ShinyHunters Escalates Canvas LMS Attack — 275 Million Student Records at Risk as Schools Cancel Exams
The cybercrime group ShinyHunters has escalated its attack on Instructure’s Canvas learning management system, defacing the platform’s login page with a ransom demand threatening to leak data from 275 million students and faculty across nearly 9,000 educational institutions. The deadline for payment has been set at May 12, 2026.
Instructure was forced to take Canvas completely offline after the defacement, disrupting classes and coursework at schools and universities nationwide. Several institutions — including UMass Lowell and UMass Dartmouth — have postponed final exams. The stolen data reportedly includes names, email addresses, student IDs, and private messages between students and teachers. ShinyHunters claims the dataset includes billions of private messages.
The extortion message told individual schools to negotiate their own ransom payments, regardless of whether Instructure pays. Instructure had initially stated the incident was contained as of May 6, but the login page defacement on May 7 proved otherwise.
Source
Krebs on Security · Malwarebytes · CBS News
Commentary
This attack is uniquely destructive because of its timing — hitting during finals season at thousands of schools. ShinyHunters isn’t just stealing data; they’re weaponizing the disruption itself as leverage. The decision to tell individual schools to negotiate separately is a cynical but effective pressure tactic.
The bigger story here is the concentration risk in EdTech. With thousands of institutions relying on Canvas, a single breach cascades into nationwide disruption. Instructure’s premature “incident contained” statement on May 6 — followed by a full login page defacement 24 hours later — also raises serious questions about its incident response capabilities.


