Data Breaches

Canvas Data Breach

May 9, 2026 04:07 · 12 min read
Canvas Data Breach

Canvas Data Breach Disrupts Schools and Universities

A cybercrime group known as ShinyHunters has targeted the widely-used education technology platform Canvas, disrupting classes and coursework at school districts and universities across the United States.

The attack, which defaced the service’s login page with a ransom demand, threatened to leak data from 275 million students and faculty across nearly 9,000 educational institutions. Canvas parent firm Instructure responded by disabling the platform, which is used by thousands of schools, universities, and businesses to manage coursework and assignments, and to communicate with students.

Instructure's Response

Instructure acknowledged a data breach earlier this week, after ShinyHunters claimed responsibility and said they would leak data on tens of millions of students and faculty unless paid a ransom. The stated deadline for payment was initially set at May 6, but it was later pushed back to May 12.

In a statement on May 6, Instructure said the investigation so far shows the stolen information includes “certain identifying information of users at affected institutions, such as names, email addresses, and student ID numbers, as well as messages among users.” The company said it found no evidence the breached data included more sensitive information, such as passwords, dates of birth, government identifiers, or financial information.

ShinyHunters' Attack

ShinyHunters is a prolific and fluid cybercriminal group that specializes in data theft and extortion. They typically gain access to companies through voice phishing and social engineering attacks that often involve impersonating IT personnel or other trusted members of a targeted organization.

Last month, ShinyHunters relieved the home security giant ADT of personal information on 5.5 million customers. The extortion group told BleepingComputer they breached the company by compromising an employee’s Okta single sign-on account in a voice phishing attack that enabled access to ADT’s Salesforce instance.

Impact on Schools and Universities

The attack on Canvas customers is just one of several major cybercrime campaigns being launched by ShinyHunters at the moment, said Charles Carmakal, chief technology officer at the Google-owned Mandiant Consulting. Many of the affected schools and universities are in the middle of final exams, and a prolonged outage could be highly damaging for the company.

A source close to the investigation who was not authorized to speak to the press told KrebsOnSecurity that a number of universities have already approached the cybercrime group about paying. The same source also pointed out that the ShinyHunters data leak blog no longer lists Instructure among its current extortion victims, and that the samples of data stolen from Canvas customers were removed as well.

Criticism of Instructure's Response

Dipan Mann, founder and CEO of the security firm Cloudskope, slammed Instructure for referring to today’s outage as a “scheduled maintenance” event on its status page. Mann said Shiny Hunters first demonstrated they’d breached Instructure on May 1, prompting Instructure’s Chief Information Security Officer Steve Proud to declare the following day that the incident had been contained.

But Mann said today’s attack is at least the third time in the past eight months that Instructure has been breached by ShinyHunters. In a blog post today, Mann noted that in September 2025, ShinyHunters released thousands of internal University of Pennsylvania files — donor records, internal memos, and other confidential materials — through what the Daily Pennsylvanian and other outlets later determined was, in part, a Canvas/Instructure-mediated access path.

Update on the Breach

Instructure has published an incident update page that includes more information about the breach. Instructure said its Canvas portal is functioning normally again, and that the hackers exploited an issue related to Free-for-Teacher accounts. “This is the same issue that led to the unauthorized access the prior week,” Instructure wrote. “As a result, we have made the difficult decision to temporarily shut down Free-for-Teacher accounts.

Instructure said affected organizations were notified on May 6. “If your organization is affected, Instructure will contact your organization’s primary contacts directly,” the update states. “Please don’t rely on third-party lists or social media posts naming potentially affected organizations as those lists aren’t verified. Instructure will confirm validated information through direct outreach to all affected organizations.”

Source: Krebs on Security

Source: Krebs on Security

Powered by ZeroBot

Protect your website from bots, scrapers, and automated threats.

Try ZeroBot Free

Related Articles

💥 Data Breaches

CISA Data Leak Sparks Congressional Inquiry

Lawmakers are demanding answers from CISA after a contractor leaked agency secrets on a public GitHub account, raising concerns about the agency's internal policies and procedures.

May 22, 2026 20:02 · Krebs on Security 12 min read
💥 Data Breaches

7-Eleven Data Breach

Convenience store giant 7-Eleven confirms a data breach after ShinyHunters claimed to have stolen information from the company's systems.

May 20, 2026 20:02 · The Record 10 min read
💥 Data Breaches

CISA Admin Exposes AWS GovCloud Keys

A CISA contractor leaked credentials to highly privileged AWS GovCloud accounts and internal CISA systems on a public GitHub repository.

May 19, 2026 00:03 · Krebs on Security 12 min read