Canvas Is Down: ShinyHunters Hit Instructure as 275 Million Users Sit Exposed
A ransom note replaced Canvas login pages on May 7 during finals week, knocking the LMS used by 41 percent of North American higher ed offline.
On May 7, 2026, students sitting down for end-of-semester exams opened the Canvas Learning Management System and found their coursework replaced by a ransom note from a cybercrime group called ShinyHunters.
The Platform That Quietly Runs American Higher Education
Canvas is not a household name in the way Google Docs or Zoom became during the pandemic, but for anyone enrolled at a North American university it functions as the operating system of the academic week. Approximately 41 percent of higher-education institutions in North America use Canvas to host coursework, assignments, grades, and direct messages between instructors and students. The platform has more than 30 million global active users and serves more than 8,000 institutional customers worldwide. Its owner, Instructure, is a publicly listed education-technology company headquartered in Salt Lake City, Utah.
That footprint is what turned a single intrusion into a continental academic event. When Instructure placed Canvas into global maintenance mode on the afternoon of May 7, the disruption did not stop at one campus or one school district. It traveled, in the same hour, through the systems of universities including Harvard, Duke, Penn State, Columbia, the University of California system, UCLA, Northwestern, the University of Chicago, the University of Illinois Chicago, the University of Wisconsin–Madison, the University of Pennsylvania, Sacramento State, Wake County Public Schools, and Spokane Public Schools. Forty-four educational institutions in the Netherlands were also listed as affected, alongside schools in Australia and New Zealand.
The timing was not incidental. The outage struck during the final week of the spring academic term at many American universities, the period in which Canvas is doing the most load-bearing work it does all year: hosting end-of-semester exams, accepting final submissions, and routing the messages students rely on to ask last-minute questions of teaching assistants.
ShinyHunters, the Second Visit, and the Moving Deadline
The group claiming responsibility is one that security researchers have tracked since 2020. ShinyHunters is described by researchers as a loose affiliation of teenagers and young adults based in the United States and the United Kingdom. The group is financially motivated and known for selling stolen consumer databases on dark-web forums, typically gaining initial access through stolen employee credentials or compromised third-party software services and then publishing proof samples to pressure victims into paying.
What makes the Canvas incident unusual inside that pattern is that, according to statements ShinyHunters members gave to reporters, this was a second, separate breach of Instructure following an earlier intrusion the group says happened in April 2026. By early May, ShinyHunters say they had stolen personal data belonging to roughly 275 million users across the Canvas platform, including students, teachers, and staff. The group released a list of nearly 9,000 schools, school districts, universities, and online education providers that they claim were affected by the breach.
The extortion ran on a public clock. ShinyHunters set an initial deadline of May 6, 2026 for Instructure to make contact and negotiate. When the company did not, the group extended the threat to May 12, 2026 and, on May 7, escalated from threat to demonstration. They injected an HTML file into Canvas login screens at multiple schools, replacing the normal sign-in page with a message threatening to publish the stolen data. TechCrunch confirmed the defacement at three separate schools before Instructure pulled the platform offline.
An Afternoon at Harvard
The Harvard timeline is the cleanest record of how the outage cascaded in real time at a single institution. The Canvas site at Harvard remained accessible until roughly 2:00 p.m. local time on May 7. By about 3:30 p.m., the portal began redirecting users to the ShinyHunters ransom message. Fifty minutes later, by 4:20 p.m., the screen had switched to a standard maintenance message. By 4:30 p.m. the system was fully inaccessible on both web and mobile.
"Canvas platform is currently unavailable due to a cyber incident," Tim Bailey, a spokesperson for Harvard University Information Technology, said in a statement that afternoon. The brevity was the point. There was no extended explanation to offer at 4:30 p.m. on a Thursday in early May; the platform that hosted the work was simply gone.
A few hundred miles away, Penn State was already managing the operational consequences. The university canceled all tests scheduled for Thursday and Friday at its Pollock Testing Center after losing access to Canvas. Penn State officials told students that no one had access to Canvas and that they did not expect the platform to be restored within the next 24 hours. Late on Thursday night, Instructure posted to its public status page that "Canvas is now available for most users," confirming a partial restoration but not a full one.
What Was Taken, and What Instructure Says Was Not
The numbers on each side of this incident do not line up, and the gap is the most important detail in the public record so far. ShinyHunters claim to hold personal data belonging to roughly 275 million users. Instructure has confirmed something narrower. According to the company, the data the attackers accessed includes user names, email addresses, student ID numbers, and messages exchanged among users on the platform. Instructure publicly stated it found no indication that passwords, dates of birth, government identifiers, or financial information were compromised in the incident.
That distinction matters for the millions of students, teachers, and administrators trying to assess their personal exposure this week. The categories Instructure has ruled out are the ones most directly tied to financial fraud and identity theft. The categories the company has confirmed, names, school-issued email addresses, student ID numbers, and message contents, are the raw material for targeted phishing campaigns and for any reporting that draws on the substance of private exchanges between instructors and students.
Local statements have hewed close to the same line. "We are not aware of any sensitive data contained in this breach," Spokane Public Schools said in a statement on May 7. The carefulness of that language, aware rather than confident, is consistent with what is publicly known: the full inventory of what ShinyHunters actually exfiltrated has not been independently audited.
The Open Questions Heading Into May 12
Two questions sit at the center of the story and remain unanswered in public reporting. The first is the price. No public source has confirmed the specific dollar amount ShinyHunters demanded from Instructure, and the company has not disclosed one. The second is the response. Instructure has not publicly confirmed whether it has paid, will pay, or will refuse to pay any ransom. The silence is itself the public posture, and it is the posture every other institution on the leaked victim list is now reading for signal.
What is fixed is the calendar. The extended extortion deadline is May 12, 2026. Between now and then, the partial restoration noted on Instructure's status page has to hold; nearly 9,000 institutions on the leaked list have to decide what, if anything, to communicate to the people in their care; and the gap between the 275 million figure ShinyHunters cite and the narrower set of data categories Instructure has confirmed has to either close, through new disclosure, or remain the defining ambiguity of the incident.
For the academic year, the immediate damage is already on the record. Exams were canceled, deadlines were moved, and the platform that quietly underwrites a large share of North American higher education spent an afternoon hosting an extortion message instead of a final exam.
Sources
- The Verge (theverge.com)
- TechCrunch (techcrunch.com)
- CBS News (cbsnews.com)
- Malwarebytes (malwarebytes.com)
- The Harvard Crimson (thecrimson.com)
- Wikipedia (en.wikipedia.org)