A Canvas hack has exposed nearly 280 million records from faculty, staff, and students across 8,809 colleges, online learning platforms, and school districts.
Instructure-owned Canvas learning management system (LMS) enables schools, universities, and online learning platforms to communicate with their students, manage coursework, assign work, and grade tests.
Upon learning of the cyber intrusion on May 1, 2026, Instructure put Canvas in maintenance mode, revoked or rotated authentication tokens, increased system monitoring, and hired experienced third-party cyber forensic experts.
“Instructure recently experienced a cybersecurity incident perpetrated by a criminal threat actor. We are actively investigating this incident with the help of outside forensics experts,” the LMS giant stated.
Canvas hack disrupts learning activities across institutions
Learning activities across multiple institutions were temporarily disrupted after files and other resources became temporarily unavailable. Students took to social media and online learning forums, complaining that Canvas system instability prevented them from downloading files or submitting assignments, potentially affecting their ability to complete their end-of-year assignments.
Meanwhile, Instructure has acknowledged the Canvas hack and confirmed that it exposed names, email addresses, student ID numbers, and messages exchanged between Canvas users, which could contain sensitive details shared among students or with learning institutions. Instructure also disclosed that the threat actor exploited a security flaw in the Free-For-Teacher functionality.
However, the Canvas hack never exposed birth dates, financial information, government-issued IDs such as driver’s license numbers and passport numbers, or login credentials.
Nonetheless, students were advised to be on the lookout for potential phishing attacks and account takeover attempts by cybercriminals.
So far, the University of Colorado Boulder has confirmed it was affected by the nationwide Canvas data breach. Rutgers University and Tilburg University have also launched independent investigations to determine if the Canvas hack had affected their faculty, staff, and students.
Harvard University, Columbia University, and Georgetown University also notified their students about the Canvas hack, preparing them for possible disruptions to avoid unnecessary frustrations.
Canvas remained unavailable throughout Thursday afternoon. However, by May 6, 2026, Instructure confirmed that it had resolved the Canvas hack and had not observed any further threat actor activity.
“The breach affecting Instructure is a serious incident, and the scale being reported, which includes hundreds of millions of users across thousands of institutions globally, reflects the kind of high-value target ShinyHunters has pursued with increasing frequency,” said Darren Guccione, CEO & Co-Founder, Keeper Security. “Educational platforms hold an unusual concentration of sensitive data, such as personal identifiers, institutional records and private communications, making this a particularly consequential exposure.”
ShinyHunters takes responsibility for the Canvas hack
ShinyHunters has taken responsibility for the Canvas hack and threatened to leak sensitive information online, including personal information and private messages. The group listed the affected learning institutions and the number of records involved, with some schools having millions of personal records exposed.
The group claims it stole approximately 3.65TB of data from thousands of schools worldwide using the Canvas export feature, DAP queries, reports, and APIs.
ShinyHunters also defaced schools’ Canvas portals with a ransom message demanding payment by May 12, 2026, and threatening to publish the stolen information online.
Additionally, the hacking group accused the LMS giant of ignoring its attempts to reach out and negotiate for a ransom.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches,’” the group stated.
The cybercrime group also attempted to extort affected universities directly, urging them to contact the gang to prevent their data from being leaked online.
“This is not Instructure’s first encounter with ShinyHunters,” added Guccione. “In September 2025, the group breached the company’s Salesforce environment via social engineering. ShinyHunters now claims this latest attack reached the same environment, this time through a vulnerability that has since been patched. Two confirmed breaches by the same threat actor on the same platform suggests a pattern that demands scrutiny of whether remediation following the first incident went far enough.”
ShinyHunters also claims it breached Instructure’s Salesforce instance and obtained more sensitive information. The group recently claimed responsibility for the GTA V and Red Dead Redemption 2 Maker Rockstar Games through cloud provider Snowflake, after compromising Anodot third-party integrations and stealing authentication tokens.
Video hosting and sharing platform Vimeo has also confirmed a data breach stemming from the Anodot hack. Other organizations victimized by ShinyHunters include SoundCloud, Ticketmaster, AT&T, and Vercel.
“ShinyHunters has previously targeted organizations including Google, AT&T and Air France-KLM via Salesforce environments, and the group has demonstrated a sustained, systematic focus on cloud infrastructure and SaaS platforms rather than traditional network intrusion,” continued Guccione. “Whether the entry point is a misconfiguration, a social engineering interaction or an exploited vulnerability, attackers are continuing to identify the weakest point in how access to cloud environments is governed, with the intention of moving quickly once inside.”
