Published by TrenBuzz.com | May 7, 2026 | BREAKING — LIVE UPDATE
Key Points at a Glance – ShinyHunters Hacks Canvas Twice
- Cybercrime group ShinyHunters has breached Instructure – Canvas’s parent company – twice in the span of one week.
- The group claims to have stolen 275 million records from 8,809 schools, universities, and online education platforms worldwide.
- Stolen data includes names, email addresses, student ID numbers, and private messages between students and teachers.
- NO passwords, dates of birth, government IDs, or financial information were compromised, per Instructure.
- ShinyHunters defaced Canvas login pages at multiple schools Thursday, replacing them with ransom demands.
- Schools have a May 12, 2026 deadline to negotiate — or the data will be publicly leaked.
- Harvard, Duke, Penn, University of Oklahoma, University of Washington, and thousands more are affected.
- Penn alone has 306,000 affected users — and previously refused to pay a $1 million ransom in February.
- Instructure described its site as “undergoing scheduled maintenance” – a label students immediately saw through.
- The attack hits during finals week — making the timing particularly devastating for millions of students.
It’s finals week. Students are logged out of their classes. And hackers are holding the world’s most widely used learning management system hostage for ransom. This is the ShinyHunters Canvas crisis — and it’s still unfolding.
A hacker group called “ShinyHunters” said it was responsible for a data breach of Instructure, which manages Canvas. The group said it would release data it acquired through the breach unless it was paid a ransom. The hacking group posted online that nearly 9,000 schools worldwide were affected, with billions of private messages and other records accessed.
The Second Breach — What ShinyHunters Did Next
Education tech giant Instructure disclosed a data breach where hackers stole students’ private information, including their names, personal email addresses, and messages sent between teachers and students. The hackers then compromised Instructure again – defacing several schools’ login pages to display their ransom message. TechCrunch saw a message published by the cybercrime group ShinyHunters on the Canvas login pages of three separate schools.
“ShinyHunters has breached Instructure (again),” the message read. “Instead of contacting us to resolve it they ignored us and did some ‘security patches.'” The message instructed affected schools to consult with a cyber advisory firm and contact the hackers to negotiate a settlement. “You have till the end of the day by 12 May 2026 before everything is leaked,” the warning stated.
Which Schools Are Affected by the Canvas Hack?
Harvard students lost access to Canvas Thursday afternoon. By 3:30 p.m., the site began redirecting to a ShinyHunters message. By 4:20 p.m., it displayed “Canvas is currently undergoing scheduled maintenance” — a message the hacker group had replaced Instructure’s own content with.
ShinyHunters claimed to have stolen data from 306,000 Penn affiliates — including emails, names, Penn ID numbers, and course enrollments. The DP confirmed the group obtained Penn user data after a ShinyHunters member shared a sample. Penn had already refused a $1 million ransom in February 2026, leading to the release of thousands of internal files.
Several colleges and universities reported their Canvas apps were down, including the University of Pennsylvania and the University of Oklahoma. The North Carolina Department of Public Instruction, which agreed to use Canvas across all state K-12 schools in 2015, was also notified of the breach. Duke University’s IT Security Office confirmed the university was among the institutions affected.
What Data Was Stolen — And What Wasn’t
Instructure said ShinyHunters claimed to have stolen “certain identifying information of users such as names, email addresses, and student ID numbers, as well as messages among users.” Instructure also reported it “found no indication” that passwords, dates of birth, government identifiers, or financial information were compromised.
The criminals shared a list of 8,809 school districts, universities, and online education platforms with BleepingComputer whose Canvas instances they claim were impacted, with per-institution record counts ranging from tens of thousands to several million.
The Human Impact — Students in Panic During Finals
One student impacted by the hack said he was in a panic when he was logged out of his Canvas account while trying to study for finals at the University of Pennsylvania. “The biggest cause of fear and anxiety in me is that I was deprived of significant resources to study and do the best,” Anish Garimidi, a junior at the university, told CNN.
Canvas is used to manage grades, course notes, assignments, lecture videos, and more. Teachers confirmed they would adapt, but acknowledged this was something nobody could have planned for. “We will just roll with it. Hopefully, everything comes back to normal,” said one Wake County teacher.
Who Is ShinyHunters?
Luke Connolly, a threat analyst at cybersecurity firm Emisoft, described ShinyHunters as a loose affiliation of teenagers and young adults based in the US and UK. The group also has been tied to other attacks including one aimed at Live Nation’s Ticketmaster subsidiary. ShinyHunters has also claimed responsibility for breaching Infinite Campus – a K-12 student information system — and publisher McGraw Hill.
What Students and Parents Should Do Right Now
If your school uses Canvas, assume your name, email, student ID, and course messages may have been accessed. Change your Canvas password immediately — especially if you use the same password for other accounts.
Be especially wary of emails and texts claiming to be from the school or Instructure asking you to “confirm” login details, open unexpected attachments, or pay fees via unusual methods. Instead, open a new browser window and go to the official site directly. Consider using a password manager to create strong, unique passwords for every education platform your child uses.
The May 12 deadline is five days away. Whether Instructure negotiates, ignores, or patches its way out of this – millions of students are caught in the middle.
Disclaimer: This article is for general informational and news reporting purposes only. All breach details, school names, and data claims are based on publicly available reporting from CNN, TechCrunch, WRAL, The Harvard Crimson, The Daily Pennsylvanian, The Duke Chronicle, BleepingComputer, and Malwarebytes as of May 7, 2026. Instructure has confirmed a breach but denies that passwords or financial data were compromised. ShinyHunters’ claims have not been independently verified in all details. TrenBuzz.com does not represent Instructure or any school district. Students and parents should follow official school and Instructure communications for the most current guidance.