Canvas, the LMS that pretty much every college student and teacher lives in, went down hard on May 7 after the hacking group ShinyHunters hijacked login portals at around 330 schools, swapping out the normal login page with an extortion message and giving Instructure until May 12 to pay up or watch their data get dumped publicly.
What Happened
ShinyHunters found a vulnerability in Instructure’s systems and used it to deface Canvas login portals at hundreds of schools. For about 30 minutes, anyone who tried to log into Canvas saw this instead of their dashboard:
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.’ If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately at TOX to negotiate a settlement. You have till the end of the day by May 12 2026 before everything is leaked.”
The message students saw when trying to log into Canvas on May 7, 2026.
It wasn’t just the website either, the same message showed up in the Canvas mobile app. Instructure eventually pulled Canvas offline entirely while they figure out what to do next.
The Broader Breach
This defacement is actually the second hit in a week. Last week, Instructure admitted they were looking into a cyberattack after ShinyHunters claimed they’d stolen 280 million student and staff records from 8,809 schools and education platforms. Instructure confirmed data was taken but said they’re still working through the full picture.
What got grabbed? Names, email addresses, student ID numbers, and private messages between students and teachers. Instructure says passwords, Social Security numbers, and financial data weren’t in the mix — but with the investigation still open, it’s hard to say that with full confidence.
ShinyHunters is also claiming they walked away with 3.65TB of raw data. That’s a lot.
ShinyHunters’ leak site listing for Instructure, updated May 3, 2026 — “FINAL WARNING PAY OR LEAK.”
Real-World Impact
The worst part about the timing? Finals week. Thousands of students across the country suddenly couldn’t access their exams, assignments, or grades with zero notice. Virginia Tech pushed their May 8 finals to May 10. Oklahoma State, Harvard, Rutgers, and the University of Washington all confirmed they were hit. No timeline for when things come back online.
Worth keeping in mind, Canvas is used by about 41 percent of higher education institutions in North America. When Instructure goes down, a huge chunk of academia goes with it.
From the Trenches
I found out the same way most students did, got an official notification from my school while I was sitting down to do some coursework. It’s a different feeling when it’s not just a headline and you actually can’t get to your work.
The thing that gets me about this one isn’t just the breach, it’s the strategy. ShinyHunters didn’t bother targeting individual schools. They went straight for the platform that sits underneath thousands of them. One vulnerability, one vendor, and hundreds of institutions are offline at the same time during the worst possible week of the semester. That’s not luck, that’s calculated.
The May 12 deadline hasn’t passed yet. If Instructure doesn’t play ball, that data is likely going public. In the meantime, keep your guard up, with real names, real course info, and actual message history potentially in attacker hands, any phishing emails that come through are going to look a lot more convincing than the usual garbage.
If you get any Canvas-related emails or messages you weren’t expecting, don’t click anything. Check your school’s official IT page for updates and go from there.
Sources: BleepingComputer, Inside Higher Ed, FOX 13 Seattle, Oklahoma State O’Colly, Virginia Tech Collegiate Times, Harvard Crimson, Rutgers OIT