Canvas Data Breach 2026: ShinyHunters Steal 275 Million Student Records

The Canvas data breach is now officially the largest educational data breach in history. The cybercrime group ShinyHunters claims to have stolen 3.65 terabytes of data — approximately 275 million records — from Instructure’s Canvas learning management system, affecting 8,809 universities and institutions worldwide. The ransom deadline is May 12, 2026. If Instructure does not pay, ShinyHunters says everything gets leaked.

This Canvas data breach is not a drill. Harvard, Princeton, Columbia, Georgetown, the University of Melbourne, and thousands of other schools have been hit. Student names, email addresses, ID numbers, and private messages between students and teachers are all in the hands of criminals. And the timing could not be worse — it happened during finals week.

Canvas Data Breach Timeline: What Happened

Instructure first detected unauthorized activity in Canvas on April 29, 2026. The exposure window lasted from April 30 to May 7. Here is the complete timeline of how the Canvas data breach unfolded:

  • April 29: Instructure detects suspicious activity in its Canvas platform
  • April 30 – May 1: Unauthorized access continues as ShinyHunters exfiltrates data through the Free-For-Teacher account exploit
  • May 1: Instructure publicly acknowledges a cybersecurity incident has occurred
  • May 2: Instructure says the issue is “contained” but confirms names, emails, student IDs, and messages were stolen
  • May 3: ShinyHunters posts a ransom note on Ransomware.live claiming responsibility and threatening to leak data from 9,000+ schools
  • May 5: Inside Higher Ed reports ShinyHunters’ “PAY OR LEAK” extortion campaign targeting higher education
  • May 7 (1:20 PM PDT): ShinyHunters launches a second attack, defacing Canvas login pages at ~330 institutions with their ransom message. Students post screenshots on Reddit
  • May 8: Canvas restored for most users. Harvard, Penn, and other top universities confirm they were listed in the breach
  • May 12 (TOMORROW): ShinyHunters’ ransom deadline — threatened to leak all stolen data if not paid

The breach was not a single event. ShinyHunters hit Canvas twice — first stealing the data, then coming back a week later to deface login pages and apply direct pressure on individual schools.

How ShinyHunters Caused the Canvas Data Breach: The Free-For-Teacher Exploit

The attack vector was embarrassingly simple. ShinyHunters exploited Instructure’s Free-For-Teacher (FFT) account program, which allowed educators to create Canvas tenants without institutional verification. No identity checks. No multi-factor authentication. Just sign up and you are in.

According to Rescana’s breach analysis, the FFT exploit gave ShinyHunters direct access to the Canvas platform where institutional course data, student information, and private communications live. This was not a sophisticated zero-day. It was an access control failure that any pentester would have flagged during a basic security audit.

Instructure later confirmed that the breach was caused by “an issue related to its Free-For-Teacher accounts.” The FFT program has since been suspended, but the damage was already done — 3.65 terabytes of data had already been exfiltrated.

What Data Was Stolen in the Canvas Data Breach: 3.65 Terabytes of Student Records

ShinyHunters claims to have stolen approximately 275 million records totaling 3.65 terabytes of data. According to multiple reports including Malwarebytes and TIME, the stolen data includes:

  • Full names of students, faculty, and staff
  • Email addresses (personal and institutional)
  • Student ID numbers
  • Private messages exchanged between students and teachers on Canvas
  • Canvas account records and course enrollment data
  • Institutional data from 8,809 universities and educational organizations

At the University of Pennsylvania alone, ShinyHunters claimed to have accessed data on more than 306,000 users, including internal messages between students and faculty. The private messages component is particularly concerning — Canvas is used for sensitive academic communications including grade disputes, mental health accommodations, disability disclosures, and disciplinary proceedings.

Universities Affected: Harvard, Princeton, Penn, and 8,800 More

The Canvas hack affected 8,809 universities, educational ministries, and institutions worldwide, making it the largest educational security breach on record. Canvas is used by 41% of higher education institutions in the United States alone.

Confirmed affected institutions include:

  • Ivy League: Harvard, Princeton, Columbia, Georgetown, University of Pennsylvania
  • Australia: University of Melbourne, University of Technology Sydney, RMIT, Griffith University, Adelaide University, University of Canberra
  • United States: Thousands of public and private universities plus K-12 school districts
  • Global: Institutions across Europe, Asia, and South America

Several Australian universities are already offering assignment extensions to affected students. Harvard’s Crimson reported that the university’s Canvas site went down after being listed in the breach. The Daily Pennsylvanian confirmed that Penn’s Canvas system was crashed by the cybercrime group.

The Ransom Demand: Pay by May 12 or Everything Leaks

ShinyHunters operates a pure “pay or leak” extortion model. Unlike traditional ransomware groups that encrypt files and demand payment for decryption keys, ShinyHunters does not use encryption at all. Their only leverage is the threat of public data release.

The group set a deadline of May 12, 2026 (tomorrow) for schools to negotiate ransom payments. According to IBTimes, ShinyHunters pivoted from targeting Instructure centrally to direct school-by-school extortion, pressuring individual institutions to pay separately for their own data.

It is not clear whether Instructure or any individual schools have paid. The FBI and CISA have consistently advised against paying ransoms, as payment does not guarantee data deletion and funds criminal operations. But with 275 million records on the line and private student-teacher messages at stake, the pressure on institutions is immense.

The Second Attack: ShinyHunters Defaced 330 Login Pages

On May 7, ShinyHunters launched a second attack on Canvas. This time, instead of data exfiltration, they defaced the login pages of approximately 330 institutions with their ransom message. Students at schools across the country opened their Canvas portals to find a hacker message instead of their coursework.

The attack came to public attention at approximately 1:20 PM PDT when students began posting screenshots on Reddit. CNN reported that the hack stranded college students during finals week, with many unable to access assignments, submit papers, or take scheduled exams.

By May 8, Instructure reported that Canvas was “available for most users” and that no further incidents had been detected. But the damage — both to student academic timelines and to institutional trust — was already done.

Who Are ShinyHunters? The Group Behind the Canvas Hack

ShinyHunters is a well-known cybercrime group that has been active since at least 2020. They are responsible for multiple high-profile data breaches including the 2024 Snowflake data theft campaign that compromised AT&T, Ticketmaster, Santander, and dozens of other companies.

The group’s operational model is distinctive: they steal data and threaten to publish it unless victims pay. They typically do not deploy ransomware or encrypt files. Their attacks are focused purely on data theft and extortion. ShinyHunters is believed to operate primarily from French-speaking regions, and at least one member was arrested in Morocco in 2024.

The Canvas attack represents a strategic shift for ShinyHunters — targeting educational institutions rather than corporations. Universities often have weaker security budgets, fewer dedicated security staff, and massive amounts of sensitive data. It is a target-rich environment for data extortion.

Impact on Students: Finals Week Chaos

The timing of the Canvas hack was devastating. The breach and subsequent login page defacement hit during finals week at many universities, when students depend heavily on Canvas for submitting assignments, accessing study materials, and taking online exams.

The impact was felt globally. Australian universities including Melbourne, UTS, RMIT, and Griffith offered deadline extensions. American universities scrambled to set up alternative submission methods. Some professors moved exams to in-person formats on short notice. Others simply postponed everything.

Beyond academic disruption, there is a deeper concern: the stolen private messages. Canvas is used for communications about disability accommodations, mental health support, grade appeals, plagiarism allegations, and Title IX complaints. If leaked, these messages could expose extremely sensitive personal information about millions of students.

Instructure’s Response: Too Little, Too Late?

Instructure’s response has drawn criticism from cybersecurity experts and university administrators alike. The company detected the breach on April 29 but did not publicly acknowledge it until May 1. The Free-For-Teacher vulnerability that enabled the attack was a known weak point that should have been secured years ago.

By May 9, Al Jazeera reported that Canvas was partially restored for millions of students. Instructure stated on its website that Canvas is now “available for most users.” However, the company has not publicly disclosed whether it has paid any ransom or what steps it is taking to prevent future attacks on this scale.

The Bitdefender technical advisory on the breach noted that the Free-For-Teacher exploit was a fundamental access control failure. Allowing unverified accounts to access a platform containing data from 275 million users represents a systemic security design flaw, not a sophisticated attack that was impossible to prevent.

What Students and Faculty Should Do Right Now

If you use Canvas at any institution, assume your data has been compromised. Here is what you should do immediately:

  • Change your Canvas password and any other accounts that share the same password
  • Enable two-factor authentication on your institutional email and any linked accounts
  • Monitor your email for phishing attempts — attackers may use stolen data to craft convincing phishing emails
  • Check your student ID — if your student ID number was leaked, contact your institution about getting a new one
  • Review your Canvas messages — consider whether any private messages contain sensitive information that could be used against you
  • Be wary of “Canvas security” emails — ShinyHunters or copycats may send fake security notifications to harvest more credentials
  • Contact your university’s IT department if you notice unusual activity on your accounts

The Bigger Picture: Why Education Is a Prime Target

The Canvas breach is a wake-up call for the entire education sector. Universities hold enormous amounts of personally identifiable information — student records, financial aid data, health information, research data — but typically spend a fraction of what corporations invest in cybersecurity.

According to industry reports, education was already the third most-targeted sector for ransomware in 2025. The Canvas hack shows that attackers are scaling up, going after the platforms that connect thousands of institutions rather than targeting schools one by one. A single vulnerability in Canvas gave ShinyHunters access to data from nearly 9,000 institutions simultaneously.

The “pay or leak” model also creates a uniquely difficult situation for universities. Unlike corporations, public universities cannot easily make large ransom payments without public scrutiny. And unlike corporate data, student data includes information about minors, disability accommodations, and other protected categories that carry additional legal and ethical obligations.

Final Thoughts

The Canvas hack is a 275-million-record reminder that centralized educational platforms are critical infrastructure that needs to be treated as such. A Free-For-Teacher account program with no identity verification should never have existed on a platform holding data from 8,809 institutions.

Tomorrow is May 12 — ShinyHunters’ ransom deadline. Whether the data leaks or not, the damage to student privacy and institutional trust is already done. The education sector needs to fundamentally rethink how it secures the platforms that millions of students depend on every day.

We will update this article as the May 12 deadline passes and new information becomes available.

How This Canvas Data Breach Compares to 2026 Attacks

The Canvas breach doesn’t exist in isolation. 2026 has been a catastrophic year for cybersecurity across every sector. In April alone, cryptocurrency platforms lost $629 million to exploits. The Dirty Frag Linux kernel exploit demonstrated that even the most fundamental operating system layers remain vulnerable to privilege escalation attacks. Meanwhile, the PAN-OS zero-day CVE-2026-0300 showed that enterprise firewalls designed to protect networks can become the attack vector themselves.

What makes the ShinyHunters Canvas data breach particularly alarming is the combination of scale and sensitivity. Unlike financial data breaches where credit monitoring can mitigate damage, stolen educational records create lifelong identity verification problems. Academic credentials, institutional emails, and enrollment histories form the backbone of professional identity verification systems that candidates use throughout their careers.

The education sector has historically underfunded cybersecurity compared to financial services or healthcare. According to IBM’s Cost of a Data Breach Report, educational institutions spend an average of $3.7 million per breach incident but allocate less than 6% of their IT budgets to security operations. CISA’s CI Fortify directive now requires critical infrastructure operators to prepare for extended cyber blackouts — a clear signal in the wake of the Canvas data breach that the threat landscape has escalated beyond what traditional security budgets can address. Organizations should also review the cPanel zero-day that compromised 44,000 servers and the growing trend of AI-assisted attacks documented in Mandiant’s M-Trends report.
