Canvas LMS Hack: ShinyHunters Breached 275 Million Students — And Instructure Paid the Ransom

In what security researchers are calling the largest educational data breach in recorded history, hackers compromised Instructure’s Canvas LMS — the learning management system used by more than 8,800 universities, colleges, and school systems worldwide. The ShinyHunters cybercrime group claimed responsibility, threatening to leak data on 275 million individuals including billions of private student messages. Last week, Instructure quietly paid the ransom — a decision cybersecurity experts are calling catastrophic for the industry.

Here’s the full story of how the breach happened, who is exposed, what Instructure did wrong, and what every student, educator, and institution needs to know right now.

The Scale of the Breach: 8,809 Institutions, 275 Million People

The numbers are staggering. According to ShinyHunters’ own claims and reporting from Inside Higher Ed, the breach potentially affects:

  • 8,809 institutions including 2,514 higher education institutions — among them all eight Ivy League universities and major state university systems
  • 275 million individuals whose data was reportedly exfiltrated
  • “Several billion” private messages between students, professors, and staff
  • Data types including names, email addresses, student ID numbers, and internal platform communications

To put the scale in context: Canvas is to education what Microsoft 365 is to enterprise — a mission-critical, deeply integrated platform that billions of people’s academic lives run through. Grades, assignments, communications, accommodations documentation, financial aid correspondence — it all lives in Canvas. Whoever controls that data controls a comprehensive portrait of the academic lives of a quarter billion people.

Timeline: How the Attack Unfolded

The attack played out over three chaotic weeks:

  • April 25: Unauthorized actors gained access to Canvas systems
  • April 29: Instructure detected the intrusion and engaged third-party cyber forensics experts
  • May 1: Instructure publicly disclosed the incident
  • May 3: ShinyHunters published a ransom note claiming access to 275 million records, setting a May 6 deadline
  • May 5-6: Instructure claimed the situation was “resolved” — ShinyHunters disputed this
  • May 7: Canvas was hacked again. ShinyHunters set a new deadline of May 12 to pay or face a full data dump
  • May 11: Instructure reached an “agreement” with ShinyHunters — one day before the final deadline

The May 7 second breach is the most damning detail in this timeline. Instructure’s May 6 claim that the situation was “resolved” was apparently premature or false — ShinyHunters immediately proved continued access by breaching Canvas again. This suggests Instructure either failed to fully remediate the initial access vectors or that ShinyHunters had established persistent backdoor access before the initial disclosure.

ShinyHunters: The Most Prolific Breach Crew of 2025-2026

ShinyHunters is not a new name in cybersecurity. The group has been active since 2020 and is responsible for some of the largest data breaches in recent years, including the Ticketmaster breach that exposed 560 million customer records in 2024. They are part of the same broader ecosystem as Scattered Spider, LAPSUS$, and the CoinbaseCartel group behind the Grafana GitHub breach this week.

What makes ShinyHunters particularly dangerous is their patience and methodology. They do not rely exclusively on zero-day exploits. Instead, they use a combination of social engineering, credential stuffing against identity providers, and abuse of legitimate API access — attack vectors that are harder to detect and harder to attribute than traditional malware-based intrusions.

Their business model is pure extortion: breach, prove possession of sensitive data, threaten public release, negotiate payment. The Canvas breach follows this playbook precisely. And now, with Instructure having paid, that playbook has been validated on one of the world’s largest educational platforms — a signal to every other education technology company that they are viable targets.

Instructure Paid the Ransom — Why That’s a Disaster

Instructure confirmed on May 11 that it reached an “agreement” with the hackers. The company received what it described as “digital confirmation of data destruction” and assurance that “no Instructure customers will be extorted as a result of this incident.” The specific monetary value of the ransom has not been disclosed.

Cybersecurity experts were swift and unanimous in their condemnation. Paying the ransom is bad for several reasons:

  • You cannot verify data destruction: Digital “confirmation” is meaningless. ShinyHunters can trivially claim to have deleted data while retaining copies. There is no technical mechanism to verify that 275 million records have been deleted from attacker infrastructure.
  • It funds the next attack: Ransom payments are the revenue model that makes these operations financially viable. Instructure’s payment directly funds ShinyHunters’ next campaign.
  • It signals vulnerability to the entire sector: Every other education technology company — Blackboard, D2L, Pearson, Chegg — is now a confirmed-viable target. The attack on Canvas proved that educational institutions will pay rather than fight.
  • It creates a dangerous feedback loop: As security firm Trend Micro noted, paying “can create a dangerous feedback loop where attackers are effectively rewarded for successful breaches.”

Compare this to Grafana’s approach this week: transparency, refusal to pay, rapid technical remediation. That’s the playbook that doesn’t fund attacker operations and doesn’t signal weakness to the broader threat landscape. Instructure chose the opposite path, and the consequences will echo through the EdTech sector for years.

What Students and Faculty Need to Do Now

If you have ever used Canvas as a student or faculty member at any institution worldwide, you should assume your data may be in attacker hands. Here’s what to do:

  • Change your Canvas password immediately — even though Instructure claims the situation is resolved, credential data from the breach may already be circulating
  • Enable two-factor authentication on your institutional email and any other accounts that use the same email address as your Canvas login
  • Watch for phishing emails targeting your institutional email — attackers with access to student data frequently pivot to targeted phishing using the stolen information to craft convincing lures
  • Be vigilant about suspicious contact referencing your coursework, grades, or institutional ID — this data is now potentially in attacker hands
  • Monitor for identity theft indicators over the next 12-24 months — breached personal data often surfaces in fraudulent credit applications long after the initial incident

The EdTech Security Crisis

The Canvas breach is not an isolated incident — it’s the latest and largest chapter in a sustained campaign against educational technology infrastructure. Higher education has been consistently identified as one of the worst-performing sectors in cybersecurity posture: institutions are cash-strapped, IT teams are undersized, and the culture of open access that makes universities great for learning makes them terrible for security.

EdTech vendors sit at the nexus of this vulnerability. They aggregate data from thousands of institutions that individually lack the security sophistication to evaluate their vendors’ practices rigorously. A single successful breach of a centralized platform like Canvas creates damage that dwarfs any individual university breach — a systemic risk that the sector has been warned about for years but has done little to address.

As AI-assisted attacks become more sophisticated — as documented in Mandiant’s M-Trends 2026 report — the gap between attacker capabilities and EdTech security maturity is only going to widen. The Canvas breach is a preview of what happens when that gap is exploited against critical civilian infrastructure. The preview is ugly. The full version could be catastrophic.

For ongoing coverage of major data breaches and cybersecurity incidents, follow SudoFlare’s cybersecurity section.
