A cyberattack on Canvas, the world’s most widely used learning management system, has exposed data belonging to roughly 275 million students, teachers, and staff across nearly 9,000 educational institutions worldwide. The breach, carried out by the criminal extortion group ShinyHunters, is now considered the largest education-sector security incident ever recorded.
The hack affected an estimated 9,000 universities, education ministries, and other institutions worldwide, with particularly significant implications in the United States, where Canvas is used by 41% of higher education institutions as well as some K-12 schools. The disruption hit at the worst possible time, as it occurred during the end of the academic year for many institutions, including during final exam periods at some colleges and universities.
How the Attackers Got In
ShinyHunters first gained access to Instructure systems on or around April 25, 2026, exploiting a vulnerability in the company’s Free-For-Teacher account program, a feature that allowed educators to create Canvas accounts without institutional verification. This low-friction onboarding process resulted in weaker trust boundaries between Free-For-Teacher and institutional tenants, all of which shared the same underlying infrastructure.
Instructure confirmed on an FAQ page that it started an investigation after it first detected unauthorized activity in Canvas on April 29, and immediately revoked the intruder’s access. Four days after that, on May 1st, Instructure disclosed the incident publicly and stated by May 2nd that it believed the breach had been contained.
The Second Wave and the Ransom Note
Despite Instructure’s claim that the situation had been resolved, Canvas was hacked again on May 7th. Its login page was replaced with a ransomware message by ShinyHunters. Instructure also found more unauthorized activity tied to the April 29th incident. Someone had changed the pages that appeared when students and teachers logged into Canvas.
ShinyHunters claimed in a ransom note shared on May 3rd via Ransomware.live, which tracks ransomware attacks and groups, that it had breached individuals’ data and had access to “several billions of private messages,” giving a May 6th deadline for Instructure to respond.
When Instructure did not respond, the group escalated. ShinyHunters wrote that Instructure had tried to implement security patches rather than negotiate with the hackers. This prompted the group to cause an outage where their new ransom note was displayed to every user.
Universities across the country, including Columbia University, Rutgers, Princeton, Kent State, Harvard, and Georgetown issued statements alerting students to the hack. School districts in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, Texas, and Wisconsin also reported being affected.
What Data Was Taken
Instructure admitted that ShinyHunters exploited a security vulnerability in its Free-for-Teacher learning system and confirmed that stolen data includes usernames, email addresses, course names, enrollment information, and messages. The company stated that there was no evidence that passwords, dates of birth, government identification numbers, or financial information were compromised.
However, on a dark web leak site, ShinyHunters alleged it had stolen more than 3.65 terabytes of data and threatened to release it unless its demands were met.
Instructure Paid the Ransom
On May 11th, Instructure confirmed it reached an agreement with ShinyHunters and received digital confirmation of data destruction, with assurance that no customers would face further extortion. The company did not disclose the monetary value of the agreement.
This decision drew immediate pushback from cybersecurity professionals. Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, said the payment “reinforces the economic incentive structure behind cyber extortion” and “risks normalizing payment as a viable incident response strategy, which law enforcement agencies consistently warn against because it fuels further attacks across the sector.”
Instructure also notified the FBI and the U.S. Cybersecurity and Infrastructure Security Agency, and hired CrowdStrike to assist with forensic analysis and incident response. The Free-For-Teacher program has since been permanently shut down.
The Threat That Remains
Even with the ransom paid, security researchers say the risks for affected users are not over. Cybersecurity researchers have warned that the stolen data is particularly dangerous because it arms attackers with enough specific context to craft convincing spear-phishing messages, emails that use a recipient’s actual course name, instructor, or real student ID. Instructure itself acknowledged there is “never complete certainty when dealing with cyber criminals.”
This is ShinyHunters’ second attack on Instructure in less than a year. In September 2025, the group compromised Instructure’s Salesforce business systems through social engineering, although no Canvas product data was accessed in that incident. The May 2026 breach went much further, reaching the core of the platform itself.
For now, Instructure says Canvas is fully back online. Affected users are advised to change their Canvas passwords, use strong credentials not shared across other accounts, and stay alert to phishing attempts.
