What's new since our earlier coverage: Since our initial post on this breach, ShinyHunters has dramatically escalated — defacing Canvas login pages directly, forcing dozens of major universities to reschedule final exams, and confirming that the attacker retained access even after Instructure declared the incident "contained." New details have also emerged about the breach vector and ShinyHunters' broader attack pattern against Instructure going back to September 2025.
If your child logged into Canvas this week and saw a ransom demand where their coursework should have been, you weren't imagining things — and you're not alone. What started as a quietly disclosed data breach has turned into one of the most disruptive cyberattacks on American education in recent memory, and it's still unfolding.
Here's what happened, what it means for your family, and — most importantly — what you should do right now.
What Happened to Canvas?
Canvas is a Learning Management System (LMS) built by Instructure, a Salt Lake City-based educational technology company founded in 2008. It supports tens of millions of users across more than 100 countries and, according to Baylor University's notice to students, is used by 41% of higher education institutions in North America.
The trouble began when the cybercriminal group ShinyHunters claimed it had quietly breached Instructure's systems and stolen a massive trove of data. Instructure's CISO Steve Proud publicly acknowledged the incident and, on May 6, said the company believed it had been "contained."
That containment didn't hold.
On May 7, students trying to log into Canvas at schools across the country — including Duke, Princeton, Northwestern, the University of Florida, Ohio State, Iowa State, and dozens more — were greeted not by their course materials but by an on-screen ransom note from ShinyHunters. Malwarebytes reports the group used another vulnerability in Instructure's systems to modify Canvas login portals for hundreds of institutions, defacing both the web login and the Canvas mobile app simultaneously.
The note read: "ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it, they ignored us and did some 'security patches.'" A deadline of May 12 was set for Instructure and affected schools to negotiate.
Instructure's response was to pull Canvas offline entirely — which prompted its own backlash when the company's status page described the outage as "scheduled maintenance." Dipan Mann, founder and CEO of security firm Cloudskope, called out Instructure for that characterization directly.
Finals Week. Worst Possible Timing.
The timing couldn't have been more damaging. The Record reports that multiple universities were forced to delay final exams after students were locked out of the platform for several hours. Social media filled with students joking and panicking in equal measure — many of whom had assignments, quizzes, and course submissions due.
Several K-12 school districts were also impacted by the outages.
What Data Was Stolen?
According to Instructure, the stolen data includes:
- Names
- Email addresses
- Student ID numbers
- Messages between users
The company says it found no evidence that passwords, dates of birth, government identifiers, or financial information were included. ShinyHunters, however, claims the haul includes data on approximately 275 million students from 8,800 to 9,000 academic institutions — and Krebs on Security notes the group also claims to hold several billion private messages between students and teachers.
Instructure confirmed the initial breach vector: hackers exploited an issue related to Free-for-Teacher accounts — the same vulnerability that enabled the first intrusion and that ShinyHunters leveraged again for the May 7 defacement. Instructure has since shut down Free-for-Teacher accounts entirely.
This May Be the Third Breach in Eight Months
Cloudskope's Mann points out that this attack follows a pattern stretching back to September 2025, when ShinyHunters released thousands of internal University of Pennsylvania files — donor records, internal memos, and confidential materials — through what investigators later determined was partly a Canvas/Instructure-mediated access path. Penn failed to pay a reported $1 million ransom demand, and ShinyHunters published 461 megabytes of stolen data in March 2026.
Mann's conclusion is stark: "The September 2025 Penn breach was the proof of concept. The May 1, 2026 incident was the production run. The May 7, 2026 recompromise was ShinyHunters demonstrating publicly that the May 2 'containment' did not happen."
And this isn't the only ShinyHunters campaign active right now. Charles Carmakal, CTO at Google-owned Mandiant Consulting, told Krebs on Security that "there are multiple concurrent and discrete ShinyHunters intrusion and extortion campaigns happening right now." The group has also recently claimed attacks on ADT, Rockstar Games, McGraw Hill, and Carnival cruise lines.
6 Steps Parents and Students Should Take Right Now
Whether your child's school is one of the thousands confirmed affected or you're not yet sure, treat this as if your data was exposed. Here's what ZDNet and Malwarebytes recommend:
1. Change your Canvas password now. Don't wait for official confirmation. If you've reused that password anywhere else — your email, your school portal, your bank — change those too. Consider using a password manager to generate strong, unique passwords for each account.
2. Enable two-factor or multi-factor authentication (2FA/MFA). If Canvas or your school's login system supports it, turn it on today. This single step makes it dramatically harder for attackers to use stolen credentials even if they have your password.
3. Check Have I Been Pwned. Visit haveibeenpwned.com and search your email address. It's free. While the Canvas data may not appear there immediately, it's worth bookmarking and checking regularly — and you may discover other breaches you weren't aware of.
4. Watch for phishing emails. This is the real long-term danger. If your child's name, email, school name, and course information are all in the hands of criminals, they have everything they need to write a convincing fake email from a teacher, financial aid office, or Canvas itself. The Record quotes Arctic Wolf CISO Adam Marrè: "The biggest risk after incidents like this is not instant identity theft but scams that surface weeks or months later and appear legitimate." Verify anything unexpected by phone before clicking any link.
5. Stay in touch with your school. Check your school or district's official website and communication channels for updates specific to your institution. If Canvas was their primary platform, they may be distributing coursework through alternate channels in the meantime.
6. Monitor your child's credit and financial activity. Stolen names and contact information can be combined with data from other breaches over time. As children get older and begin establishing financial accounts, the risk of identity fraud from old breached records grows. Malwarebytes specifically recommends monitoring financial and credit activity as children age into adulthood.
What About Schools and Districts?
If you're an IT administrator, superintendent, or school business manager: now is the time to review every third-party ed-tech platform you use, audit single sign-on (SSO) integrations, and make sure your incident communication plan is ready before the next defacement, not after. The Canvas incident shows that even a vendor's "containment" statement can be premature.
If you need a second set of eyes on your district's or business's security posture, we're happy to help — our business IT services are designed for exactly these situations.
The Canvas breach is a reminder that the software platforms we trust our children's education to carry real security risks — and that when those platforms fail, the consequences land on students, parents, and teachers, not just IT departments. Staying informed and taking even a few basic protective steps can make a meaningful difference in limiting the fallout.
