn’t follow through on the bulk data release, the stolen names, email addresses, and institutional affiliations create a rich surface for personalized phishing. Someone who knows a student’s name, university, course enrollment, and email format can craft a message that looks like it came from a financial aid office, an IT department, or a course instructor. That risk persists regardless of what happens on May 12.
What this means for students and parents
For students and families at any of the 8,809 affected institutions, the immediate practical options are limited. Instructure hasn’t indicated which specific conversations were in the systems the group accessed, and Canvas doesn’t offer a self-service data export that would let users audit what the platform holds about them. If your institution is on the list, you likely can’t determine what was taken from your account.
Parents at K-12 schools using Canvas often have their own parent-facing accounts with message histories: conversations with teachers about student progress, attendance, and family circumstances. Those records are in the affected pool alongside university communications. EdScoop noted that the breach spans both K-12 districts and higher education institutions. The sensitivity profile differs between a middle school parent-teacher exchange and a graduate student’s private messages, but both categories are in what ShinyHunters claims to hold.
For the school documents that parents sign at the edges of this same digital ecosystem, like consent forms, permission slips, and field trip authorizations, tools that process signing locally rather than routing the document through a cloud platform keep at least that layer of data off external servers. Signegy’s browser-based PDF signer, macOS Preview, and OpenSign all handle signing without transmitting a copy of the document to a third party. That addresses a narrower concern than Canvas communications. But it reflects the same structural reality this incident makes visible: data stored on a vendor’s platform is subject to whatever security posture that vendor applies, and to whatever happens to that vendor’s credentials on any given Thursday afternoon.
What comes next
The May 12 deadline is the nearest fixed point. If ShinyHunters releases the data as threatened, the question shifts to how Instructure and the 8,809 affected institutions respond to students and families with individual notifications, and on what timeline. If the group abandons the extortion the way it did with Infinite Campus in March, the question becomes whether any meaningful public accounting follows of what was actually accessed and from which systems.
Most of the schools on ShinyHunters’ list are finishing their semesters this week. Attention will move on. What DataBreaches.net and EdScoop and dozens of campus newspapers are tracking now will become background for the majority of the people whose messages were in those systems. Whether institutions use May 12 as the end of the incident or the beginning of a notification and disclosure process is the thing worth watching after the deadline passes. So far, Instructure hasn’t said.