ShinyHunters claims new Instructure hack, threatens schools with data leak

A routine Canvas login screen became a pressure point for schools after ShinyHunters defaced pages at several Instructure customer sites with an extortion message, a move that turned a widely used education platform into a visible warning about third-party risk. The attack landed on a service relied on by schools, universities and other educational organizations across the country, exposing how a single vendor incident can ripple through daily access to classes, assignments and student records.

Instructure, the Salt Lake City company behind Canvas, disclosed a cybersecurity incident on May 1 and said unauthorized access may have exposed names, email addresses, student ID numbers and messages exchanged among users. The company said it had no current evidence that passwords, birth dates, government IDs or financial information were compromised. It brought in outside forensic experts, reissued some application keys and placed Canvas Data 2 and Canvas Beta/Test under maintenance while it investigated.

By May 6, Instructure said the incident had been resolved, Canvas was fully operational and no ongoing unauthorized activity was being seen. The company’s response suggests the kind of operational disruption that often follows vendor breaches, where schools are forced to wait on a central platform provider to restore systems they do not fully control. Even when core login services return, the incident can leave administrators weighing whether student data, internal messages or downstream integrations were exposed.

ShinyHunters claimed responsibility and said it stole 3.65 terabytes of data tied to roughly 275 million people and nearly 9,000 institutions worldwide, including universities and corporate customers. The group reportedly set a May 12 deadline for private negotiation before releasing the data. TechCrunch reported that a member of the group shared a sample of allegedly stolen material that included records from two U.S. schools, one in Massachusetts and one in Tennessee, underscoring that the risk reached beyond a single district or campus.

The episode adds to mounting concern about the education sector after the January 2025 PowerSchool breach, which exposed student and teacher data and remains a central benchmark for K-12 and higher-ed cybersecurity. For parents, teachers and administrators, the lesson is not just that attackers can steal data. It is that a breach at one education-tech vendor can quickly become a trust problem, an access problem and a safety problem for schools far beyond the company’s own walls.