Show summary Hide summary
Canvas down across the US today as the ShinyHunters extortion gang forces widespread outages. The criminal group breached Instructure, Canvas’ parent company, claiming 275 million users are affected. They’ve issued a final deadline of May 8 to prevent massive data leaks.
🔥 Quick Facts
- Breach Scope: ShinyHunters compromised 275 million users across 9,000 institutions worldwide
- Outage Today: Canvas went down on May 7, 2026, with nearly 10,000 reported issues by afternoon
- Extortion Demand: Hackers demand contact by May 8 or will leak all data, including private messages
- Data Exposed: Names, emails, student IDs, course enrollments, and billions of private messages
Massive Breach Affects Nearly 9,000 Schools Globally
The ShinyHunters cybercrime group claimed responsibility for breaching Instructure on May 1, targeting one of the world’s most widely used learning management systems. The attack exposed data from nine thousand institutions spanning K-12 schools and universities across North America and globally. Canvas serves more than 40 percent of higher education institutions, making this hack one of education’s most devastating breaches.
According to reports, all eight Ivy League universities appear on ShinyHunters’ leaked victim list. The University of Pennsylvania alone has over 306,000 affected users, including current students, faculty, and staff members dating back years.
Canvas down across US as ShinyHunters hack forces outage, extortion threat issued
Conference League final path goes through Selhurst Park as Palace faces Shakhtar in semifinal
Extortion Threat and the May 8 Deadline Looms
ShinyHunters posted its demand on dark web forums, using the message ‘PAY OR LEAK’ to pressure Instructure. The group threatened to release several billions of private messages exchanged between students, teachers, and staff unless contacted by May 8, 2026. Original deadline was May 6, but messages indicate the group extended it slightly as negotiations apparently stalled.
According to ShinyHunters’ spokesman, Instructure has not engaged in direct communication or negotiation attempts. The group claims the ransom demand was reasonable compared to similar incidents, though specific amounts haven’t been publicly disclosed.
What Data Was Compromised in the Breach
| Data Type | Status |
| Names, Emails, Student IDs | Confirmed Stolen |
| Course Enrollments | Confirmed Stolen |
| Private Messages (Billions) | Allegedly Stolen |
| Passwords, Financial Data | No Evidence of Theft |
Instructure confirmed that identifying information was compromised, including names, emails, and student ID numbers. The company’s chief information security officer Steve Proud released multiple updates stating they found no evidence that passwords, dates of birth, government identifiers, or financial information were involved. However, ShinyHunters claims possession of billions of private messages containing personal conversations and phone numbers.
‘While we continue actively investigating, indications are that the information involved consists of names, email addresses, and student ID numbers, as well as messages among users. At this time, we have found no evidence that passwords, dates of birth, government identifiers, or financial information were involved.’
— Steve Proud, Chief Information Security Officer, Instructure
Canvas Outage Reported Across US Today
Canvas went down on May 7, 2026, the same day this article was published, with reports flooding in starting early afternoon. Downdetector.com tracked approximately 10,000 user reports of the platform being inaccessible by 1:40 p.m. PT. Most users reported general website issues and problems accessing courses, messages, and assignments. Canvas’ official status page indicated the platform was under maintenance and investigating issues with Student ePortfolios.
The outage’s exact connection to the breach remains unclear, though Instructure stated it had contained the attack and revoked compromised credentials. The company deployed security patches, rotated keys, and implemented enhanced monitoring.
Why Hackers Now Target Education Tech Giants Instead of Individual Schools
Security experts warn that ShinyHunters’ focus on Instructure instead of individual universities reveals a shift in cybercriminal strategy. Rather than attacking hundreds of separate institutions, hackers now target the vendors that schools depend on, gaining access to all their clients at once. Doug Thompson, chief education architect at cybersecurity firm Tanium, explained that attackers are ‘moving up the data supply chain’ to hit thousands of institutions simultaneously.
This isn’t ShinyHunters’ first vendor breach. The group previously infiltrated Salesforce, Infinite Campus, and McGraw Hill Education. With real names, emails, and personalized messages now in criminals’ hands, phishing attacks could become far more convincing and targeted at specific students and teachers.
Sources
- The Daily Pennsylvanian – Detailed reporting on Penn’s 306,000 affected users and ShinyHunters’ demands
- Inside Higher Ed – Comprehensive analysis of the breach affecting 9,000 institutions and extortion tactics
- GV Wire – Real-time Canvas outage reporting on May 7, 2026 with Downdetector data
