Millions of students, teachers and university staff across the United States woke up on May 7, 2026, to find Canvas one of the most widely used educational platforms in the world inaccessible. The outage is tied to a significant data breach carried out by ShinyHunters, a well known cybercrime group that has now set a hard deadline of May 8 for Instructure, Canvas’ parent company, to make contact or face a mass leak of stolen data.
The breach, which ShinyHunters claims to have executed on May 1, represents one of the most far reaching attacks ever carried out against the education technology sector.
What happened and who is behind it
ShinyHunters posted details of the attack on dark web forums, claiming it had successfully infiltrated Instructure’s systems and gained access to data belonging to 275 million users spread across approximately 9,000 institutions, including K-12 schools, colleges and universities in North America and beyond. The group issued a blunt ultimatum pay or leak and threatened to release billions of private messages exchanged on the platform between students, teachers and staff unless Instructure responded by the deadline.
The original deadline was reportedly May 6, but the group extended it slightly after what appear to have been stalled or nonexistent negotiations. A spokesperson for ShinyHunters claimed Instructure had made no direct contact with the group.
Which schools and institutions are affected
The scale of the breach is difficult to overstate. Canvas is used by more than 40 percent of higher education institutions in the United States, which means the ripple effects of this attack are being felt at campuses from coast to coast. All eight Ivy League universities are listed among the affected institutions on the group’s leaked victim list. The University of Pennsylvania alone is reported to have more than 306,000 affected users, a figure that includes current and former students as well as faculty and staff.
The affected institutions span multiple countries, making this a globally significant incident rather than one confined to the U.S. education system.
What data was taken
Instructure confirmed that some user information was compromised in the breach. According to the company’s chief information security officer, Steve Proud, the data involved includes names, email addresses, student ID numbers and messages exchanged between users. Proud stated in a public update that the company found no evidence that passwords, dates of birth, government identification numbers or financial information were part of what was taken.
ShinyHunters, however, claims its haul is far more extensive. The group says it possesses billions of private messages from the platform, which could include personal conversations, contact details and other sensitive information shared between users in what they believed were private exchanges.
Canvas goes down across the U.S.
The platform experienced a widespread outage on May 7, the same day the breach details became widely known. Reports began flooding in during the early afternoon, and by 1:40 p.m. PT, the outage tracking site Downdetector had logged close to 10,000 reports of users being unable to access Canvas. Complaints centered on inability to reach courses, assignments and messages. Canvas official status page acknowledged the disruption, noting that the team was investigating issues related to student ePortfolios while the platform was under maintenance.
Instructure stated it had taken steps to contain the attack, including revoking compromised credentials, rotating security keys, deploying patches and strengthening its monitoring systems. Whether the May 7 outage was a direct result of those containment efforts or something else remains unclear.
Why hackers are now targeting education platforms instead of individual schools
Cybersecurity experts say the ShinyHunters attack on Instructure reflects a broader and increasingly common strategy among criminal hacking groups. Rather than targeting individual universities one by one a slow and resource intensive approach groups like ShinyHunters are now going after the technology vendors that hundreds or thousands of schools rely on simultaneously.
Doug Thompson, chief education architect at cybersecurity firm Tanium, described the strategy as moving up the data supply chain, meaning a single successful breach of a vendor like Instructure gives attackers access to the data of every institution that uses its platform.
This is not ShinyHunters first attempt at this kind of vendor level attack. The group has previously been linked to breaches involving Salesforce, Infinite Campus and McGraw Hill Education. With real names, verified email addresses and the content of private messages now potentially in hand, security experts warn that highly personalized phishing attacks targeting students and educators could become far more convincing in the weeks ahead.
