Hacker group ShinyHunters claims to have disrupted a major educational platform not once but twice in the past few weeks. And the data breach could not have come at a worse time for students and teachers. These incidents took place during finals in many of the affected schools.
On April 30th, Instructure, the edtech company behind Canvas, the popular Learning Management System (LMS) used by educational institutions around the world, was temporarily offline. A day later, Instructure confirmed that a “criminal threat actor” has caused a data breach in the company’s systems.
According to ShinyHunters, the group stole data from 275 million Canvas users at nearly 9,000 schools around the world. Affected users included students, teachers, and staff, and although no passwords or other sensitive data were taken, the data stolen was significant. Hackers claimed usernames, email addresses, student IDs, and private messages exchanged on the platform were part of the stolen data. Some of the affected users are young students.
Mashable 101 Favorites: Vote for your favorite creator today!
Immediately after the hack, Instructure confirmed that it had revoked access to the bad actors, took steps to fix the issues and prevent further breaches from happening, and brought Canvas back online.
However, after just one week, ShinyHunters says hit Canvas again. In this case, the hackers compromised the school’s login pages on the platform and defaced the pages with messages threatening to publicly release the previously breached stolen data unless Instructure agreed to “negotiate a settlement.”
The demand for money from ShinyHunters is not surprising. Ransomware groups have been known to scam victims following data breaches. However, Instructure’s second breach was a surprise. Canvas went offline again, and when it came back, the company had removed the source of the second incident: Free Accounts for Teachers.
According to the new update incident page on Instructure’s website, the company says it “identified a vulnerability related to support tickets in our free Teacher platform that was exploited.”
Mashable Light Speed
“We have temporarily disabled Free for Teacher while we complete a full security review,” the company said. “We know that’s disruptive, and we didn’t drive that lightly. But keeping the entire Canvas platform secure has to come first.”
Although the second breach did not result in any data being stolen, the timing of the security incident could not have been worse for students, as many schools are currently holding finals and other end-of-year academic deadlines.
As PCMag reported, “students and professors struggled to access the online platform used to submit assignments and tests.” (Disclosure: PCMag and Mashable are both owned by the same parent company, Ziff Davis.)
According to data provided to Mashable from Alliance Risk Trends, Google searches for “canvas hacked” and “canvas down” dropped nearly 1,000 percent this past Friday. There was a combined search volume of over 1 million searches involving Canvas security incidents and subsequent downtime.
Some readers reached out to Mashable to share their experiences. One parent of a Seton Hall University student sent Mashable an email the school sent while Canvas was inactive.
“We know this is a difficult time,” the school’s email to students read. “Finals are underway, course work is due, and Canvas being offline right now is really annoying.”
Other schools, such as Bayton University in Texas, postponed final exams on Friday mainly due to problems accessing Canvas.
“Since Canvas has dropped to the national level, Baylor University will delay final exams tomorrow (Friday, May 8, 2026),” the school’s statement said.
Canvas is now back online. However, ShinyHunters’ “payment” deadline for releasing data on May 12 is still to come.
Want to learn more about getting the most out of your technology? Sign up for Mashable’s Top Stories and Deals newsletters today.
Articles
Applications and Software Cybersecurity
