A data extortion attack on the Canvas education platform disrupted classes nationwide today. A cybercrime group defaced the login page with a ransom demand, threatening to leak data from 275 million students and faculty across nearly 9,000 institutions.
Canvas parent company Instructure disabled the platform in response. Instructure had acknowledged a data breach earlier this week after the ShinyHunters cybercrime group claimed responsibility. ShinyHunters stated they would leak data on tens of millions of users unless paid a ransom. The initial payment deadline was May 6; it was then moved to May 12.
Instructure said on May 6 that its investigation showed stolen information included user names, email addresses, student ID numbers, and messages among users. The company found no evidence of compromised passwords, dates of birth, government identifiers, or financial information. That May 6 update claimed Canvas was fully operational with no ongoing unauthorized activity. "At this stage, we believe the incident has been contained," Instructure wrote.
By midday Thursday, May 7, students and faculty at dozens of schools reported a ShinyHunters ransom demand had replaced the Canvas login page. Instructure took Canvas offline, replacing the portal with a "scheduled maintenance" message. "We anticipate being up soon, and will provide updates as soon as possible," the Instructure status page stated.
ShinyHunters claims the stolen data includes billions of private messages between students and teachers, along with names, phone numbers, and email addresses. Many affected schools are in the middle of final exams. A prolonged outage could severely damage Instructure.
The extortion message advised affected schools to negotiate their own ransom payments, regardless of Instructure's decision. "ShinyHunters has breached Instructure (again)," the message read. "Instead of contacting us to resolve it they ignored us and did some 'security patches.'"
A source close to the investigation, unauthorized to speak publicly, said several universities have already contacted ShinyHunters about paying. The source also noted that ShinyHunters' data leak blog no longer lists Instructure among its current extortion victims. Samples of stolen Canvas customer data were also removed. Extortion groups typically remove victims from leak sites after receiving payment or agreeing to negotiate.
Dipan Mann, founder and CEO of Cloudskope, criticized Instructure for calling today's outage "scheduled maintenance." Mann stated ShinyHunters first demonstrated a breach on May 1. Instructure's Chief Information Security Officer Steve Proud declared the incident contained the next day.
Mann said today's attack marks at least the third time in eight months that ShinyHunters has breached Instructure. In a blog post today, Mann noted ShinyHunters released thousands of internal University of Pennsylvania files in September 2025. These included donor records and confidential memos, accessed partly through a Canvas/Instructure path. "Penn was the named victim," Mann wrote. "Instructure was the mechanism."
Mann stated that the September 2025 Penn breach served as a proof of concept, that the May 1, 2026 incident was the production run, and that the May 7, 2026 recompromise showed publicly that the May 2 "containment" failed. In February, a ShinyHunters spokesperson told The Daily Pennsylvanian that Penn did not pay a $1 million ransom demand. On March 5, ShinyHunters published 461 megabytes of data stolen from Penn.
ShinyHunters is a cybercriminal group specializing in data theft and extortion. They often gain access through voice phishing and social engineering, impersonating IT personnel. Last month, ShinyHunters stole personal information from 5.5 million ADT home security customers.
