Canvas LMS Hacked 2026: Why Canvas Went Down, the ShinyHunters Data Breach, and What Every Student Must Do Right Now
The Canvas LMS cyberattack disrupted millions of students during finals week 2026. | Illustration: DailyUpdates360
Millions of students across the United States and the world woke up on May 7, 2026 to a nightmare they never expected during finals season — their Canvas LMS was hacked, their login pages hijacked by a ransom message, and an estimated 275 million records potentially in the hands of one of the internet’s most brazen hacking groups. Here is the complete story of why Canvas went down, who did it, what data was stolen, and exactly what you need to do to protect yourself.
If you use Canvas LMS, change your password immediately, watch for phishing emails, and follow your school’s official guidance. ShinyHunters has a May 12 deadline to release stolen data unless Instructure pays a ransom.
What Is Canvas LMS and Why Was It Hacked?
Canvas LMS (Learning Management System) is a product of Instructure, a US-based educational technology company. Used by more than 30 million active users worldwide, Canvas is the digital backbone of higher education and K-12 schooling in dozens of countries. Students submit assignments, access lecture videos, receive grades, and communicate with professors entirely through Canvas. When Canvas goes down, education effectively stops.
That is precisely what made the Canvas data breach of May 2026 so devastating. The timing — right in the middle of finals week for universities across North America — was not accidental. Hackers know that disrupting education platforms during high-stakes exam periods maximizes pressure on institutions to pay ransoms quickly.
The Canvas Hack Timeline: How It All Unfolded
This was not a single, sudden attack. The Instructure Canvas hack had been building for weeks before the dramatic outage on May 7. Here is the complete timeline of events:
Instructure first detects unauthorized access on its systems. The company begins an internal investigation but does not make it public.
ShinyHunters exploits a vulnerability and gains deep access to Canvas infrastructure. Canvas Data 2 and Canvas Beta are taken offline. Schools start noticing API failures and third-party integration issues.
Instructure publicly confirms a cybersecurity incident, saying it has been “contained.” The company reveals that names, email addresses, student IDs, and some private messages were exposed. Canvas Data 2 is restored by May 3.
ShinyHunters lists Instructure on their dark-web leak site with a blunt “PAY OR LEAK” threat, claiming 275 million records stolen from 9,000 schools. A May 6 deadline is set. The leak list includes Harvard, MIT, Stanford, Oxford, and thousands more.
ShinyHunters attacks again, directly defacing Canvas login pages at affected schools with ransom messages. Students trying to access Canvas mid-afternoon are greeted with the hacker message instead. Instructure places all Canvas platforms in maintenance mode. The platform goes dark globally. The new deadline is extended to May 12, 2026.
Canvas is restored for most users by late evening of May 7. Canvas Beta and Canvas Test remain offline. Instructure removes the ShinyHunters listing from their leak site, fueling speculation that a negotiation may be underway.
ShinyHunters is believed to be a loose network of young hackers based in the US and UK. | Illustration: DailyUpdates360
Who Is ShinyHunters? The Group Behind the Canvas Cyberattack
Understanding the Canvas LMS hack requires understanding the group responsible for it. ShinyHunters is a cybercriminal syndicate described by Luke Connolly, a threat intelligence analyst at cybersecurity firm Emsisoft, as a “loose affiliation of teenagers and young adults based in the US and the United Kingdom.” Despite sounding almost amateurish, this group is anything but.
Formed around 2020, ShinyHunters has been linked to some of the most high-profile data breaches of the past several years. Their previous victims read like a who’s who of major corporations and institutions:
- Ticketmaster / Live Nation (2024) — 560 million customers’ personal and partial payment details stolen
- AT&T (2024) — Massive customer records exposed on dark web forums
- Salesforce (2025) — Targeted enterprise environments via sophisticated vishing (voice phishing) campaigns
- Rockstar Games — Game developer data breach, leaked footage of unreleased titles
- McGraw-Hill (April 2026) — 13.5 million email addresses confirmed stolen just weeks before the Canvas attack
- University of Pennsylvania, Harvard, Princeton (Late 2025) — Direct university breaches preceding the larger Instructure attack
- Vimeo (May 2026) — Simultaneous breach via a supply chain attack through partner company Anodot
Security researchers link ShinyHunters to a broader cybercrime supergroup alongside Scattered Spider and LAPSUS$, all sharing overlapping members rooted in youth cybercrime culture. Despite arrests in Canada, France, Turkey, and Finland — including the 2024 sentencing of French member Sebastien Raoult to three years in prison — the group has not slowed down.
“ShinyHunters is a loose group of teenagers and young adults based in the US and the United Kingdom. The group is believed to have formed in 2020 and has been involved in previous high-profile hacking incidents.”
— Luke Connolly, Threat Intelligence Analyst, Emsisoft
What Data Was Stolen in the Canvas Data Breach?
One of the most critical questions for students and parents is: what exactly was stolen? Based on confirmed statements from Instructure and claims from ShinyHunters, here is what we know about the Canvas student data breach:
Confirmed Exposed by Instructure:
- Full names of students, staff, and faculty
- Institutional email addresses (primarily .edu accounts)
- Student ID numbers
- Canvas inbox messages (private conversations between students and instructors)
- Course information and enrollment data
Claimed by ShinyHunters (Unverified):
- 275 million individual records total
- “Several billion” private messages
- 3.65 terabytes of data
- Salesforce instance data from Instructure’s CRM system
- Data spanning 15,000 institutions across North America, Europe, Asia, and Oceania
Instructure stated it found no evidence that passwords, dates of birth, government identifiers (SSN/national ID numbers), or financial information were exposed in the initial breach. However, the second attack on May 7 may have expanded access.
Which Schools and Universities Were Affected by the Canvas Hack?
The scale of the Canvas school data breach is staggering. ShinyHunters released a list of approximately 8,809 institutions across at least 10 countries. The educational institutions in the US, UK, Australia, Sweden, New Zealand, and the Netherlands all reported disruptions.
Among the most prominent institutions confirmed or listed as affected:
- Harvard University
- MIT (Massachusetts Institute of Technology)
- Stanford University
- Columbia University
- Princeton University
- Yale University
- Georgetown University
- University of Pennsylvania
- Rutgers University
- Kent State University
- University of Washington
- University of Oklahoma
- Oxford University (UK)
- School districts in California, Florida, Georgia, Oklahoma, Oregon, Nevada, North Carolina, Tennessee, Utah, Virginia, and Wisconsin
Remarkably, the breach list also included corporate clients like Amazon, Apple, and Cisco — companies that use Canvas for employee training programs — suggesting the data exposure extends well beyond traditional educational settings.
Students across top universities lost access to Canvas during finals week, forcing professors to scramble for alternatives. | Illustration: DailyUpdates360
Why Was Canvas Down During Finals Week? The Real Impact
The Canvas outage could not have come at a worse time. Finals season across US universities typically runs from late April through mid-May. Students were in the middle of submitting assignments, accessing study materials, taking online exams, and communicating with professors when Canvas suddenly went dark.
At the University of Pennsylvania, a student studying for finals was abruptly logged out mid-session. At Harvard, the login page was replaced by a hacker message at around 3:30 PM on May 7. At the University of Washington, students refreshing Canvas saw the ShinyHunters ransom note in place of their coursework.
Professors scrambled to email course materials directly. School districts announced “alternative methods of instruction.” Wake County Public Schools in North Carolina removed Canvas from its entire WakeID Portal and told students to avoid the application entirely. Teachers, as one Wake County educator put it, simply had to “roll with it.”
“I went onto WakeID… it is nothing that Wake County could have done, or the school, or as a teacher, we could not have planned for this. So we will just roll with it.”
— Wake County Public School Teacher, via WRAL.com
Is Canvas Safe to Use Now? Instructure’s Response
By late evening on May 7, Instructure announced that Canvas was available for most users again. Canvas Beta and Canvas Test remained in maintenance mode. The company issued the following statement:
“As we respond to this incident, we’re focused on three things: completing a rigorous investigation, communicating verified information to impacted customers, and continuing to strengthen the safeguards that protect customer and student data.”
— Instructure Holdings, Official Statement, May 8, 2026
Instructure’s Chief Information Security Officer Steve Proud confirmed the security team had revoked all privileged credentials and access tokens following the first breach on May 1. However, ShinyHunters attacked again on May 7 anyway — mocking Instructure’s “security patches” in their ransom note.
Instructure detected the initial unauthorized access on April 29. The fact that ShinyHunters struck a second time suggests the patches applied after May 1 were insufficient to fully close off their access. The listing of Instructure on ShinyHunters’ dark web site was subsequently removed — a sign that negotiations between Instructure and the hackers may be underway, according to cybersecurity tracking site DataBreaches.net.
ShinyHunters has set a hard deadline of May 12, 2026 to leak all stolen data unless Instructure and affected schools negotiate a settlement. Until this deadline passes, the full scope of data exposure remains uncertain.
What Should Students, Parents, and Schools Do Now?
If your school uses Canvas LMS and you received notification of the breach — or even if you have not yet — here are the concrete steps cybersecurity experts recommend taking immediately:
- Change your Canvas password immediately — even if your school uses single sign-on (SSO), change your institutional email password too
- Check for password reuse — if you use the same password elsewhere (email, gaming, social media), change all of them now
- Beware phishing emails — with names, institutional emails, and message context in hackers’ hands, scam emails will look highly convincing. Treat any “Canvas”-related email as suspicious
- Go directly to websites — do not click links in emails. Navigate directly to canvas.yourinstitution.edu or your school portal
- Review active Canvas sessions — check for unrecognized devices or OAuth-connected apps you do not recognize
- Monitor your child’s accounts — parents of K-12 students should personally oversee password changes and check all education platform logins
- Follow your school’s official communications — your district or university is the primary source of information specific to your institution
- Consider a credit/identity monitoring alert — while financial data was reportedly not exposed, stolen student IDs and emails can still enable identity fraud
Instructure confirmed that passwords, dates of birth, Social Security numbers, and financial data were not part of the confirmed exposure from the initial breach. However, remain vigilant as investigations are ongoing.
The Bigger Picture: Why Education Is Now the Top Cyber Target
The Canvas LMS hack 2026 is not an isolated event — it is the latest chapter in a long and accelerating war on educational institutions. As cybersecurity analyst Luke Connolly noted, the Canvas attack is strikingly similar to the PowerSchool breach of 2025, where a Massachusetts college student was charged for similar LMS intrusion.
Schools are, in the words of NBC News, “rich in digitized data” — storing information that was once locked in paper filing cabinets but is now accessible through a single vulnerability. Past major attacks have hit Minneapolis Public Schools, the Los Angeles Unified School District, and now Instructure’s Canvas at a global scale.
The question cybersecurity experts are increasingly asking is not whether educational platforms will be attacked — but whether they are investing enough in protection. With 30 million active Canvas users, a second breach in the same platform within eight months speaks to a systemic challenge in the EdTech industry’s approach to security.
Quick Recap: Everything You Need to Know About the Canvas Hack
- Canvas LMS, owned by Instructure, was hacked by ShinyHunters — a notorious international cybercriminal group
- The first breach was detected on April 29, 2026; a second, more damaging attack occurred on May 7
- ShinyHunters claims 275 million records stolen from 8,809+ schools and institutions worldwide
- Canvas went down during finals week, disrupting millions of students across the US and globally
- Harvard, MIT, Stanford, Columbia, Princeton, and thousands of K-12 districts were affected
- Confirmed exposed data includes names, institutional emails, student IDs, and private messages
- Canvas was restored for most users by the evening of May 7, 2026
- A final data leak deadline of May 12, 2026 remains active — change your passwords now
Frequently Asked Questions (FAQs)