Cybersecurity Tech News, May 9, 2026

Canvas Hack Puts 275M Students at Risk

The criminal hacking group ShinyHunters has claimed responsibility for breaching Instructure, the parent company of Canvas LMS — used by nearly 9,000 schools worldwide. Up to 275 million student and staff records are at risk, with a ransom deadline of May 12, 2026. Here's the full story.

If you or your child attends a university or school that uses Canvas — the world's most widely used learning management system — your personal data may already be in criminal hands. The breach is massive, the ransom clock is ticking, and the institutions most affected are the ones least equipped to respond.

What Happened

On April 30, 2026, a criminal extortion group identifying itself as ShinyHunters exploited a vulnerability in systems operated by Instructure, the Utah-based company that owns and operates Canvas. Instructure confirmed on May 1 that attackers had gained access, forcing the company to take down Canvas Data 2 and Canvas Beta environments.

By May 3, ShinyHunters formally claimed responsibility and began making demands. By May 7, the group had escalated — defacing login pages at multiple Canvas-connected institutions with extortion messages, demanding payment or threatening to release the entire dataset publicly.

The Scale: 275 Million Records

The numbers are difficult to process. According to reports:

  • 275 million records potentially exposed — students, teachers, and administrative staff
  • ~9,000 educational institutions affected globally
  • Billions of private messages between students and teachers included in the dataset
  • Data includes: names, student IDs, email addresses, and internal platform messages

Notably, passwords and banking details were not included in the breach — but the combination of student IDs, names, and private messages creates a rich dataset for targeted phishing, identity theft, and social engineering attacks.

The Ransom Deadline: May 12

ShinyHunters set a public deadline of end of day May 12, 2026, threatening to leak everything publicly once it passes. The University of Pennsylvania confirmed that data from its systems had already been leaked after it refused to pay a $1 million ransom.

San Diego-area campuses, multiple Missouri universities including St. Louis University and the University of Missouri, and dozens of institutions across the UK and Australia have confirmed they are affected.

What Students and Staff Should Do Right Now

  1. Change your Canvas password immediately — even though passwords weren't in this breach, ShinyHunters has access to credentials from previous breaches
  2. Enable multi-factor authentication on all accounts linked to your institution email
  3. Be hyper-vigilant about phishing emails — attackers now know your name, student ID, and who your professors are
  4. Watch for unusual account activity on any platform you use the same email for
  5. Contact your institution's IT security team for specific guidance

This breach is a stark reminder that educational institutions — chronically underfunded on cybersecurity — are among the most attractive targets for ransomware groups. Centralised platforms serving millions of students are exactly the kind of high-value, low-security targets that groups like ShinyHunters hunt for.
