For millions of students pulling all-nighters during Znals week, May 7, 2026 started as any other stressful Thursday. Then, at roughly 1:20 p.m. PaciZc time, something strange began spreading across university campuses. Students logging into Canvas — the digital backbone of coursework, assignments, grades, and communication at thousands of schools — were not greeted by their dashboards. Instead, they found a threatening message from a cybercriminal group called ShinyHunters.
Within hours, what started as confused Reddit posts hadbecome a full-blown crisis. The Canvas hack is now officially the largest education security breach in history. It has affected universities, K-12 districts, and education ministries across at least eight countries. Utah-based Instructure faced pressure from a furious hacking group, worried school administrators, and millions of students during one of the busiest times of the academic year.
This report explains what experts have confirmed, what investigators still dispute, and what students, parents, and educators need to know right now.
What Is Canvas — and Why Does It Matter?
Canvas is a cloud-based Learning Management System (LMS) developed by Instructure, a private company headquartered in Salt Lake City, Utah. It serves as the digital classroom hub for coursework management, grade tracking, assignment submissions, quizzes, and direct messaging between students and faculty. According to Instructure’s own Zgures, the platform has more than 30 million active users worldwide.
In the United States alone, Canvas is used by 41% of higher education institutions, making it the country’s most widely deployed LMS. Beyond universities, many K-12 school districts — including entire county systems like Wake County Public Schools in North Carolina — depend on it daily. When Canvas goes dark, the educational supply chain efectively stops.
Who Are ShinyHunters?
ShinyHunters is not a new name in the cybersecurity world. Threat intelligence analysts describe the group as a loose, financially motivated collective of teenagers and young adults from the United States and the United Kingdom that likely formed around 2020. Luke Connolly, a threat intelligence analyst at cybersecurity Zrm Emsisog, characterizes the group as opportunistic extortionists who follow a repeatable playbook: breach a high-value target, publicize the theg, and demand a ransom before leaking the stolen data publicly.
Their track record is substantial. In 2024, they claimed responsibility for stealing the personal details of 560 million Ticketmaster customers from Live Nation’s database. They have also targeted AT&T, Rockstar Games, and Salesforce. In 2024, the U.S. Department of Justice sentenced a 22-year-old French national, Sébastien Raoult, identiZed as a ShinyHunters member, to three years in prison and ordered him to pay over $5 million in restitution for wire fraud and identity theg. Despite that prosecution, the group has continued to operate.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.'” — SHINYHUNTERS RANSOM NOTE, MAY 7, 2026
A Timeline of the Attack
APRIL 29, 2026
Instructure detects the Zrst signs of unauthorized activity inside its Canvas environment. The exposure window opens.
MAY 1, 2026
Instructure publicly discloses a cybersecurity incident, saying it has been “contained.” The company says passwords, Znancial data, and government IDs do not appear to have been compromised.
MAY 3, 2026
ShinyHunters goes public on threat intelligence platform Ransomware.live, claiming to hold 275 million records from nearly 9,000 schools. They demand contact by May 6 or they will leak everything.
MAY 7, 2026 — 1:20 P.M. PDT
Canvas login pages at institutions across the U.S. are defaced. Millions of students see the ShinyHunters ransom message instead of their course dashboards. The deadline is extended to May 12.
MAY 7, 2026 — 8:00 P.M. EDT
Instructure replaces the ransom message with a maintenance alert and begins investigating. Canvas Beta and Canvas Test remain ooine.
MAY 8, 2026
Canvas comes back online ager Instructure permanently shuts down its Free-For-Teacher account program. API keys are rotated. Law enforcement is engaged.
MAY 9–12, 2026
Ransom deadline is still active as of publication. Instructure has notconZrmed whether any payment was made. Full scope of the breach remains under investigation.
How Did the Hackers Get In? The Free-ForTeacher Vulnerability
The technical entry point has now been identiZed. According to Instructure and a detailed technical advisory published by Bitdefender, the attackers exploited a design weakness in Instructure’s Free-For-Teacher account program — a feature that allowed individual educators to create Canvas accounts without requiring institutional veriZcation or formal enrollment through a paid district or university license.
These accounts, while logically isolated, shared the same underlying infrastructure as paid institutional tenants. That meant the same platform, the same databases, and the same back-end systems served both veriZed university deployments and unveriZed individual teacher accounts. The trust boundary between these two environments was considerably weaker than the sensitivity of the data it was protecting.
Instructure conZrmed the exposure window ran from April 30 to May 7, 2026. Once they identiZed the exploit, they permanently shut down the entire Free-For-Teacher program — a drastic but necessary measure that allowed them to restore access to the rest of the platform. The company also revoked privileged credentials and rotated API keys across theenvironment.
Critically, this was not ShinyHunters’ Zrst breach of Instructure. A September 2025 incident involved the same hacking group targeting Instructure’s Salesforce business systems through social engineering. That earlier attack did not involve Canvas product data, but it signaled a persistent adversary that had been studying Instructure’s infrastructure for months before landing on a far more damaging exploit.
What Data Was Exposed?
Instructure confirmed that hackers exposed full names, email addresses, student ID numbers, and private messages shared between students and instructors on the Canvas platform. The company has stated there is no evidence that passwords, dates of birth, government identiZcation numbers, or Znancial information were part of the breach.
ShinyHunters, for their part, claimed a far larger trove — asserting they obtained 3.65 terabytes of data covering approximately 275 million individual records, along with access to billions of private messages. These Zgures have not been independently veriZed as of the publication of this report. Queensland’s Minister of Education John-Paul Langbroek cited a Zgure of 200 million people impacted by the attack, based on information available to Australian authorities.
Even the conZrmed data — names, email addresses, and student IDs combined with private messages — is enough to enable highly targeted, personalized phishing attacks. Security researchers at Times Higher Education warned that the stolen information could be weaponized to crag convincing impersonation emails from faculty to students and vice versa, making future scams signiZcantly harder to detect.
Which Schools Were Hit?
The geographic and institutional scope is staggering. Educational institutions in the United States, Canada, the United Kingdom, Australia, New Zealand, Sweden, the Netherlands, and Singapore all reported disruptions or conZrmed exposure. In the U.S., speciZcally named institutions include Arizona State University, the University of Illinois, Illinois State University, Northwestern University, the University of Chicago, Baylor University, the University of Maryland, the University of Pennsylvania, the University of Oklahoma, and the University of California, Riverside, among many others.
K-12 systems were not spared. Wake County Public Schools — which serves all high schools in one of North Carolina’s largest districts — conZrmed that students received the ransom message and temporarily removed Canvas access from its login portal. Durham Public Schools said personal data including student and parent account information may have beenaccessed. Cumberland County Schools shiged to alternative instruction methods while the platform was down.
In Australia, the University of Melbourne, University of Technology Sydney, RMIT, Gri]th University, Adelaide University, and the University of Canberra all reported impact and ofered assignment extensions to afected students. Both UTS and Adelaide University proactively disabled Canvas access as a precautionary measure.
The Timing Could Not Have Been Worse
The attack landed during one of the most academically sensitive periods of the year. For most American universities, early May marks Znal examination season — a time when students rely on Canvas to access review materials, submit papers, take online exams, and check grades. The University of Illinois postponed all Znal exams and assignments scheduled for that Friday, Saturday, and Sunday. Multiple professors scrambled to distribute class materials through email, personal websites, and Zle-sharing platforms.
A University of California, Riverside student described the experience to CNN as “a little bit of a freakout,” noting she had missed a quiz and relied on Canvas to revisit recorded lectures before her upcoming midterm. At Arizona State University, endof-year celebrations were temporarily halted while the administration assessed the situation.
What Is Instructure Doing About It?
Instructure permanently terminated the Free-For-Teacher account program — the gateway through which the attack was executed. The company has engaged external forensic investigators and is cooperating with law enforcement. API credentials have been rotated and privileged account access has been revoked. Canvas was declared fully restored on May 8, though some institutions continued to restrict access pending their own internal security assessments.
Cybersecurity advisors recommend that schools rotate their own API credentials, conduct elevated phishing awareness training for at least 90 days following the breach, and monitor authentication logs for anomalous activity. Any institution that had Free-For-Teacher accounts integrated into its environment should treat those integrations as potentially compromised.
Conclusion
The 2026 Canvas breach is a watershed moment for ed-tech security. It exposes a structural vulnerability that exists across much of the educational technology sector: platforms that serve tens of millions of users ogen carry lower-friction onboarding features — designed to make adoption easier — that share infrastructure with highly sensitive institutional data. The cost of that convenience, in this case, may be measured in hundreds of millions of student and faculty records sitting on a criminalgroup’s servers.
The 2026 Canvas breach is a watershed moment for ed-tech security. It exposes a structural vulnerability that exists across much of the educational technology sector: platforms that serve tens of millions of users ogen carry lower-friction onboarding features — designed to make adoption easier — that share infrastructure with highly sensitive institutional data. The cost of that convenience, in this case, may be measured in hundreds of millions of student and faculty records sitting on a criminalgroup’s servers.
The ransom deadline of May 12 has not yet passed as this report goes to print. Whether Instructure pays, whether the data is leaked, and what regulatory and legal consequences follow will determine how the full story ends. What is already clear is that for students, educators, and institutions worldwide, the fallout from this breach will extend well beyond the end of Znals week.
Frequently Asked Questions
Q. Was my password stolen in the Canvas hack?
Instructure has stated there is no current evidence that passwords were part of the exposed data. However, as a precaution, changing your Canvas password and any accounts that share the same credentials is strongly recommended.
Q. Which schools were confirmed as a ected?
ShinyHunters published a list claiming 8,809 institutions. ConZrmed U.S. schools include Arizona State, University of Illinois, Northwestern,University of Pennsylvania, UC Riverside, and many more. In Australia, University of Melbourne, RMIT, and UTS were among those impacted.
Q. What data was actually stolen?
Instructure conZrmed exposure of names, email addresses, student ID numbers, and private messages between users. ShinyHunters claims a far larger dataset of 275 million records; this remains unveriZed by independent parties.
Q. Is Canvas safe to use now?
Instructure declared Canvas fully restored on May 8 ager shutting down the Free-For-Teacher program. Many institutions have independently veriZed their systems and re-enabled access. However, users should remain alert for phishing emails that may exploit the stolen data in the weeks ahead.
Q. Who are ShinyHunters and have they done this before?
ShinyHunters is a Znancially motivated hacking collective active since around 2020. Prior targets include Ticketmaster (560 million records), AT&T, Salesforce, and Rockstar Games. A member was sentenced in 2024 to three years in U.S. federal prison.
Q. What should students do right now?
Change your Canvas password immediately, enable two-factor authentication on all academic accounts, be highly suspicious of any emails referencing your coursework, grades, or Znancial aid that you did not initiate, and report suspicious emails to your institution’s IT department.
Q. Did Instructure pay the ransom?
As of May 10, 2026, Instructure has not publicly conZrmed or denied paying a ransom. The deadline ShinyHunters set is May 12, 2026. This storycontinues to develop.
References & Citations
1. Wikipedia. (2026, May 8). 2026 Canvas security incident. Wikimedia Foundation. en.wikipedia.org
2. Timberg, C., & Menn, J. (2026, May 9). Canvas hack: What we know about apparent cyberattack that impacted thousands of schools. CNN. cnn.com
3. Whittaker, Z. (2026, May 7). Hackers deface school login pages aKer claiming another Instructure hack. TechCrunch. techcrunch.com
4. Bitdefender Business Insights. (2026, May 9). Technical Advisory: ShinyHunters Breach of Instructure Canvas LMS. bitdefender.com
5. Schwartz, M. (2026, May 9). What to Know About the Canvas Cyberattack That’s AQected Thousands of Schools. TIME. time.com
6. Gaynor, T. (2026, May 8). Canvas hacked: Data breach aQects schools nationwide. ABC7 Chicago / WLS. abc7chicago.com
7. WRAL News. (2026, May 8). ‘Security patches’ put student learning system back online aKer hack. Wral.com
8. EdScoop. (2026, May 8). ShinyHunters claims nearly 9,000 schools aQected by Canvas data breach. edscoop.com
9. Times Higher Education. (2026, May 8). Personalised phishing attacks likely aKer global Canvas hack. timeshighereducation.com
