Canvas platform goes offline following ShinyHunters ransom demand after massive data breach
ShinyHunters claims responsibility for the intrusion and has issued a deadline for institutions to negotiate a settlement before releasing stolen personal data.
The Instructure-owned learning management platform, Canvas, is currently unavailable following a confirmed data breach and a ransom message attributed to the cybercriminal collective ShinyHunters. The outage affects the main Canvas environment, as well as Canvas Beta and Canvas Test, leaving millions of users unable to access their systems while Instructure investigates the disruption.
ShinyHunters has claimed responsibility for the attack, stating that they have compromised data belonging to 275 million students, teachers, and staff across 9,000 schools. The group asserts that the stolen information includes names, email addresses, ID numbers, and private messages. This incident marks a second separate breach attributed to the collective against Instructure Canvas, following earlier incidents where the group defaced login portals for three separate educational institutions with similar extortion demands.
In their ransom communication, ShinyHunters accused Instructure of ignoring their initial requests to resolve the issue and instead deploying security patches, which the attackers claim prompted the current platform unavailability. The message directed affected schools to contact the group privately to negotiate a settlement and prevent the public release of the stolen data. The hackers set a deadline for schools to respond by 12 May 2026, after which they threatened to leak the information.
Instructure previously acknowledged the breach last week and stated that it had deployed patches to enhance system security. The company's status page confirms that the platform is currently down while the issue is being investigated. The attackers provided a link to a list of schools they claim to have breached through Canvas, though the specific volume of data leaked and the full extent of the impact remain based on claims made by the group and third-party reporting rather than an independent forensic audit.
ShinyHunters is a known cybercriminal collective with a history of high-profile attacks on major organisations including Ticketmaster, AT&T, Rockstar Games, ADT, and Vercel. This latest operation against the education sector highlights the ongoing risks facing digital infrastructure and the potential for widespread disruption when security vulnerabilities are exploited by organised crime groups.
