May 7 / Latest News

ShinyHunters Defacement of Canvas LMS Triggers Widespread University Disruptions

Students at universities across the United States reported major disruptions on Thursday after the Canvas learning management system began displaying a defacement message attributed to the cybercrime group ShinyHunters.

The incident unfolded shortly after Instructure, the company behind Canvas, confirmed unauthorized access to parts of its systems earlier this month, raising concerns about the scope of the breach.

One of the affected portals, canvas.vt.edu, showed a ransom-style message claiming ShinyHunters had “breached Instructure again” and warning universities listed in an attached file to contact the group before May 12, 2026, or risk the public release of stolen data. The message accused Instructure of ignoring prior outreach and applying “security patches” instead of engaging with the attackers.

Students at the University of Colorado Colorado Springs said that access to Canvas became unstable around 1 p.m. local time, disrupting classes and blocking access to assignments, exams, and course materials. Similar complaints surfaced across social media and campus forums as students at multiple institutions reported outages and inaccessible coursework.

Instructure previously acknowledged that exposed data included names, email addresses, student ID numbers, and internal Canvas messages, though the company said there is no evidence that passwords, financial information, government IDs, or birth dates were accessed. ShinyHunters, however, claims to have stolen 3.65TB of data tied to nearly 9,000 institutions and roughly 275 million users worldwide—figures that have not been independently verified but are being closely watched by cybersecurity researchers.

Canvas is widely used for coursework, grading, exams, messaging, and attendance tracking, making even brief outages highly disruptive during peak academic periods. Several universities have already urged students to be cautious of phishing attempts and fraudulent password-reset emails that often follow major breaches.

The defacement of a public-facing login page suggests the attackers sought visibility as well as leverage, though it remains unclear whether the compromise stemmed from university infrastructure, a shared Canvas environment, or another connected service. ShinyHunters, known for high-profile data theft and extortion campaigns, has increasingly targeted cloud platforms and SaaS providers in recent years.

Instructure has not yet confirmed the full extent of the latest disruption, and investigations are ongoing. More universities are expected to issue statements as they assess whether their systems or user data were affected.