A cybercriminal group stole roughly 6.65 terabytes of data from Canvas, a widely used educational software platform, in a breach that disrupted students across the United States as they prepared for end-of-year assignments. The incident, which began on April 25, 2026, affected nearly 9,000 schools worldwide and exposed student names, email addresses, student ID numbers, and private messages between students, teachers, and staff.
The group responsible, ShinyHunters, announced the theft in a May 3 post on its website. In a follow-up message on May 5, the group said Canvas parent company Instructure had “not even bothered speaking to us” to prevent a data leak, and published a list of roughly 1,400 individual schools and districts, inviting them to negotiate directly. A source familiar with the matter told Reuters that some schools and universities did individually reach out to the hackers in an attempt to prevent the release of their data.
Instructure first disclosed it was investigating a cybersecurity incident on May 1. The company said hackers exploited a vulnerability in its Free-for-Teacher service, which allows non-Canvas users to access parts of the platform. Instructure has temporarily shut down that service. On May 7, students at multiple schools logged into Canvas and found a message from ShinyHunters with a link to the list of affected schools, prompting Instructure to briefly take Canvas offline before restoring access approximately four hours later.
Instructure declared the situation resolved on May 6, and Canvas was reported fully operational as of May 7. Canvas Beta and Canvas Test remained in maintenance mode as of the company’s latest update. ShinyHunters removed its posts about the incident on May 7, replacing them with a statement saying they had “no further comment to make regarding this global incident.”
Canvas serves 30 million active users from kindergarten through college age. The breach may raise concerns about data security for the millions of students, parents, and educators who rely on the platform daily. Montgomery County Public Schools in Maryland said it was continuing to restrict access “until all services have been reviewed and confirmed safe for use.”
Source: Tech-Economic Times