Canvas Hackers Warn 'Pay or Leak' as Ransom Deadline Looms Over 30 Million Students' Stolen Records

Cybercrime group ShinyHunters has taken control of Canvas login pages at hundreds of universities, replacing them with a ransom demand targeting Instructure, the parent company of the learning management system. The group gave Instructure until May 12, 2026, to pay a ransom or risk public exposure of stolen data from over 30 million students across 8,000 institutions, including Harvard, Columbia, Princeton, Georgetown, and the University of Pennsylvania. Instructure first disclosed a security incident on May 1, 2026, involving access to user data such as names, email addresses, student IDs, and internal messages. The company stated at the time that passwords, birthdates, government IDs, and financial information were not compromised. However, ShinyHunters claimed the breach was ignored and escalated by defacing login portals on May 7, during finals week, with an extortion message. The group alleges the breach covers approximately 275 million records from 8,809 educational institutions worldwide, including the U.S., U.K., New Zealand, Australia, Sweden, and the Netherlands. At the University of Pennsylvania alone, ShinyHunters claimed access to over 306,000 user records, including Canvas account data and faculty-student communications. Instructure responded by taking Canvas offline globally, citing maintenance, but did not provide further comment. ShinyHunters described the May 7 attack as a second breach, distinct from the May 1 incident, though it did not specify the exploited vulnerability. The group’s data leak site claims 3.65 terabytes of stolen data, though figures vary between reports. Affected institutions remain on high alert as the ransom deadline approaches.