English
Instructure, the parent company of the widely used Canvas learning management system, has confirmed it reached an agreement with the cybercriminal group ShinyHunters after hackers stole data on 275 million users. In a statement released on May 12, 2026, Instructure said the stolen data has been returned and digitally destroyed, though the company did not disclose whether a ransom was paid. The Canvas data breach 2026 has disrupted final exams at hundreds of universities worldwide, including Harvard, Columbia, and the University of California system.
What Happened in the Canvas Hack?
The breach unfolded in two phases. First, on May 3, 2026, ShinyHunters exploited a vulnerability in Canvas's 'Free-For-Teacher' account system to access a database containing names, email addresses, student ID numbers, and internal messages from approximately 275 million users across more than 8,800 educational institutions in over 100 countries. After Instructure deployed security patches instead of engaging with the hackers, ShinyHunters struck again on May 7, defacing Canvas login dashboards at hundreds of universities with a ransom message demanding payment before a May 12 deadline.
Who Are the ShinyHunters Hackers?
ShinyHunters is a notorious black-hat hacker and extortion group active since 2019. According to Wikipedia, the group has been responsible for numerous high-profile breaches including Microsoft (2020), Tokopedia, and the Dutch telecom provider Odido. In the Odido case, which was the largest data breach in Netherlands history, ShinyHunters leaked the full customer database of 6.2 million accounts after the company refused to pay. The group typically operates a 'pay or leak' model: if ransoms are not paid, stolen data is sold on dark web forums or published publicly.
Previous Targets and Methods
ShinyHunters has utilized cloud misconfigurations, OAuth token theft, supply chain attacks, and zero-day exploits. Notable victims include Mathway (25 million users), Wishbone, and multiple edtech providers. In 2022, French member Sébastien Raoult was extradited to the U.S. and sentenced to three years in prison. Despite law enforcement actions, the group's leadership remained active.
Instructure's Response and the Ransom Deal
Initially, Instructure took a hardline stance. CEO Steve Daly later acknowledged the company mishandled communications. 'We prioritized security patches over customer communication, and that was a mistake,' Daly said in a May 11 update. As the May 12 deadline approached, with universities facing canceled exams and growing pressure from students and parents, Instructure negotiated directly with ShinyHunters. The company's statement read: 'As part of the agreement, the data has been returned to us and we have received digital confirmation of its destruction. We have been told that no customers are being extorted.'
Impact on Universities and Students
The hack forced dozens of universities to take Canvas offline, causing chaos during final exam season. The California State University system, which serves over 460,000 students, was among those affected. Many institutions advised students to email professors directly and promised no academic penalties due to the disruption. Security experts warned that even with the data destroyed, affected individuals face increased phishing risks. The student data privacy concerns raised by this breach have prompted calls for stronger cybersecurity regulations in the education sector.
What Data Was Stolen?
According to multiple sources, the compromised data includes:
- Full names and email addresses
- Student ID numbers and institutional affiliations
- Internal messages and course-related communications
- Account creation dates and last login timestamps
Importantly, no financial information, Social Security numbers, or passwords were reported as compromised. However, the volume of data—3.65 terabytes—makes this one of the largest educational data breaches in history.
Comparison: Odido vs. Canvas Breach
| Target | Records Stolen | Ransom Paid? | Data Published? |
|---|---|---|---|
| Odido (2025) | 6.2 million | No | Yes (full leak) |
| Canvas/Instructure (2026) | 275 million | Undisclosed | No (destroyed) |
FAQ: Canvas Hack and Data Breach
Was my data stolen in the Canvas hack?
If you are a student or educator at an institution using Canvas, your name, email, and student ID may have been exposed. Check with your school's IT department for confirmation.
Did Instructure pay the ransom?
Instructure has not confirmed whether a ransom was paid, but security analysts widely believe a payment was made given the data's return and destruction.
What should I do if my data was compromised?
Be vigilant against phishing emails, enable two-factor authentication on your educational accounts, and monitor for suspicious activity. Change your Canvas password if you haven't recently.
Is Canvas safe to use now?
Instructure has implemented additional security measures and shut down the 'Free-For-Teacher' account program. The platform is operational, but users should remain cautious.
Who is responsible for the hack?
The ShinyHunters group claimed responsibility. Law enforcement agencies including the FBI are investigating.
Follow Discussion