A sweeping cyberattack on Instructure’s Canvas learning management system — used The hack, claimed by the ShinyHunters ransomware group, has disrupted coursework, endangered personal data, and prompted federal investigations.
The attack was discovered on May 7, 2026, when students and faculty across multiple institutions logged into Canvas and found a message from the hackers: “ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches.'” The group had exploited a vulnerability in Canvas’s Free-For-Teacher accounts to gain access to the platform.
Instructure, Canvas’s parent company, confirmed the breach and said it took the system offline temporarily “out of an abundance of caution.” The company said it has restored Canvas access but shut down Free-For-Teacher accounts indefinitely. The platform serves more than 30 million active users across the United States, Canada, and beyond.
Threat intelligence firm Ransomware.live posted copies of ransom communications showing ShinyHunters claimed to hold data on 275 million individuals from nearly 9,000 schools. The group set a deadline of May 12, 2026, for schools to contact them about settlement before any data release — a deadline that has since passed.
Harvard University, where the breach was first reported by the Harvard Crimson, was among the institutions most acutely affected. Students reported being unable to access coursework, grades, and exam materials during a critical period of the semester. Other major schools — whose names appeared on a leaked list published
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is coordinating with Instructure and affected school districts. The FBI has opened an investigation into the breach, which is being treated as both a data theft and extortion case.
Security researchers say the breach represents one of the largest attacks on educational infrastructure in U.S. history. The exposed data could include student names, email addresses, grades, and in some cases Social Security numbers — depending on the school and what information is stored on Canvas.
ShinyHunters, a known ransomware and data theft group, has previously been linked to breaches at numerous companies. The group operates on a ransomware-as-a-service model and is known for publishing stolen data when ransom demands are not met.
US school cyberattack: ShinyHunters breach Canvas LMS — 275M individuals’ data at risk from 9,000 schools. Finals disrupted. FBI investigating.
Written by Carlos Mendez, Americas Correspondent
Carlos Mendez
Carlos Mendez covers Latin American politics, economics, and regional affairs from Mexico City to Buenos Aires.